From f85d72f8ccbb74da7626fd2381878f7816d73e63 Mon Sep 17 00:00:00 2001
From: Oleg Broytman
Date: Mon, 29 Jul 2019 21:32:15 +0300
Subject: [PATCH] Feat: Add role `named` to setup `BIND 9`
---
 playbooks/debian/roles/named/README.txt | 1 +
 .../roles/named/files/named.conf.options | 31 ++++++++++++++++
 playbooks/debian/roles/named/meta/main.yml | 1 +
 playbooks/debian/roles/named/tasks/main.yml | 37 +++++++++++++++++++
 4 files changed, 70 insertions(+)
 create mode 100644 playbooks/debian/roles/named/README.txt
 create mode 100644 playbooks/debian/roles/named/files/named.conf.options
 create mode 100644 playbooks/debian/roles/named/meta/main.yml
 create mode 100644 playbooks/debian/roles/named/tasks/main.yml
diff --git a/playbooks/debian/roles/named/README.txt b/playbooks/debian/roles/named/README.txt
new file mode 100644
index 0000000..8d35045
--- /dev/null
+++ b/playbooks/debian/roles/named/README.txt
@@ -0,0 +1 @@
+Setup named (BIND 9).
diff --git a/playbooks/debian/roles/named/files/named.conf.options b/playbooks/debian/roles/named/files/named.conf.options
new file mode 100644
index 0000000..6940926
--- /dev/null
+++ b/playbooks/debian/roles/named/files/named.conf.options
@@ -0,0 +1,31 @@
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ // dnssec-validation auto;
+ dnssec-enable no;
+ dnssec-validation no;
+
+ auth-nxdomain no; # conform to RFC1035
+ // listen-on-v6 { any; };
+
+ // allow-transfer { trusted; };
+ allow-query { localhost; 192.168.0.0/16; 10.0.0.0/8; };
+ allow-recursion { localhost; 192.168.0.0/16; 10.0.0.0/8; };
+};
diff --git a/playbooks/debian/roles/named/meta/main.yml b/playbooks/debian/roles/named/meta/main.yml
new file mode 100644
index 0000000..d2e2f89
--- /dev/null
+++ b/playbooks/debian/roles/named/meta/main.yml
@@ -0,0 +1 @@
+dependencies: ['init-system', 'firewall', 'logcheck']
diff --git a/playbooks/debian/roles/named/tasks/main.yml b/playbooks/debian/roles/named/tasks/main.yml
new file mode 100644
index 0000000..ded1b35
--- /dev/null
+++ b/playbooks/debian/roles/named/tasks/main.yml
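Review bot: The two lines `dnssec-enable no;` and `dnssec-validation no;` turn off DNSSEC validation on a resolver that this same file opens for recursion to `192.168.0.0/16` and `10.0.0.0/8`, so clients on those networks receive unauthenticated answers and a poisoned cache goes undetected; the packaged default, which survives here only as the commented `// dnssec-validation auto;`, is the safer setting. Unless the role has a reason it cannot validate (a forwarder that strips DNSSEC records, for instance), keeping `dnssec-validation auto;` and dropping both `no` lines is preferable, and if validation must stay off a comment stating why belongs directly above them. `dnssec-enable` is also deprecated in recent BIND 9 releases and, if I recall correctly, obsolete in 9.18, so on newer Debian releases it will at least produce a startup warning.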
@@ -0,0 +1,37 @@
+- name: Check locales
+ shell: "grep -c '^[ \\t]\\+allow-query' /etc/bind/named.conf.options || :"
+ register: named_conf
+ changed_when: named_conf.stdout == "0"
+
+- debug:
+ msg: "BIND has already been configured"
+ when: named_conf.stdout != "0"
+
+- name: Install BIND
+ become: true
+ apt:
+ autoclean: yes
+ autoremove: yes
+ install_recommends: no
+ name: bind9
+ purge: yes
+ state: latest
+ update_cache: yes
+ when: named_conf.stdout == "0"
+
+- name: Configure BIND
+ become: true
+ copy:
+ src: named.conf.options
+ dest: /etc/bind/named.conf.options
+ owner: bind
+ group: bind
+ mode: '0600'
+ when: named_conf.stdout == "0"
+
+- name: Reload BIND
+ become: true
+ service:
+ name: bind9
+ state: reloaded
+ when: named_conf.stdout == "0"
-- 
2.39.2
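Review bot: The guard in the first task breaks the role on a host where BIND is not installed yet: when `/etc/bind/named.conf.options` does not exist, `grep -c` writes nothing to stdout and `|| :` only masks the exit code, so `named_conf.stdout` is empty rather than `"0"`, every `when: named_conf.stdout == "0"` is false, and the install, configure and reload tasks are all skipped while the debug task reports that BIND has already been configured. Feeding grep from stdin keeps the count at "0" for a missing file, `shell: "cat /etc/bind/named.conf.options 2>/dev/null | grep -c '^[ \\t]\\+allow-query' || :"`; the more idiomatic fix is to drop the guard altogether, since `apt` and `copy` are idempotent on their own, and trigger the reload from a handler via `notify`. The copy task also makes the daemon's own account the owner of its configuration (`owner: bind`, `mode: '0600'`), which lets a compromised named rewrite its own config; `owner: root`, `group: bind`, `mode: '0640'` keeps the file readable but not writable by the service. The task name `Check locales` does not describe what the task does; `name: Check whether BIND is already configured` would.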