dns/entries: Rewrite role to use nsupdate module instead of custom makefile construct

4 years ago · 02b501f4a5
parent 2b0345be62
commit 02b501f4a5
7 changed files with 19 additions and 59 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -37,7 +37,6 @@ global_credentials_directory: "credentials"
 global_public_key_directory: "public_keys"

 global_dns_list_directory: "{{ global_public_key_directory }}/dns"
-global_dns_changes_directory: "{{ global_configuration_environment_directory }}/dns_changes"
 global_dns_session_key_name: "local-ddns"
 global_dns_session_key_path: "/var/run/named/session.key"
 global_dns_session_key_algorithm: "hmac-sha512"
--- a/roles/dns/application/tasks/main.yml
+++ b/roles/dns/application/tasks/main.yml
@ -38,24 +38,6 @@
    mode: "u=rw,g=r,o=r"
  notify: reload bind9

- name: Create directory for dynamic DNS changes
-  file:
-    path: "{{ global_dns_changes_directory }}"
-    state: directory
-    owner: root
-    group: root
-    mode: u=rwx,g=r,o=
-  tags: dns_debug
-
- name: Store makefile for dynamic DNS changes
-  template:
-    src: nsupdate.makefile
-    dest: "{{ global_dns_changes_directory }}/makefile"
-    owner: root
-    group: root
-    mode: u=rw,g=r,o=
-  tags: dns_debug
-
 - name: Enable bind9 service
  systemd:
    name: "{{ global_bind_service_name }}"
--- a/roles/dns/application/templates/nsupdate.makefile
+++ b/roles/dns/application/templates/nsupdate.makefile
@ -1,8 +0,0 @@
-#targets := $(addsuffix ~DONE,$(wildcard *~update))
-#
-#.PHONY: all
-#all: $(targets)
-
-%~update~DONE: %~update
-	nsupdate -l "$<"
-	touch "$@"
--- a/roles/dns/entries/defaults/main.yml
+++ b/roles/dns/entries/defaults/main.yml
@ -4,12 +4,6 @@
 dns_zone_domain: "{{ lookup('pipe', global_public_key_directory|quote + '/dns_zone.py ' + domain|quote) }}" # domain of dns zone
 dns_system_domain: "{{ lookup('file', global_dns_list_directory + '/' + dns_zone_domain) }}" # domain of dns authority server

-entries_name_prefix: "server"
-entries_name: "{{ entries_name_prefix }}:{{ effective_domain }}" # Name for zone part file
-entries_file: "{{ global_dns_changes_directory }}/{{ entries_name }}~update"
-
 ttl_default: "{{ global_dns_ttl }}" # TTL for all entries where none was given

-# entries (example: [{domain: "example.com.", ttl: 86400, class: "IN", type: "A", data: "0.0.0.0"},"example.com. IN AAAA ::",…], type/data or raw required)
-entries_delete: yes # delete similar records as given before
-entries_delete_all_types: no # For all given domains delete all records, not just of the types set
+# entries (example: [{domain: "example.com.", ttl: 86400, class: "IN", type: "A", data: "0.0.0.0"},"example.com. IN AAAA ::",…], type/data or raw required, class will be ignored)
--- a/roles/dns/entries/tasks/main.yml
+++ b/roles/dns/entries/tasks/main.yml
@ -1,32 +1,27 @@
 ---

- name: Store changes in dns entries on the remote
-  copy:
-    content: |
-      #jinja2:trim_blocks: False
-      zone {{ dns_zone_domain }}.
-      ttl {{ ttl_default }}
-      {%- if entries_delete %}{% for entry in entries %}{% if entry|mapping %}
-      update delete {{ entry.domain | default('@') | domain_relative_to(domain) }} 0 {{ entry.class | default('IN') }}{% if not entries_delete_all_types %} {{ entry.type }}{% endif %}
-      {%- endif %}{% endfor %}{% endif %}
-      {% for entry in entries %}{% if entry|mapping -%}
-      update add {{ entry.domain | default('@') | domain_relative_to(domain) }} {{ entry.ttl | default(ttl_default) }} {{ entry.class | default('IN') }} {{ entry.type }} {{ entry.data }}
-      {% else -%}
-      {% if not entry|regex_search('^(update )?(add|del(ete)?) ') %}update add {% endif %}{{ entry }}
-      {% endif %}{% endfor %}
-      send
-    dest: "{{ entries_file }}"
-    owner: "{{ global_local_user }}"
-    group: "{{ global_local_user }}"
-    mode: u=rw,g=r,o=r
+- name: Gain TSIG key to apply DNS record changes
+  tsig_interpreter:
+    path: "{{ global_dns_session_key_path }}"
+  register: tsig_key
  delegate_to: "{{ dns_system_domain }}"
  tags:
    - dns_entries

- name: Update dns entries at dns host
-  make:
-    chdir: "{{ global_dns_changes_directory }}"
-    target: "{{ entries_file | basename }}~DONE"
+- name: Apply changes in DNS records
+  nsupdate:
+    server: "127.0.0.1" # delegated to correct system
+    key_algorithm: "{{ tsig_key.key_algorithm }}"
+    key_name: "{{ tsig_key.key_name }}"
+    key_secret: "{{ tsig_key.key_secret }}"
+    zone: "{{ dns_zone_domain }}"
+    record: "{{ item.domain | default('@') | domain_relative_to(effective_domain) }}."
+    ttl: "{{ item.ttl | default(ttl_default) }}"
+    type: "{{ item.type }}"
+    value: "{{ item.data }}"
+  loop: "{{ entries | dns_entries_interpreter }}"
+  loop_control:
+    label: "{{ item.domain | default('@') | domain_relative_to(effective_domain) }}. {{ item.type }}"
  delegate_to: "{{ dns_system_domain }}"
  tags:
    - dns_entries
--- a/roles/dns/master/tasks/main.yml
+++ b/roles/dns/master/tasks/main.yml
@ -70,6 +70,5 @@
  import_role:
    name: dns/entries
  vars:
-    entries_name_prefix: initial
    # domain
    # entries
--- a/roles/dns/server_entries/defaults/main.yml
+++ b/roles/dns/server_entries/defaults/main.yml
@ -5,7 +5,6 @@ service_system_domain: "{{ inventory_hostname }}" # domain of server running the

 entries: "{{ ip_entries + sshfp_entries + custom_entries }}"
 ip_entries:
-  - update delete {{ domain }}. IN SSHFP # delete all SSHFP records for this host before
  - domain: "{{ domain }}."
    type: "A"
    data: "{{ hostvars[service_system_domain].ansible_default_ipv4.address }}"