Update forwarders for 9.20

revert feat: Add remote-servers support for BIND 9.20

handlers/main.yml

@@ -18,7 +18,7 @@
       - "{{ bind9_libdir }}"
     dest: "{{
       bind9_backup_dir + '/bind9-config-' +
-      ansible_date_time.iso8601_basic_short + '.tar.gz' }}"
+      ansible_facts.date_time.iso8601_basic_short + '.tar.gz' }}"
     owner: root
     group: root
     mode: 0640

molecule/default/collections.yml

@@ -0,0 +1,7 @@
+---
+collections:
+  - name: ansible.utils
+  - name: ansible.posix
+  - name: community.crypto
+  - name: community.general
+

molecule/default/converge.yml

@@ -1,5 +1,31 @@
 ---
 - name: Converge
   hosts: all
-  roles:
+  vars:
-    - keepit.bind9
+    bind9_group_config:
+      - name: named.conf.options
+        options:
+          directory: "{{ bind9_working_directory }}"
+          forwarders:
+            port: 853
+            tls: common-upstream
+            addresses:
+              - address: 192.0.2.10
+                port: 5353
+                tls: leaf-a
+              - address:
+                  - 2001:db8::10
+                  - 198.51.100.10
+                tls: dual-stack
+              - 203.0.113.10
+        tls:
+          - name: common-upstream
+            remote_hostname: upstream.example
+          - name: leaf-a
+            remote_hostname: leaf-a.example
+          - name: dual-stack
+            remote_hostname: dual-stack.example
+  tasks:
+    - name: Include bind9 role
+      ansible.builtin.include_role:
+        name: ../../../ansible-bind9-role

molecule/default/molecule.yml

@@ -1,22 +1,18 @@
 ---
-dependency:
-  name: galaxy
 driver:
   name: podman
 platforms:
-  - name: ubuntu-jammy
+  - name: debian-trixie
-    image: ubuntu:jammy
+    image: docker.io/jrei/systemd-debian:13
-  - name: ubuntu-focal
+    command: /lib/systemd/systemd
-    image: ubuntu:focal
+    privileged: true
-  - name: debian-bullseye
+    volumes:
-    image: debian:bullseye
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
 provisioner:
   name: ansible
-  lint:
+  config_options:
-    name: ansible-lint
+    defaults:
+      ALLOW_BROKEN_CONDITIONALS: true
 verifier:
   name: ansible
-lint: |
-  set -e
-  ansible-lint .
-  yamllint .

molecule/default/prepare.yml

@@ -0,0 +1,6 @@
+---
+- hosts: all
+  tasks:
+    - name: Update apt
+      ansible.builtin.apt:
+        update_cache: true

molecule/default/verify.yml

@@ -0,0 +1,21 @@
+---
+- name: Verify forwarders configuration
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Read named.conf.options
+      ansible.builtin.slurp:
+        src: /etc/bind/named.conf.options
+      register: forwarders_file
+
+    - name: Assert forwarders render with port and tls
+      ansible.builtin.assert:
+        that:
+          - forwarders_content is search('forwarders port 853 tls common-upstream \{')
+          - forwarders_content is search('192.0.2.10 port 5353 tls leaf-a;')
+          - forwarders_content is search('2001:db8::10 tls dual-stack;')
+          - forwarders_content is search('198.51.100.10 tls dual-stack;')
+          - forwarders_content is search('203.0.113.10;')
+        fail_msg: "Forwarders block missing expected port/tls entries"
+      vars:
+        forwarders_content: "{{ forwarders_file.content | b64decode }}"

templates/named.conf.functions.j2

@@ -42,6 +42,46 @@
 {% endif %}
 {% endmacro %}
 
+{% macro list_address_port_tls(dict, indent=bind9_config_indent) %}
+{# This macro is for use for statements with grammar like #}
+{#  address port 00 tls string; address port 00 tls string; #}
+{# it is usually called by a parent macro #}
+{% filter indent(indent, true) %}
+{% for item in dict %}
+{% if item is not mapping %}
+{{ item }};
+{% elif item.address is string %}
+{{ item.address -}}
+{{- (' port ' + item.port | string) if item.port is defined and item.port -}}
+{{- (' tls ' + item.tls | string) if item.tls is defined and item.tls -}};
+{% elif item.address is sequence %}
+{% for address in item.address %}
+{{ address -}}
+{{- (' port ' + item.port | string) if item.port is defined and item.port -}}
+{{- (' tls ' + item.tls | string) if item.tls is defined and item.tls -}};
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endfilter %}
+{% endmacro %}
+
+{% macro parent_address_port_tls(name, dict) %}
+{# This macro is for statements with grammar like #}
+{# statement port 00 tls string { address port 00 tls string; address port 00 tls string; } #}
+{# the list inside the statement is handled by list_address_port_tls #}
+{% if dict is not mapping and dict is iterable %}
+{{ name }} {
+{{ list_address_port_tls(dict) -}}
+};
+{% else %}
+{{ name }}
+{{- (' port ' + dict.port | string) if dict.port is defined and dict.port -}}
+{{- (' tls ' + dict.tls | string) if dict.tls is defined and dict.tls }} {
+{{ list_address_port_tls(dict.addresses) -}}
+};
+{% endif %}
+{% endmacro %}
+
 {% macro list_address_port_dscp(dict, indent=bind9_config_indent) %}
 {# This macro is for use for statements with grammar like #}
 {#  address port 00 dscp 00; address port 00 dscp 00; #}
@@ -65,12 +105,14 @@
 {# the list inside the statement is handled by list_address_port #}
 {% if dict is not mapping and dict is iterable %}
 {{ name }} {
-{{ list_address_port_dscp(dict) }}};
+{{ list_address_port_dscp(dict) }}
+};
 {% else %}
 {{ name }}
 {{- (' port ' + dict.port | string) if dict.port is defined and dict.port -}}
 {{- (' dscp ' + dict.dscp | string) if dict.dscp is defined and dict.dscp }} {
-{{ list_address_port_dscp(dict.addresses) }}};
+{{ list_address_port_dscp(dict.addresses) }}
+};
 {% endif %}
 {% endmacro %}
 

templates/named.conf.options.j2

@@ -101,7 +101,7 @@ listen-on
 {{ functions.simple_item_list(item.options.listen_on.addresses) }}};
 {% endfor %}
 {% endif %}
-{{ functions.parent_address_port_dscp("forwarders", item.options.forwarders) if item.options.forwarders is defined and item.options.forwarders -}}
+{{ functions.parent_address_port_tls('forwarders', item.options.forwarders) if item.options.forwarders is defined and item.options.forwarders -}}
 {% if item.options.dual_stack_servers is defined and item.options.dual_stack_servers %}
 dual-stack-servers
 {{ (' port ' + item.options.dual_stack_servers.port | string) if item.options.dual_stack_servers.port is defined and item.options.dual_stack_servers }} {

templates/named.conf.zone.j2

@@ -47,7 +47,7 @@ server-names {
 server-addresses {
 {{ functions.simple_item_list(zone.server_addresses) }}};
 {% endif %}
-{{ functions.parent_address_port_dscp('forwarders', zone.forwarders) if zone.forwarders is defined and zone.forwarders -}}
+{{ functions.parent_address_port_tls('forwarders', zone.forwarders) if zone.forwarders is defined and zone.forwarders -}}
 {% if zone.allow_transfer is defined and zone.allow_transfer is not string %}
 allow-transfer
 {{- (' port ' + zone.allow_transfer.port | string) if zone.allow_transfer.port is defined and zone.allow_transfer.port -}}