dns: Transfered master zones from makefile approach to dynamic updates approach

dehydrated
Felix Stupp 5 years ago
parent 0232319ccd
commit ae42f963a2
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7

@ -36,6 +36,7 @@ global_credentials_directory: "credentials"
global_public_key_directory: "public_keys" global_public_key_directory: "public_keys"
global_dns_list_directory: "{{ global_public_key_directory }}/dns" global_dns_list_directory: "{{ global_public_key_directory }}/dns"
global_dns_changes_directory: "{{ global_public_key_directory }}/dns_changes" # TODO merge with global_dns_list_directory
global_dns_session_key_name: "local-ddns" global_dns_session_key_name: "local-ddns"
global_dns_session_key_path: "/var/run/named/session.key" global_dns_session_key_path: "/var/run/named/session.key"
global_dns_session_key_algorithm: "hmac-sha512" global_dns_session_key_algorithm: "hmac-sha512"
@ -79,7 +80,7 @@ global_apt_sources_directory: "/etc/apt/sources.list.d"
global_bind_service_name: "named.service" global_bind_service_name: "named.service"
global_bind_configuration_directory: "/etc/bind" global_bind_configuration_directory: "/etc/bind"
global_dns_zones_environment_directory: "{{ global_configuration_environment_directory }}/dns-zones" global_bind_data_directory: "/var/lib/bind"
global_dns_upstream_servers: global_dns_upstream_servers:
- "9.9.9.11" - "9.9.9.11"

@ -4,35 +4,48 @@
nvak_dns_slaves: [] nvak_dns_slaves: []
roles: roles:
- role: dns/master - role: dns/master
domain: banananet.work vars:
main_nameserver_domain: ns1.banananet.work domain: banananet.work
responsible_mail_name: admin.banananet.work responsible_mail_name: admin.banananet.work
slaves: "{{ nvak_dns_slaves }}" slaves: "{{ nvak_dns_slaves }}"
entries: | entries:
; Name Servers # limit CA
@ IN NS ns1 - type: CAA
ns1 IN A {{ ansible_default_ipv4.address }} data: 0 issue "letsencrypt.org"
ns1 IN AAAA {{ ansible_default_ipv6.address }} # other entries
; Public use domains - domain: mc.wg
_minecraft._tcp.wg IN SRV 10 10 25565 mc.wg type: A
mc.wg IN A 85.131.171.106 data: 85.131.171.106
_minecraft._tcp.mc.wg IN SRV 10 10 25565 mc.wg - domain: _minecraft._tcp.wg
type: SRV
data: 10 10 25565 mc.wg
- domain: _minecraft._tcp.mc.wg
type: SRV
data: 10 10 25565 mc.wg
- role: dns/master - role: dns/master
domain: forumderschan.de vars:
main_nameserver_domain: ns1.banananet.work domain: forumderschan.de
responsible_mail_name: admin.banananet.work responsible_mail_name: admin.banananet.work
slaves: "{{ nvak_dns_slaves }}" slaves: "{{ nvak_dns_slaves }}"
entries: | entries:
; Name Servers # Glue record
@ IN NS ns1.banananet.work. - type: NS
data: ns1.banananet.work.
# limit CA
- type: CAA
data: 0 issue "letsencrypt.org"
- role: dns/master - role: dns/master
domain: stadtpiraten-karlsruhe.de vars:
main_nameserver_domain: ns1.banananet.work domain: stadtpiraten-karlsruhe.de
responsible_mail_name: admin.banananet.work responsible_mail_name: admin.banananet.work
slaves: "{{ nvak_dns_slaves }}" slaves: "{{ nvak_dns_slaves }}"
entries: | entries:
; Name Servers # Glue record
@ IN NS ns1.banananet.work. - type: NS
data: ns1.banananet.work.
# limit CA
- type: CAA
data: 0 issue "letsencrypt.org"
- name: Add public available hosts to dns zones - name: Add public available hosts to dns zones
hosts: public_available hosts: public_available

@ -5,10 +5,6 @@ options_configuration: "{{ global_bind_configuration_directory }}/named.conf.opt
zones_configuration: "{{ global_bind_configuration_directory }}/named.conf.local" zones_configuration: "{{ global_bind_configuration_directory }}/named.conf.local"
zones_directory: "{{ global_bind_configuration_directory }}/zones" zones_directory: "{{ global_bind_configuration_directory }}/zones"
zones_environment_link_name: "conf"
zones_environment_link: "{{ global_dns_zones_environment_directory }}/{{ zones_environment_link_name }}"
zones_environment_database_name: "zone.db"
apparmor_profile_name: "usr.sbin.named" apparmor_profile_name: "usr.sbin.named"
apparmor_profile: "{{ global_apparmor_profiles_directory }}/{{ apparmor_profile_name }}" apparmor_profile: "{{ global_apparmor_profiles_directory }}/{{ apparmor_profile_name }}"
apparmor_profile_local: "{{ global_apparmor_profiles_local_directory }}/{{ apparmor_profile_name }}" apparmor_profile_local: "{{ global_apparmor_profiles_local_directory }}/{{ apparmor_profile_name }}"

@ -1,5 +0,0 @@
---
- name: reload apparmor profile
command: "/usr/sbin/apparmor_parser -r {{ apparmor_profile }}"
notify: restart bind9

@ -28,21 +28,6 @@
mode: u=rwx,g=rx,o= mode: u=rwx,g=rx,o=
loop: loop:
- "{{ zones_directory }}" - "{{ zones_directory }}"
- "{{ global_dns_zones_environment_directory }}"
- name: Upload makefile to domain zones configuration environment
template:
src: zones.makefile
dest: "{{ global_dns_zones_environment_directory }}/makefile"
owner: root
group: root
mode: u=rw,g=r,o=r
- name: Create link in domain zone configuration environment
file:
state: link
src: "{{ zones_directory }}"
dest: "{{ zones_environment_link }}"
- name: Configure bind9 options - name: Configure bind9 options
template: template:
@ -53,15 +38,6 @@
mode: "u=rw,g=r,o=r" mode: "u=rw,g=r,o=r"
notify: reload bind9 notify: reload bind9
- name: Allow bind using apparmor to write zone files
template:
src: aa-profile.local
dest: "{{ apparmor_profile_local }}"
owner: root
group: root
mode: "u=rw,g=r,o="
notify: reload apparmor profile
- name: Enable bind9 service - name: Enable bind9 service
systemd: systemd:
name: "{{ global_bind_service_name }}" name: "{{ global_bind_service_name }}"

@ -1,10 +0,0 @@
{{ zones_directory }}/* rw,
{{ zones_directory }}/*/tmp-* rwk,
# Journal files required by Bind to save temporary changes
{{ zones_directory }}/*/zone.db.jbk rwk,
{{ zones_directory }}/*/zone.db.jnl rwk,
{{ zones_directory }}/*/zone.db.jnw rwk,
{{ zones_directory }}/*/zone.db.signed rwk,
{{ zones_directory }}/*/zone.db.signed.jbk rwk,
{{ zones_directory }}/*/zone.db.signed.jnl rwk,
{{ zones_directory }}/*/zone.db.signed.jnw rwk,

@ -1,11 +0,0 @@
dest:={{ zones_environment_link_name }}
db_name:={{ zones_environment_database_name }}
zone_dirs:=$(wildcard *.*/)
zones:=$(zone_dirs:/=)
.PHONY: all
all: $(addprefix ${dest}/,$(addsuffix /${db_name},${zones}))
${dest}/%/${db_name}: %/*.db
cat $(sort $^) | sed '0,/^ 0$$/s// '"$$(($$(date +%s) / 60))"'/' > "$@";

@ -5,7 +5,10 @@ dns_zone_domain: "{{ lookup('pipe', global_public_key_directory|quote + '/dns_zo
dns_system_domain: "{{ lookup('file', global_dns_list_directory + '/' + dns_zone_domain) }}" # domain of dns authority server dns_system_domain: "{{ lookup('file', global_dns_list_directory + '/' + dns_zone_domain) }}" # domain of dns authority server
entries_name: "server:{{ domain }}" # Name for zone part file entries_name: "server:{{ domain }}" # Name for zone part file
local_file: "{{ global_dns_changes_directory }}/{{ entries_name }}"
domain_zone_file: "{{ domain_environment_directory }}/{{ entries_name }}.db" ttl_default: "{{ global_dns_ttl }}" # TTL for all entries where none was given
# entries (in bind zone file format) # entries (example: [{domain: "example.com.", ttl: 86400, class: "IN", type: "A", data: "0.0.0.0"},"example.com. IN AAAA ::",…], type/data or raw required)
entries_delete: yes # delete similar records as given before
entries_delete_all_types: no # For all given domains delete all records, not just of the types set

@ -1,25 +1,34 @@
--- ---
- name: Store dns entries at dns host - name: Store changes in dns entries locally
copy: copy:
content: "{{ entries }}" content: |
dest: "{{ domain_zone_file }}" #jinja2:trim_blocks: False
owner: root zone {{ dns_zone_domain }}.
group: root ttl {{ ttl_default }}
mode: u=rw,g=r,o= {%- if entries_delete %}{% for entry in entries %}{% if entry|mapping %}
register: result_store_entries update delete {{ entry.domain | default('@') | domain_relative_to(domain) }} 0 {{ entry.class | default('IN') }}{% if not entries_delete_all_types %} {{ entry.type }}{% endif %}
delegate_to: "{{ dns_system_domain }}" {%- endif %}{% endfor %}{% endif %}
{% for entry in entries %}{% if entry|mapping -%}
- name: Rebuild zone files update add {{ entry.domain | default('@') | domain_relative_to(domain) }} {{ entry.ttl | default(ttl_default) }} {{ entry.class | default('IN') }} {{ entry.type }} {{ entry.data }}
make: {% else -%}
chdir: "{{ global_dns_zones_environment_directory }}" {% if not entry|regex_search('^(update )?(add|del(ete)?) ') %}update add {% endif %}{{ entry }}
when: result_store_entries.changed {% endif %}{% endfor %}
register: result_rebuild_zone send
delegate_to: "{{ dns_system_domain }}" dest: "{{ local_file }}"
owner: "{{ global_local_user }}"
group: "{{ global_local_user }}"
mode: u=rw,g=r,o=r
delegate_to: localhost
register: entries_changes_file
tags:
- dns_entries
- name: Reload bind9 - name: Update dns entries at dns host
systemd: command:
name: "{{ global_bind_service_name }}" cmd: nsupdate -l # local mode
state: reloaded stdin: "{{ lookup('file', local_file) }}\n"
when: result_rebuild_zone.changed
delegate_to: "{{ dns_system_domain }}" delegate_to: "{{ dns_system_domain }}"
when: entries_changes_file.changed
tags:
- dns_entries

@ -1,3 +0,0 @@
---
domain_environment_directory: "{{ global_dns_zones_environment_directory }}/{{ dns_zone_domain }}" # Given by dns/master

@ -5,14 +5,7 @@
name: "{{ global_bind_service_name }}" name: "{{ global_bind_service_name }}"
state: restarted state: restarted
# SYNC following with handlers of role dns/server_entries
- name: reload bind9 - name: reload bind9
systemd: systemd:
name: "{{ global_bind_service_name }}" name: "{{ global_bind_service_name }}"
state: reloaded state: reloaded
- name: rebuild dns zones
make:
chdir: "{{ global_dns_zones_environment_directory }}"
notify: reload bind9

@ -4,8 +4,9 @@
domain_directory: "{{ zones_directory }}/{{ domain }}" domain_directory: "{{ zones_directory }}/{{ domain }}"
configuration_file: "{{ domain_directory }}/zone.conf" configuration_file: "{{ domain_directory }}/zone.conf"
database_file: "{{ domain_directory }}/{{ zones_environment_database_name }}" data_directory: "{{ global_bind_data_directory }}/{{ domain }}"
keys_directory: "{{ domain_directory }}/keys" database_file: "{{ data_directory }}/zone.db"
keys_directory: "{{ data_directory }}/keys"
dns_list_file: "{{ global_dns_list_directory }}/{{ domain }}" dns_list_file: "{{ global_dns_list_directory }}/{{ domain }}"

@ -9,41 +9,42 @@
mode: "u=rw,g=r,o=" mode: "u=rw,g=r,o="
delegate_to: localhost delegate_to: localhost
- name: Create zone directory writeable for bind - name: Create zone directory
file: file:
path: "{{ domain_directory }}" path: "{{ domain_directory }}"
state: directory state: directory
owner: "{{ dns_user }}" owner: root
group: "{{ dns_user }}" group: "{{ dns_user }}"
mode: u=rwx,g=rx,o= mode: u=rwx,g=rx,o=
- name: Create key directory - name: Create data directory
file: file:
path: "{{ keys_directory }}" path: "{{ data_directory }}"
state: directory state: directory
owner: "{{ dns_user }}" owner: "{{ dns_user }}"
group: "{{ dns_user }}" group: "{{ dns_user }}"
mode: u=rwx,g=rx,o= mode: u=rwx,g=rx,o=
- name: Create domain environment directory - name: Create key directory
file: file:
path: "{{ domain_environment_directory }}" path: "{{ keys_directory }}"
state: directory state: directory
owner: root owner: "{{ dns_user }}"
group: root group: "{{ dns_user }}"
mode: u=rwx,g=rx,o= mode: u=rwx,g=rx,o=
# TODO Copy public ZSK to localhost # TODO Copy public ZSK to localhost
- name: Store main database of zone {{ domain }} - name: Store database of zone {{ domain }}
template: template:
src: zone.db src: zone.db
dest: "{{ domain_environment_directory }}/0_main.db" dest: "{{ database_file }}"
owner: root owner: "{{ dns_user }}"
group: root group: "{{ dns_user }}"
mode: u=rw,g=r,o= mode: u=rw,g=r,o=
force: no # Do not override dynamic changes
validate: "named-checkzone {{ domain }} %s" validate: "named-checkzone {{ domain }} %s"
notify: rebuild dns zones notify: reload bind9
- name: Configure zone {{ domain }} - name: Configure zone {{ domain }}
template: template:
@ -64,3 +65,11 @@
notify: reload bind9 notify: reload bind9
- meta: flush_handlers - meta: flush_handlers
- name: Configure additional records
import_role:
name: dns/entries
vars:
entries_name: "initial:{{ domain }}"
# domain
# entries

@ -22,6 +22,11 @@ zone "{{ domain }}" {
// dnssec // dnssec
inline-signing yes; inline-signing yes;
dnssec-policy "{{ domain }}-policy"; dnssec-policy "{{ domain }}-policy";
// dynamic updates
update-policy {
grant local-ddns zonesub any;
grant * selfsub .;
};
// notify & transfer // notify & transfer
notify yes; notify yes;
allow-transfer { allow-transfer {

@ -7,11 +7,10 @@ $TTL {{ ttl_default }}
{{ ttl }} {{ ttl }}
) )
; Certification Authority Authorization @ IN NS {{ main_nameserver_domain }}.
@ IN CAA 0 issue "letsencrypt.org" {{ main_nameserver_domain }}. IN A {{ ansible_default_ipv4.address }}
{{ main_nameserver_domain }}. IN AAAA {{ ansible_default_ipv6.address }}
{% if dname_subdomain | length > 0 %} {% if dname_subdomain | length > 0 %}
{{ dname_subdomain }} IN DNAME @ {{ dname_subdomain }} IN DNAME @
{% endif %} {% endif %}
{{ entries }}

@ -1,3 +0,0 @@
---
domain_environment_directory: "{{ global_dns_zones_environment_directory }}/{{ domain }}" # Fixed for usage in other roles

@ -3,11 +3,14 @@
# domain (of service running) # domain (of service running)
service_system_domain: "{{ inventory_hostname }}" # domain of server running the service service_system_domain: "{{ inventory_hostname }}" # domain of server running the service
entries: | entries: "{{ ip_entries + sshfp_entries + custom_entries }}"
{{ ip_entries }} ip_entries:
{{ custom_entries }} - update delete {{ domain }}. IN SSHFP # delete all SSHFP records for this host before
ip_entries: | - domain: "{{ domain }}."
{{ domain }}. IN A {{ hostvars[service_system_domain].ansible_default_ipv4.address }} type: "A"
{{ domain }}. IN AAAA {{ hostvars[service_system_domain].ansible_default_ipv6.address }} data: "{{ hostvars[service_system_domain].ansible_default_ipv4.address }}"
{{ lookup('pipe', global_public_key_directory|quote + '/ssh_dns_fp.py --host ' + service_system_domain|quote + ' --domain ' + domain|quote) }} - domain: "{{ domain }}."
custom_entries: "" type: "AAAA"
data: "{{ hostvars[service_system_domain].ansible_default_ipv6.address }}"
sshfp_entries: "{{ (lookup('pipe', global_public_key_directory|quote + '/ssh_dns_fp.py --host ' + service_system_domain|quote + ' --domain ' + domain|quote)).split('\n') }}"
custom_entries: []

Loading…
Cancel
Save