roles/named: Deploy BIND DNS server

The *named* role configures the BIND DNS server on managed nodes. It writes `/etc/named.conf`, using a template that supports most of the commonly-used options. The configuration can be augmented by other templates, etc. by specifying file paths in the `named_options_include` or `named_global_include` variables, both of which are lists.
2018-01-07 11:26:03 -06:00 · 2018-01-07 11:26:03 -06:00 · b493d81cfa
parent ac354643c5
commit b493d81cfa
6 changed files with 172 additions and 0 deletions
--- a/roles/named/defaults/main.yml
+++ b/roles/named/defaults/main.yml
@ -0,0 +1,14 @@
+named_listen:
+- port: 53
+  addresses:
+  - 127.0.0.1
+named_listen_v6:
+- port: 53
+  addresses:
+  - ::1
+named_allow_query:
+- localhost
+named_recursion: true
+named_dnssec: true
+named_dnssec_validation: true
+named_options_include: '{{ named_default_options_include }}'
--- a/roles/named/handlers/main.yml
+++ b/roles/named/handlers/main.yml
@ -0,0 +1,10 @@
+- name: restart named
+  service:
+    name=named
+    state=restarted
+- name: reload named
+  service:
+    name=named
+    state=reloaded
+- name: save firewalld configuration
+  command: firewall-cmd --runtime-to-permanent
--- a/roles/named/tasks/main.yml
+++ b/roles/named/tasks/main.yml
@ -0,0 +1,54 @@
+- name: load distribution-specific values
+  include_vars: '{{ item }}'
+  with_first_found:
+  - '{{ ansible_distribution }}.yml'
+  - defaults.yml
+  tags:
+  - always
+
+- name: ensure packages are installed
+  package:
+    name={{ named_packages|join(',') }}
+    state=present
+  tags:
+  - install
+
+- name: ensure named is configured
+  template:
+    src: named.conf.j2
+    dest: /etc/named.conf
+    mode: '0640'
+    owner: root
+    group: named
+    validate: named-checkconf %s
+  notify: reload named
+
+# TODO: What about other OS/init setups?
+- name: ensure named environment variables are set
+  template:
+    src=named.sysconfig.j2
+    dest=/etc/sysconfig/named
+    mode=0644
+  when: ansible_os_family == 'RedHat'
+  notify: restart named
+
+- name: ensure named starts at boot
+  service:
+    name=named
+    enabled=yes
+- meta: flush_handlers
+- name: ensure named is running
+  service:
+    name=named
+    state=started
+
+- name: ensure firewall is configured for dns
+  firewalld:
+    service=dns
+    state=enabled
+    permanent=no
+    immediate=yes
+  notify: save firewalld configuration
+  when: host_uses_firealld|d(true)|bool
+  tags:
+  - firewalld
--- a/roles/named/templates/named.conf.j2
+++ b/roles/named/templates/named.conf.j2
@ -0,0 +1,62 @@
+{% macro yesno(val) %}{{ 'yes' if val|bool else 'no' }}{% endmacro %}
+options {
+{% for listen in named_listen %}
+	listen-on port {{ listen.port|d(53) }} {
+{% for address in listen.addresses %}
+		{{ address }};
+{% endfor %}
+	};
+{% endfor %}
+{% for listen in named_listen_v6 %}
+	listen-on-v6 port {{ listen.port|d(53) }} {
+{% for address in listen.addresses %}
+		{{ address }};
+{% endfor %}
+	};
+{% endfor %}
+	directory 	"{{ named_directory }}";
+	dump-file 	"{{ named_dump_file }}";
+	statistics-file "{{ named_stats_file }}";
+	memstatistics-file "{{ named_memstats_file }}";
+	allow-query     {
+{% for match in named_allow_query %}
+		{{ match }};
+{% endfor %}
+	};
+
+	recursion {{ yesno(named_recursion) }};
+
+	dnssec-enable {{ yesno(named_dnssec) }};
+	dnssec-validation {{ yesno(named_dnssec_validation) }};
+
+	managed-keys-directory "{{ named_managed_keys_dir }}";
+
+	pid-file "{{ named_pid_file }}";
+	session-keyfile "{{ named_session_keyfile }}";
+{% if named_keytab is defined %}
+
+	tkey-gssapi-keytab "{{ named_keytab }}";
+{% endif %}
+
+{% for path in named_options_include %}
+	include "{{ path }}";
+{% endfor %}
+};
+
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+{% for path in named_global_include %}
+include "{{ path }}";
+{% endfor %}
--- a/roles/named/templates/named.sysconfig.j2
+++ b/roles/named/templates/named.sysconfig.j2
@ -0,0 +1,21 @@
+# BIND named process options
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# OPTIONS="whatever"     --  These additional options will be passed to named
+#                            at startup. Don't add -t here, enable proper
+#                            -chroot.service unit file.
+#
+# NAMEDCONF=/etc/named/alternate.conf
+#                        --  Don't use -c to change configuration file.
+#                            Extend systemd named.service instead or use this
+#                            variable.
+#
+# DISABLE_ZONE_CHECKING  --  By default, service file calls named-checkzone
+#                            utility for every zone to ensure all zones are
+#                            valid before named starts. If you set this option
+#                            to 'yes' then service file doesn't perform those
+#                            checks.
+
+# Work around to make TSIG-GSS dynamic updates work. Kerberos replaying is
+# required in this scenario, but is rejected when a replay cache is used
+KRB5RCACHETYPE=none
--- a/roles/named/vars/defaults.yml
+++ b/roles/named/vars/defaults.yml
@ -0,0 +1,11 @@
+named_packages:
+- bind
+named_directory: /var/named
+named_dump_file: '{{ named_directory }}/data/cache_dump.db'
+named_stats_file: '{{ named_directory }}/data/named_stats.txt'
+named_memstats_file: '{{ named_directory }}/data/named_mem_stats.txt'
+named_managed_keys_dir: '{{ named_directory }}/dynamic'
+named_pid_file: /run/named/named.pid
+named_session_keyfile: /run/named/session.key
+named_default_options_include:
+- /etc/crypto-policies/back-ends/bind.config