From 547928426b058d433db1b689ea972433ec7488ee Mon Sep 17 00:00:00 2001
From: mathieui
Date: Mon, 4 Jan 2021 22:34:08 +0100
Subject: [PATCH] Add my changes

---
 README.md | 13 ++++++-
 handlers/main.yml | 5 ++-
 tasks/main.yml | 86 ++++++++++++++++++++++++++++++++++++++-------
 templates/config.j2 | 7 ++++
 4 files changed, 96 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 6d091ad..21331d2 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,15 @@
-# Ansible role for NSD
+# This is a modified version of "Ansible role for NSD"
+
+Original source: https://github.com/zorun/ansible-role-nsd/
+
+I have made several changes to fit my usecase (essentially remote control and dnssec specificities, as well as some cosmetic changes).
+
+Changes: added two new dictionaries:
+
+* **nsd_remote_control** for remote controllong options in the config file
+* **nsd_zone_subdirs** to transfer whole subdirectories (I expect each one to contain a source.sh script which signs dnssec, installed as a cron)
+
+----
 
 This Ansible role installs and configure NSD, an authoritative DNS server.
 It also allows to publish DNS zones into NSD.
diff --git a/handlers/main.yml b/handlers/main.yml
index b74d069..871a73e 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -12,7 +12,10 @@
   command: "{{ nsd_control_program }} reload"
 
 - name: restart nsd
-  service: name={{ nsd_service_name }} state=restarted
+  systemd:
+    name: "{{ nsd_service_name }}"
+    enabled: yes
+    state: restarted
 
 - name: notify slaves
   command: "{{ nsd_control_program }} notify"
diff --git a/tasks/main.yml b/tasks/main.yml
index 2ed22a7..69cf2d3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
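Review bot: `enabled: yes` in the rewritten `restart nsd` handler is a YAML 1.1 truthy spelling; write it as `enabled: true` so it reads identically under any loader and passes yamllint's truthy rule. The handler now also enables the unit at boot, which is a side effect a handler named `restart nsd` does not advertise and which the original `service:` form did not have. If that is intended, a comment above the task such as `# enabling here so a reboot brings nsd back up` makes the behaviour explicit for the next reader.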
@@ -1,33 +1,93 @@
 ---
-- name: Install nsd
-  apt: pkg={{ nsd_pkg_name }} state=present
-
+- name: Ensure resolved stays down
+  systemd:
+    enabled: false
+    state: stopped
+    masked: yes
+    name: systemd-resolved
 
 - name: Create primary zone directory
-  file: path="{{ nsd_primary_zones_dir }}" state=directory owner=root group=root mode=0755
+  file:
+    path: "{{ nsd_primary_zones_dir }}"
+    state: directory
+    owner: nsd
+    group: nsd
+    mode: 0711
+
+- name: Create control dir
+  file:
+    path: /etc/nsd/control
+    state: directory
+    owner: nsd
+    group: nsd
+    mode: 0700
+
+- name: Create subdirectories
+  file:
+    path: "{{ nsd_primary_zones_dir }}/{{ item }}"
+    state: directory
+    owner: nsd
+    group: nsd
+    mode: 0700
+  when: nsd_zone_subdirs is defined
+  loop: "{{ nsd_zone_subdirs }}"
 
 - name: Create secondary zone directory
-  file: path="{{ nsd_secondary_zones_dir }}" state=directory owner=nsd group=nsd mode=0755
-
+  file:
+    path: "{{ nsd_secondary_zones_dir }}"
+    state: directory
+    owner: nsd
+    group: nsd
+    mode: 0755
 
 - name: Configure nsd zones
-  template: src=zones_config.j2 dest="{{ nsd_zones_config_file }}" owner=root group=root mode=0644 validate='nsd-checkconf %s'
-  notify:
-    - rebuild nsd database
-    - reload nsd database
-    - restart nsd
+  template:
+    src: zones_config.j2
+    dest: "{{ nsd_zones_config_file }}"
+    owner: nsd
+    group: nsd
+    mode: 0600
+    validate: 'nsd-checkconf %s'
 
 - name: Create base nsd configuration file
-  template: src=config.j2 dest="{{ nsd_config_dir }}/nsd.conf" owner=root group=root mode=0644 validate='nsd-checkconf %s'
+  template:
+    src: config.j2
+    dest: "{{ nsd_config_dir }}/nsd.conf"
+    owner: nsd
+    group: nsd
+    mode: 0644
+    validate: 'nsd-checkconf %s'
   notify:
     - restart nsd
 
+- name: Copy content of subdirs
+  copy:
+    src: '{{ playbook_dir }}/files/nsd/{{ item }}'
+    dest: "{{ nsd_primary_zones_dir }}"
+    owner: nsd
+    group: nsd
+    mode: 0600
+    directory_mode: 0711
+  when: nsd_zone_subdirs is defined
+  loop: "{{ nsd_zone_subdirs }}"
+
 - name: Copy content of primary zones
-  copy: src="files/nsd/{{ item.zone_filename }}" dest="{{ nsd_primary_zones_dir }}/{{ item.zone_filename }}" owner=root group=root mode=0644
+  copy:
+    src: "{{ playbook_dir }}/files/nsd/{{ item.zone_filename }}"
+    dest: "{{ nsd_primary_zones_dir }}/{{ item.zone_filename }}"
+    owner: root
+    group: root
+    mode: 0644
   with_items: "{{ nsd_primary_zones }}"
   notify:
     - rebuild nsd database
     - reload nsd database
     - notify slaves
+
+- name: Add dnssec renewal crons
+  cron:
+    special_time: monthly
+    user: nsd
+    job: "bash {{ nsd_primary_zones_dir }}/{{ item }}/source.sh"
+  loop: "{{ nsd_zone_subdirs }}"
diff --git a/templates/config.j2 b/templates/config.j2
index e549ff2..296ae41 100644
--- a/templates/config.j2
+++ b/templates/config.j2
@@ -20,6 +20,13 @@ server:
 {%- endfor %}
 {% endif %}
 
+{% if nsd_remote_control is defined %}
+remote-control:
+{% for key, value in nsd_remote_control.items() -%}
+{{ expand_list(key, value) }}
+{%- endfor %}
+{% endif %}
+
 {% if nsd_local_server_config is defined %}
 # Local configuration
 {% for key, value in nsd_local_server_config.items() -%}
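Review bot: The new `Add dnssec renewal crons` task at the end of the hunk loops over `nsd_zone_subdirs` without the `when: nsd_zone_subdirs is defined` guard that `Create subdirectories` and `Copy content of subdirs` carry, so a play that does not set the variable fails on an undefined loop; add `when: nsd_zone_subdirs is defined` to that task. `Configure nsd zones` also lost its `notify:` list (rebuild, reload, restart), so a changed zones config is validated by nsd-checkconf but never applied until something else restarts nsd; restore the notify or state in a comment why the handlers are no longer wanted. The unconditional `Ensure resolved stays down` task masks systemd-resolved on every host the role touches, which is a host-wide change outside the role's stated scope; gating it behind a variable (defaulting to off) would keep the role safe to apply to hosts that still need the stub resolver. Finally, `masked: yes` is a YAML 1.1 truthy spelling; `masked: true` matches the `enabled: false` two lines above it.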
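Review bot: The new `remote-control:` block renders every key of `nsd_remote_control` verbatim, and the only check on the result is the `validate: 'nsd-checkconf %s'` step in tasks/main.yml, which catches syntax errors but not a control interface that is reachable beyond loopback. The README bullet for `nsd_remote_control` should therefore say that values are passed through unchecked and that `control-interface` is expected to stay on localhost unless the control key/certificate options are also supplied. `expand_list` is presumably a macro defined earlier in this template; its definition is outside the hunk, so I cannot confirm it handles list-valued options the way `remote-control` settings need.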