From 4bad44c46469d8b3c9ff001b036f82360cc3e8c1 Mon Sep 17 00:00:00 2001 From: Markus Hauschild Date: Sat, 7 Jan 2017 15:41:21 +0100 Subject: [PATCH] Add dns-server role --- roles/dns/handlers/main.yml | 7 ++ roles/dns/tasks/main.yml | 33 +++++++++ .../bind/23.172.in-addr.arpa.zone.j2 | 52 ++++++++++++++ .../dns/templates/bind/binary.kitchen.zone.j2 | 69 +++++++++++++++++++ roles/dns/templates/bindbackend.conf.j2 | 11 +++ roles/dns/templates/pdns.conf.j2 | 34 +++++++++ roles/dns/templates/recursor.conf.j2 | 34 +++++++++ 7 files changed, 240 insertions(+) create mode 100644 roles/dns/handlers/main.yml create mode 100644 roles/dns/tasks/main.yml create mode 100644 roles/dns/templates/bind/23.172.in-addr.arpa.zone.j2 create mode 100644 roles/dns/templates/bind/binary.kitchen.zone.j2 create mode 100644 roles/dns/templates/bindbackend.conf.j2 create mode 100644 roles/dns/templates/pdns.conf.j2 create mode 100644 roles/dns/templates/recursor.conf.j2
diff --git a/roles/dns/handlers/main.yml b/roles/dns/handlers/main.yml
new file mode 100644
index 0000000..766a614
--- /dev/null
+++ b/roles/dns/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Restart powerdns
+ service: name={{item}} state=restarted
+ with_items:
+ - pdns
+ - pdns-recursor
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
new file mode 100644
index 0000000..2ad5ada
--- /dev/null
+++ b/roles/dns/tasks/main.yml
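Review bot: The single `Restart powerdns` handler bounces both `pdns` and `pdns-recursor` for any notified change, so editing only a zone file (the common case) also restarts the recursor and throws away its cache, even though pdns.conf in this same patch forwards every recursive query there. Split it into two handlers, e.g. `- name: Restart pdns` / `service: name=pdns state=restarted` and a matching `Restart pdns-recursor`, and notify only the one that owns the changed file. If one combined handler is kept on purpose, a comment above it saying the cache flush is accepted would stop the next person from "fixing" it.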
@@ -0,0 +1,33 @@
+---
+
+- name: Enable backports
+ apt_repository: repo='deb http://httpredir.debian.org/debian jessie-backports main' state=present
+
+- name: Install powerdns
+ apt: name={{item}} default_release=jessie-backports state=latest
+ tags: dns
+ with_items:
+ - pdns-server
+ - pdns-recursor
+
+- name: Create zone directory
+ file: path=/etc/powerdns/bind/ state=directory
+ tags: dns
+
+- name: Configure powerdns
+ template: src={{item}}.j2 dest=/etc/powerdns/{{item}}
+ tags: dns
+ notify: Restart powerdns
+ with_items:
+ - pdns.conf
+ - recursor.conf
+ - bindbackend.conf
+ - bind/23.172.in-addr.arpa.zone
+ - bind/binary.kitchen.zone
+
+- name: Start the powerdns services
+ service: name={{item}} state=started enabled=yes
+ tags: dns
+ with_items:
+ - pdns
+ - pdns-recursor
diff --git a/roles/dns/templates/bind/23.172.in-addr.arpa.zone.j2 b/roles/dns/templates/bind/23.172.in-addr.arpa.zone.j2
new file mode 100644
index 0000000..8258e38
--- /dev/null
+++ b/roles/dns/templates/bind/23.172.in-addr.arpa.zone.j2
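Review bot: `Enable backports` is the only task in this file without `tags: dns`, so a `--tags dns` run on a fresh host skips the repository and `Install powerdns` then fails on `default_release=jessie-backports`; add `tags: dns` to it as well. `state=latest` on the install task also means every playbook run may silently upgrade the DNS servers, which is risky for a service whose pdns.conf relies on the version-dependent `recursor=` hybrid mode — `state=present` with deliberate, tested upgrades is the safer choice. The `Configure powerdns` task writes five files with no `validate:`, so a typo in a zone file only surfaces when the handler restarts pdns and it fails to load; consider templating the two zone files in their own task with a checker such as `validate: 'named-checkzone binary.kitchen %s'` (if bind9utils is installed, with the matching zone name for the reverse file), or at least `backup: yes` so the last good copy is kept.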
@@ -0,0 +1,52 @@
+$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
+$TTL 1h ; default time-to-live
+@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
+ 2016123001; serial
+ 1d; refresh
+ 2h; retry
+ 4w; expire
+ 1h; minimum time-to-live
+ )
+ IN NS ns.binary.kitchen.
+; Management
+11.1 IN PTR apcusv.binary.kitchen.
+41.1 IN PTR ap01.binary.kitchen.
+42.1 IN PTR ap02.binary.kitchen.
+61.1 IN PTR kraut.binary.kitchen.
+81.1 IN PTR kraut-bmc.binary.kitchen.
+254.1 IN PTR v2301.core.binary.kitchen.
+; Services
+1.2 IN PTR aveta.binary.kitchen.
+2.2 IN PTR salat.binary.kitchen.
+4.2 IN PTR sulis.binary.kitchen.
+6.2 IN PTR nabia.binary.kitchen.
+7.2 IN PTR taranis.binary.kitchen.
+11.2 IN PTR homer.binary.kitchen.
+12.2 IN PTR lock.binary.kitchen.
+13.2 IN PTR matrix.binary.kitchen.
+35.2 IN PTR sushi.binary.kitchen.
+44.2 IN PTR cashdesk.binary.kitchen.
+60.2 IN PTR punsch.binary.kitchen.
+91.2 IN PTR spiegelei.binary.kitchen.
+254.2 IN PTR v2302.core.binary.kitchen.
+; Members
+$GENERATE 1-240 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
+254.3 IN PTR v2303.core.binary.kitchen.
+; Guests
+$GENERATE 1-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
+254.4 IN PTR v2304.core.binary.kitchen.
+; Management RZ
+61.8 IN PTR ruben.binary.kitchen.
+81.8 IN PTR ruben-bmc.binary.kitchen.
+254.8 IN PTR switch0.erx-rz.binary.kitchen.
+; VPN RZ
+1.10 IN PTR vtun0.erx-rz.binary.kitchen.
+$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
+; Point-to-Point
+1.96 IN PTR v4000.rtr1.binary.kitchen.
+2.96 IN PTR gi-1-0-48.core.binary.kitchen.
+; Loopback
+1.99 IN PTR core.binary.kitchen.
+2.99 IN PTR rtr1.binary.kitchen.
+3.99 IN PTR erx-bk.binary.kitchen.
+4.99 IN PTR erx-rz.binary.kitchen.
diff --git a/roles/dns/templates/bind/binary.kitchen.zone.j2 b/roles/dns/templates/bind/binary.kitchen.zone.j2
new file mode 100644
index 0000000..2007148
--- /dev/null
+++ b/roles/dns/templates/bind/binary.kitchen.zone.j2
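Review bot: The SOA serial `2016123001` is a literal in a template with no Jinja expressions, so every future edit has to remember to bump it by hand and nothing in the role enforces that; with a single NS this is harmless today, but the moment a secondary is added a forgotten bump means it silently keeps stale data. Either derive it at render time (e.g. `{{ ansible_date_time.epoch }}`, accepting that a time-based serial changes on every run and so re-triggers the restart handler on every run) or put a reminder right on the line: `2016123001; serial - bump on EVERY change (YYYYMMDDnn)`. The `$GENERATE` lines use the `${0,3,d}` offset/width/format modifier; I'd confirm that the PowerDNS bind backend shipped in jessie-backports accepts that form, and verify after deploy with a PTR query for one address in the dhcp-*/vpn-* ranges, since a parser that rejects the modifier would leave those ranges unresolvable while the rest of the zone still loads.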
@@ -0,0 +1,69 @@
+$ORIGIN binary.kitchen ; base for unqualified names
+$TTL 1h ; default time-to-live
+@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
+ 2016123001; serial
+ 1d; refresh
+ 2h; retry
+ 4w; expire
+ 1h; minimum time-to-live
+ )
+ IN NS ns.binary.kitchen.
+; External
+ IN A 213.166.246.4
+www IN A 213.166.246.4
+; Freifunk
+xsffr1 IN A 10.90.224.11
+xsffr2 IN A 10.90.224.12
+xsffr1-bmc IN A 10.90.224.21
+xsffr2-bmc IN A 10.90.224.22
+confluence IN A 185.53.218.134
+; Aliases
+ldap IN A 172.23.2.1
+ldap IN A 172.23.2.2
+ldap IN A 213.166.246.2
+ldap1 IN A 172.23.2.1
+ldap2 IN A 172.23.2.2
+ldapm IN A 213.166.246.2
+librenms IN A 172.23.2.6
+racktables IN A 172.23.2.6
+; Management
+apcusv IN A 172.23.1.11
+ap01 IN A 172.23.1.41
+ap02 IN A 172.23.1.42
+kraut IN A 172.23.1.61
+kraut-bmc IN A 172.23.1.81
+v2301.core IN A 172.23.1.254
+; Services
+aveta IN A 172.23.2.1
+salat IN A 172.23.2.2
+sulis IN A 172.23.2.4
+nabia IN A 172.23.2.6
+taranis IN A 172.23.2.7
+homer IN A 172.23.2.11
+lock IN A 172.23.2.12
+matrix IN A 172.23.2.13
+sushi IN A 172.23.2.35
+cashdesk IN A 172.23.2.44
+punsch IN A 172.23.2.60
+spiegelei IN A 172.23.2.91
+v2302.core IN A 172.23.2.254
+; Members
+$GENERATE 1-240 dhcp-${0,3,d}-03 IN A 172.23.3.$
+v2303.core IN A 172.23.3.254
+; Guests
+$GENERATE 1-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
+v2304.core IN A 172.23.4.254
+; Management RZ
+ruben IN A 172.23.8.61
+ruben-bmc IN A 172.23.8.81
+switch0.erx-rz IN A 172.23.8.254
+; VPN RZ
+$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
+; Point-to-Point
+v4000.rtr1 IN A 172.23.96.1
+gi-1-0-48.core IN A 172.23.96.2
+; Loopback
+core IN A 172.23.99.1
+rtr1 IN A 172.23.99.2
+erx-bk IN A 172.23.99.3
+erx-rz IN A 172.23.99.4
diff --git a/roles/dns/templates/bindbackend.conf.j2 b/roles/dns/templates/bindbackend.conf.j2
new file mode 100644
index 0000000..b751647
--- /dev/null
+++ b/roles/dns/templates/bindbackend.conf.j2
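Review bot: `$ORIGIN binary.kitchen` on the first line is missing the trailing dot that the reverse zone's `$ORIGIN 23.172.in-addr.arpa.` has. PowerDNS's parser may tolerate it, but in BIND an `$ORIGIN` argument that is not absolute is appended to the current origin, so the same file handed to `named-checkzone` or a BIND secondary would become `binary.kitchen.binary.kitchen.`; make it `$ORIGIN binary.kitchen. ; base for unqualified names`. Separately, `ldap` round-robins 172.23.2.1, 172.23.2.2 and the public 213.166.246.2, so internal clients resolving `ldap` are handed the external address a third of the time and will reach the directory over whatever path that takes; `ldapm` already names the external host, so consider dropping the third `ldap` A record or documenting why an internal client should ever use it.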
@@ -0,0 +1,11 @@
+zone "23.172.in-addr.arpa" {
+ type master;
+ file "/etc/powerdns/bind/23.172.in-addr.arpa.zone";
+ allow-update { none; };
+};
+
+zone "binary.kitchen" {
+ type master;
+ file "/etc/powerdns/bind/binary.kitchen.zone";
+ allow-update { none; };
+};
diff --git a/roles/dns/templates/pdns.conf.j2 b/roles/dns/templates/pdns.conf.j2
new file mode 100644
index 0000000..7154a15
--- /dev/null
+++ b/roles/dns/templates/pdns.conf.j2
@@ -0,0 +1,34 @@
+#################################
+# allow-recursion List of subnets that are allowed to recurse
+#
+allow-recursion=127.0.0.1,172.23.0.0/16
+
+#################################
+# daemon Operate as a daemon
+#
+daemon=yes
+
+#################################
+# launch Which backends to launch and order to query them in
+#
+launch=bind
+
+#################################
+# recursor If recursion is desired, IP address of a recursing nameserver
+#
+recursor=127.0.0.1:5300
+
+#################################
+# setgid If set, change group id to this gid for more security
+#
+setgid=pdns
+
+#################################
+# setuid If set, change user id to this uid for more security
+#
+setuid=pdns
+
+#################################
+# bind-config Location of the Bind configuration file to parse.
+#
+bind-config=/etc/powerdns/bindbackend.conf
diff --git a/roles/dns/templates/recursor.conf.j2 b/roles/dns/templates/recursor.conf.j2
new file mode 100644
index 0000000..f2742a9
--- /dev/null
+++ b/roles/dns/templates/recursor.conf.j2
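Review bot: `allow-update { none; };` reads as the control that keeps dynamic updates off, but this file is consumed by PowerDNS's bind backend rather than by named, and as far as I recall that parser honours only a small subset of named.conf (zone name, type, file, masters, also-notify) and silently skips the rest; whether it acts on `allow-update` at all is worth confirming before anyone relies on it. In PowerDNS, RFC 2136 updates are governed by `dnsupdate=` in pdns.conf (off by default) and per-zone metadata, so either drop the two lines or label them so the next reader is not misled: `// NOTE: pdns does not enforce BIND ACLs here; dynamic updates are controlled by dnsupdate= in pdns.conf`.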
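Review bot: pdns.conf sets no `local-address`, so the authoritative server listens on every IPv4 address of the host, and the zones it serves are a map of the internal 172.23.0.0/16 network including BMC addresses (`kraut-bmc`, `ruben-bmc`), the `lock` controller and the `cashdesk` host; if this machine has a public interface (the forward zone already publishes 213.166.246.x addresses), that map is queryable from the Internet. Pin it with `local-address=127.0.0.1,<internal address of this host>` and set `local-ipv6=` explicitly (or put a host firewall rule in front) so only internal clients can reach the authoritative. `allow-recursion=127.0.0.1,172.23.0.0/16` is scoped sensibly, but it relies on the `recursor=` hybrid mode, which, as far as I recall, PowerDNS Authoritative removed in 4.1; combined with `state=latest` in the tasks file, a later backports bump would leave every client without recursion. The supported layout is the other way round — make pdns-recursor the client-facing service and send `binary.kitchen` and `23.172.in-addr.arpa` to the authoritative with `forward-zones=` — and a comment on the `recursor=` line noting this dependency would be useful until that switch is made.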
@@ -0,0 +1,34 @@
+#################################
+# allow-from If set, only allow these comma separated netmasks to recurse
+#
+allow-from=127.0.0.0/8
+
+#################################
+# daemon Operate as a daemon
+#
+daemon=yes
+
+#################################
+# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
+#
+local-address=127.0.0.1
+
+#################################
+# local-port port to listen on
+#
+local-port=5300
+
+#################################
+# quiet Suppress logging of questions and answers
+#
+quiet=on
+
+#################################
+# setgid If set, change group id to this gid for more security
+#
+setgid=pdns
+
+#################################
+# setuid If set, change user id to this uid for more security
+#
+setuid=pdns
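Review bot: There is no `dnssec=` line, so the recursor runs with its default, which for the 4.0.x in jessie-backports is, I believe, `process-no-validate` — signed answers are passed through without being validated even though enabling it is a single line; add `dnssec=validate` (and `log-common-errors=yes` while testing, so broken upstream zones show up in the log rather than as unexplained SERVFAILs). `quiet=on` also turns off question/answer logging; since every query reaches this process from 127.0.0.1 via the authoritative's `recursor=` forward, the recursor's log could not show real client addresses anyway, but that reasoning belongs in the file: `# quiet=on: per-query logging intentionally off; client IPs are only visible in the pdns (authoritative) log`. `allow-from=127.0.0.0/8` together with `local-address=127.0.0.1` correctly keeps the recursor off the network.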