nishiki/ansible-role-bind
1
0
Fork 0
Code Issues Pull requests Releases 2 Activity Actions

feat: remove old zones files

Browse source
This commit is contained in:
Adrien Waksberg 2018-03-31 17:50:50 +02:00
parent 62fd27111e
commit 3716a1ac8a
5 changed files with 76 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
README.md
View file

@ -63,6 +63,7 @@ bind_zones:
mail: root@hello.local mail: root@hello.local
serial: 2017092201 serial: 2017092201
dnssec: no dnssec: no
state: disabled
records: records:
- { name: '@', type: ns, value: localhost. } - { name: '@', type: ns, value: localhost. }
- { name: hello, type: a, value: 4.3.2.1 } - { name: hello, type: a, value: 4.3.2.1 }

30
tasks/zones.yml
View file

@ -1,18 +1,44 @@
- name: create zone folder
file:
path: '/etc/bind/zones/{{ item.key }}'
owner: bind
group: bind
mode: 0755
state: directory
with_dict: '{{ bind_zones }}'
when: item.value.state is not defined or item.value.state != 'absent'
- name: copy zone files - name: copy zone files
template: template:
src: db.j2 src: db.j2
dest: '/etc/bind/zones/db.{{ item.key }}' dest: '/etc/bind/zones/{{ item.key }}/db'
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
with_dict: '{{ bind_zones }}' with_dict: '{{ bind_zones }}'
register: zone register: zone
when: item.value.state is not defined or item.value.state != 'absent'
notify: reload bind notify: reload bind
- name: dnssec sign - name: dnssec sign
shell: 'dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ item.item.key }} -t /etc/bind/zones/db.{{ item.item.key }}' shell: 'dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ item.item.key }} -t /etc/bind/zones/{{ item.item.key }}/db'
args: args:
chdir: /etc/bind/keys chdir: /etc/bind/keys
with_items: '{{ zone.results }}' with_items: '{{ zone.results }}'
when: item.changed and item.item.value.dnssec is defined and item.item.value.dnssec when: item.changed and item.item.value.dnssec is defined and item.item.value.dnssec
notify: reload bind notify: reload bind
- name: get zones files
find:
path: /etc/bind/zones
file_type: directory
recurse: no
register: zone_folders
- name: delete old zone file
file:
path: '{{ item.path }}'
state: absent
with_items: '{{ zone_folders.files }}'
when: item.path|basename not in bind_zones or ('state' in bind_zones[item.path|basename] and bind_zones[item.path|basename].state == 'absent')

6
templates/named.conf.local.j2
View file

@ -1,12 +1,13 @@
# {{ ansible_managed }} # {{ ansible_managed }}
{% for zone, value in bind_zones.iteritems() %} {% for zone, value in bind_zones.iteritems() %}
{% if 'state' not in value or value.state|lower not in ['disabled', 'absent'] %}
zone "{{ zone }}" IN { zone "{{ zone }}" IN {
type master; type master;
{% if 'dnssec' in value and value.dnssec %} {% if 'dnssec' in value and value.dnssec %}
file "/etc/bind/zones/db.{{ zone }}.signed"; file "/etc/bind/zones/{{ zone }}/db.signed";
{% else %} {% else %}
file "/etc/bind/zones/db.{{ zone }}"; file "/etc/bind/zones/{{ zone }}/db";
{% endif %} {% endif %}
{% if 'allow_transfer' in value and value.dnssec %} {% if 'allow_transfer' in value and value.dnssec %}
allow-transfer { allow-transfer {
@ -21,4 +22,5 @@ zone "{{ zone }}" IN {
{% endfor %} {% endfor %}
{% endif %} {% endif %}
}; };
{% endif %}
{% endfor %} {% endfor %}

20
test/integration/bind/default.yml
View file

@ -38,6 +38,26 @@
- { name: '@', type: ns, value: localhost. } - { name: '@', type: ns, value: localhost. }
- { name: '@', type: txt, value: RFufr9qzCi9vnJeWUB2FMNDCtu8ZtP6WE2jl2OFvIiz6pv2dwfzEXBgTC8SI1UzsmlkFYS7vxkHeYuOCLQ95BkOl0YP85ejQQlz8DNbcMcUdAoDtmlaZ9jeXnU7RgCXs5F9ggsmM9B6mFMhZWo1lzwsX86UAR5nw7rIO3cbGo9oUcMTShVFDkTPnoNhP7MTE0L4M99yv8ZLptmS2GP6goHXZgTdFIyYCdfziQgoENcloUI3KshDscsoh6H6I2LA } - { name: '@', type: txt, value: RFufr9qzCi9vnJeWUB2FMNDCtu8ZtP6WE2jl2OFvIiz6pv2dwfzEXBgTC8SI1UzsmlkFYS7vxkHeYuOCLQ95BkOl0YP85ejQQlz8DNbcMcUdAoDtmlaZ9jeXnU7RgCXs5F9ggsmM9B6mFMhZWo1lzwsX86UAR5nw7rIO3cbGo9oUcMTShVFDkTPnoNhP7MTE0L4M99yv8ZLptmS2GP6goHXZgTdFIyYCdfziQgoENcloUI3KshDscsoh6H6I2LA }
- { name: hello, type: a, value: 4.3.2.1 } - { name: hello, type: a, value: 4.3.2.1 }
disabled.local:
ns_primary: ns1.disabled.local
mail: root@disabled.local
serial: 2017092201
dnssec: no
state: disabled
records:
- { name: '@', type: mx, priority: 20, value: mail.test.local. }
absent.local:
ns_primary: ns1.absent.local
mail: root@absent.local
serial: 2017092201
dnssec: no
state: absent
records:
- { name: '@', type: mx, priority: 20, value: mail.test.local. }
roles: roles:
- ansible-role-bind - ansible-role-bind

28
test/integration/bind/serverspec/bind_spec.rb
View file

@ -17,11 +17,18 @@ puts '================================'
end end
%w[ %w[
db.test.local test.local
db.test.local.signed hello.local
db.hello.local disabled.local
].each do |file| ].each do |zone|
describe file("/etc/bind/zones/#{file}") do describe file("/etc/bind/zones/#{zone}") do
it { should be_directory }
it { should be_mode 755 }
it { should be_owned_by 'bind' }
it { should be_grouped_into 'bind' }
end
describe file("/etc/bind/zones/#{zone}/db") do
it { should be_file } it { should be_file }
it { should be_mode 644 } it { should be_mode 644 }
it { should be_owned_by 'root' } it { should be_owned_by 'root' }
@ -29,6 +36,17 @@ end
end end
end end
describe file('/etc/bind/zones/test.local/db.signed') do
it { should be_file }
it { should be_mode 644 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
end
describe file('/etc/bind/zones/absent.local') do
it { should_not exist }
end
describe file('/etc/bind/named.conf.local') do describe file('/etc/bind/named.conf.local') do
it { should be_file } it { should be_file }
it { should be_mode 644 } it { should be_mode 644 }