NSD: first playbook, still rough around the edges (no TSIG support)

2016-03-26 17:54:31 +01:00 · 2016-03-26 17:54:31 +01:00 · adc9f0b18e
commit adc9f0b18e
6 changed files with 152 additions and 0 deletions
--- a/32
+++ b/32
@ -0,0 +1,32 @@
+NSD role
+
+It is assumed that all machines host the exact same zones in the same way
+(i.e. for each zone, they are either all masters, or all slaves).
+This greatly simplifies configuration, and there is generally no need
+to have masters and slaves for the same zone handled by Ansible, since
+Ansible can just push the zone to all machines (so, they can all be masters).
+
+There are cases where having multiple masters whose zone is pushed by Ansible
+is not desirable:
+
+- dynamic DNS records (which isn't supported by NSD anyway)
+- DNSSEC (you could always generate DNSSEC signatures in ansible, but it's awkward)
+
+
+You can put key-value pairs in group_vars, under the key "nsd_common_config",
+they will be used for the NSD configuration on all hosts.
+A few common configuration entries are in the playbook itself, because they are
+needed to properly create relevant directories.
+
+Some machine-specific configuration is also possible, e.g. for the bind IP.
+Put key-value pairs in host_vars, under the key "nsd_local_config".
+
+If you want to pass multiple values for a key (e.g. ip-address), just use
+a list as value, it will automatically be expanded.
+
+
+The playbook is currently only tested with Debian wheezy.
+
+When a master zone is updated, the slaves are notified.  Obviously, the slaves
+need to be configured to accept notification from at least one master and pull
+zones accordingly.
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,7 @@
+---
+
+- name: restart nsd3
+  service: name=nsd3 state=restarted
+
+- name: rebuild nsd3 database
+  command: /usr/sbin/nsdc rebuild
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,65 @@
+---
+
+- name: Install nsd3
+  apt: pkg=nsd3 state=present
+
+- name: Configure nsd3
+  template: src=config.j2 dest={{ nsd_config_dir }}/nsd.conf owner=root group=root mode=0644
+  notify:
+    - restart nsd3
+
+
+- name: Create zone configuration directory
+  file: path={{ zones_config_dir }} state=directory owner=root group=root mode=0755
+
+- name: Create primary zone directory
+  file: path={{ primary_zones_dir }} state=directory owner=root group=root mode=0755
+
+- name: Create secondary zone directory
+  file: path={{ secondary_zones_dir }} state=directory owner=nsd group=nsd mode=0755
+
+
+# Unfortunately, nsd doesn't allow to say "include all files in this directory".
+# The following implements the inclusion logic: the main config file includes
+# a secondary file, in which we add include statements for each zone.
+- name: Wipe include file
+  copy: dest={{ zones_include_file }} content="# Generated automatically by Ansible, do not edit by hand.\n"
+
+- name: Configure primary nsd3 zones
+  template: src=primary_zone_config.j2 dest="{{ zones_config_dir }}/{{ item.zone_name }}.primary.conf" owner=root group=root mode=0644
+  notify:
+    - restart nsd3
+  with_items: "{{ nsd_primary_zones }}"
+
+- name: Add include lines for primary zones to the include file
+  lineinfile:
+    state: present
+    dest: "{{ zones_include_file }}"
+    regexp: "^include: {{ zones_config_dir }}/{{ item.zone_name }}.primary.conf"
+    line: "include: {{ zones_config_dir }}/{{ item.zone_name }}.primary.conf"
+  with_items: "{{ nsd_primary_zones }}"
+  notify:
+    - restart nsd3
+
+- name: Copy primary nsd3 zones
+  copy: src="files/nsd/{{ item.zone_filename }}" dest="{{ primary_zones_dir }}/{{ item.zone_filename }}" owner=root group=root mode=0644
+  with_items: "{{ nsd_primary_zones }}"
+  notify:
+    - rebuild nsd3 database
+
+
+- name: Configure secondary nsd3 zones
+  template: src=secondary_zone_config.j2 dest="{{ zones_config_dir }}/{{ item.zone_name }}.secondary.conf" owner=root group=root mode=0644
+  notify:
+    - restart nsd3
+  with_items: "{{ nsd_secondary_zones }}"
+
+- name: Add include lines for secondary zones to the include file
+  lineinfile:
+    state: present
+    dest: "{{ zones_include_file }}"
+    regexp: "^include: {{ zones_config_dir }}/{{ item.zone_name }}.secondary.conf"
+    line: "include: {{ zones_config_dir }}/{{ item.zone_name }}.secondary.conf"
+  with_items: "{{ nsd_secondary_zones }}"
+  notify:
+    - restart nsd3
--- a/templates/config.j2
+++ b/templates/config.j2
@ -0,0 +1,30 @@
+# NSD configuration, automatically generated by Ansible.
+# Do not edit by hand!
+
+server:
+  # Common configuration
+{% for key, value in nsd_common_config.iteritems() %}
+{% if value is string or value is number %}
+  {{ key }}: "{{ value }}"
+{% else %}
+{% for subvalue in value %}
+  {{ key }}: "{{ subvalue }}"
+{% endfor %}
+{% endif %}
+{% endfor %}
+
+  # Local configuration
+{% for key, value in nsd_local_config.iteritems() %}
+{% if value is string or value is number %}
+  {{ key }}: "{{ value }}"
+{% else %}
+{% for subvalue in value %}
+  {{ key }}: "{{ subvalue }}"
+{% endfor %}
+{% endif %}
+{% endfor %}
+
+
+# Include zone definitions
+include: "{{ zones_include_file }}"
+
--- a/templates/primary_zone_config.j2
+++ b/templates/primary_zone_config.j2
@ -0,0 +1,9 @@
+# Primary zone definition for {{ item.zone_name }}
+zone:
+  name: "{{ item.zone_name }}"
+  zonefile: "{{ primary_zones_dir }}/{{ item.zone_filename }}"
+{% for slave in item.slaves %}
+  notify: {{ slave.ip }} NOKEY
+  provide-xfr: {{ slave.ip }} NOKEY
+{% endfor %}
+
--- a/templates/secondary_zone_config.j2
+++ b/templates/secondary_zone_config.j2
@ -0,0 +1,9 @@
+# Secondary zone definition for {{ item.zone_name }}
+zone:
+  name: "{{ item.zone_name }}"
+  zonefile: "{{ secondary_zones_dir }}/{{ item.zone_name }}"
+{% for master in item.masters %}
+  allow-notify: {{ master.ip }} NOKEY
+  request-xfr: AXFR {{ master.ip }} NOKEY
+{% endfor %}
+