From 71c33ac5e009b7ee9f0c3b7ef5f34097349aa1f2 Mon Sep 17 00:00:00 2001 From: Daniel Akulenok Date: Tue, 30 Aug 2022 13:55:13 +0200 Subject: [PATCH 1/7] Working molecule --- meta/main.yml | 61 ++--- molecule/default/converge.yml | 455 ++++++++++++++++++++++++++++++++++ molecule/default/molecule.yml | 18 ++ molecule/default/verify.yml | 10 + tasks/main.yml | 1 + tests/test.yml | 448 +++++++++++++++++++++++++++++++++ 6 files changed, 952 insertions(+), 41 deletions(-) create mode 100644 molecule/default/converge.yml create mode 100644 molecule/default/molecule.yml create mode 100644 molecule/default/verify.yml diff --git a/meta/main.yml b/meta/main.yml index 64382ae..2673351 100644 --- a/meta/main.yml +++ b/meta/main.yml 
@@ -1,52 +1,31 @@ galaxy_info: + role_name: bind9 + namespace: valid + author: Daniel Akulenok description: Configure Bind9 company: Valid.dk - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker + issue_tracker_url: https://gitlab.valid.dk/operations/ansible-bind9-role - # Choose a valid license ID from https://spdx.org - some suggested licenses: - # - BSD-3-Clause (default) - # - MIT - # - GPL-2.0-or-later - # - GPL-3.0-only - # - Apache-2.0 - # - CC-BY-4.0 - license: GPL-2.0-or-later + license: GPL-3.0-or-later - min_ansible_version: 2.1 + min_ansible_version: 2.13 - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: + platforms: + - name: Ubuntu + versions: + - 22.04 + - 20.04 + - name: Debian + versions: + - 11 - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. + galaxy_tags: + - bind9 + - bind + - dns + - ubuntu + - debian dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. 
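Review bot: `min_ansible_version: 2.13` and the platform versions `22.04`, `20.04` and `11` are plain scalars, so a YAML parser hands Galaxy a float and integers rather than the strings it expects (and `2.10`-style values would silently lose their trailing zero); quote them: `min_ansible_version: "2.13"`, `- "22.04"`, `- "20.04"`, `- "11"`. Galaxy's platform catalogue for Ubuntu and Debian is keyed on release codenames (`focal`, `jammy`, `bullseye`) rather than version numbers, so the import may reject these entries — worth checking against the platforms endpoint the removed comment linked to. The `namespace: valid` declared here also does not match the `keepit.bind9` role reference added to molecule/default/converge.yml in the same commit; one of the two should change so the scenario resolves the role under its declared name.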
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 0000000..7cd81e8 --- /dev/null +++ b/molecule/default/converge.yml 
@@ -0,0 +1,455 @@ +--- +- name: Converge + hosts: all + roles: + - keepit.bind9 + vars: + bind9_group_config: + - name: named.conf.options + options: + forwarders: + - 1.1.1.1 + - 1.0.0.1 + fetches_per_server: 200 fail + prefetch: 4 10 + version: none + hostname: l33t.h4x0r + avoid_v4_udp_ports: + - "range 5132 5232" + - "range 1337 31337" + servfail_ttl: 0 + allow_notify: + - 10.0.0.0/8 + allow_query: + - "!10.0.2.1" + - 0/0 + blackhole: + - 192.168.0.0/16 + allow_recursion: [] + empty_server: "empty.server.string" + dns64_server: "server.name" + dns64_contact: "dak.keepit.com" + directory: "{{ bind9_working_directory }}" + key_directory: "{{ bind9_working_directory }}/keys" + statistics_file: "{{ bind9_working_directory }}/named.stats" + rrset_order: + - type: A + name: foo.isc.org + order: random + - type: AAAA + name: foo.isc.org + order: cyclic + - name: bar.isc.org + order: random + - name: "*.bar.isc.org" + order: random + - name: "*.baz.isc.org" + order: cyclic + response_policy: + zones: + - zone: smorg.bop + max_policy_ttl: 30S + min_update_interval: 30S + policy: disabled + add_soa: true + log: true + recursive_only: false + nsip_enable: true + nsdname_enable: true + max_policy_ttl: 30S + min_update_interval: 30S + min_ns_dots: 2 + add_soa: false + break_dnssec: false + nsip_wait_recurse: true + nsdname_wait_recurse: true + qname_wait_recurse: true + recursive_only: true + nsip_enable: true + nsdname_enable: true + dnsrps_enable: false + dnsrps_options: + - simple + - item + - list + response_padding: + block_size: 4096 + addresses: + - 0/0 + rate_limit: + all_per_second: 0 + errors_per_second: 0 + responses_per_second: 0 + referrals_per_second: 0 + nodata_per_second: 0 + nxdomains_per_second: 0 + ipv4_prefix_length: 24 + ipv6_prefix_length: 54 + max_table_size: 20000 + min_table_size: 500 + qps_scale: 250 + slip: 2 + window: 15 + log_only: true + exempt_clients: + - 192.168.0.1 + - 10.20.30.40 + query_source_v6: + address: "*" + port: "*" + dscp: 42 + 
parental_source_v6: + address: "*" + port: "*" + dscp: 42 + notify_source_v6: + address: "*" + notify_source: + address: "*" + listen_on: + - port: 53 + addresses: + - 0.0.0.0 + - port: 5353 + dscp: 42 + addresses: + - 0.0.0.0 + - 127.0.0.1 + listen_on_v6: + - port: 5353 + dscp: 42 + addresses: + - "::" + - "de:ad::be:ef" + dialup: false + minimal_responses: true + zone_statistics: full + ixfr_from_differences: master + dual_stack_servers: + port: 4492 + addresses: + - address: hostname.com + port: 4421 + dscp: 42 + - address: 10.128.128.182 + - address: de:ad::be:ef + dnstap: + - type: auth + - type: client + log: response + - type: resolver + log: query + dnstap_output: + output_type: file + output_file: /tmp/dnstap + size: 10M + versions: 200 + suffix: increment + - name: named.conf.local + acl: + - name: localstuff + addresses: + - 10.0.0.0/8 + - 192.168.0.0/16 + - 172.16.0.0/12 + - name: external + addresses: + - 185.181.220.77 + - "!0.0.0.0/0" + controls: + - type: inet + address: 127.0.0.1 + port: 533 + allow: + - 127.0.0.0/8 + - "!127.13.37.1" + readonly: false + - type: inet + address: 10.20.30.40 + allow: + - 100.0.0.0/8 + view: + - name: recursive-view + match_clients: + - localstuff + match_destinations: + - remote + match-recursive-only: true + options: + transfer_source: + address: 0.0.0.0 + port: '*' + dscp: 42 + allow_recursion: + - localstuff + zones: + - name: google.com + type: forward + forward: only + forwarders: + - 1.1.1.1 + - 1.0.0.1 + dnssec_policy: + - name: mypolicy + keylist: + - role: ksk + key_directory: true + lifetime: unlimited + algorithm: rsasha256 + keysize: 2048 + - role: zsk + lifetime: P30D + algorithm: 8 + - role: csk + lifetime: P6MT12H3M15S + algorithm: ecdsa256 + max_zone_ttl: P4D + parent_ds_ttl: P14D + nsec3param: + iterations: '0' + optout: false + salt_length: '0' + dyndb: + - name: sample + driver: example.so + parameters: + - example.nil. arpa. + - example2.nil. arpa. 
+ http: + - name: dohconf + endpoints: + - /dns-query + - /dns + - /query + listener_clients: 4 + streams_per_connection: 1024 + keylist: + - name: certbot. + algorithm: hmac-sha512 + secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" + - name: certbot2. + algorithm: hmac-sha512 + secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" + logging: + categories: + - name: default + channels: + - default_syslog + - default_debug + - tv2 + - dr1 + - name: unmatched + channels: + - tv3 + channels: + - name: tv2 + buffered: true + file: + name: /var/log/named.log + versions: 7 + size: 20m + suffix: increment + print_category: false + print_severity: false + print_time: iso8601-utc + severity: info + - name: tv3 + 'null': true + - name: dr1 + syslog: daemon + - name: kanalkobenhavn + stderr: true + severity: debug 3 + parental_agents: + - name: parents + port: 53353 + dscp: 42 + addresses: + - address: 10.20.30.40 + port: 53 + key: certbot. + - address: 20.30.40.50 + port: 53 + - address: 30.40.50.60 + key: certbot2. + - address: 40.50.60.70 + - name: notparents + addresses: + - address: 10.20.30.40 + - address: 30.40.50.60 + - address: 40.50.60.70 + primaries: + - name: parents + port: 53353 + dscp: 42 + addresses: + - address: 10.20.30.40 + port: 53 + key: certbot. + - address: 20.30.40.50 + port: 53 + - address: 30.40.50.60 + key: certbot2. + - address: 40.50.60.70 + - name: notparents + addresses: + - address: 10.20.30.40 + - address: 30.40.50.60 + - address: 40.50.60.70 + tls: + - name: certbot + cert_file: /etc/ssl/private/snakeoil.pem + key_file: /etc/ssl/private/snakeoil.key + dhparam_file: /etc/ssl/dhparam.pem + ca_file: /etc/ssl/certs/ca-certificates.crt + remote_hostname: yourhostname + ciphers: HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384 + protocols: + - TLSv1.2 + - TLSv1.3 + prefer_server_ciphers: true + session_tickets: true + trust_anchors: + - name: . 
+ type: initial-key + flags: 257 + protocol: 3 + algorithm: 8 + key: "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=" + - name: hugs.dk + type: static-ds + flags: 64335 + protocol: 7 + algorithm: 2 + key: "D6AAECB1BA13D51F072A229C957ACADEA18118FB17DA2DC7D45A963428091372" + server: + - prefix: 1.1.1.1 + bogus: false + edns: true + tcp_only: false + tcp_keepalive: false + edns_version: '0' + padding: '0' + transfers: '0' + keyname: certbot. + query_source: + address: "*" + port: "*" + statistics_channels: + - address: 0.0.0.0 + port: 8080 + allow: + - 0/0 + - name: named.conf.zones + backup: false + zones: + - name: "_acme-challenge.hugs.dk" + type: master + file: master/_acme-challenge.hugs.dk.zone + allow_query: + - any + dnssec_policy: default + inline_signing: true + serial_update_method: date + update_policy: + - permission: grant + identity: certbot. 
+ ruletype: name + name: _acme-challenge.hugs.dk + types: txt + - name: forward.net + type: forward + forwarders: + port: 53 + addresses: + - address: 1.1.1.1 + port: 53 + dscp: 42 + - address: 4.2.2.4 + port: 53 + - name: stub.com + type: static-stub + allow_query: + - any + server_addresses: + - 1.1.1.1 + - 8.8.8.8 + zone_statistics: full + - name: example.com + type: slave + allow_query: + - 127.0.0.1 + - 10.0.0.1 + - 128.15.14.13 + allow_query_on: + - 127.0.0.1 + primaries: + port: 5522 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 55222 + - address: 10.20.30.40 + - name: smorg.bop + type: slave + primaries: + addresses: + - address: 127.0.0.1 + allow_query: + - 15.14.13.12 + - 10.20.30.40 + - 28.25.23.24 + - "!10.13.14.15" + forwarders: + port: 53 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 53 + dscp: 42 + - address: 10.20.30.40 + port: 53 + - address: 20.30.40.50 + - address: 30.40.50.60 + port: 53 + allow_transfer: + port: 5522 + transport: tls + addresses: + - 192.168.122.1 + also_notify: + port: 5523 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 5523 + - address: 127.0.0.2 + auto-dnssec: allow + dnskey_sig_validity: 0 + dnssec-dnskey-kskonly: true + dnssec_loadkeys_interval: 0 + file: "string" + forward: first + inline_signing: true + ixfr_from_differences: true + masterfile_format: raw + masterfile_style: full + max_ixfr_ratio: unlimited + max_journal_size: default + max_records: 0 + max_transfer_idle_out: 0 + max_transfer_time_out: 0 + notify: true + notify_delay: '0' + notify_to_soa: false + parental_agents: + port: 44332 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 53 + sig_signing_nodes: '0' + sig_signing_signatures: '0' + sig_signing_type: 65281 + zero_no_soa_ttl: true + zone_statistics: full diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 0000000..a6db466 --- /dev/null +++ b/molecule/default/molecule.yml 
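Review bot: The two `keylist` entries commit a literal TSIG secret (`secret: "agyMWst4…"`) to the repository; even as a molecule fixture this trips secret scanners and invites reuse of the value, so replace it with an obvious placeholder or a value generated at converge time (for example via `set_fact` in a pre_task) and keep any real key in ansible-vault or the environment. Three keys in this fixture are kebab-case (`match-recursive-only`, `auto-dnssec`, `dnssec-dnskey-kskonly`) while every neighbouring key (`match_clients`, `inline_signing`, `dnssec_loadkeys_interval`) is snake_case; if the role's templates look up snake_case names these three never reach named.conf and the scenario silently tests less than it appears to — the templates are not in this diff, so please confirm. `roles: - keepit.bind9` also disagrees with the `namespace: valid` / `role_name: bind9` declared in meta/main.yml in this commit. The `statistics_channels` entry on `0.0.0.0:8080` with `allow: - 0/0` and the key-less `controls` entry on `10.20.30.40` are acceptable for a disposable container but should not be lifted into the role's documented defaults.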
@@ -0,0 +1,18 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: ubuntu-jammy + image: ubuntu:jammy + - name: ubuntu-focal + image: ubuntu:focal + - name: debian-bullseye + image: debian:bullseye +provisioner: + name: ansible + lint: + name: ansible-lint +verifier: + name: ansible diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml new file mode 100644 index 0000000..e707420 --- /dev/null +++ b/molecule/default/verify.yml @@ -0,0 +1,10 @@ +--- +# This is an example playbook to execute Ansible tests. + +- name: Verify + hosts: all + gather_facts: false + tasks: + - name: Example assertion + ansible.builtin.assert: + that: true diff --git a/tasks/main.yml b/tasks/main.yml index 0993827..6af2640 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -4,6 +4,7 @@ ansible.builtin.apt: name: "{{ bind9_packages }}" state: present + cache_valid_time: 3600 tags: - bind9 - packages diff --git a/tests/test.yml b/tests/test.yml index 5e082e0..c5a12ed 100644 --- a/tests/test.yml +++ b/tests/test.yml 
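Review bot: `lint:` nested under `provisioner:` is the Molecule 2 layout; Molecule 3 replaced it with a top-level `lint:` string, so current versions will reject or ignore this key and the scenario is unlikely to lint at all — move it to `lint: |` with `yamllint .` and `ansible-lint` as its body. The `ubuntu:jammy`, `ubuntu:focal` and `debian:bullseye` images are floating tags, so the matrix drifts between runs; pin by digest (or a dated tag) if the results need to be reproducible. `dependency: name: galaxy` without a requirements file resolves nothing, which matters given converge.yml asks for `keepit.bind9` rather than the role in this checkout.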
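Review bot: `that: true` in verify.yml asserts nothing, so `molecule verify` passes regardless of what converge produced; for a bind9 role the minimum worth checking is that the `named`/`bind9` unit is active (`ansible.builtin.service_facts` plus an assert) and that the rendered configuration parses with `named-checkconf`, since a template that emits an unknown option fails only at service start. The `# This is an example playbook to execute Ansible tests.` comment and `name: Example assertion` are molecule template leftovers and should go once real assertions land.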
@@ -3,3 +3,451 @@ remote_user: root roles: - bind9 + vars: + options: + forwarders: + - 1.1.1.1 + - 1.0.0.1 + fetches_per_server: 200 fail + prefetch: 4 10 + version: none + hostname: l33t.h4x0r + avoid_v4_udp_ports: + - "range 5132 5232" + - "range 1337 31337" + servfail_ttl: 0 + allow_notify: + - 10.0.0.0/8 + allow_query: + - "!10.0.2.1" + - 0/0 + blackhole: + - 192.168.0.0/16 + allow_recursion: [] + empty_server: "empty.server.string" + dns64_server: "server.name" + dns64_contact: "dak.keepit.com" + directory: "{{ bind9_cachedir }}" + key_directory: "{{ bind9_cachedir }}/keys" + statistics_file: "{{ bind9_cachedir }}/named.stats" + rrset_order: + - type: A + name: foo.isc.org + order: random + - type: AAAA + name: foo.isc.org + order: cyclic + - name: bar.isc.org + order: random + - name: "*.bar.isc.org" + order: random + - name: "*.baz.isc.org" + order: cyclic + response_policy: + zones: + - zone: smorg.bop + max_policy_ttl: 30S + min_update_interval: 30S + policy: disabled + add_soa: true + log: true + recursive_only: false + nsip_enable: true + nsdname_enable: true + max_policy_ttl: 30S + min_update_interval: 30S + min_ns_dots: 2 + add_soa: false + break_dnssec: false + nsip_wait_recurse: true + nsdname_wait_recurse: true + qname_wait_recurse: true + recursive_only: true + nsip_enable: true + nsdname_enable: true + dnsrps_enable: false + dnsrps_options: + - simple + - item + - list + response_padding: + block_size: 4096 + addresses: + - 0/0 + rate_limit: + all_per_second: 0 + errors_per_second: 0 + responses_per_second: 0 + referrals_per_second: 0 + nodata_per_second: 0 + nxdomains_per_second: 0 + ipv4_prefix_length: 24 + ipv6_prefix_length: 54 + max_table_size: 20000 + min_table_size: 500 + qps_scale: 250 + slip: 2 + window: 15 + log_only: true + exempt_clients: + - 192.168.0.1 + - 10.20.30.40 + query_source_v6: + address: "*" + port: "*" + dscp: 42 + parental_source_v6: + address: "*" + port: "*" + dscp: 42 + notify_source_v6: + address: "*" + 
notify_source: + address: "*" + listen_on: + - port: 53 + addresses: + - 0.0.0.0 + - port: 5353 + dscp: 42 + addresses: + - 0.0.0.0 + - 127.0.0.1 + listen_on_v6: + - port: 5353 + dscp: 42 + addresses: + - "::" + - "de:ad::be:ef" + dialup: false + minimal_responses: true + zone_statistics: full + ixfr_from_differences: master + dual_stack_servers: + port: 4492 + addresses: + - address: hostname.com + port: 4421 + dscp: 42 + - address: 10.128.128.182 + - address: de:ad::be:ef + dnstap: + - type: auth + - type: client + log: response + - type: resolver + log: query + dnstap_output: + output_type: file + output_file: /tmp/dnstap + size: 10M + versions: 200 + suffix: increment + - name: named.conf.local + acl: + - name: localstuff + addresses: + - 10.0.0.0/8 + - 192.168.0.0/16 + - 172.16.0.0/12 + - name: external + addresses: + - 185.181.220.77 + - "!0.0.0.0/0" + controls: + - type: inet + address: 127.0.0.1 + port: 533 + allow: + - 127.0.0.0/8 + - "!127.13.37.1" + readonly: false + - type: inet + address: 10.20.30.40 + allow: + - 100.0.0.0/8 + view: + - name: recursive-view + match_clients: + - localstuff + match_destinations: + - remote + match-recursive-only: true + options: + transfer_source: + address: 0.0.0.0 + port: '*' + dscp: 42 + allow_recursion: + - localstuff + zones: + - name: google.com + type: forward + forward: only + forwarders: + - 1.1.1.1 + - 1.0.0.1 + dnssec_policy: + - name: mypolicy + keylist: + - role: ksk + key_directory: true + lifetime: unlimited + algorithm: rsasha256 + keysize: 2048 + - role: zsk + lifetime: P30D + algorithm: 8 + - role: csk + lifetime: P6MT12H3M15S + algorithm: ecdsa256 + max_zone_ttl: P4D + parent_ds_ttl: P14D + nsec3param: + iterations: '0' + optout: false + salt_length: '0' + dyndb: + - name: sample + driver: example.so + parameters: + - example.nil. arpa. + - example2.nil. arpa. 
+ http: + - name: dohconf + endpoints: + - /dns-query + - /dns + - /query + listener_clients: 4 + streams_per_connection: 1024 + keylist: + - name: certbot. + algorithm: hmac-sha512 + secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" + - name: certbot2. + algorithm: hmac-sha512 + secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" + logging: + categories: + - name: default + channels: + - default_syslog + - default_debug + - tv2 + - dr1 + - name: unmatched + channels: + - tv3 + channels: + - name: tv2 + buffered: true + file: + name: /var/log/named.log + versions: 7 + size: 20m + suffix: increment + print_category: false + print_severity: false + print_time: iso8601-utc + severity: info + - name: tv3 + 'null': true + - name: dr1 + syslog: daemon + - name: kanalkobenhavn + stderr: true + severity: debug 3 + parental_agents: + - name: parents + port: 53353 + dscp: 42 + addresses: + - address: 10.20.30.40 + port: 53 + key: certbot. + - address: 20.30.40.50 + port: 53 + - address: 30.40.50.60 + key: certbot2. + - address: 40.50.60.70 + - name: notparents + addresses: + - address: 10.20.30.40 + - address: 30.40.50.60 + - address: 40.50.60.70 + primaries: + - name: parents + port: 53353 + dscp: 42 + addresses: + - address: 10.20.30.40 + port: 53 + key: certbot. + - address: 20.30.40.50 + port: 53 + - address: 30.40.50.60 + key: certbot2. + - address: 40.50.60.70 + - name: notparents + addresses: + - address: 10.20.30.40 + - address: 30.40.50.60 + - address: 40.50.60.70 + tls: + - name: certbot + cert_file: /etc/ssl/private/snakeoil.pem + key_file: /etc/ssl/private/snakeoil.key + dhparam_file: /etc/ssl/dhparam.pem + ca_file: /etc/ssl/certs/ca-certificates.crt + remote_hostname: yourhostname + ciphers: HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384 + protocols: + - TLSv1.2 + - TLSv1.3 + prefer_server_ciphers: true + session_tickets: true + trust_anchors: + - name: . 
+ type: initial-key + flags: 257 + protocol: 3 + algorithm: 8 + key: "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=" + - name: hugs.dk + type: static-ds + flags: 64335 + protocol: 7 + algorithm: 2 + key: "D6AAECB1BA13D51F072A229C957ACADEA18118FB17DA2DC7D45A963428091372" + server: + - prefix: 1.1.1.1 + bogus: false + edns: true + tcp_only: false + tcp_keepalive: false + edns_version: '0' + padding: '0' + transfers: '0' + keyname: certbot. + query_source: + address: "*" + port: "*" + statistics_channels: + - address: 0.0.0.0 + port: 8080 + allow: + - 0/0 + - name: named.conf.zones + backup: false + zones: + - name: "_acme-challenge.hugs.dk" + type: master + file: master/_acme-challenge.hugs.dk.zone + allow_query: + - any + dnssec_policy: default + inline_signing: true + serial_update_method: date + update_policy: + - permission: grant + identity: certbot. 
+ ruletype: name + name: _acme-challenge.hugs.dk + types: txt + - name: forward.net + type: forward + forwarders: + port: 53 + addresses: + - address: 1.1.1.1 + port: 53 + dscp: 42 + - address: 4.2.2.4 + port: 53 + - name: stub.com + type: static-stub + allow_query: + - any + server_addresses: + - 1.1.1.1 + - 8.8.8.8 + zone_statistics: full + - name: example.com + type: slave + allow_query: + - 127.0.0.1 + - 10.0.0.1 + - 128.15.14.13 + allow_query_on: + - 127.0.0.1 + primaries: + port: 5522 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 55222 + - address: 10.20.30.40 + - name: smorg.bop + type: slave + primaries: + addresses: + - address: 127.0.0.1 + allow_query: + - 15.14.13.12 + - 10.20.30.40 + - 28.25.23.24 + - "!10.13.14.15" + forwarders: + port: 53 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 53 + dscp: 42 + - address: 10.20.30.40 + port: 53 + - address: 20.30.40.50 + - address: 30.40.50.60 + port: 53 + allow_transfer: + port: 5522 + transport: tls + addresses: + - 192.168.122.1 + also_notify: + port: 5523 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 5523 + - address: 127.0.0.2 + auto-dnssec: allow + dnskey_sig_validity: 0 + dnssec-dnskey-kskonly: true + dnssec_loadkeys_interval: 0 + file: "string" + forward: first + inline_signing: true + ixfr_from_differences: true + masterfile_format: raw + masterfile_style: full + max_ixfr_ratio: unlimited + max_journal_size: default + max_records: 0 + max_transfer_idle_out: 0 + max_transfer_time_out: 0 + notify: true + notify_delay: '0' + notify_to_soa: false + parental_agents: + port: 44332 + dscp: 42 + addresses: + - address: 127.0.0.1 + port: 53 + sig_signing_nodes: '0' + sig_signing_signatures: '0' + sig_signing_type: 65281 + zero_no_soa_ttl: true + zone_statistics: full From 39558fce5b4ba4b9975df99757700825c8065b59 Mon Sep 17 00:00:00 2001 
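Review bot: This fixture is a verbatim copy of the converge.yml block but diverges in ways that make it dead or broken: `options:` and the following `- name: named.conf.local` / `- name: named.conf.zones` items sit directly under `vars:` without the `bind9_group_config:` list wrapper converge.yml uses, so the role cannot consume them (and if the mapping key and the sequence items share an indentation level the file does not even parse), and the directory paths reference `{{ bind9_cachedir }}` where converge.yml uses `{{ bind9_working_directory }}`, so at least one of those variables is undefined. It also repeats the two literal TSIG secrets, doubling the committed-secret exposure. Since tests/test.yml and the molecule scenario cover the same ground, a single shared vars file that both playbooks include would stop the two copies drifting. The play header this hunk extends is above the hunk.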
From: Daniel Akulenok Date: Tue, 30 Aug 2022 15:37:32 +0200 Subject: [PATCH 2/7] remove all the vars --- molecule/default/converge.yml | 450 ---------------------------------- tests/test.yml | 448 --------------------------------- 2 files changed, 898 deletions(-) diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 7cd81e8..ac3ff8c 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml 
@@ -3,453 +3,3 @@ hosts: all roles: - keepit.bind9 - vars: - bind9_group_config: - - name: named.conf.options - options: - forwarders: - - 1.1.1.1 - - 1.0.0.1 - fetches_per_server: 200 fail - prefetch: 4 10 - version: none - hostname: l33t.h4x0r - avoid_v4_udp_ports: - - "range 5132 5232" - - "range 1337 31337" - servfail_ttl: 0 - allow_notify: - - 10.0.0.0/8 - allow_query: - - "!10.0.2.1" - - 0/0 - blackhole: - - 192.168.0.0/16 - allow_recursion: [] - empty_server: "empty.server.string" - dns64_server: "server.name" - dns64_contact: "dak.keepit.com" - directory: "{{ bind9_working_directory }}" - key_directory: "{{ bind9_working_directory }}/keys" - statistics_file: "{{ bind9_working_directory }}/named.stats" - rrset_order: - - type: A - name: foo.isc.org - order: random - - type: AAAA - name: foo.isc.org - order: cyclic - - name: bar.isc.org - order: random - - name: "*.bar.isc.org" - order: random - - name: "*.baz.isc.org" - order: cyclic - response_policy: - zones: - - zone: smorg.bop - max_policy_ttl: 30S - min_update_interval: 30S - policy: disabled - add_soa: true - log: true - recursive_only: false - nsip_enable: true - nsdname_enable: true - max_policy_ttl: 30S - min_update_interval: 30S - min_ns_dots: 2 - add_soa: false - break_dnssec: false - nsip_wait_recurse: true - nsdname_wait_recurse: true - qname_wait_recurse: true - recursive_only: true - nsip_enable: true - nsdname_enable: true - dnsrps_enable: false - dnsrps_options: - - simple - - item - - list - response_padding: - block_size: 4096 - addresses: - - 0/0 - rate_limit: - all_per_second: 0 - errors_per_second: 0 - responses_per_second: 0 - referrals_per_second: 0 - nodata_per_second: 0 - nxdomains_per_second: 0 - ipv4_prefix_length: 24 - ipv6_prefix_length: 54 - max_table_size: 20000 - min_table_size: 500 - qps_scale: 250 - slip: 2 - window: 15 - log_only: true - exempt_clients: - - 192.168.0.1 - - 10.20.30.40 - query_source_v6: - address: "*" - port: "*" - dscp: 42 - parental_source_v6: - address: 
"*" - port: "*" - dscp: 42 - notify_source_v6: - address: "*" - notify_source: - address: "*" - listen_on: - - port: 53 - addresses: - - 0.0.0.0 - - port: 5353 - dscp: 42 - addresses: - - 0.0.0.0 - - 127.0.0.1 - listen_on_v6: - - port: 5353 - dscp: 42 - addresses: - - "::" - - "de:ad::be:ef" - dialup: false - minimal_responses: true - zone_statistics: full - ixfr_from_differences: master - dual_stack_servers: - port: 4492 - addresses: - - address: hostname.com - port: 4421 - dscp: 42 - - address: 10.128.128.182 - - address: de:ad::be:ef - dnstap: - - type: auth - - type: client - log: response - - type: resolver - log: query - dnstap_output: - output_type: file - output_file: /tmp/dnstap - size: 10M - versions: 200 - suffix: increment - - name: named.conf.local - acl: - - name: localstuff - addresses: - - 10.0.0.0/8 - - 192.168.0.0/16 - - 172.16.0.0/12 - - name: external - addresses: - - 185.181.220.77 - - "!0.0.0.0/0" - controls: - - type: inet - address: 127.0.0.1 - port: 533 - allow: - - 127.0.0.0/8 - - "!127.13.37.1" - readonly: false - - type: inet - address: 10.20.30.40 - allow: - - 100.0.0.0/8 - view: - - name: recursive-view - match_clients: - - localstuff - match_destinations: - - remote - match-recursive-only: true - options: - transfer_source: - address: 0.0.0.0 - port: '*' - dscp: 42 - allow_recursion: - - localstuff - zones: - - name: google.com - type: forward - forward: only - forwarders: - - 1.1.1.1 - - 1.0.0.1 - dnssec_policy: - - name: mypolicy - keylist: - - role: ksk - key_directory: true - lifetime: unlimited - algorithm: rsasha256 - keysize: 2048 - - role: zsk - lifetime: P30D - algorithm: 8 - - role: csk - lifetime: P6MT12H3M15S - algorithm: ecdsa256 - max_zone_ttl: P4D - parent_ds_ttl: P14D - nsec3param: - iterations: '0' - optout: false - salt_length: '0' - dyndb: - - name: sample - driver: example.so - parameters: - - example.nil. arpa. - - example2.nil. arpa. 
- http: - - name: dohconf - endpoints: - - /dns-query - - /dns - - /query - listener_clients: 4 - streams_per_connection: 1024 - keylist: - - name: certbot. - algorithm: hmac-sha512 - secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" - - name: certbot2. - algorithm: hmac-sha512 - secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" - logging: - categories: - - name: default - channels: - - default_syslog - - default_debug - - tv2 - - dr1 - - name: unmatched - channels: - - tv3 - channels: - - name: tv2 - buffered: true - file: - name: /var/log/named.log - versions: 7 - size: 20m - suffix: increment - print_category: false - print_severity: false - print_time: iso8601-utc - severity: info - - name: tv3 - 'null': true - - name: dr1 - syslog: daemon - - name: kanalkobenhavn - stderr: true - severity: debug 3 - parental_agents: - - name: parents - port: 53353 - dscp: 42 - addresses: - - address: 10.20.30.40 - port: 53 - key: certbot. - - address: 20.30.40.50 - port: 53 - - address: 30.40.50.60 - key: certbot2. - - address: 40.50.60.70 - - name: notparents - addresses: - - address: 10.20.30.40 - - address: 30.40.50.60 - - address: 40.50.60.70 - primaries: - - name: parents - port: 53353 - dscp: 42 - addresses: - - address: 10.20.30.40 - port: 53 - key: certbot. - - address: 20.30.40.50 - port: 53 - - address: 30.40.50.60 - key: certbot2. - - address: 40.50.60.70 - - name: notparents - addresses: - - address: 10.20.30.40 - - address: 30.40.50.60 - - address: 40.50.60.70 - tls: - - name: certbot - cert_file: /etc/ssl/private/snakeoil.pem - key_file: /etc/ssl/private/snakeoil.key - dhparam_file: /etc/ssl/dhparam.pem - ca_file: /etc/ssl/certs/ca-certificates.crt - remote_hostname: yourhostname - ciphers: HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384 - protocols: - - TLSv1.2 - - TLSv1.3 - prefer_server_ciphers: true - session_tickets: true - trust_anchors: - - name: . 
- type: initial-key - flags: 257 - protocol: 3 - algorithm: 8 - key: "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=" - - name: hugs.dk - type: static-ds - flags: 64335 - protocol: 7 - algorithm: 2 - key: "D6AAECB1BA13D51F072A229C957ACADEA18118FB17DA2DC7D45A963428091372" - server: - - prefix: 1.1.1.1 - bogus: false - edns: true - tcp_only: false - tcp_keepalive: false - edns_version: '0' - padding: '0' - transfers: '0' - keyname: certbot. - query_source: - address: "*" - port: "*" - statistics_channels: - - address: 0.0.0.0 - port: 8080 - allow: - - 0/0 - - name: named.conf.zones - backup: false - zones: - - name: "_acme-challenge.hugs.dk" - type: master - file: master/_acme-challenge.hugs.dk.zone - allow_query: - - any - dnssec_policy: default - inline_signing: true - serial_update_method: date - update_policy: - - permission: grant - identity: certbot. 
- ruletype: name - name: _acme-challenge.hugs.dk - types: txt - - name: forward.net - type: forward - forwarders: - port: 53 - addresses: - - address: 1.1.1.1 - port: 53 - dscp: 42 - - address: 4.2.2.4 - port: 53 - - name: stub.com - type: static-stub - allow_query: - - any - server_addresses: - - 1.1.1.1 - - 8.8.8.8 - zone_statistics: full - - name: example.com - type: slave - allow_query: - - 127.0.0.1 - - 10.0.0.1 - - 128.15.14.13 - allow_query_on: - - 127.0.0.1 - primaries: - port: 5522 - dscp: 42 - addresses: - - address: 127.0.0.1 - port: 55222 - - address: 10.20.30.40 - - name: smorg.bop - type: slave - primaries: - addresses: - - address: 127.0.0.1 - allow_query: - - 15.14.13.12 - - 10.20.30.40 - - 28.25.23.24 - - "!10.13.14.15" - forwarders: - port: 53 - dscp: 42 - addresses: - - address: 127.0.0.1 - port: 53 - dscp: 42 - - address: 10.20.30.40 - port: 53 - - address: 20.30.40.50 - - address: 30.40.50.60 - port: 53 - allow_transfer: - port: 5522 - transport: tls - addresses: - - 192.168.122.1 - also_notify: - port: 5523 - dscp: 42 - addresses: - - address: 127.0.0.1 - port: 5523 - - address: 127.0.0.2 - auto-dnssec: allow - dnskey_sig_validity: 0 - dnssec-dnskey-kskonly: true - dnssec_loadkeys_interval: 0 - file: "string" - forward: first - inline_signing: true - ixfr_from_differences: true - masterfile_format: raw - masterfile_style: full - max_ixfr_ratio: unlimited - max_journal_size: default - max_records: 0 - max_transfer_idle_out: 0 - max_transfer_time_out: 0 - notify: true - notify_delay: '0' - notify_to_soa: false - parental_agents: - port: 44332 - dscp: 42 - addresses: - - address: 127.0.0.1 - port: 53 - sig_signing_nodes: '0' - sig_signing_signatures: '0' - sig_signing_type: 65281 - zero_no_soa_ttl: true - zone_statistics: full diff --git a/tests/test.yml b/tests/test.yml index c5a12ed..5e082e0 100644 --- a/tests/test.yml +++ b/tests/test.yml 
@@ -3,451 +3,3 @@ remote_user: root roles: - bind9 - vars: - options: - forwarders: - - 1.1.1.1 - - 1.0.0.1 - fetches_per_server: 200 fail - prefetch: 4 10 - version: none - hostname: l33t.h4x0r - avoid_v4_udp_ports: - - "range 5132 5232" - - "range 1337 31337" - servfail_ttl: 0 - allow_notify: - - 10.0.0.0/8 - allow_query: - - "!10.0.2.1" - - 0/0 - blackhole: - - 192.168.0.0/16 - allow_recursion: [] - empty_server: "empty.server.string" - dns64_server: "server.name" - dns64_contact: "dak.keepit.com" - directory: "{{ bind9_cachedir }}" - key_directory: "{{ bind9_cachedir }}/keys" - statistics_file: "{{ bind9_cachedir }}/named.stats" - rrset_order: - - type: A - name: foo.isc.org - order: random - - type: AAAA - name: foo.isc.org - order: cyclic - - name: bar.isc.org - order: random - - name: "*.bar.isc.org" - order: random - - name: "*.baz.isc.org" - order: cyclic - response_policy: - zones: - - zone: smorg.bop - max_policy_ttl: 30S - min_update_interval: 30S - policy: disabled - add_soa: true - log: true - recursive_only: false - nsip_enable: true - nsdname_enable: true - max_policy_ttl: 30S - min_update_interval: 30S - min_ns_dots: 2 - add_soa: false - break_dnssec: false - nsip_wait_recurse: true - nsdname_wait_recurse: true - qname_wait_recurse: true - recursive_only: true - nsip_enable: true - nsdname_enable: true - dnsrps_enable: false - dnsrps_options: - - simple - - item - - list - response_padding: - block_size: 4096 - addresses: - - 0/0 - rate_limit: - all_per_second: 0 - errors_per_second: 0 - responses_per_second: 0 - referrals_per_second: 0 - nodata_per_second: 0 - nxdomains_per_second: 0 - ipv4_prefix_length: 24 - ipv6_prefix_length: 54 - max_table_size: 20000 - min_table_size: 500 - qps_scale: 250 - slip: 2 - window: 15 - log_only: true - exempt_clients: - - 192.168.0.1 - - 10.20.30.40 - query_source_v6: - address: "*" - port: "*" - dscp: 42 - parental_source_v6: - address: "*" - port: "*" - dscp: 42 - notify_source_v6: - address: "*" - 
notify_source: - address: "*" - listen_on: - - port: 53 - addresses: - - 0.0.0.0 - - port: 5353 - dscp: 42 - addresses: - - 0.0.0.0 - - 127.0.0.1 - listen_on_v6: - - port: 5353 - dscp: 42 - addresses: - - "::" - - "de:ad::be:ef" - dialup: false - minimal_responses: true - zone_statistics: full - ixfr_from_differences: master - dual_stack_servers: - port: 4492 - addresses: - - address: hostname.com - port: 4421 - dscp: 42 - - address: 10.128.128.182 - - address: de:ad::be:ef - dnstap: - - type: auth - - type: client - log: response - - type: resolver - log: query - dnstap_output: - output_type: file - output_file: /tmp/dnstap - size: 10M - versions: 200 - suffix: increment - - name: named.conf.local - acl: - - name: localstuff - addresses: - - 10.0.0.0/8 - - 192.168.0.0/16 - - 172.16.0.0/12 - - name: external - addresses: - - 185.181.220.77 - - "!0.0.0.0/0" - controls: - - type: inet - address: 127.0.0.1 - port: 533 - allow: - - 127.0.0.0/8 - - "!127.13.37.1" - readonly: false - - type: inet - address: 10.20.30.40 - allow: - - 100.0.0.0/8 - view: - - name: recursive-view - match_clients: - - localstuff - match_destinations: - - remote - match-recursive-only: true - options: - transfer_source: - address: 0.0.0.0 - port: '*' - dscp: 42 - allow_recursion: - - localstuff - zones: - - name: google.com - type: forward - forward: only - forwarders: - - 1.1.1.1 - - 1.0.0.1 - dnssec_policy: - - name: mypolicy - keylist: - - role: ksk - key_directory: true - lifetime: unlimited - algorithm: rsasha256 - keysize: 2048 - - role: zsk - lifetime: P30D - algorithm: 8 - - role: csk - lifetime: P6MT12H3M15S - algorithm: ecdsa256 - max_zone_ttl: P4D - parent_ds_ttl: P14D - nsec3param: - iterations: '0' - optout: false - salt_length: '0' - dyndb: - - name: sample - driver: example.so - parameters: - - example.nil. arpa. - - example2.nil. arpa. 
- http: - - name: dohconf - endpoints: - - /dns-query - - /dns - - /query - listener_clients: 4 - streams_per_connection: 1024 - keylist: - - name: certbot. - algorithm: hmac-sha512 - secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" - - name: certbot2. - algorithm: hmac-sha512 - secret: "agyMWst4ZcbhGKqGuR6Pjgz1KJSHdcM0s5tz06n+ZxpfZYVWP67E2cr7Mru+HQRLl7HEBE5Zl4vS3S+SA4kXrA==" - logging: - categories: - - name: default - channels: - - default_syslog - - default_debug - - tv2 - - dr1 - - name: unmatched - channels: - - tv3 - channels: - - name: tv2 - buffered: true - file: - name: /var/log/named.log - versions: 7 - size: 20m - suffix: increment - print_category: false - print_severity: false - print_time: iso8601-utc - severity: info - - name: tv3 - 'null': true - - name: dr1 - syslog: daemon - - name: kanalkobenhavn - stderr: true - severity: debug 3 - parental_agents: - - name: parents - port: 53353 - dscp: 42 - addresses: - - address: 10.20.30.40 - port: 53 - key: certbot. - - address: 20.30.40.50 - port: 53 - - address: 30.40.50.60 - key: certbot2. - - address: 40.50.60.70 - - name: notparents - addresses: - - address: 10.20.30.40 - - address: 30.40.50.60 - - address: 40.50.60.70 - primaries: - - name: parents - port: 53353 - dscp: 42 - addresses: - - address: 10.20.30.40 - port: 53 - key: certbot. - - address: 20.30.40.50 - port: 53 - - address: 30.40.50.60 - key: certbot2. - - address: 40.50.60.70 - - name: notparents - addresses: - - address: 10.20.30.40 - - address: 30.40.50.60 - - address: 40.50.60.70 - tls: - - name: certbot - cert_file: /etc/ssl/private/snakeoil.pem - key_file: /etc/ssl/private/snakeoil.key - dhparam_file: /etc/ssl/dhparam.pem - ca_file: /etc/ssl/certs/ca-certificates.crt - remote_hostname: yourhostname - ciphers: HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384 - protocols: - - TLSv1.2 - - TLSv1.3 - prefer_server_ciphers: true - session_tickets: true - trust_anchors: - - name: . 
- type: initial-key - flags: 257 - protocol: 3 - algorithm: 8 - key: "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=" - - name: hugs.dk - type: static-ds - flags: 64335 - protocol: 7 - algorithm: 2 - key: "D6AAECB1BA13D51F072A229C957ACADEA18118FB17DA2DC7D45A963428091372" - server: - - prefix: 1.1.1.1 - bogus: false - edns: true - tcp_only: false - tcp_keepalive: false - edns_version: '0' - padding: '0' - transfers: '0' - keyname: certbot. - query_source: - address: "*" - port: "*" - statistics_channels: - - address: 0.0.0.0 - port: 8080 - allow: - - 0/0 - - name: named.conf.zones - backup: false - zones: - - name: "_acme-challenge.hugs.dk" - type: master - file: master/_acme-challenge.hugs.dk.zone - allow_query: - - any - dnssec_policy: default - inline_signing: true - serial_update_method: date - update_policy: - - permission: grant - identity: certbot. 
- ruletype: name - name: _acme-challenge.hugs.dk - types: txt - - name: forward.net - type: forward - forwarders: - port: 53 - addresses: - - address: 1.1.1.1 - port: 53 - dscp: 42 - - address: 4.2.2.4 - port: 53 - - name: stub.com - type: static-stub - allow_query: - - any - server_addresses: - - 1.1.1.1 - - 8.8.8.8 - zone_statistics: full - - name: example.com - type: slave - allow_query: - - 127.0.0.1 - - 10.0.0.1 - - 128.15.14.13 - allow_query_on: - - 127.0.0.1 - primaries: - port: 5522 - dscp: 42 - addresses: - - address: 127.0.0.1 - port: 55222 - - address: 10.20.30.40 - - name: smorg.bop - type: slave - primaries: - addresses: - - address: 127.0.0.1 - allow_query: - - 15.14.13.12 - - 10.20.30.40 - - 28.25.23.24 - - "!10.13.14.15" - forwarders: - port: 53 - dscp: 42 - addresses: - - address: 127.0.0.1 - port: 53 - dscp: 42 - - address: 10.20.30.40 - port: 53 - - address: 20.30.40.50 - - address: 30.40.50.60 - port: 53 - allow_transfer: - port: 5522 - transport: tls - addresses: - - 192.168.122.1 - also_notify: - port: 5523 - dscp: 42 - addresses: - - address: 127.0.0.1 - port: 5523 - - address: 127.0.0.2 - auto-dnssec: allow - dnskey_sig_validity: 0 - dnssec-dnskey-kskonly: true - dnssec_loadkeys_interval: 0 - file: "string" - forward: first - inline_signing: true - ixfr_from_differences: true - masterfile_format: raw - masterfile_style: full - max_ixfr_ratio: unlimited - max_journal_size: default - max_records: 0 - max_transfer_idle_out: 0 - max_transfer_time_out: 0 - notify: true - notify_delay: '0' - notify_to_soa: false - parental_agents: - port: 44332 - dscp: 42 - addresses: - - address: 127.0.0.1 - port: 53 - sig_signing_nodes: '0' - sig_signing_signatures: '0' - sig_signing_type: 65281 - zero_no_soa_ttl: true - zone_statistics: full From 193d3e581d01a90934abe4dea13f4673df747428 Mon Sep 17 00:00:00 2001 
From: Daniel Akulenok Date: Tue, 30 Aug 2022 15:37:41 +0200 Subject: [PATCH 3/7] we do not use travis --- .travis.yml | 35 ----------------------------------- 1 file changed, 35 deletions(-) delete mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index c46a694..0000000 --- a/.travis.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -language: python -python: "2.7" - -# Use the new container infrastructure -sudo: required - -# Install ansible -addons: - apt: - packages: - - python-pip - -install: - # Install ansible - - pip install ansible - - # Check ansible version - - ansible --version - - # Create ansible.cfg with correct roles_path - - printf '[defaults]\nroles_path=../' >ansible.cfg - -script: - # Basic role syntax check - - ansible-playbook tests/test.yml -i tests/inventory --syntax-check - -#notifications: -# webhooks: https://galaxy.ansible.com/api/v1/notifications/ - -env: -- distribution: debian - version: bullseye -- distribution: ubuntu - version: jammy \ No newline at end of file From a8b64dde7b144eacdb701aa5cb8f6a423dcd7711 Mon Sep 17 00:00:00 2001 From: Daniel Akulenok Date: Tue, 30 Aug 2022 16:01:31 +0200 Subject: [PATCH 4/7] Add gitlab ci --- .gitlab-ci.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .gitlab-ci.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..7970f91 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,23 @@ +--- +image: docker:stable-dind + +services: + - docker:dind + +before_script: + - apk add --no-cache + python3 python3-dev py3-pip gcc git curl build-base + autoconf automake py3-cryptography linux-headers + musl-dev libffi-dev openssl-dev openssh + - docker info + - python3 --version + - python3 -m pip install ansible molecule[docker] + ansible-lint + - ansible --version + - molecule --version + +molecule: + stage: test + script: + - molecule test + From 6700165eb1c81a89c297679211777588df221595 Mon Sep 17 00:00:00 2001 
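Review bot: The new `.gitlab-ci.yml` installs its whole toolchain unpinned — `python3 -m pip install ansible molecule[docker] ansible-lint` and the `apk add` line take whatever is current, and `image: docker:stable-dind` with the `docker:dind` service is a moving tag that, by its nature, runs on a privileged runner. That makes the test result non-reproducible and lets a broken or tampered upstream release land in CI without any change to this repository. Pin the image by tag or digest and install from a requirements file with exact versions (and ideally `--require-hashes`), e.g. `- python3 -m pip install -r requirements-ci.txt` with `ansible==<ver>`, `molecule[docker]==<ver>`, `ansible-lint==<ver>` recorded there; the versions should be the ones `molecule test` was actually validated against. The `molecule` job also inherits the global `before_script`, so any future job picks up the same unpinned install unless this is moved under the job.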
From: Daniel Akulenok Date: Tue, 30 Aug 2022 16:02:26 +0200 Subject: [PATCH 5/7] Molecule lint --- defaults/main.yml | 8 +++++++- handlers/main.yml | 13 ++++++++----- meta/main.yml | 11 ++++++----- molecule/default/molecule.yml | 4 ++++ tasks/main.yml | 7 ++++--- 5 files changed, 29 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e914823..42c96d6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -28,4 +28,10 @@ bind9_default_config: options: directory: "{{ bind9_working_directory }}" -bind9_config: "{{ [bind9_default_config, bind9_group_config, bind9_leaf_config, bind9_host_config] | community.general.lists_mergeby('name', recursive=true, list_merge='append_rp') }}" +bind9_config: "{{ [bind9_default_config, + bind9_group_config, + bind9_leaf_config, + bind9_host_config] | + community.general.lists_mergeby('name', + recursive=true, + list_merge='append_rp') }}" diff --git a/handlers/main.yml b/handlers/main.yml index 55a46b5..6f84734 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,23 +1,26 @@ --- # handlers file for bind9 -- name: reload bind +- name: Reload bind ansible.builtin.service: name: named state: reloaded -- name: restart bind +- name: Restart bind ansible.builtin.service: name: named state: restarted -- name: backup bind config +- name: Backup bind config community.general.archive: path: - "{{ bind9_cfgdir }}" - "{{ bind9_working_directory }}" - "{{ bind9_libdir }}" - dest: "{{ bind9_backup_dir }}/bind9-config-{{ ansible_date_time.iso8601_basic_short }}.tar.gz" + dest: > + {{ bind9_backup_dir }}/ + bind9-config- + {{ ansible_date_time.iso8601_basic_short }}.tar.gz owner: root group: root mode: 0640 - when: bind9_backup_config is defined and bind9_backup_config \ No newline at end of file + when: bind9_backup_config is defined and bind9_backup_config diff --git a/meta/main.yml b/meta/main.yml index 2673351..849f568 100644 --- a/meta/main.yml +++ b/meta/main.yml 
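Review bot: The folded block scalar introduced for `dest` in `Backup bind config` changes the value, not just the layout: YAML joins the three lines with single spaces (and `>` keeps one trailing newline), so the archive is written to `<backup_dir>/ bind9-config- <timestamp>.tar.gz` instead of `<backup_dir>/bind9-config-<timestamp>.tar.gz`. Anything that later looks for the expected filename, or relies on the backup directory being tidy, will miss these files. Put the whole path inside one Jinja expression so the folded whitespace falls where Jinja ignores it: `dest: >-` / `  {{ bind9_backup_dir ~ '/bind9-config-'` / `     ~ ansible_date_time.iso8601_basic_short ~ '.tar.gz' }}`, or keep the original one-line form with a yamllint `disable-line rule:line-length` comment. The equivalent multi-line double-quoted `bind9_config` in `defaults/main.yml` is fine, because there every line break falls inside the `{{ … }}` brackets.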
@@ -1,3 +1,4 @@ +--- galaxy_info: role_name: bind9 namespace: valid @@ -10,18 +11,18 @@ galaxy_info: license: GPL-3.0-or-later - min_ansible_version: 2.13 + min_ansible_version: "2.13" platforms: - name: Ubuntu versions: - - 22.04 - - 20.04 + - jammy + - focal - name: Debian versions: - - 11 + - bullseye - galaxy_tags: + galaxy_tags: - bind9 - bind - dns diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index a6db466..e3aa0d9 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -16,3 +16,7 @@ provisioner: name: ansible-lint verifier: name: ansible +lint: | + set -e + yamllint . + ansible-lint . diff --git a/tasks/main.yml b/tasks/main.yml index 6af2640..d9585f0 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -18,12 +18,13 @@ mode: 0750 when: bind9_backup_config is defined and bind9_backup_config -- name: named.conf.generator +- name: Template named.conf.generator ansible.builtin.template: src: named.conf.generator.j2 dest: "{{ bind9_cfgdir }}/{{ item.name }}" owner: root group: bind + mode: 0640 backup: "{{ item.backup | default('false') | bool }}" # validate: 'named-checkconf -z -j %s' loop: "{{ bind9_config }}" @@ -33,8 +34,8 @@ - bind9 - template notify: - - backup bind config - - restart bind + - Backup bind config + - Restart bind - name: Ensure the named service is started ansible.builtin.service: From c421acfde6feff1ea8bf19d7733f5cc319c24427 Mon Sep 17 00:00:00 2001 From: Daniel Akulenok Date: Tue, 30 Aug 2022 16:02:43 +0200 Subject: [PATCH 6/7] Indentation Saga --- templates/named.conf.generator.j2 | 6 +++--- templates/named.conf.options.j2 | 6 +++--- templates/named.conf.parental-agents.j2 | 5 ++--- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/templates/named.conf.generator.j2 b/templates/named.conf.generator.j2 index 70e3d0e..df107a6 100644 --- a/templates/named.conf.generator.j2 +++ b/templates/named.conf.generator.j2 
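Review bot: `mode: 0640` added to `Template named.conf.generator` is a bare YAML 1.1 octal literal; it only works because the leading zero makes the parser yield the integer 0o640, and it is the form ansible-lint's `risky-octal` rule and the YAML "quote octal modes" convention exist to discourage. Quote it as `mode: "0640"` — the same applies to the `mode: 0750` visible as context at the top of this hunk and to the handler's archive mode, which lies outside it. Separately, the template is still written with `validate:` commented out while it notifies `Restart bind`, so a rendering error in any generated fragment restarts named into a broken config rather than failing the play; if the fragments cannot be checked standalone because they are includes, a comment saying so next to the commented `validate:` line, plus a `named-checkconf` run against the full `named.conf` after the loop, would close that gap.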
@@ -1,4 +1,4 @@ -{% import 'named.conf.functions.j2' as functions %} +{% import 'named.conf.functions.j2' as functions with context %} {{ ansible_managed | comment }} {% if item.options is defined and item.options %} {% from 'named.conf.options.j2' import options with context %} @@ -51,7 +51,7 @@ options { {% endif %} {% if item.parental_agents is defined and item.parental_agents %} {% from 'named.conf.parental-agents.j2' import parental_agents with context %} -{{ parental_agents(item.parental_agents) }} +{{ parental_agents(item.parental_agents) -}} {% endif %} {% if item.server is defined and item.server %} {% from 'named.conf.server.j2' import server with context %} @@ -76,4 +76,4 @@ options { {% if item.view is defined and item.view %} {% from 'named.conf.view.j2' import view with context %} {{ view(item.view) }} -{% endif %} \ No newline at end of file +{% endif %} diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index 48a3d93..68f85eb 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 @@ -2,7 +2,7 @@ {# Unicorn Options#} {% if option.rrset_order is defined and option.rrset_order %} rrset-order { -{% filter indent(bind9_config_indent*2, true) %} +{% filter indent(bind9_config_indent, true) %} {% for rrset in option.rrset_order %} {{ ('class ' + rrset.class | string + ' ') if rrset.class is defined and rrset.class -}} {{ ('type ' + rrset.type | string + ' ') if rrset.type is defined and rrset.type -}} 
@@ -38,7 +38,7 @@ response-policy { {{- (' nsip-enable ' + functions.named_boolean(option.response_policy.nsip_enable)) if option.response_policy.nsip_enable is defined -}} {{- (' nsdname-enable ' + functions.named_boolean(option.response_policy.nsdname_enable)) if option.response_policy.nsdname_enable is defined -}} {{- (' dnsrps-enable ' + functions.named_boolean(option.response_policy.dnsrps_enable)) if option.response_policy.dnsrps_enable is defined -}} -{{- (' dnsrps-options {\n' + functions.simple_item_list(option.response_policy.dnsrps_options) + '}') if option.response_policy.dnsrps_options is defined and option.response_policy.dnsrps_options -}}; +{{- (' dnsrps-options { ' + option.response_policy.dnsrps_options | join('; ') + '; }') if option.response_policy.dnsrps_options is defined and option.response_policy.dnsrps_options -}}; {% endif %} {% if option.response_padding is defined and option.response_padding %} response-padding { @@ -164,7 +164,7 @@ check-names {{ policy.type }} {{ policy.action }}; catalog-zones { {% for catalog_zone in option.catalog_zones %} zone {{ catalog_zone.zone }} -{% filter indent(bind9_config_indent*3, true) %} +{% filter indent(bind9_config_indent, true) %} {% if catalog_zone.default_primaries is defined and catalog_zone.default_primaries %} default-primaries {{- (' port ' + catalog_zone.default_primaries.port | string) if catalog_zone.default_primaries.port is defined and catalog_zone.default_primaries.port -}} diff --git a/templates/named.conf.parental-agents.j2 b/templates/named.conf.parental-agents.j2 index 95b0a4b..8999a34 100644 --- a/templates/named.conf.parental-agents.j2 +++ b/templates/named.conf.parental-agents.j2 
@@ -3,8 +3,7 @@ parental-agents {{ agent.name -}} {{ (' port ' + agent.port | string) if agent.port is defined and agent.port -}} {{ (' dscp ' + agent.dscp | string) if agent.dscp is defined and agent.dscp }} { -{% filter indent(bind9_config_indent, true) %} -{{ functions.list_address_port_key_tls(agent.addresses) -}} -{% endfilter %}}; +{{ functions.list_address_port_key_tls(agent.addresses) -}}}; + {% endfor %} {% endmacro %} \ No newline at end of file From eb543c5796fcdca0f71240f1bae3f95e1ad333f8 Mon Sep 17 00:00:00 2001 From: Daniel Akulenok Date: Tue, 30 Aug 2022 16:09:22 +0200 Subject: [PATCH 7/7] not too many empty lines or else lint goes crazy --- .gitlab-ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7970f91..0e52b5e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -20,4 +20,3 @@ molecule: stage: test script: - molecule test -