Dustin C. Hatch
84313601ef
BIND response policy zones (RPZ) support provides a mechanism for overriding the responses to DNS queries based on a wide range of criteria. In the simplest form, a response policy zone can be used to provide different responses to different clients, or "block" some DNS names. For the Pyrocufflink and related networks, I plan to use an RPZ to implement ad/tracker blocking. The goal will be to generate an RPZ definition from a collection of host lists (e.g. those used by uBlock Origin) periodically. This commit introduces basic support for RPZ configuration in the *named* role. It can be activated by providing a list of "response policy" definitions (e.g. `zone "name"`) in the `named_response_policy` variable, and defining the corresponding zones in `named_zones`.
85 lines
1.8 KiB
YAML
85 lines
1.8 KiB
YAML
- name: load distribution-specific values
|
|
include_vars: '{{ item }}'
|
|
with_first_found:
|
|
- '{{ ansible_distribution }}.yml'
|
|
- defaults.yml
|
|
tags:
|
|
- always
|
|
|
|
- name: ensure packages are installed
|
|
package:
|
|
name={{ named_packages|join(',') }}
|
|
state=present
|
|
tags:
|
|
- install
|
|
|
|
- name: ensure named keys are configured
|
|
template:
|
|
src: named.secrets.j2
|
|
dest: /etc/named.secrets
|
|
mode: '0440'
|
|
owner: root
|
|
group: named
|
|
validate: named-checkconf %s
|
|
notify: reload named
|
|
|
|
- name: ensure zones are configured
|
|
template:
|
|
src: named.zones.j2
|
|
dest: /etc/named.zones
|
|
mode: '0640'
|
|
owner: root
|
|
group: named
|
|
validate: named-checkconf %s
|
|
notify: reload named
|
|
- name: ensure zone files exist
|
|
template:
|
|
src: zone.j2
|
|
dest: /var/named/{{ item.zone_file|d('dynamic/' + item.zone + '.zone') }}
|
|
mode: '0640'
|
|
owner: root
|
|
group: named
|
|
force: no
|
|
with_items: '{{ named_zones|selectattr("type", "eq", "master")|list }}'
|
|
notify: reload named
|
|
|
|
- name: ensure named is configured
|
|
template:
|
|
src: named.conf.j2
|
|
dest: /etc/named.conf
|
|
mode: '0640'
|
|
owner: root
|
|
group: named
|
|
validate: named-checkconf %s
|
|
notify: restart named
|
|
|
|
# TODO: What about other OS/init setups?
|
|
- name: ensure named environment variables are set
|
|
template:
|
|
src=named.sysconfig.j2
|
|
dest=/etc/sysconfig/named
|
|
mode=0644
|
|
when: ansible_os_family == 'RedHat'
|
|
notify: restart named
|
|
|
|
- name: ensure named starts at boot
|
|
service:
|
|
name=named
|
|
enabled=yes
|
|
- meta: flush_handlers
|
|
- name: ensure named is running
|
|
service:
|
|
name=named
|
|
state=started
|
|
|
|
- name: ensure firewall is configured for dns
|
|
firewalld:
|
|
service=dns
|
|
state=enabled
|
|
permanent=no
|
|
immediate=yes
|
|
notify: save firewalld configuration
|
|
when: host_uses_firealld|d(true)|bool
|
|
tags:
|
|
- firewalld
|