feat: remove old zones files
This commit is contained in:
parent
62fd27111e
commit
3716a1ac8a
5 changed files with 76 additions and 9 deletions
|
@ -63,6 +63,7 @@ bind_zones:
|
||||||
mail: root@hello.local
|
mail: root@hello.local
|
||||||
serial: 2017092201
|
serial: 2017092201
|
||||||
dnssec: no
|
dnssec: no
|
||||||
|
state: disabled
|
||||||
records:
|
records:
|
||||||
- { name: '@', type: ns, value: localhost. }
|
- { name: '@', type: ns, value: localhost. }
|
||||||
- { name: hello, type: a, value: 4.3.2.1 }
|
- { name: hello, type: a, value: 4.3.2.1 }
|
||||||
|
|
|
@ -1,18 +1,44 @@
|
||||||
|
- name: create zone folder
|
||||||
|
file:
|
||||||
|
path: '/etc/bind/zones/{{ item.key }}'
|
||||||
|
owner: bind
|
||||||
|
group: bind
|
||||||
|
mode: 0755
|
||||||
|
state: directory
|
||||||
|
with_dict: '{{ bind_zones }}'
|
||||||
|
when: item.value.state is not defined or item.value.state != 'absent'
|
||||||
|
|
||||||
- name: copy zone files
|
- name: copy zone files
|
||||||
template:
|
template:
|
||||||
src: db.j2
|
src: db.j2
|
||||||
dest: '/etc/bind/zones/db.{{ item.key }}'
|
dest: '/etc/bind/zones/{{ item.key }}/db'
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
with_dict: '{{ bind_zones }}'
|
with_dict: '{{ bind_zones }}'
|
||||||
register: zone
|
register: zone
|
||||||
|
when: item.value.state is not defined or item.value.state != 'absent'
|
||||||
notify: reload bind
|
notify: reload bind
|
||||||
|
|
||||||
- name: dnssec sign
|
- name: dnssec sign
|
||||||
shell: 'dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ item.item.key }} -t /etc/bind/zones/db.{{ item.item.key }}'
|
shell: 'dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ item.item.key }} -t /etc/bind/zones/{{ item.item.key }}/db'
|
||||||
args:
|
args:
|
||||||
chdir: /etc/bind/keys
|
chdir: /etc/bind/keys
|
||||||
with_items: '{{ zone.results }}'
|
with_items: '{{ zone.results }}'
|
||||||
when: item.changed and item.item.value.dnssec is defined and item.item.value.dnssec
|
when: item.changed and item.item.value.dnssec is defined and item.item.value.dnssec
|
||||||
notify: reload bind
|
notify: reload bind
|
||||||
|
|
||||||
|
- name: get zones files
|
||||||
|
find:
|
||||||
|
path: /etc/bind/zones
|
||||||
|
file_type: directory
|
||||||
|
recurse: no
|
||||||
|
register: zone_folders
|
||||||
|
|
||||||
|
- name: delete old zone file
|
||||||
|
file:
|
||||||
|
path: '{{ item.path }}'
|
||||||
|
state: absent
|
||||||
|
with_items: '{{ zone_folders.files }}'
|
||||||
|
when: item.path|basename not in bind_zones or ('state' in bind_zones[item.path|basename] and bind_zones[item.path|basename].state == 'absent')
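Review bot: The `create zone folder` task makes each zone directory `bind:bind` 0755 while the `db` file inside it is `root:root`, so the named service account owns a directory that root later writes into: `dnssec sign` runs as root and, by dnssec-signzone's default, writes `db.signed` next to the input file, and a compromised named process could pre-place a symlink or swap the `db`/`db.signed` entries there, which root ownership of the files themselves does not prevent. As far as this diff shows nothing configures dynamic updates or inline signing, so named only needs read access and the directory can be `owner: root` / `group: root` with the same 0755 mode. Separately, `delete old zone file` matches only `file_type: directory`, so the flat `db.<zone>` and `db.<zone>.signed` files from the previous layout (the removed `dest:` and `-o` paths above) are never cleaned up on hosts deployed before this change; if the commit title is meant to cover that migration, a second `find` with `file_type: file` and `patterns: 'db.*'` feeding the same delete task would do it, otherwise document that the cleanup is manual.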
|
||||||
|
|
||||||
|
|
|
@ -1,12 +1,13 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
{% for zone, value in bind_zones.iteritems() %}
|
{% for zone, value in bind_zones.iteritems() %}
|
||||||
|
{% if 'state' not in value or value.state|lower not in ['disabled', 'absent'] %}
|
||||||
|
|
||||||
zone "{{ zone }}" IN {
|
zone "{{ zone }}" IN {
|
||||||
type master;
|
type master;
|
||||||
{% if 'dnssec' in value and value.dnssec %}
|
{% if 'dnssec' in value and value.dnssec %}
|
||||||
file "/etc/bind/zones/db.{{ zone }}.signed";
|
file "/etc/bind/zones/{{ zone }}/db.signed";
|
||||||
{% else %}
|
{% else %}
|
||||||
file "/etc/bind/zones/db.{{ zone }}";
|
file "/etc/bind/zones/{{ zone }}/db";
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if 'allow_transfer' in value and value.dnssec %}
|
{% if 'allow_transfer' in value and value.dnssec %}
|
||||||
allow-transfer {
|
allow-transfer {
|
||||||
|
@ -21,4 +22,5 @@ zone "{{ zone }}" IN {
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
};
|
};
|
||||||
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
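Review bot: The new guard normalises with `value.state|lower`, but the task conditions elsewhere in this commit compare `item.value.state` against the literal `'absent'`, so a zone declared as `state: Absent` disappears from named.conf.local while its directory and `db` file are still deployed and never deleted; pick one normalisation, e.g. drop the filter here, `{% if 'state' not in value or value.state not in ['disabled', 'absent'] %}`, or apply `|lower` on the task side too. While touching this template, the unchanged line `{% if 'allow_transfer' in value and value.dnssec %}` gates the `allow-transfer` block on the DNSSEC flag rather than on the transfer list, so a non-DNSSEC zone with `allow_transfer` set falls back to the server-wide default for zone transfers; this predates the commit, but it looks like `value.allow_transfer` was intended and it is the only per-zone control over AXFR in this file.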
|
||||||
|
|
|
@ -38,6 +38,26 @@
|
||||||
- { name: '@', type: ns, value: localhost. }
|
- { name: '@', type: ns, value: localhost. }
|
||||||
- { name: '@', type: txt, value: RFufr9qzCi9vnJeWUB2FMNDCtu8ZtP6WE2jl2OFvIiz6pv2dwfzEXBgTC8SI1UzsmlkFYS7vxkHeYuOCLQ95BkOl0YP85ejQQlz8DNbcMcUdAoDtmlaZ9jeXnU7RgCXs5F9ggsmM9B6mFMhZWo1lzwsX86UAR5nw7rIO3cbGo9oUcMTShVFDkTPnoNhP7MTE0L4M99yv8ZLptmS2GP6goHXZgTdFIyYCdfziQgoENcloUI3KshDscsoh6H6I2LA }
|
- { name: '@', type: txt, value: RFufr9qzCi9vnJeWUB2FMNDCtu8ZtP6WE2jl2OFvIiz6pv2dwfzEXBgTC8SI1UzsmlkFYS7vxkHeYuOCLQ95BkOl0YP85ejQQlz8DNbcMcUdAoDtmlaZ9jeXnU7RgCXs5F9ggsmM9B6mFMhZWo1lzwsX86UAR5nw7rIO3cbGo9oUcMTShVFDkTPnoNhP7MTE0L4M99yv8ZLptmS2GP6goHXZgTdFIyYCdfziQgoENcloUI3KshDscsoh6H6I2LA }
|
||||||
- { name: hello, type: a, value: 4.3.2.1 }
|
- { name: hello, type: a, value: 4.3.2.1 }
|
||||||
|
disabled.local:
|
||||||
|
ns_primary: ns1.disabled.local
|
||||||
|
mail: root@disabled.local
|
||||||
|
serial: 2017092201
|
||||||
|
dnssec: no
|
||||||
|
state: disabled
|
||||||
|
records:
|
||||||
|
- { name: '@', type: mx, priority: 20, value: mail.test.local. }
|
||||||
|
absent.local:
|
||||||
|
ns_primary: ns1.absent.local
|
||||||
|
mail: root@absent.local
|
||||||
|
serial: 2017092201
|
||||||
|
dnssec: no
|
||||||
|
state: absent
|
||||||
|
records:
|
||||||
|
- { name: '@', type: mx, priority: 20, value: mail.test.local. }
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- ansible-role-bind
|
- ansible-role-bind
|
||||||
|
|
|
@ -17,11 +17,18 @@ puts '================================'
|
||||||
end
|
end
|
||||||
|
|
||||||
%w[
|
%w[
|
||||||
db.test.local
|
test.local
|
||||||
db.test.local.signed
|
hello.local
|
||||||
db.hello.local
|
disabled.local
|
||||||
].each do |file|
|
].each do |zone|
|
||||||
describe file("/etc/bind/zones/#{file}") do
|
describe file("/etc/bind/zones/#{zone}") do
|
||||||
|
it { should be_directory }
|
||||||
|
it { should be_mode 755 }
|
||||||
|
it { should be_owned_by 'bind' }
|
||||||
|
it { should be_grouped_into 'bind' }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe file("/etc/bind/zones/#{zone}/db") do
|
||||||
it { should be_file }
|
it { should be_file }
|
||||||
it { should be_mode 644 }
|
it { should be_mode 644 }
|
||||||
it { should be_owned_by 'root' }
|
it { should be_owned_by 'root' }
|
||||||
|
@ -29,6 +36,17 @@ end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe file('/etc/bind/zones/test.local/db.signed') do
|
||||||
|
it { should be_file }
|
||||||
|
it { should be_mode 644 }
|
||||||
|
it { should be_owned_by 'root' }
|
||||||
|
it { should be_grouped_into 'root' }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe file('/etc/bind/zones/absent.local') do
|
||||||
|
it { should_not exist }
|
||||||
|
end
|
||||||
|
|
||||||
describe file('/etc/bind/named.conf.local') do
|
describe file('/etc/bind/named.conf.local') do
|
||||||
it { should be_file }
|
it { should be_file }
|
||||||
it { should be_mode 644 }
|
it { should be_mode 644 }
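Review bot: The spec drops the old-layout paths `db.test.local`, `db.test.local.signed` and `db.hello.local` but never asserts that they are gone, so the behaviour named in the commit title ("remove old zones files") has no test and a regression that leaves flat files in `/etc/bind/zones` would pass. Adding `should_not exist` checks for those paths, next to the existing `absent.local` check, pins it; note that on a freshly built test box they pass trivially, so the real migration case (a host upgraded from the old layout) is still only covered if the fixture pre-creates those files. The `describe file('/etc/bind/named.conf.local')` block continues past the hunk, so a content check that `disabled.local` is absent from it may already exist there.

```ruby
# … unchanged: per-zone directory and db checks, test.local/db.signed and absent.local checks …
%w[
  db.test.local
  db.test.local.signed
  db.hello.local
].each do |legacy|
  describe file("/etc/bind/zones/#{legacy}") do
    it { should_not exist }
  end
end
```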
|
||||||
|
|