1ba4559fd8
The dict is the same as for the private loop, and while we're not writing the private date, we are iterating over it which causes it to be printed to the log. Change-Id: I42069f15e59a8615b41082dce1440ae7c51b8260
87 lines
2.3 KiB
YAML
87 lines
2.3 KiB
YAML
- name: Install packages
|
|
package:
|
|
name:
|
|
- bind9
|
|
- git
|
|
- rsync
|
|
state: present
|
|
- name: Ensure base zone directory exists
|
|
file:
|
|
path: /var/lib/bind/zones
|
|
state: directory
|
|
- name: Clone zone repos
|
|
git:
|
|
repo: "{{ item.url }}"
|
|
refspec: "{{ item.refspec | default(omit) }}"
|
|
version: "{{ item.version | default(omit) }}"
|
|
dest: "/opt/source/{{ item.name }}"
|
|
loop: "{{ dns_repos }}"
|
|
- name: Set base rsync options
|
|
set_fact:
|
|
_rsync_options:
|
|
- "--chmod=u+rwX,g+rX,o+rX"
|
|
- "--chown=bind:bind"
|
|
- name: Synchronize zone repos to zone directories
|
|
delegate_to: "{{ inventory_hostname }}"
|
|
synchronize:
|
|
src: "/opt/source/{{ item.source }}"
|
|
dest: "/var/lib/bind/zones/{{ item.name }}"
|
|
rsync_opts: '{{ _rsync_options + ["--ignore-existing"] if item.unmanaged|default(False) else _rsync_options }}'
|
|
loop: "{{ dns_zones }}"
|
|
notify: Reload named
|
|
- name: Install tsig key
|
|
no_log: true
|
|
template:
|
|
src: templates/bind.key.j2
|
|
dest: "/etc/bind/tsig.key"
|
|
owner: root
|
|
group: bind
|
|
mode: 0440
|
|
vars:
|
|
key: "{{ tsig_key }}"
|
|
name: tsig
|
|
- name: Ensure base dnssec key directory exists
|
|
file:
|
|
path: /etc/bind/keys
|
|
state: directory
|
|
# The key directories must exist for every zone, regardless of whether
|
|
# there are any keys in them.
|
|
- name: Ensure zone dnssec key directories exist
|
|
loop: "{{ dns_zones }}"
|
|
file:
|
|
path: "/etc/bind/keys/{{ item.name }}"
|
|
state: directory
|
|
owner: root
|
|
group: bind
|
|
mode: 0750
|
|
- name: Install dnssec public keys
|
|
loop: "{{ dnssec_keys | dict2items }}"
|
|
no_log: true
|
|
copy:
|
|
dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.key"
|
|
content: "{{ item.value.public }}"
|
|
owner: root
|
|
group: bind
|
|
mode: 0440
|
|
- name: Install dnssec private keys
|
|
no_log: true
|
|
loop: "{{ dnssec_keys | dict2items }}"
|
|
copy:
|
|
dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.private"
|
|
content: "{{ item.value.private }}"
|
|
owner: root
|
|
group: bind
|
|
mode: 0440
|
|
- name: Install bind config
|
|
template:
|
|
src: templates/named.conf.j2
|
|
dest: /etc/bind/named.conf
|
|
owner: root
|
|
group: bind
|
|
mode: 0444
|
|
notify: Reload named
|
|
- name: Enable named
|
|
service:
|
|
name: bind9
|
|
enabled: true
|