diff --git a/README.md b/README.md
index 76a23b1..a2781c5 100644
--- a/README.md
+++ b/README.md
@@ -63,6 +63,7 @@ bind_zones:
 mail: root@hello.local
 serial: 2017092201
 dnssec: no
+ state: disabled
 records:
 - { name: '@', type: ns, value: localhost. }
 - { name: hello, type: a, value: 4.3.2.1 }
diff --git a/tasks/zones.yml b/tasks/zones.yml
index c7ee246..515e6bf 100644
--- a/tasks/zones.yml
+++ b/tasks/zones.yml
@@ -1,18 +1,44 @@
+- name: create zone folder
+ file:
+ path: '/etc/bind/zones/{{ item.key }}'
+ owner: bind
+ group: bind
+ mode: 0755
+ state: directory
+ with_dict: '{{ bind_zones }}'
+ when: item.value.state is not defined or item.value.state != 'absent'
+
 - name: copy zone files
 template:
 src: db.j2
- dest: '/etc/bind/zones/db.{{ item.key }}'
+ dest: '/etc/bind/zones/{{ item.key }}/db'
 owner: root
 group: root
 mode: 0644
 with_dict: '{{ bind_zones }}'
 register: zone
+ when: item.value.state is not defined or item.value.state != 'absent'
 notify: reload bind
 
 - name: dnssec sign
- shell: 'dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ item.item.key }} -t /etc/bind/zones/db.{{ item.item.key }}'
+ shell: 'dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ item.item.key }} -t /etc/bind/zones/{{ item.item.key }}/db'
 args:
 chdir: /etc/bind/keys
 with_items: '{{ zone.results }}'
 when: item.changed and item.item.value.dnssec is defined and item.item.value.dnssec
 notify: reload bind
+
+- name: get zones files
+ find:
+ path: /etc/bind/zones
+ file_type: directory
+ recurse: no
+ register: zone_folders
+
+- name: delete old zone file
+ file:
+ path: '{{ item.path }}'
+ state: absent
+ with_items: '{{ zone_folders.files }}'
+ when: item.path|basename not in bind_zones or ('state' in bind_zones[item.path|basename] and bind_zones[item.path|basename].state == 'absent')
+
diff --git a/templates/named.conf.local.j2 b/templates/named.conf.local.j2
index 68b1c4e..8079c05 100644
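Review bot: The new `state` checks in tasks/zones.yml compare case-sensitively (`item.value.state != 'absent'` on the create and copy tasks, `.state == 'absent'` on the delete task) while templates/named.conf.local.j2 applies `|lower` before comparing, so a zone declared `state: Absent` is dropped from named.conf.local yet its directory and db file are still created and never cleaned up. Normalise the three `when` clauses the same way, e.g. `when: item.value.state is not defined or item.value.state|lower != 'absent'` on the two tasks and `bind_zones[item.path|basename].state|lower == 'absent'` on the delete task. Separately, the cleanup only lists directories (`file_type: directory`), so `db.<zone>` and `db.<zone>.signed` files left over from the previous flat layout remain in /etc/bind/zones after this migration; a second `find` with `file_type: file` and a `patterns` match on `db.*` would remove them, or a comment on the `get zones files` task should say the leftovers are tolerated. The `delete old zone file` task removes every directory under /etc/bind/zones whose basename is not a key of `bind_zones`, which is a destructive default worth stating in the task name or a comment above it.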
--- a/templates/named.conf.local.j2 +++ b/templates/named.conf.local.j2 @@ -1,12 +1,13 @@ # {{ ansible_managed }} {% for zone, value in bind_zones.iteritems() %} +{% if 'state' not in value or value.state|lower not in ['disabled', 'absent'] %} zone "{{ zone }}" IN { type master; {% if 'dnssec' in value and value.dnssec %} - file "/etc/bind/zones/db.{{ zone }}.signed"; + file "/etc/bind/zones/{{ zone }}/db.signed"; {% else %} - file "/etc/bind/zones/db.{{ zone }}"; + file "/etc/bind/zones/{{ zone }}/db"; {% endif %} {% if 'allow_transfer' in value and value.dnssec %} allow-transfer { @@ -21,4 +22,5 @@ zone "{{ zone }}" IN { {% endfor %} {% endif %} }; +{% endif %} {% endfor %} diff --git a/test/integration/bind/default.yml b/test/integration/bind/default.yml index 6b58ea3..25cfae3 100644 --- a/test/integration/bind/default.yml +++ b/test/integration/bind/default.yml @@ -38,6 +38,26 @@ - { name: '@', type: ns, value: localhost. } - { name: '@', type: txt, value: RFufr9qzCi9vnJeWUB2FMNDCtu8ZtP6WE2jl2OFvIiz6pv2dwfzEXBgTC8SI1UzsmlkFYS7vxkHeYuOCLQ95BkOl0YP85ejQQlz8DNbcMcUdAoDtmlaZ9jeXnU7RgCXs5F9ggsmM9B6mFMhZWo1lzwsX86UAR5nw7rIO3cbGo9oUcMTShVFDkTPnoNhP7MTE0L4M99yv8ZLptmS2GP6goHXZgTdFIyYCdfziQgoENcloUI3KshDscsoh6H6I2LA } - { name: hello, type: a, value: 4.3.2.1 } + disabled.local: + ns_primary: ns1.disabled.local + mail: root@disabled.local + serial: 2017092201 + dnssec: no + state: disabled + records: + - { name: '@', type: mx, priority: 20, value: mail.test.local. } + absent.local: + ns_primary: ns1.absent.local + mail: root@absent.local + serial: 2017092201 + dnssec: no + state: absent + records: + - { name: '@', type: mx, priority: 20, value: mail.test.local. } + + + + roles: - ansible-role-bind diff --git a/test/integration/bind/serverspec/bind_spec.rb b/test/integration/bind/serverspec/bind_spec.rb index 4c37eb1..0806630 100644 --- a/test/integration/bind/serverspec/bind_spec.rb +++ b/test/integration/bind/serverspec/bind_spec.rb 
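Review bot: The `{% if 'state' not in value ... %}` opened at the top of this hunk is closed by the `{% endif %}` added in the `@@ -21,4 +22,5 @@` hunk, so the gate wraps the whole zone stanza, but nothing records that a `disabled` zone still has its files laid out by tasks/zones.yml while only an `absent` zone loses them; a short comment above the `if` would make that explicit, e.g. `{# disabled/absent zones are left out of named.conf.local; only absent zones lose their files (see tasks/zones.yml) #}`. The unchanged condition `{% if 'allow_transfer' in value and value.dnssec %}` a few lines below tests `value.dnssec` rather than `value.allow_transfer`, which looks like a typo the commit leaves in place: a zone with `allow_transfer` set but `dnssec: no` would never get its allow-transfer block, so it is worth confirming against the intended behaviour.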
@@ -17,11 +17,18 @@ puts '================================' end %w[ - db.test.local - db.test.local.signed - db.hello.local -].each do |file| - describe file("/etc/bind/zones/#{file}") do + test.local + hello.local + disabled.local +].each do |zone| + describe file("/etc/bind/zones/#{zone}") do + it { should be_directory } + it { should be_mode 755 } + it { should be_owned_by 'bind' } + it { should be_grouped_into 'bind' } + end + + describe file("/etc/bind/zones/#{zone}/db") do it { should be_file } it { should be_mode 644 } it { should be_owned_by 'root' } @@ -29,6 +36,17 @@ end end end +describe file('/etc/bind/zones/test.local/db.signed') do + it { should be_file } + it { should be_mode 644 } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } +end + +describe file('/etc/bind/zones/absent.local') do + it { should_not exist } +end + describe file('/etc/bind/named.conf.local') do it { should be_file } it { should be_mode 644 }
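Review bot: The new expectations in the `@@ -29,6 +36,17 @@` hunk check the on-disk layout, but nothing asserts that `disabled.local` and `absent.local` are actually left out of named.conf.local, which is the behaviour the template change introduces; the `describe file('/etc/bind/named.conf.local')` block continues past the end of the hunk, so if it does not already inspect content, add `its(:content) { should_not match(/zone "disabled\.local"/) }` and `its(:content) { should_not match(/zone "absent\.local"/) }` there. The `disabled.local` entry in the `%w[...]` loop of the first hunk is the only place that documents a disabled zone keeping a directory and db file, so a one-line comment on that loop, `# disabled zones keep their files but are not loaded`, would make the intent clear.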