Compare commits
70 Commits
@@ -1,63 +0,0 @@
|
|||||||
---
|
|
||||||
name: Test
|
|
||||||
|
|
||||||
on: # noqa: yaml[truthy]
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- feature/**
|
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
lint:
|
|
||||||
name: Lint
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v6
|
|
||||||
|
|
||||||
- name: Set up Python
|
|
||||||
uses: actions/setup-python@v4
|
|
||||||
with:
|
|
||||||
python-version: '3.11'
|
|
||||||
|
|
||||||
- name: Install tools
|
|
||||||
run: |
|
|
||||||
pip install --no-cache-dir yamllint ansible-lint
|
|
||||||
|
|
||||||
- name: Run yamllint
|
|
||||||
run: yamllint -d relaxed .
|
|
||||||
|
|
||||||
- name: Run ansible-lint
|
|
||||||
run: ansible-lint --strict --profile=production
|
|
||||||
|
|
||||||
test:
|
|
||||||
name: Test
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
needs: lint
|
|
||||||
if: github.event_name == 'pull_request'
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v6
|
|
||||||
|
|
||||||
- name: Set up Python
|
|
||||||
uses: actions/setup-python@v4
|
|
||||||
with:
|
|
||||||
python-version: '3.11'
|
|
||||||
|
|
||||||
- name: Install podman
|
|
||||||
run: |
|
|
||||||
sudo apt-get update
|
|
||||||
sudo apt-get install -y podman
|
|
||||||
|
|
||||||
- name: Install dependencies
|
|
||||||
run: |
|
|
||||||
pip install --no-cache-dir \
|
|
||||||
ansible \
|
|
||||||
molecule[podman] \
|
|
||||||
podman-compose \
|
|
||||||
pyyaml \
|
|
||||||
jinja2
|
|
||||||
|
|
||||||
- name: Run Molecule tests
|
|
||||||
run: molecule test
|
|
||||||
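Review bot: deleting this workflow removes the only automated gate in the repository (yamllint, `ansible-lint --strict --profile=production`, and the Molecule run on pull requests), and nothing else in this change set adds a replacement. If CI has moved with the project to the GitLab instance named in the new `issue_tracker_url`, add the equivalent pipeline file in the same change so lint and `molecule test` keep running; otherwise keep this workflow and update it rather than removing it.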
@@ -1,6 +0,0 @@
|
|||||||
<!--# cspell: ignore SSOT CMDB -->
|
|
||||||
# AGENTS.md
|
|
||||||
|
|
||||||
Ensure that all practices and instructions described by
|
|
||||||
https://raw.githubusercontent.com/ansible/ansible-creator/refs/heads/main/docs/agents.md
|
|
||||||
are followed.
|
|
||||||
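Review bot: removing AGENTS.md drops the pointer to the conventions the repository expects contributors (and coding agents) to follow; if they still apply, state them in the README or keep the file. For anyone re-adding it: the removed reference fetched instructions from `refs/heads/main`, an unpinned branch ref, so the content it pulled in could change without any change to this repository; point at a commit hash instead.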
@@ -38,7 +38,7 @@ named.conf
|
|||||||
bind configuration is set through the various bind9_*_config parameters. These are, in order of precedence:
|
bind configuration is set through the various bind9_*_config parameters. These are, in order of precedence:
|
||||||
1. bind9_default_config
|
1. bind9_default_config
|
||||||
2. bind9_group_config
|
2. bind9_group_config
|
||||||
3. bind9_site_config
|
3. bind9_leaf_config
|
||||||
4. bind9_host_config
|
4. bind9_host_config
|
||||||
|
|
||||||
All these configuration parameters are merged in a way where each successing config supercedes the previous one at a config-file level. To illustrate:
|
All these configuration parameters are merged in a way where each successing config supercedes the previous one at a config-file level. To illustrate:
|
||||||
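Review bot: the rename from `bind9_site_config` to `bind9_leaf_config` here and in `defaults/main.yml` is a silent breaking change: an inventory that still sets `bind9_site_config` is simply ignored by the merge, so those hosts lose a configuration layer without any error. Add a compatibility shim (seed `bind9_leaf_config` from `bind9_site_config` when only the old name is defined, or an `ansible.builtin.assert` that fails when the old name is found) and mention the rename in the README. While touching this paragraph, the unchanged context line `each successing config supercedes the previous one` should read `each succeeding config supersedes the previous one`.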
@@ -59,7 +59,7 @@ bind9_group_config:
|
|||||||
- name: "."
|
- name: "."
|
||||||
type: mirror
|
type: mirror
|
||||||
|
|
||||||
bind9_site_config:
|
bind9_leaf_config:
|
||||||
- name: named.conf.local
|
- name: named.conf.local
|
||||||
zone:
|
zone:
|
||||||
- name: "."
|
- name: "."
|
||||||
@@ -81,7 +81,7 @@ bind9_config:
|
|||||||
file: /etc/share/dns/root.hints
|
file: /etc/share/dns/root.hints
|
||||||
```
|
```
|
||||||
|
|
||||||
The `named.conf.options` block in `bind9_default_config` got completely overwritten by the `bind9_group_config`, and the `bind9_site_config` completely overwrote `named.conf.local`, however, `named.conf.options` was left intact after merging with `bind9_site_config`.
|
The `named.conf.options` block in `bind9_default_config` got completely overwritten by the `bind9_group_config`, and the `bind9_leaf_config` completely overwrote `named.conf.local`, however, `named.conf.options` was left intact after merging with `bind9_leaf_config`.
|
||||||
|
|
||||||
Configuration Grammar
|
Configuration Grammar
|
||||||
---------------------
|
---------------------
|
||||||
@@ -126,43 +126,38 @@ Simple options are defined just as that.
|
|||||||
```
|
```
|
||||||
|
|
||||||
Some options have several optional parameters. For those, a somewhat flexible
|
Some options have several optional parameters. For those, a somewhat flexible
|
||||||
configuration format has been created. Common patterns include:
|
configuration format has been created
|
||||||
|
|
||||||
- **Address with Port/DSCP**: Used by options like `primaries`, `parental_agents` (e.g., `address [ port <port> ] [ dscp <dscp> ]`)
|
|
||||||
- **Address with Port/TLS**: Used by options like `forwarders` (e.g., `address [ port <port> ] [ tls <tls> ]`)
|
|
||||||
|
|
||||||
```
|
```
|
||||||
ADDRESS_PORT_TLS_OPTION: # Example: forwarders option
|
IP_PORT_DSCP_OPTION: # Any option that is defined as one of:
|
||||||
# <option> [ port <port> ] [ tls <tls> ] { <address> [ port <port> ] [ tls <tls> ]; ... }
|
# <option> [ port <port> ] [ dscp <dscp> ] { <address> [ port <port> ] [ dscp <dscp> ]; ... }
|
||||||
|
# <option> [ port <port> ] [ dscp <dscp> ] { <address> [ port <port> ] [ key <key> ] [ tls <tls> ]; ... }
|
||||||
# has a few optional syntaxes
|
# has a few optional syntaxes
|
||||||
# Example 1: Simple address list
|
# Example 1: Simple address list
|
||||||
- ADDRESS1
|
- ADDRESS1
|
||||||
- ADDRESS2
|
- ADDRESS2
|
||||||
# Example 2: To define global port/tls, use 'addresses' sub-element
|
# Example 2: To define source port/dscp, use 'addresses' sub-element
|
||||||
[ port: PORT ]
|
[ port: PORT ]
|
||||||
[ tls: TLS_NAME ]
|
[ dscp: DSCP ]
|
||||||
addresses:
|
addresses:
|
||||||
- ADDRESS1
|
- ADDRESS1
|
||||||
- ADDRESS2
|
- ADDRESS2
|
||||||
- 127.0.0.1
|
- 127.0.0.1
|
||||||
# Example 3: To define per-address port/tls, use 'addresses' as a list of dicts
|
# Example 3: To define target port/dscp, use 'addresses' as a list of dicts
|
||||||
addresses:
|
addresses:
|
||||||
- address: ADDRESS
|
- address: ADDRESS
|
||||||
[ port: PORT ]
|
[ port: PORT ]
|
||||||
[ tls: TLS_NAME ]
|
[ dscp: DSCP ]
|
||||||
- address: 127.0.0.1
|
- address: 127.0.0.1
|
||||||
port: 53
|
port: 53
|
||||||
- address: 127.0.0.1
|
- address: 127.0.0.1
|
||||||
port: 853
|
dscp: 42
|
||||||
tls: dot-tls
|
- address: 127.0.0.1
|
||||||
- address: 8.8.8.8
|
port: 5353
|
||||||
port: 853
|
dscp: 42
|
||||||
tls: google-tls
|
|
||||||
# Example 4: The various formats can be mixed and matched within the main element
|
# Example 4: The various formats can be mixed and matched within the main element
|
||||||
- ADDRESS1
|
- ADDRESS1
|
||||||
- address: ADDRESS2
|
- address: ADDRESS2
|
||||||
port: PORT
|
port: PORT
|
||||||
tls: TLS_NAME
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
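Review bot: the rewritten grammar section documents only the port/tls form and drops the `[ key <key> ]` alternative the old text listed, while `list_address_port_dscp` and `parent_address_port_dscp` remain in the macro file, so the dscp form is now implemented but undocumented. The form where `address:` is a list (several addresses sharing one `port`/`tls`, which the new `{% elif item.address is sequence %}` branch renders and the Molecule converge relies on) is also not shown here; add it as a further example so users do not have to read the template to discover it.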
|
|||||||
+2
-2
@@ -14,7 +14,7 @@ bind9_debug_config: false
|
|||||||
bind9_config_indent: 4
|
bind9_config_indent: 4
|
||||||
|
|
||||||
bind9_group_config: []
|
bind9_group_config: []
|
||||||
bind9_site_config: []
|
bind9_leaf_config: []
|
||||||
bind9_host_config: []
|
bind9_host_config: []
|
||||||
|
|
||||||
bind9_default_config:
|
bind9_default_config:
|
||||||
@@ -30,7 +30,7 @@ bind9_default_config:
|
|||||||
|
|
||||||
bind9_config: "{{ [bind9_default_config,
|
bind9_config: "{{ [bind9_default_config,
|
||||||
bind9_group_config,
|
bind9_group_config,
|
||||||
bind9_site_config,
|
bind9_leaf_config,
|
||||||
bind9_host_config] |
|
bind9_host_config] |
|
||||||
community.general.lists_mergeby('name',
|
community.general.lists_mergeby('name',
|
||||||
recursive=true,
|
recursive=true,
|
||||||
|
|||||||
+1
-1
@@ -21,5 +21,5 @@
|
|||||||
ansible_facts.date_time.iso8601_basic_short + '.tar.gz' }}"
|
ansible_facts.date_time.iso8601_basic_short + '.tar.gz' }}"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: '0640'
|
mode: 0640
|
||||||
when: bind9_backup_config is defined and bind9_backup_config
|
when: bind9_backup_config is defined and bind9_backup_config
|
||||||
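Review bot: changing `mode: '0640'` to the unquoted `mode: 0640` in the backup handler trades a safe form for one that depends on the YAML parser: YAML 1.1 (PyYAML, which Ansible uses) reads `0640` as octal 416, which the file modules apply as 0640, but a YAML 1.2 parser reads it as decimal 640 (0o1200). The Ansible file-module documentation recommends the quoted string for exactly this reason and ansible-lint's `risky-octal` rule targets this class of mistake; keep the quoted `'0640'` here and in `tasks/main.yml`.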
|
|||||||
@@ -1,56 +0,0 @@
|
|||||||
---
|
|
||||||
argument_specs:
|
|
||||||
main:
|
|
||||||
short_description: The main entry point for the bind9 role.
|
|
||||||
options:
|
|
||||||
bind9_config:
|
|
||||||
type: list
|
|
||||||
elements: dict
|
|
||||||
description:
|
|
||||||
- A list of configuration dictionaries that are merged to
|
|
||||||
produce the final configuration.
|
|
||||||
- Each element must have a 'name' key (filename).
|
|
||||||
bind9_default_config:
|
|
||||||
type: list
|
|
||||||
elements: dict
|
|
||||||
description: Default configuration.
|
|
||||||
bind9_group_config:
|
|
||||||
type: list
|
|
||||||
elements: dict
|
|
||||||
description: Group-level configuration.
|
|
||||||
bind9_site_config:
|
|
||||||
type: list
|
|
||||||
elements: dict
|
|
||||||
description: Site/Leaf-level configuration.
|
|
||||||
bind9_host_config:
|
|
||||||
type: list
|
|
||||||
elements: dict
|
|
||||||
description: Host-level configuration.
|
|
||||||
bind9_backup_config:
|
|
||||||
type: bool
|
|
||||||
default: true
|
|
||||||
description: Whether to backup configuration files before overwriting.
|
|
||||||
bind9_debug_config:
|
|
||||||
type: bool
|
|
||||||
default: false
|
|
||||||
description: Whether to print the merged configuration during execution.
|
|
||||||
bind9_config_indent:
|
|
||||||
type: int
|
|
||||||
default: 4
|
|
||||||
description: Indentation level for generated configuration files.
|
|
||||||
bind9_packages:
|
|
||||||
type: list
|
|
||||||
elements: str
|
|
||||||
description: List of packages to install.
|
|
||||||
bind9_cfgdir:
|
|
||||||
type: str
|
|
||||||
description: Directory for configuration files.
|
|
||||||
bind9_working_directory:
|
|
||||||
type: str
|
|
||||||
description: Working directory for BIND.
|
|
||||||
bind9_libdir:
|
|
||||||
type: str
|
|
||||||
description: Library directory for BIND.
|
|
||||||
bind9_backup_dir:
|
|
||||||
type: str
|
|
||||||
description: Directory for backups.
|
|
||||||
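Review bot: deleting the argument_specs file removes role argument validation (the type and element checks for every `bind9_*` variable, plus the only in-repo documentation of `bind9_backup_config`, `bind9_debug_config`, `bind9_config_indent`, `bind9_packages` and the directory variables). The apparent motivation is the stale `bind9_site_config` entry; the smaller fix is to rename that option to `bind9_leaf_config` and keep the spec, so a wrong type in an inventory still fails at role entry rather than at template time.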
+1
-1
@@ -7,7 +7,7 @@ galaxy_info:
|
|||||||
description: Configure Bind9
|
description: Configure Bind9
|
||||||
company: Valid.dk
|
company: Valid.dk
|
||||||
|
|
||||||
issue_tracker_url: https://git.valid.dk/daniel/ansible-bind9-role
|
issue_tracker_url: https://gitlab.valid.dk/operations/ansible-bind9-role
|
||||||
|
|
||||||
license: GPL-3.0-or-later
|
license: GPL-3.0-or-later
|
||||||
|
|
||||||
|
|||||||
@@ -4,3 +4,4 @@ collections:
|
|||||||
- name: ansible.posix
|
- name: ansible.posix
|
||||||
- name: community.crypto
|
- name: community.crypto
|
||||||
- name: community.general
|
- name: community.general
|
||||||
|
|
||||||
|
|||||||
@@ -1,41 +1,31 @@
|
|||||||
---
|
---
|
||||||
- name: Converge
|
- name: Converge
|
||||||
hosts: all
|
hosts: all
|
||||||
tasks:
|
|
||||||
- name: Include bind9 role
|
|
||||||
ansible.builtin.include_role:
|
|
||||||
name: ../../../ansible-bind9-role # noqa: role-name[path]
|
|
||||||
vars:
|
vars:
|
||||||
bind9_host_config:
|
bind9_group_config:
|
||||||
- name: named.conf.options
|
- name: named.conf.options
|
||||||
options:
|
options:
|
||||||
directory: "{{ bind9_working_directory }}"
|
directory: "{{ bind9_working_directory }}"
|
||||||
recursion: true
|
|
||||||
allow_query:
|
|
||||||
- any
|
|
||||||
allow_recursion:
|
|
||||||
- 10.0.0.0/8
|
|
||||||
- 192.168.0.0/16
|
|
||||||
- 172.16.0.0/12
|
|
||||||
- localhost
|
|
||||||
- localnets
|
|
||||||
forwarders:
|
forwarders:
|
||||||
- address: 91.239.100.100
|
port: 853
|
||||||
tls: censurfridns-anycast
|
tls: common-upstream
|
||||||
- address: 89.233.43.71
|
addresses:
|
||||||
tls: censurfridns-unicast
|
- address: 192.0.2.10
|
||||||
forward: first
|
port: 5353
|
||||||
dnssec_validation: auto
|
tls: leaf-a
|
||||||
- name: named.conf.local
|
- address:
|
||||||
|
- 2001:db8::10
|
||||||
|
- 198.51.100.10
|
||||||
|
tls: dual-stack
|
||||||
|
- 203.0.113.10
|
||||||
tls:
|
tls:
|
||||||
- name: censurfridns-anycast
|
- name: common-upstream
|
||||||
remote_hostname: anycast.uncensoreddns.org
|
remote_hostname: upstream.example
|
||||||
- name: censurfridns-unicast
|
- name: leaf-a
|
||||||
remote_hostname: unicast.uncensoreddns.org
|
remote_hostname: leaf-a.example
|
||||||
zones:
|
- name: dual-stack
|
||||||
- name: example.internal
|
remote_hostname: dual-stack.example
|
||||||
type: forward
|
tasks:
|
||||||
forward: only
|
- name: Include bind9 role
|
||||||
forwarders:
|
ansible.builtin.include_role:
|
||||||
- 10.0.0.53
|
name: ../../../ansible-bind9-role
|
||||||
- 10.0.0.54
|
|
||||||
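Review bot: the converge now exercises `bind9_group_config` only; the `bind9_leaf_config` layer introduced by this change, and its precedence over `bind9_group_config`, are not covered by any Molecule scenario. Also, `name: ../../../ansible-bind9-role` lost its `# noqa: role-name[path]` marker, so ansible-lint will flag the relative path once lint runs again. Dropping `allow_query`, `allow_recursion`, `recursion` and `dnssec_validation` from the test options is fine for a render test of the forwarders grammar, but the removed forward zone in `named.conf.local` was the only coverage of the zone path; consider keeping it.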
|
|||||||
@@ -1,11 +1,6 @@
|
|||||||
---
|
---
|
||||||
- name: Prepare
|
- hosts: all
|
||||||
hosts: all
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Update apt
|
- name: Update apt
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
update_cache: true
|
update_cache: true
|
||||||
- name: Install bind9-dnsutils package
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: bind9-dnsutils
|
|
||||||
state: present
|
|
||||||
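Review bot: `- hosts: all` without a `name:` will be flagged by ansible-lint (`name[play]`) now that the `Prepare` name is gone; keep the play name. Removing the `bind9-dnsutils` install is consistent with the verify play no longer running `dig`, but if the resolution check is restored later this package has to come back with it.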
|
|||||||
+13
-68
@@ -1,76 +1,21 @@
|
|||||||
---
|
---
|
||||||
- name: Verify
|
- name: Verify forwarders configuration
|
||||||
hosts: all
|
hosts: all
|
||||||
gather_facts: true
|
gather_facts: false
|
||||||
tasks:
|
tasks:
|
||||||
- name: Check that BIND9 is installed
|
- name: Read named.conf.options
|
||||||
ansible.builtin.package:
|
|
||||||
name: bind9
|
|
||||||
state: present
|
|
||||||
check_mode: true
|
|
||||||
register: __bind9_package_check
|
|
||||||
failed_when: __bind9_package_check is changed
|
|
||||||
|
|
||||||
- name: Check that BIND9 service is running
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: named
|
|
||||||
state: started
|
|
||||||
enabled: true
|
|
||||||
check_mode: true
|
|
||||||
register: __bind9_service_check
|
|
||||||
failed_when: __bind9_service_check is changed
|
|
||||||
|
|
||||||
- name: Check that named.conf.options exists
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: /etc/bind/named.conf.options
|
|
||||||
register: __options_file
|
|
||||||
failed_when: not __options_file.stat.exists
|
|
||||||
|
|
||||||
- name: Check that named.conf.local exists
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: /etc/bind/named.conf.local
|
|
||||||
register: __local_file
|
|
||||||
failed_when: not __local_file.stat.exists
|
|
||||||
|
|
||||||
- name: Read named.conf.options content
|
|
||||||
ansible.builtin.slurp:
|
ansible.builtin.slurp:
|
||||||
path: /etc/bind/named.conf.options
|
src: /etc/bind/named.conf.options
|
||||||
register: __options_content
|
register: forwarders_file
|
||||||
|
|
||||||
- name: Verify forwarders are configured in options
|
- name: Assert forwarders render with port and tls
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- "'forwarders' in __options_decoded"
|
- forwarders_content is search('forwarders port 853 tls common-upstream \{')
|
||||||
- "'8.8.8.8' in __options_decoded"
|
- forwarders_content is search('192.0.2.10 port 5353 tls leaf-a;')
|
||||||
- "'forward first' in __options_decoded"
|
- forwarders_content is search('2001:db8::10 tls dual-stack;')
|
||||||
fail_msg: Forwarders not properly configured in named.conf.options
|
- forwarders_content is search('198.51.100.10 tls dual-stack;')
|
||||||
|
- forwarders_content is search('203.0.113.10;')
|
||||||
|
fail_msg: "Forwarders block missing expected port/tls entries"
|
||||||
vars:
|
vars:
|
||||||
__options_decoded: "{{ __options_content.content | b64decode }}"
|
forwarders_content: "{{ forwarders_file.content | b64decode }}"
|
||||||
|
|
||||||
- name: Read named.conf.local content
|
|
||||||
ansible.builtin.slurp:
|
|
||||||
path: /etc/bind/named.conf.local
|
|
||||||
register: __local_content
|
|
||||||
|
|
||||||
- name: Verify forward zone is configured
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- "'zone \"example.internal\"' in __local_decoded"
|
|
||||||
- "'type forward' in __local_decoded"
|
|
||||||
- "'forward only' in __local_decoded"
|
|
||||||
fail_msg: Forward zone not properly configured in named.conf.local
|
|
||||||
vars:
|
|
||||||
__local_decoded: "{{ __local_content.content | b64decode }}"
|
|
||||||
|
|
||||||
- name: Test DNS resolution using localhost
|
|
||||||
ansible.builtin.command:
|
|
||||||
cmd: dig @localhost google.com +short
|
|
||||||
register: __dns_query
|
|
||||||
changed_when: false
|
|
||||||
failed_when: __dns_query.rc != 0
|
|
||||||
|
|
||||||
- name: Verify DNS query returned results
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- __dns_query.stdout_lines | length > 0
|
|
||||||
fail_msg: DNS forwarding is not working
|
|
||||||
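Review bot: the new verify only checks that text appears in `named.conf.options`; the removed checks (package present, `named` running and enabled, `named.conf.local` exists, and an actual `dig @localhost` query) were the ones that would catch a rendered-but-invalid configuration, which matters more now that the `validate:` line in `tasks/main.yml` is commented out. Keep at least the service check or a `named-checkconf` run alongside the regex asserts. In the `search()` patterns the dots in `192.0.2.10`, `198.51.100.10` and `203.0.113.10` are unescaped regex wildcards; escape them (`192\.0\.2\.10`) or use `in` on the decoded content so the asserts stay strict.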
|
|||||||
+14
-63
@@ -15,76 +15,27 @@
|
|||||||
state: directory
|
state: directory
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: '0750'
|
mode: 0750
|
||||||
when: bind9_backup_config is defined and bind9_backup_config | bool
|
when: bind9_backup_config is defined and bind9_backup_config
|
||||||
|
|
||||||
- name: Deploy and Validate Configuration
|
- name: Template named.conf.generator
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: named.conf.generator.j2
|
||||||
|
dest: "{{ bind9_cfgdir }}/{{ item.name }}"
|
||||||
|
owner: root
|
||||||
|
group: bind
|
||||||
|
mode: 0640
|
||||||
|
backup: "{{ item.backup | default('false') | bool }}"
|
||||||
|
# validate: 'named-checkconf -z -j %s'
|
||||||
|
loop: "{{ bind9_config }}"
|
||||||
|
loop_control:
|
||||||
|
label: "{{ item.name }}"
|
||||||
tags:
|
tags:
|
||||||
- bind9
|
- bind9
|
||||||
- template
|
- template
|
||||||
notify:
|
notify:
|
||||||
- Backup bind config
|
- Backup bind config
|
||||||
- Restart bind
|
- Restart bind
|
||||||
block:
|
|
||||||
- name: Create backup of current config
|
|
||||||
ansible.builtin.copy:
|
|
||||||
src: "{{ bind9_cfgdir }}/{{ item.name }}"
|
|
||||||
dest: "{{ bind9_cfgdir }}/{{ item.name }}.bak"
|
|
||||||
remote_src: true
|
|
||||||
owner: root
|
|
||||||
group: bind
|
|
||||||
mode: '0640'
|
|
||||||
failed_when: false # It's okay if the file doesn't exist yet
|
|
||||||
loop: "{{ bind9_config }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.name }}"
|
|
||||||
|
|
||||||
- name: Template named.conf.generator
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: named.conf.generator.j2
|
|
||||||
dest: "{{ bind9_cfgdir }}/{{ item.name }}"
|
|
||||||
owner: root
|
|
||||||
group: bind
|
|
||||||
mode: '0640'
|
|
||||||
loop: "{{ bind9_config }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.name }}"
|
|
||||||
register: _template_result
|
|
||||||
|
|
||||||
- name: Validate configuration using named-checkconf
|
|
||||||
ansible.builtin.command:
|
|
||||||
cmd: "named-checkconf -z {{ bind9_cfgdir }}/named.conf"
|
|
||||||
changed_when: false
|
|
||||||
|
|
||||||
rescue:
|
|
||||||
- name: Restore configuration from backup
|
|
||||||
ansible.builtin.copy:
|
|
||||||
src: "{{ bind9_cfgdir }}/{{ item.name }}.bak"
|
|
||||||
dest: "{{ bind9_cfgdir }}/{{ item.name }}"
|
|
||||||
remote_src: true
|
|
||||||
owner: root
|
|
||||||
group: bind
|
|
||||||
mode: '0640'
|
|
||||||
loop: "{{ bind9_config }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.name }}"
|
|
||||||
failed_when: false # Best effort restore
|
|
||||||
|
|
||||||
- name: Fail due to invalid configuration
|
|
||||||
ansible.builtin.fail:
|
|
||||||
msg: |
|
|
||||||
Configuration validation failed. Changes have been reverted.
|
|
||||||
Check the logs for named-checkconf errors.
|
|
||||||
|
|
||||||
always:
|
|
||||||
- name: Remove backup files
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ bind9_cfgdir }}/{{ item.name }}.bak"
|
|
||||||
state: absent
|
|
||||||
loop: "{{ bind9_config }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.name }}"
|
|
||||||
when: bind9_backup_config | bool is false
|
|
||||||
|
|
||||||
- name: Ensure the named service is started
|
- name: Ensure the named service is started
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
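Review bot: this replaces the block/rescue/always deploy-and-validate flow with a bare template task whose `validate:` is commented out, so a configuration that renders but fails `named-checkconf` is written to disk and `Restart bind` still fires, which is a DNS outage with no automatic rollback. Re-enable validation: since each file is an include of `named.conf`, running `named-checkconf -z -j %s` on a single fragment is probably why the line was disabled, so keep the old pattern of templating all files and then running `named-checkconf -z {{ bind9_cfgdir }}/named.conf` before notifying the restart. Two smaller points: `when: bind9_backup_config is defined and bind9_backup_config` dropped the `| bool`, so a string value such as `'false'` from an inventory or `-e` is truthy and the backup directory task runs anyway; and `backup: "{{ item.backup | default('false') | bool }}"` introduces a second, per-file backup switch alongside `bind9_backup_config`, which should be documented or folded into one setting.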
|
|||||||
@@ -42,6 +42,46 @@
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
{% endmacro %}
|
{% endmacro %}
|
||||||
|
|
||||||
|
{% macro list_address_port_tls(dict, indent=bind9_config_indent) %}
|
||||||
|
{# This macro is for use for statements with grammar like #}
|
||||||
|
{# address port 00 tls string; address port 00 tls string; #}
|
||||||
|
{# it is usually called by a parent macro #}
|
||||||
|
{% filter indent(indent, true) %}
|
||||||
|
{% for item in dict %}
|
||||||
|
{% if item is not mapping %}
|
||||||
|
{{ item }};
|
||||||
|
{% elif item.address is string %}
|
||||||
|
{{ item.address -}}
|
||||||
|
{{- (' port ' + item.port | string) if item.port is defined and item.port -}}
|
||||||
|
{{- (' tls ' + item.tls | string) if item.tls is defined and item.tls -}};
|
||||||
|
{% elif item.address is sequence %}
|
||||||
|
{% for address in item.address %}
|
||||||
|
{{ address -}}
|
||||||
|
{{- (' port ' + item.port | string) if item.port is defined and item.port -}}
|
||||||
|
{{- (' tls ' + item.tls | string) if item.tls is defined and item.tls -}};
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
{% endfilter %}
|
||||||
|
{% endmacro %}
|
||||||
|
|
||||||
|
{% macro parent_address_port_tls(name, dict) %}
|
||||||
|
{# This macro is for statements with grammar like #}
|
||||||
|
{# statement port 00 tls string { address port 00 tls string; address port 00 tls string; } #}
|
||||||
|
{# the list inside the statement is handled by list_address_port_tls #}
|
||||||
|
{% if dict is not mapping and dict is iterable %}
|
||||||
|
{{ name }} {
|
||||||
|
{{ list_address_port_tls(dict) -}}
|
||||||
|
};
|
||||||
|
{% else %}
|
||||||
|
{{ name }}
|
||||||
|
{{- (' port ' + dict.port | string) if dict.port is defined and dict.port -}}
|
||||||
|
{{- (' tls ' + dict.tls | string) if dict.tls is defined and dict.tls }} {
|
||||||
|
{{ list_address_port_tls(dict.addresses) -}}
|
||||||
|
};
|
||||||
|
{% endif %}
|
||||||
|
{% endmacro %}
|
||||||
|
|
||||||
{% macro list_address_port_dscp(dict, indent=bind9_config_indent) %}
|
{% macro list_address_port_dscp(dict, indent=bind9_config_indent) %}
|
||||||
{# This macro is for use for statements with grammar like #}
|
{# This macro is for use for statements with grammar like #}
|
||||||
{# address port 00 dscp 00; address port 00 dscp 00; #}
|
{# address port 00 dscp 00; address port 00 dscp 00; #}
|
||||||
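Review bot: in the new `list_address_port_tls` a mapping item whose `address` is neither a string nor a sequence (a typo such as `addres:` produces exactly that) matches no branch and is silently dropped from the rendered list, which for `forwarders` means a resolver quietly loses an upstream; add an `{% else %}` branch that makes the omission visible, or assert on the merged `bind9_config` before templating, rather than dropping the entry. Also, `parent_address_port_tls` closes the block with `{{ list_address_port_tls(dict) -}}` followed by `};` on the next line, while the dscp variant in the following hunk uses `}}` without the dash and `};` on its own line; the two macros will place the closing brace differently, so use one layout for both.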
@@ -65,12 +105,14 @@
|
|||||||
{# the list inside the statement is handled by list_address_port #}
|
{# the list inside the statement is handled by list_address_port #}
|
||||||
{% if dict is not mapping and dict is iterable %}
|
{% if dict is not mapping and dict is iterable %}
|
||||||
{{ name }} {
|
{{ name }} {
|
||||||
{{ list_address_port_dscp(dict) }}};
|
{{ list_address_port_dscp(dict) }}
|
||||||
|
};
|
||||||
{% else %}
|
{% else %}
|
||||||
{{ name }}
|
{{ name }}
|
||||||
{{- (' port ' + dict.port | string) if dict.port is defined and dict.port -}}
|
{{- (' port ' + dict.port | string) if dict.port is defined and dict.port -}}
|
||||||
{{- (' dscp ' + dict.dscp | string) if dict.dscp is defined and dict.dscp }} {
|
{{- (' dscp ' + dict.dscp | string) if dict.dscp is defined and dict.dscp }} {
|
||||||
{{ list_address_port_dscp(dict.addresses) }}};
|
{{ list_address_port_dscp(dict.addresses) }}
|
||||||
|
};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endmacro %}
|
{% endmacro %}
|
||||||
|
|
||||||
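Review bot: the context comment `the list inside the statement is handled by list_address_port` names a macro that does not exist in this file; it should read `list_address_port_dscp`. Moving `};` onto its own line here is the cleaner form and is the one worth standardising on.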
@@ -110,36 +152,4 @@
|
|||||||
{% else %}
|
{% else %}
|
||||||
{{ name }} "{{ value }}";
|
{{ name }} "{{ value }}";
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endmacro %}
|
|
||||||
|
|
||||||
{% macro list_address_port_tls(dict, indent=bind9_config_indent) %}
|
|
||||||
{# This macro is for use for statements with grammar like #}
|
|
||||||
{# address port 00 tls str; address port 00 tls str; #}
|
|
||||||
{# it is usually called by a parent macro #}
|
|
||||||
{% filter indent(indent, true) %}
|
|
||||||
{% for item in dict %}
|
|
||||||
{% if item is not mapping %}
|
|
||||||
{{ item }};
|
|
||||||
{% else %}
|
|
||||||
{{ item.address }}
|
|
||||||
{{- (' port ' + item.port | string) if item.port is defined and item.port -}}
|
|
||||||
{{- (' tls ' + item.tls | string) if item.tls is defined and item.tls -}};
|
|
||||||
{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
{% endfilter %}
|
|
||||||
{% endmacro %}
|
|
||||||
|
|
||||||
{% macro parent_address_port_tls(name, dict) %}
|
|
||||||
{# This macro is for use for statements with grammar like #}
|
|
||||||
{# statement port 00 tls str { address port 00 tls str; address port 00 tls str; } #}
|
|
||||||
{# the list inside the statement is handled by list_address_port_tls #}
|
|
||||||
{% if dict is not mapping and dict is iterable %}
|
|
||||||
{{ name }} {
|
|
||||||
{{ list_address_port_tls(dict) }}};
|
|
||||||
{% else %}
|
|
||||||
{{ name }}
|
|
||||||
{{- (' port ' + dict.port | string) if dict.port is defined and dict.port -}}
|
|
||||||
{{- (' tls ' + dict.tls | string) if dict.tls is defined and dict.tls }} {
|
|
||||||
{{ list_address_port_tls(dict.addresses) }}};
|
|
||||||
{% endif %}
|
|
||||||
{% endmacro %}
|
{% endmacro %}
|
||||||
@@ -101,7 +101,7 @@ listen-on
|
|||||||
{{ functions.simple_item_list(item.options.listen_on.addresses) }}};
|
{{ functions.simple_item_list(item.options.listen_on.addresses) }}};
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{{ functions.parent_address_port_tls("forwarders", item.options.forwarders) if item.options.forwarders is defined and item.options.forwarders -}}
|
{{ functions.parent_address_port_tls('forwarders', item.options.forwarders) if item.options.forwarders is defined and item.options.forwarders -}}
|
||||||
{% if item.options.dual_stack_servers is defined and item.options.dual_stack_servers %}
|
{% if item.options.dual_stack_servers is defined and item.options.dual_stack_servers %}
|
||||||
dual-stack-servers
|
dual-stack-servers
|
||||||
{{ (' port ' + item.options.dual_stack_servers.port | string) if item.options.dual_stack_servers.port is defined and item.options.dual_stack_servers }} {
|
{{ (' port ' + item.options.dual_stack_servers.port | string) if item.options.dual_stack_servers.port is defined and item.options.dual_stack_servers }} {
|
||||||
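Review bot: the context line `{{ (' port ' + item.options.dual_stack_servers.port | string) if item.options.dual_stack_servers.port is defined and item.options.dual_stack_servers }} {` tests the truthiness of the whole `dual_stack_servers` mapping in its second condition instead of `item.options.dual_stack_servers.port`, so it does not suppress an empty or zero port the way the macros do; it should end with `... and item.options.dual_stack_servers.port`. The `"forwarders"` to `'forwarders'` change itself is cosmetic.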
|
|||||||
+1
-1
@@ -2,4 +2,4 @@
|
|||||||
- hosts: localhost
|
- hosts: localhost
|
||||||
remote_user: root
|
remote_user: root
|
||||||
roles:
|
roles:
|
||||||
- bind9 # noqa: syntax-check[specific]
|
- bind9
|
||||||
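Review bot: dropping `# noqa: syntax-check[specific]` means ansible-lint's syntax check on this playbook fails again if the role cannot be resolved as `bind9` from this directory, which is presumably why the marker was there; either restore the marker or reference the role the way the Molecule converge does. The unnamed `- hosts: localhost` play with `remote_user: root` predates this change but is worth a `name:` while the file is being edited.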