Add dns-server role

2017-01-07 15:41:21 +01:00 · 2017-01-07 15:41:21 +01:00 · 4bad44c464
commit 4bad44c464
parent 21aefb8633
7 changed files with 240 additions and 0 deletions
--- a/roles/dns/handlers/main.yml
+++ b/roles/dns/handlers/main.yml
@ -0,0 +1,7 @@
 ---
 - name: Restart powerdns
  service: name={{item}} state=restarted
  with_items:
   - pdns
   - pdns-recursor
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@ -0,0 +1,33 @@
 ---
 - name: Enable backports
  apt_repository: repo='deb http://httpredir.debian.org/debian jessie-backports main' state=present
 - name: Install powerdns
  apt: name={{item}} default_release=jessie-backports state=latest
  tags: dns
  with_items:
   - pdns-server
   - pdns-recursor
 - name: Create zone directory
  file: path=/etc/powerdns/bind/ state=directory
  tags: dns
 - name: Configure powerdns
  template: src={{item}}.j2 dest=/etc/powerdns/{{item}}
  tags: dns
  notify: Restart powerdns
  with_items:
   - pdns.conf
   - recursor.conf
   - bindbackend.conf
   - bind/23.172.in-addr.arpa.zone
   - bind/binary.kitchen.zone
 - name: Start the powerdns services
  service: name={{item}} state=started enabled=yes
  tags: dns
  with_items:
   - pdns
   - pdns-recursor
--- a/roles/dns/templates/bind/23.172.in-addr.arpa.zone.j2
+++ b/roles/dns/templates/bind/23.172.in-addr.arpa.zone.j2
@ -0,0 +1,52 @@
 $ORIGIN 23.172.in-addr.arpa.	; base for unqualified names
 $TTL 1h				; default time-to-live
@				IN	SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
 					2016123001; serial
 					1d; refresh
 					2h; retry
 					4w; expire
 					1h; minimum time-to-live
 				)
 				IN	NS	ns.binary.kitchen.
 ; Management
 11.1				IN	PTR	apcusv.binary.kitchen.
 41.1				IN	PTR	ap01.binary.kitchen.
 42.1				IN	PTR	ap02.binary.kitchen.
 61.1				IN	PTR	kraut.binary.kitchen.
 81.1				IN	PTR	kraut-bmc.binary.kitchen.
 254.1				IN	PTR	v2301.core.binary.kitchen.
 ; Services
 1.2				IN	PTR	aveta.binary.kitchen.
 2.2				IN	PTR	salat.binary.kitchen.
 4.2				IN	PTR	sulis.binary.kitchen.
 6.2				IN	PTR	nabia.binary.kitchen.
 7.2				IN	PTR	taranis.binary.kitchen.
 11.2				IN	PTR	homer.binary.kitchen.
 12.2				IN	PTR	lock.binary.kitchen.
 13.2				IN	PTR	matrix.binary.kitchen.
 35.2				IN	PTR	sushi.binary.kitchen.
 44.2				IN	PTR	cashdesk.binary.kitchen.
 60.2				IN	PTR	punsch.binary.kitchen.
 91.2				IN	PTR	spiegelei.binary.kitchen.
 254.2				IN	PTR	v2302.core.binary.kitchen.
 ; Members
 $GENERATE 1-240 $.3		IN	PTR	dhcp-${0,3,d}-03.binary.kitchen.
 254.3				IN	PTR	v2303.core.binary.kitchen.
 ; Guests
 $GENERATE 1-240 $.4		IN	PTR	dhcp-${0,3,d}-04.binary.kitchen.
 254.4				IN	PTR	v2304.core.binary.kitchen.
 ; Management RZ
 61.8				IN	PTR	ruben.binary.kitchen.
 81.8				IN	PTR	ruben-bmc.binary.kitchen.
 254.8				IN	PTR	switch0.erx-rz.binary.kitchen.
 ; VPN RZ
 1.10				IN	PTR	vtun0.erx-rz.binary.kitchen.
 $GENERATE 2-254 $.10		IN	PTR	vpn-${0,3,d}-10.binary.kitchen.
 ; Point-to-Point
 1.96				IN	PTR	v4000.rtr1.binary.kitchen.
 2.96				IN	PTR	gi-1-0-48.core.binary.kitchen.
 ; Loopback
 1.99				IN	PTR	core.binary.kitchen.
 2.99				IN	PTR	rtr1.binary.kitchen.
 3.99				IN	PTR	erx-bk.binary.kitchen.
 4.99				IN	PTR	erx-rz.binary.kitchen.
--- a/roles/dns/templates/bind/binary.kitchen.zone.j2
+++ b/roles/dns/templates/bind/binary.kitchen.zone.j2
@ -0,0 +1,69 @@
 $ORIGIN binary.kitchen		; base for unqualified names
 $TTL 1h				; default time-to-live
@				IN	SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
 					2016123001; serial
 					1d; refresh
 					2h; retry
 					4w; expire
 					1h; minimum time-to-live
 				)
 				IN	NS	ns.binary.kitchen.
 ; External
 				IN	A	213.166.246.4
 www				IN	A	213.166.246.4
 ; Freifunk
 xsffr1				IN	A	10.90.224.11
 xsffr2				IN	A	10.90.224.12
 xsffr1-bmc			IN	A	10.90.224.21
 xsffr2-bmc			IN	A	10.90.224.22
 confluence			IN	A	185.53.218.134
 ; Aliases
 ldap				IN	A	172.23.2.1
 ldap				IN	A	172.23.2.2
 ldap				IN	A	213.166.246.2
 ldap1				IN	A	172.23.2.1
 ldap2				IN	A	172.23.2.2
 ldapm				IN	A	213.166.246.2
 librenms			IN	A	172.23.2.6
 racktables			IN	A	172.23.2.6
 ; Management
 apcusv				IN	A	172.23.1.11
 ap01				IN	A	172.23.1.41
 ap02				IN	A	172.23.1.42
 kraut				IN	A	172.23.1.61
 kraut-bmc			IN	A	172.23.1.81
 v2301.core			IN	A	172.23.1.254
 ; Services
 aveta				IN	A	172.23.2.1
 salat				IN	A	172.23.2.2
 sulis				IN	A	172.23.2.4
 nabia				IN	A	172.23.2.6
 taranis				IN	A	172.23.2.7
 homer				IN	A	172.23.2.11
 lock				IN	A	172.23.2.12
 matrix				IN	A	172.23.2.13
 sushi				IN	A	172.23.2.35
 cashdesk			IN	A	172.23.2.44
 punsch				IN	A	172.23.2.60
 spiegelei			IN	A	172.23.2.91
 v2302.core			IN	A	172.23.2.254
 ; Members
 $GENERATE 1-240 dhcp-${0,3,d}-03	IN	A 172.23.3.$
 v2303.core			IN	A	172.23.3.254
 ; Guests
 $GENERATE 1-240 dhcp-${0,3,d}-04	IN	A 172.23.4.$
 v2304.core			IN	A	172.23.4.254
 ; Management RZ
 ruben				IN	A	172.23.8.61
 ruben-bmc			IN	A	172.23.8.81
 switch0.erx-rz			IN	A	172.23.8.254
 ; VPN RZ
 $GENERATE 2-254 vpn-${0,3,d}-10	IN	A 172.23.10.$
 ; Point-to-Point
 v4000.rtr1			IN	A	172.23.96.1
 gi-1-0-48.core			IN	A	172.23.96.2
 ; Loopback
 core				IN	A	172.23.99.1
 rtr1				IN	A	172.23.99.2
 erx-bk				IN	A	172.23.99.3
 erx-rz				IN	A	172.23.99.4
--- a/roles/dns/templates/bindbackend.conf.j2
+++ b/roles/dns/templates/bindbackend.conf.j2
@ -0,0 +1,11 @@
 zone "23.172.in-addr.arpa" {
 	type master;
 	file "/etc/powerdns/bind/23.172.in-addr.arpa.zone";
 	allow-update { none; };
 };
 zone "binary.kitchen" {
 	type master;
 	file "/etc/powerdns/bind/binary.kitchen.zone";
 	allow-update { none; };
 };
--- a/roles/dns/templates/pdns.conf.j2
+++ b/roles/dns/templates/pdns.conf.j2
@ -0,0 +1,34 @@
 #################################
 # allow-recursion       List of subnets that are allowed to recurse
 #
 allow-recursion=127.0.0.1,172.23.0.0/16
 #################################
 # daemon        Operate as a daemon
 #
 daemon=yes
 #################################
 # launch        Which backends to launch and order to query them in
 #
 launch=bind
 #################################
 # recursor      If recursion is desired, IP address of a recursing nameserver
 #
 recursor=127.0.0.1:5300
 #################################
 # setgid        If set, change group id to this gid for more security
 #
 setgid=pdns
 #################################
 # setuid        If set, change user id to this uid for more security
 #
 setuid=pdns
 #################################
 # bind-config   Location of the Bind configuration file to parse.
 #
 bind-config=/etc/powerdns/bindbackend.conf
--- a/roles/dns/templates/recursor.conf.j2
+++ b/roles/dns/templates/recursor.conf.j2
@ -0,0 +1,34 @@
 #################################
 # allow-from    If set, only allow these comma separated netmasks to recurse
 #
 allow-from=127.0.0.0/8
 #################################
 # daemon        Operate as a daemon
 #
 daemon=yes
 #################################
 # local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
 #
 local-address=127.0.0.1
 #################################
 # local-port    port to listen on
 #
 local-port=5300
 #################################
 # quiet Suppress logging of questions and answers
 #
 quiet=on
 #################################
 # setgid        If set, change group id to this gid for more security
 #
 setgid=pdns
 #################################
 # setuid        If set, change user id to this uid for more security
 #
 setuid=pdns