WIP3

roles/bertvv.bind/tasks/main.yml

@@ -0,0 +1,69 @@
+# roles/bind/tasks/main.yml
+---
+
+# Initialise distribution-specific variables
+- name: Source specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_distribution }}.yml"
+    - "{{ ansible_os_family }}.yml"
+  tags: bind,pretask
+
+- name: Check whether `bind_zone_master_server_ip` was set
+  assert:
+    that: bind_zone_master_server_ip is defined
+
+- name: Install BIND
+  package:
+    pkg: "{{ item }}"
+    state: present
+  with_items:
+    - "{{ bind_packages }}"
+  tags: bind
+
+- name: Ensure runtime directories referenced in config exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: "{{ bind_group }}"
+    mode: 0770
+  with_items:
+    - "{{ bind_dir }}/dynamic"
+    - "{{ bind_dir }}/data"
+    - "{{ bind_zone_dir }}"
+  tags: bind
+
+- name: Create serial, based on UTC UNIX time
+  command: date -u +%s
+  register: timestamp
+  changed_when: false
+  run_once: true
+  check_mode: false
+  tags: bind
+
+# file to set keys for XFR authentication
+- name: create extra config file for authenticated XFR request
+  tags: pretask
+  template:
+    src: auth_transfer.j2
+    dest: "{{ bind_conf_dir }}/{{ auth_file }}"
+    mode: 0640
+    owner: root
+    group: "{{ bind_group }}"
+  when: bind_dns_keys is defined and bind_dns_keys|length > 0
+
+- name: Set up the machine as a master DNS server
+  include_tasks: master.yml
+  when: bind_zone_master_server_ip in ansible_all_ipv4_addresses
+
+- name: Set up the machine as a slave DNS server
+  include_tasks: slave.yml
+  when: bind_zone_master_server_ip not in ansible_all_ipv4_addresses
+
+- name: Start BIND service
+  service:
+    name: "{{ bind_service }}"
+    state: started
+    enabled: true
+  tags: bind

roles/bertvv.bind/tasks/master.yml

@@ -0,0 +1,140 @@
+# roles/bind/tasks/master.yml
+# Set up a BIND master server
+---
+
+- name: Read forward zone hashes
+  shell: 'grep -s "^; Hash:" {{ bind_zone_dir }}/{{ item.name }} || true'
+  changed_when: false
+  check_mode: false
+  register: forward_hashes_temp
+  with_items:
+    - "{{ bind_zone_domains }}"
+  run_once: true
+  loop_control:
+    label: "{{ item.name }}"
+
+- name: create dict of forward hashes
+  set_fact:
+    forward_hashes: "{{ forward_hashes|default([]) + [ {'hash': item.stdout|default(), 'name': item.item.name} ] }}"
+  with_items:
+    - "{{ forward_hashes_temp.results }}"
+  run_once: true
+  loop_control:
+    label: "{{ item.item.name }}"
+
+- name: Read reverse ipv4 zone hashes
+  shell: "grep -s \"^; Hash:\" {{ bind_zone_dir }}/{{ ('.'.join(item.1.replace(item.1+'.','').split('.')[::-1])) }}.in-addr.arpa || true"
+  changed_when: false
+  check_mode: false
+  register: reverse_hashes_temp
+  with_subelements:
+    - "{{ bind_zone_domains }}"
+    - networks
+    - flags:
+      skip_missing: true
+  run_once: true
+  loop_control:
+    label: "{{ item.1 }}"
+
+- name: create dict of reverse hashes
+  set_fact:
+    reverse_hashes: "{{ reverse_hashes|default([]) + [ {'hash': item.0.stdout|default(), 'network': item.1} ] }}"
+  with_subelements:
+    - "{{ reverse_hashes_temp.results }}"
+    - item
+  run_once: true
+  loop_control:
+    label: "{{ item.1.name |default(item.0.cmd.split(' ')[4]) }}"
+
+- name: Read reverse ipv6 zone hashes
+  shell: "grep -s \"^; Hash:\" {{ bind_zone_dir }}/{{ (item.1 | ipaddr('revdns'))[-(9+(item.1|regex_replace('^.*/','')|int)//2):-1] }} || true"
+  changed_when: false
+  check_mode: false
+  register: reverse_hashes_ipv6_temp
+  with_subelements:
+    - "{{ bind_zone_domains }}"
+    - ipv6_networks
+    - flags:
+      skip_missing: true
+  run_once: true
+  loop_control:
+    label: "{{ item.1 }}"
+
+- name: create dict of reverse ipv6 hashes
+  set_fact:
+    reverse_hashes_ipv6: "{{ reverse_hashes_ipv6|default([]) + [ {'hash': item.0.stdout|default(), 'network': item.1} ] }}"
+  with_subelements:
+    - "{{ reverse_hashes_ipv6_temp.results }}"
+    - item
+  run_once: true
+  loop_control:
+    label: "{{ item.1.name |default(item.0.cmd.split(' ')[4]) }}"
+
+- name: Master | Main BIND config file (master)
+  template:
+    src: master_etc_named.conf.j2
+    dest: "{{ bind_config }}"
+    owner: "{{ bind_owner }}"
+    group: "{{ bind_group }}"
+    mode: '0640'
+    setype: named_conf_t
+    validate: 'named-checkconf %s'
+  notify: reload bind
+  tags: bind
+
+- name: Master | Create forward lookup zone file
+  template:
+    src: bind_zone.j2
+    dest: "{{ bind_zone_dir }}/{{ item.name }}"
+    owner: "{{ bind_owner }}"
+    group: "{{ bind_group }}"
+    mode: "{{ bind_zone_file_mode }}"
+    setype: named_zone_t
+    validate: 'named-checkzone -d {{ item.name }} %s'
+  with_items:
+    - "{{ bind_zone_domains }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when: item.create_forward_zones is not defined or item.create_forward_zones
+  notify: reload bind
+  tags: bind
+
+- name: Master | Create reverse lookup zone file
+  template:
+    src: reverse_zone.j2
+    dest: "{{ bind_zone_dir }}/{{ ('.'.join(item.1.replace(item.1+'.','').split('.')[::-1])) }}.in-addr.arpa"
+    owner: "{{ bind_owner }}"
+    group: "{{ bind_group }}"
+    mode: "{{ bind_zone_file_mode }}"
+    setype: named_zone_t
+    validate: "named-checkzone {{ ('.'.join(item.1.replace(item.1+'.','').split('.')[::-1])) }}.in-addr.arpa %s"
+  with_subelements:
+    - "{{ bind_zone_domains }}"
+    - networks
+    - flags:
+      skip_missing: true
+  loop_control:
+    label: "{{ item.1 }}"
+  when: item.create_reverse_zones is not defined or item.create_reverse_zones
+  notify: reload bind
+  tags: bind
+
+- name: Master | Create reverse IPv6 lookup zone file
+  template:
+    src: reverse_zone_ipv6.j2
+    dest: "{{ bind_zone_dir }}/{{ (item.1 | ipaddr('revdns'))[-(9+(item.1|regex_replace('^.*/','')|int)//2):-1] }}"
+    owner: "{{ bind_owner }}"
+    group: "{{ bind_group }}"
+    mode: "{{ bind_zone_file_mode }}"
+    setype: named_zone_t
+    validate: "named-checkzone {{ (item.1 | ipaddr('revdns'))[-(9+(item.1|regex_replace('^.*/','')|int)//2):] }} %s"
+  with_subelements:
+    - "{{ bind_zone_domains }}"
+    - ipv6_networks
+    - flags:
+      skip_missing: true
+  loop_control:
+    label: "{{ item.1 }}"
+  when: item.create_reverse_zones is not defined or item.create_reverse_zones
+  notify: reload bind
+  tags: bind

roles/bertvv.bind/tasks/slave.yml

@@ -0,0 +1,24 @@
+# roles/bind/tasks/master.yml
+# Set up a BIND slave server
+---
+
+- name: Slave | Main BIND config file (slave)
+  template:
+    src: slave_etc_named.conf.j2
+    dest: "{{ bind_config }}"
+    owner: "{{ bind_owner }}"
+    group: "{{ bind_group }}"
+    mode: '0640'
+    setype: named_conf_t
+    validate: 'named-checkconf %s'
+  notify: reload bind
+  tags: bind
+
+- name: Slave | ensure directory for cached slaves zones
+  file:
+    path: "{{ bind_dir }}/slaves"
+    state: directory
+    owner: "{{ bind_owner }}"
+    group: "{{ bind_group }}"
+    mode: '0770'
+    setype: named_cache_t