From cc7f0789a8d14e2d546b7907d6388aa9468687f5 Mon Sep 17 00:00:00 2001
From: Niclas Thobaben
Date: Mon, 27 Dec 2021 20:58:01 +0100
Subject: [PATCH] initial implementation
---
 README.md | 6 ++++--
 defaults/main.yml | 4 ++--
 tasks/01-dependencies.yml | 31 +++++++++++++++++++++++++++++-
 tasks/02-backup.yml | 36 +++++++++++++++++++++++++++++++++++
 tasks/03-configure.yml | 19 ++++++++++++++++++
 tasks/04-test-changes.yml | 10 ++++++++++
 tasks/05-rollback.yml | 28 +++++++++++++++++++++++++++
 tasks/main.yml | 21 ++++++++++++++++++--
 templates/named.conf.local.j2 | 20 +++++++++++++++++++
 templates/zone.j2 | 12 ++++++++++++
 10 files changed, 180 insertions(+), 7 deletions(-)
 create mode 100644 tasks/02-backup.yml
 create mode 100644 tasks/03-configure.yml
 create mode 100644 tasks/04-test-changes.yml
 create mode 100644 tasks/05-rollback.yml
 create mode 100644 templates/named.conf.local.j2
 create mode 100644 templates/zone.j2
diff --git a/README.md b/README.md
index aa228cd..dd1e952 100644
--- a/README.md
+++ b/README.md
@@ -4,11 +4,13 @@ Bind9 - Ansible ROle
 Configure [bind9](https://www.isc.org/bind/) DNS-server with this ansible role.
-
 Role Variables
 --------------
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+|name|type|default|description|
+|---|---|---|---|
+|bind9_zone_dir|path|/srv/dns|Directory to store zone files|
+|bind9_zones|[object]|[]|Definition of zones|
 Dependencies
 ------------
diff --git a/defaults/main.yml b/defaults/main.yml
index 01b2aed..26119ed 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,2 @@
----
-# defaults file for bind9
+bind9_zone_dir: /srv/dns
+bind9_zones: []
\ No newline at end of file
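Review bot: The rewritten defaults/main.yml drops the `---` document-start marker the old file had and ends without a trailing newline, both of which yamllint reports; keep `---` as the first line and terminate the file with a newline. The README table introduced in the same commit documents only these two variables, while the templates also read `type` and `soa` from every entry of `bind9_zones`; a comment above `bind9_zones: []` listing the keys each zone object must carry (name, type, soa, records) would let callers fill it in without reading the templates.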
diff --git a/tasks/01-dependencies.yml b/tasks/01-dependencies.yml
index 69637fd..d280468 100644
--- a/tasks/01-dependencies.yml
+++ b/tasks/01-dependencies.yml
@@ -1 +1,30 @@
-# Install all required dependencies
\ No newline at end of file
+# Install all required dependencies
+
+- name: Update apt cache on debian based distros
+ become: true
+ apt:
+ update_cache: true
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+- name: Ensure required dependencies are installed
+ become: true
+ package:
+ name:
+ - bind9
+ - dnsutils
+ state: present
+
+- name: Ensure unneeded packages are not installed
+ become: true
+ package:
+ name:
+ - apparmor
+ state: absent
+
+- name: Update / Upgrade apt packages
+ become: true
+ apt:
+ upgrade: true
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+
diff --git a/tasks/02-backup.yml b/tasks/02-backup.yml
new file mode 100644
index 0000000..7823c12
--- /dev/null
+++ b/tasks/02-backup.yml
@@ -0,0 +1,36 @@
+# Backup bind9 config and zone files for potential rollback
+
+- name: Ensure dir {{bind9_zone_dir}} exists
+ file:
+ path: /srv/dns
+ owner: bind
+ group: bind
+ mode: u+rwx
+ state: directory
+ register: dns_dir_result
+
+- set_fact:
+ bind9_initial_setup: "{{dns_dir_result.changed}}"
+
+- name: List all existing zone files
+ shell: "find {{ bind9_zone_dir }} -type f -exec basename {} \\;"
+ changed_when: false
+ register: existing_zones_result
+
+
+- debug: "msg={{bind9_initial_setup}}"
+- debug: "msg={{existing_zones_result.stdout_lines}}"
+
+- name: Backup /etc/bind/named.conf.local
+ become: true
+ copy:
+ remote_src: true
+ src: /etc/bind/named.conf.local
+ dest: /etc/bind/named.conf.local.bak
+ when: not bind9_initial_setup
+
+
+- name: Backup existing zone files
+ shell: "mv {{bind9_zone_dir}}/{{item}} {{bind9_zone_dir}}/{{item}}.bak"
+ with_items: result.stdout_lines
+ when: not bind9_initial_setup
\ No newline at end of file
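Review bot: The `Ensure unneeded packages are not installed` task uninstalls `apparmor` system-wide, which removes mandatory access control for every confined service on the host rather than only for named. On Debian-derived systems bind9 ships with an AppArmor profile, so the likely motivation is that the profile denies access to the non-default `bind9_zone_dir`; the narrower fix is to keep apparmor and extend the named profile for `{{ bind9_zone_dir }}` through the distribution's local override file, which preserves the confinement that limits what a compromised named can reach. The `Update / Upgrade apt packages` task performs a full package upgrade on every run, which is outside the role's stated scope and makes runs non-idempotent; if it is wanted at all it belongs behind an opt-in variable. Both `when` clauses could be `when: ansible_os_family == 'Debian'`, which also covers derivatives the two-distribution check misses.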
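Review bot: `with_items: result.stdout_lines` in the `Backup existing zone files` task names a variable that is never registered — the listing task registers `existing_zones_result` — and the value is not wrapped in `{{ }}`, so the loop does not iterate over the found files; change it to `with_items: "{{ existing_zones_result.stdout_lines }}"`. The `Ensure dir ... exists` task hard-codes `path: /srv/dns` although its name and the listing use `bind9_zone_dir`, so overriding the variable leaves the backup looking at a different directory; use `path: "{{ bind9_zone_dir }}"`, and add the `become: true` the other file-touching tasks carry. Deriving `bind9_initial_setup` from that task's `changed` means any later ownership or mode drift on the directory is treated as a fresh install and silently skips both backups, leaving the rescue in tasks/main.yml nothing to restore; a `stat` of the existing named.conf.local is a more reliable signal. The listing does not exclude earlier `.bak` files, so a second run renames them to `.bak.bak`; add `-not -name '*.bak'` to the `find`, and the two `debug` tasks look like leftover development output.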
diff --git a/tasks/03-configure.yml b/tasks/03-configure.yml
new file mode 100644
index 0000000..a175445
--- /dev/null
+++ b/tasks/03-configure.yml
@@ -0,0 +1,19 @@
+# Configure bind9
+
+- name: Create named.conf.local
+ become: true
+ template:
+ src: named.conf.local.j2
+ dest: /etc/bind/named.conf.local
+ owner: bind
+ group: bind
+ mode: 0644
+
+- name: Generate DNS zones
+ template:
+ src: zone.j2
+ dest: "/srv/dns/{{item.name}}.zone"
+ owner: bind
+ group: bind
+ mode: 0644
+ with_items: "{{bind9_zones | default([])}}"
\ No newline at end of file
diff --git a/tasks/04-test-changes.yml b/tasks/04-test-changes.yml
new file mode 100644
index 0000000..89938ce
--- /dev/null
+++ b/tasks/04-test-changes.yml
@@ -0,0 +1,10 @@
+# Test if all defined zones are locally available and do a rollback if not
+
+- name: "Test zone {{zone.name}}"
+ shell: "dig {{item.type | default('CNAME')}} {{ item.name | default('') + (item.name is defined | ternary('.', '')) + zone.name}} @localhost +short | grep -w '{{item.rdata | default('www')}}' -c"
+ register: dig_result
+ changed_when: dig_result.rc != 0
+ failed_when: dig_result.rc != 0
+ with_items: "{{zone.records}}"
+
+- debug: "msg={{dig_result.results | selectattr('rc')}}"
\ No newline at end of file
diff --git a/tasks/05-rollback.yml b/tasks/05-rollback.yml
new file mode 100644
index 0000000..0e2a62f
--- /dev/null
+++ b/tasks/05-rollback.yml
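Review bot: `dest: "/srv/dns/{{item.name}}.zone"` in `Generate DNS zones` hard-codes the zone directory while templates/named.conf.local.j2 points named at `{{bind9_zone_dir}}/{{zone.name}}.zone`, so any override of `bind9_zone_dir` leaves named referencing files that were never written; use `dest: "{{ bind9_zone_dir }}/{{ item.name }}.zone"`. This task also lacks the `become: true` that `Create named.conf.local` directly above has, although it writes into a bind-owned directory. Because `item.name` is interpolated into a filesystem path here and into a quoted named.conf statement in the template, an `assert` that every name matches a hostname pattern (letters, digits, `-` and `.`) before templating would stop a malformed inventory entry from producing a path outside the zone directory or a broken config. The unquoted `0644` modes are parsed as YAML integers; quoting them as `"0644"` avoids the octal-handling differences between YAML 1.1 and 1.2 parsers.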
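Review bot: The `dig` command reads `item.type`, `item.name` and `item.rdata` from each entry of `zone.records`, but templates/zone.j2 writes each record with a bare `{{record}}`, which only works if records are plain strings; with strings every attribute lookup falls through to its `default`, so each test degenerates to `dig CNAME <zone> @localhost +short | grep -w 'www' -c` and says nothing about the records actually served. The two files need to agree on one record schema — either structured records rendered field by field in zone.j2, or strings parsed here. The task's `failed_when` is what feeds the `rescue` in tasks/main.yml, which is not obvious from this file; a comment such as `# A zero grep count fails this task and triggers the rollback in main.yml` above the task would make that contract visible. The trailing `debug` looks like development output.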
@@ -0,0 +1,28 @@
+# Rollback changes on error
+
+- name: Rollback /etc/named.conf.local
+ copy:
+ remote_src: true
+ src: /etc/bind/named.conf.local.bak
+ dest: /ect/bind/named.conf.local
+ owner: bind
+ group: bind
+ mode: 0644
+
+- name: Delete /etc/named.conf.local.bak
+ file:
+ path: /etc/named.conf.local.bak
+ state: absent
+
+- name: Delete all changed zone files
+ shell: "rm $(find {{bind9_zone_dir}} -not -name '*.bak' -type f)"
+ changed_when: false
+
+- name: List all backed up zone files
+ shell: "find {{bind9_zone_dir}} -name '*.bak' -type f -exec basename {} \\;"
+ changed_when: false
+ register: backup_zones_result
+
+- name: Restore backed up zone files
+ shell: "mv {{bind9_zone_dir}}/{{item}}.bak {{bind9_zone_dir}}/{{item}}"
+ with_items: backup_zones_result.stdout_lines
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index 7677152..dd74f5d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,2 +1,19 @@
----
-# tasks file for bind9
+- import_tasks: 01-dependencies.yml
+- import_tasks: 02-backup.yml
+- import_tasks: 03-configure.yml
+
+- block:
+ - name: Reload rndc
+ shell: rndc freeze && rndc reload && rndc thaw
+
+ - include_tasks: 04-test-changes.yml
+ with_items: "{{bind9_zones}}"
+ loop_control:
+ loop_var: zone
+
+ rescue:
+ - import_tasks: 05-rollback.yml
+ when: not bind9_initial_setup
+
+ - name: Reload rndc
+ shell: rndc freeze && rndc reload && rndc thaw
\ No newline at end of file
diff --git a/templates/named.conf.local.j2 b/templates/named.conf.local.j2
new file mode 100644
index 0000000..3b85f09
--- /dev/null
+++ b/templates/named.conf.local.j2
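Review bot: `dest: /ect/bind/named.conf.local` in `Rollback /etc/named.conf.local` is a typo for `/etc/bind/named.conf.local`, so the first rescue task fails and none of the later ones run — the rollback path is never exercised. The delete task then removes `path: /etc/named.conf.local.bak`, which is not where tasks/02-backup.yml wrote the backup (`/etc/bind/named.conf.local.bak`), and the restore loop appends `.bak` to an `{{item}}` that already ends in `.bak` because the listing used a bare `basename {}`; use `-exec basename {} .bak \\;` so the suffix is stripped exactly once. `with_items: backup_zones_result.stdout_lines` is not templated (`"{{ backup_zones_result.stdout_lines }}"`), and none of these tasks carry `become: true` although they modify root-owned files under /etc/bind. `rm $(find ...)` breaks on any file name containing whitespace and runs a shell for what `find ... -delete` or the `file` module does directly.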
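Review bot: The `Reload rndc` tasks push the new named.conf.local and zone files into the running server without validating them first, so a syntax error is only discovered by the reload failing; running `named-checkconf -z` (which also loads every configured zone) before the first `rndc` call catches a bad config while the old one is still live and makes the `rescue` the exception rather than the normal path. Both `rndc` tasks, like the included test and rollback tasks, run without `become: true`, yet `rndc` needs the control key under /etc/bind, which is not world-readable on Debian-derived systems; the dependency and configure tasks in this same commit do use `become`. `rndc freeze`/`thaw` apply to dynamic zones, so for the static zones this role generates they presumably add nothing and a plain `rndc reload` is intended — ideally as a handler notified by the template tasks so the reload happens only when something changed. The reload at the end of `rescue` has no `when`, so when `bind9_initial_setup` is true and the rollback is skipped, the server is asked to reload the same config that just failed its test.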
@@ -0,0 +1,20 @@
+//========================================================================================================
+//
+// DO NOT TOUCH!
+//
+// This file is managed by Ansible.
+// {{ansible_managed}}
+//
+//========================================================================================================
+//
+// Do any local configuration here
+//
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+{% for zone in dns_zones %}
+zone "{{zone.name}}" IN {
+ type {{zone.type}};
+ file "{{bind9_zone_dir}}/{{zone.name}}.zone";
+};
+{% endfor %}
\ No newline at end of file
diff --git a/templates/zone.j2 b/templates/zone.j2
new file mode 100644
index 0000000..94b2362
--- /dev/null
+++ b/templates/zone.j2
@@ -0,0 +1,12 @@
+;========================================================================================================
+;
+; DO NOT TOUCH!
+;
+; This file is managed by Ansible.
+; {{ansible_managed}}
+;
+;========================================================================================================
+@ IN SOA {{item.soa}} . ({{ansible_date_time.epoch}} 3600 900 604800 240)
+{% for record in item.records %}
+{{record}}
+{% endfor%}
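Review bot: `{% for zone in dns_zones %}` iterates a variable this role never defines; defaults/main.yml, the README and tasks/03-configure.yml all call it `bind9_zones`, so templating fails with an undefined-variable error (or renders no zones at all if a `dns_zones` happens to exist elsewhere in the inventory). Change it to `{% for zone in bind9_zones %}`. `type {{zone.type}};` has no default and is not in the README table, and `zone.name` is written unescaped inside a quoted named.conf statement and a file path, so validating names in the task that renders this template is what keeps a malformed inventory entry from breaking the config. The header marks the file as Ansible-managed and says DO NOT TOUCH, yet the retained distribution text still tells the operator to "do any local configuration here" and to uncomment the rfc1918 include in this file; those lines should either be removed or reworded to say the change belongs in the template.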
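Review bot: The SOA line `@ IN SOA {{item.soa}} . (...)` has a space before the lone `.`, so unless `item.soa` already carries both MNAME and RNAME the record has the wrong token count and the zone does not load; the intended form is presumably `{{ item.soa }}` followed by the responsible-mailbox name, and the README does not document what `soa` must contain. The template writes no `$TTL` directive and no apex NS record of its own, so a zone loads only when `item.records` supplies the NS entry; a `named-checkzone` run in the test stage would make such problems explicit before the reload. Using `ansible_date_time.epoch` as the serial rewrites every zone file on every run, so the template task is never idempotent and the serial advances even when no record changed; a serial derived from the record content, or one held in a variable and bumped deliberately, avoids that. `{% endfor%}` is missing the space before `%}`, which Jinja tolerates but which reads as a mistake.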