diff --git a/tasks/base.yml b/tasks/base.yml new file mode 100644 index 0000000..9b00360 --- /dev/null +++ b/tasks/base.yml @@ -0,0 +1,45 @@ +- name: install packages for bind9 + apt: + name: '{{ item }}' + state: present + with_items: + - bind9 + - bind9-host + - cron + +- name: create zone directory + file: + path: /etc/bind/zones + owner: bind + group: bind + mode: 0700 + state: directory + +- name: create log directory + file: + path: /var/log/named + owner: bind + group: bind + mode: 0700 + state: directory + +- name: copy bind configuration files + template: + src: '{{ item }}.j2' + dest: '/etc/bind/{{ item }}' + owner: root + group: root + mode: 0644 + with_items: + - named.conf + - named.conf.options + - named.conf.local + notify: restart bind + +- name: create keys directory + file: + path: /etc/bind/keys + owner: root + group: bind + mode: 0750 + state: directory diff --git a/tasks/keys.yml b/tasks/keys.yml index 0cfbcc9..397c60b 100644 --- a/tasks/keys.yml +++ b/tasks/keys.yml @@ -4,7 +4,6 @@ with_dict: '{{ bind_zones }}' when: item.value.dnssec is defined and item.value.dnssec register: st - tags: bind - name: generated keys for dnssec 1/2 shell: 'dnssec-keygen -a RSASHA256 -b 2048 -r /dev/urandom -n ZONE {{ item.item.key }}' @@ -13,7 +12,6 @@ with_items: '{{ st.results }}' when: item.stat is defined and not item.stat.exists register: stdout - tags: bind - name: move key file 1/2 copy: @@ -27,7 +25,6 @@ - '{{ stdout.results }}' - ['key', 'private'] when: not item[0].skipped is defined - tags: bind - name: link key file 1/2 file: @@ -40,7 +37,6 @@ - '{{ stdout.results }}' - ['key', 'private'] when: not item[0].skipped is defined - tags: bind - name: remove old key file 1/2 file: @@ -50,7 +46,6 @@ - '{{ stdout.results }}' - ['key', 'private'] when: not item[0].skipped is defined - tags: bind - name: generated keys for dnssec 2/2 shell: 'dnssec-keygen -f KSK -a RSASHA256 -b 4096 -r /dev/urandom -n ZONE {{ item.item.key }}' 
@@ -59,7 +54,6 @@ with_items: '{{ st.results }}' when: item.stat is defined and not item.stat.exists register: stdout - tags: bind - name: move key file 2/2 copy: @@ -73,7 +67,6 @@ - '{{ stdout.results }}' - ['key', 'private'] when: not item[0].skipped is defined - tags: bind - name: link key file 2/2 file: @@ -86,7 +79,6 @@ - '{{ stdout.results }}' - ['key', 'private'] when: not item[0].skipped is defined - tags: bind - name: remove old key file 2/2 file: @@ -96,4 +88,3 @@ - '{{ stdout.results }}' - ['key', 'private'] when: not item[0].skipped is defined - tags: bind diff --git a/tasks/main.yml b/tasks/main.yml index b028ca0..e8e346a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,87 +1,13 @@ -- name: install packages for bind9 - apt: - name: '{{ item }}' - state: present - with_items: - - bind9 - - bind9-host - - cron - tags: bind - -- name: create zone directory - file: - path: /etc/bind/zones - owner: bind - group: bind - mode: 0700 - state: directory - tags: bind - -- name: create log directory - file: - path: /var/log/named - owner: bind - group: bind - mode: 0700 - state: directory - tags: bind - -- name: copy bind configuration files - template: - src: '{{ item }}.j2' - dest: '/etc/bind/{{ item }}' - owner: root - group: root - mode: 0644 - with_items: - - named.conf - - named.conf.options - - named.conf.local - notify: restart bind - tags: bind - -- name: create keys directory - file: - path: /etc/bind/keys - owner: root - group: bind - mode: 0750 - state: directory +- include: base.yml tags: bind - include: keys.yml when: bind_role == 'master' - -- name: copy zone files - template: - src: db.j2 - dest: '/etc/bind/zones/db.{{ item.key }}' - owner: root - group: root - mode: 0644 - with_dict: '{{ bind_zones }}' - register: zone - notify: reload bind tags: bind -- name: dnssec sign - shell: 'dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ item.item.key }} -t /etc/bind/zones/db.{{ item.item.key }}' - args: - chdir: /etc/bind/keys - with_items: '{{ zone.results }}' - when: item.changed and item.item.value.dnssec is defined and item.item.value.dnssec - notify: reload bind +- include: zones.yml tags: bind - -- name: add cron dnssec - template: - src: dnssec.j2 - dest: /etc/cron.weekly/dnssec - owner: root - group: root - mode: 0700 - tags: bind - + - name: enable and start bind9 service: name: bind9 diff --git a/tasks/zones.yml b/tasks/zones.yml new file mode 100644 index 0000000..c7ee246 --- /dev/null +++ b/tasks/zones.yml 
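Review bot: The `add cron dnssec` task that templated `dnssec.j2` to `/etc/cron.weekly/dnssec` is deleted in this hunk but does not reappear in base.yml, keys.yml or zones.yml anywhere in this diff, so the role stops installing the weekly re-signing job even though base.yml still installs the `cron` package. The `dnssec sign` task now in zones.yml only runs `when: item.changed`, so a zone whose file does not change is never re-signed and its RRSIGs lapse once they pass their validity period, after which validating resolvers treat the zone as bogus. If dropping the cron job is deliberate it should be stated in the commit message; otherwise carry the task into zones.yml after `dnssec sign` so it is still covered by `tags: bind`. Separately, tagging now relies on `tags: bind` propagating from the `include:` statements to the included tasks, which holds for the static include used here, but `include` is deprecated and a later move to `include_tasks` would silently stop propagating the tag unless `apply` is used.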
@@ -0,0 +1,18 @@
+- name: copy zone files
+ template:
+ src: db.j2
+ dest: '/etc/bind/zones/db.{{ item.key }}'
+ owner: root
+ group: root
+ mode: 0644
+ with_dict: '{{ bind_zones }}'
+ register: zone
+ notify: reload bind
+
+- name: dnssec sign
+ shell: 'dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ item.item.key }} -t /etc/bind/zones/db.{{ item.item.key }}'
+ args:
+ chdir: /etc/bind/keys
+ with_items: '{{ zone.results }}'
+ when: item.changed and item.item.value.dnssec is defined and item.item.value.dnssec
+ notify: reload bind
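Review bot: In the `dnssec sign` task the zone name `{{ item.item.key }}` is interpolated twice into a `shell` command without quoting, so any shell metacharacter in a `bind_zones` key becomes part of the command line, and the same key already builds `dest` in `copy zone files`. Ansible's `quote` filter covers this: `-o {{ item.item.key | quote }} -t {{ ('/etc/bind/zones/db.' ~ item.item.key) | quote }}`. The task also runs on every host that defines a DNSSEC zone, yet main.yml only includes keys.yml when `bind_role == 'master'`, so on a non-master host `/etc/bind/keys` presumably holds no keys and `dnssec-signzone` would fail; adding `bind_role == 'master'` to the `when:` (or gating the include in main.yml) would match the keys.yml condition.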