Initial commit

.gitignore

@@ -0,0 +1,66 @@
+# Linux files
+*~
+
+# OS X files
+.DS_Store
+.AppleDouble
+.LSOverride
+Icon
+._*
+.Spotlight-V100
+.Trashes
+
+# Windows files
+Thumbs.db
+ehthumbs.db
+Desktop.ini
+$RECYCLE.BIN/
+
+# Vim files
+.*.s[a-w][a-z]
+*.un~
+Session.vim
+.netrwhist
+*~
+
+# SublimeText project files
+*.sublime-workspace
+
+# TextMate files
+*.tmproj
+*.tmproject
+tmtags
+
+# Eclipse files (covers most of the basic stuff, you might need to add more)
+.classpath
+.project
+.settings
+
+# Intellij files
+*.iml
+*.ipr
+*.iws
+.idea/
+
+# Emacs files
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+.elc
+auto-save-list
+tramp
+.\#*
+
+# Org-mode files
+.org-id-locations
+*_archive
+
+# Testing files
+.molecule/
+.cache
+.molecule
+.tox
+.vagrant
+molecule/*/.molecule
+tests/__pycache__

.travis.yml

@@ -0,0 +1,14 @@
+---
+sudo: required
+language: python
+services:
+  - docker
+before_install:
+  - sudo apt-get update -qq
+  - sudo apt-get install -o Dpkg::Options::="--force-confold" --force-yes -y docker-ce
+install:
+  - pip install tox-travis
+script:
+  - tox
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

README.md

@@ -0,0 +1,96 @@
+# Ansible role to install and maintain the Bind9 nameserver on Debian
+
+[![Build Status](https://travis-ci.org/systemli/ansible-role-bind9.svg?branch=master)](https://travis-ci.org/systemli/ansible-role-bind9) [![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-bind9-blue.svg)](https://galaxy.ansible.com/systemli/bind9/)
+
+This role installs and configures the Bind9 nameserver on Debian.
+
+Features:
+* Support for configuring an authoritative nameserver for DNS zones and/or
+  a DNS recursor
+* Extensive DNSSEC support:
+  * automatic KSK and ZSK key creation
+  * automatic zone DNSSEC configuration
+  * support t osend DNSKEY/DS formatted output over XMPP
+* Support for hidden primary and authoritative secondary configuration
+* Preliminary support for dynamic creation of zone files from variables
+
+## Dependencies
+
+For the XMPP notification feature, `python-xmpp` needs to be installed.
+
+## Role varibles
+
+```
+# User and group for bind
+bind9_user: bind
+bind9_group: bind
+
+# Listen on IPv6 interfaces
+bind9_ipv6: yes
+
+# Run bind as a DNS recursor?
+bind9_recursor: no
+
+# Run bind as authoritative nameserver?
+bind9_authoritative: no
+
+# Setup DNSSEC for recursor and zones?
+bind9_dnssec: no
+
+# Run bind as a hidden master (i.e. limit queries to our_networks)
+bind9_hidden_master: no
+
+# Only notify nameservers from also-notify, not from the zone NS records.
+# Necessary to keep traffic between nameservers in private network.
+bind9_notify_explicit: no
+
+# Default zone type
+bind9_zone_type: master
+
+# Permitted hosts/networks for recursion (when configured as recursor)
+bind9_our_networks:
+  - localhost
+  - localnets
+
+# Permitted hosts/networks for zone transfers
+bind9_our_neighbors:
+  - localhost
+  - localnets
+
+# Install custom rndc.key
+bind9_rndc_algorithm: hmac-md5
+#bind9_rndc_key:
+
+# Global primaries for all zones (if configured as secondary)
+#bind9_masters:
+#  - name: ns-primary
+#    addresses:
+#      - 1.2.3.4
+
+# Global secondaries for all zones (if configured as primary)
+#bind9_slaves:
+#  - 1.2.3.4
+
+# DNS Zones
+# bind9_zone_dynamic: zone files created from template
+# bind9_zone_static:  zone files copied from `files/bind/zones/`
+bind9_zones_dynamic: []
+bind9_zones_static: []
+
+# Send DNSSEC ZSK in DNSKEY and DS format over XMPP after it got created
+bind9_dnssec_notify_xmpp: no
+bind9_dnssec_notify_xmpp_user: [email protected]
+bind9_dnssec_notify_xmpp_password: insecure
+bind9_dnssec_notify_xmpp_rcpt: [email protected]
+
+# Install monit file for bind9 named
+bind9_monit_enabled: no
+```
+
+## License
+
+This Ansible role is licensed under the GNU GPLv3.
+
+## Author
+
+Copyright 2017-2018 systemli.org (https://www.systemli.org/)

defaults/main.yml

@@ -0,0 +1,66 @@
+---
+
+# User and group for bind
+bind9_user: bind
+bind9_group: bind
+
+# Listen on IPv6 interfaces
+bind9_ipv6: yes
+
+# Run bind as a DNS recursor?
+bind9_recursor: no
+
+# Run bind as authoritative nameserver?
+bind9_authoritative: no
+
+# Setup DNSSEC for recursor and zones?
+bind9_dnssec: no
+
+# Run bind as a hidden master (i.e. limit queries to our_networks)
+bind9_hidden_master: no
+
+# Only notify nameservers from also-notify, not from the zone NS records.
+# Necessary to keep traffic between nameservers in private network.
+bind9_notify_explicit: no
+
+# Default zone type
+bind9_zone_type: master
+
+# Permitted hosts/networks for recursion (when configured as recursor)
+bind9_our_networks:
+  - localhost
+  - localnets
+
+# Permitted hosts/networks for zone transfers
+bind9_our_neighbors:
+  - localhost
+  - localnets
+
+# Install custom rndc.key
+bind9_rndc_algorithm: hmac-md5
+#bind9_rndc_key:
+
+# Global primaries for all zones (if configured as secondary)
+#bind9_masters:
+#  - name: ns-primary
+#    addresses:
+#      - 1.2.3.4
+
+# Global secondaries for all zones (if configured as primary)
+#bind9_slaves:
+#  - 1.2.3.4
+
+# DNS Zones
+# bind9_zone_dynamic: zone files created from template
+# bind9_zone_static:  zone files copied from `files/bind/zones/`
+bind9_zones_dynamic: []
+bind9_zones_static: []
+
+# Send DNSSEC ZSK in DNSKEY and DS format over XMPP after it got created
+bind9_dnssec_notify_xmpp: no
+bind9_dnssec_notify_xmpp_user: [email protected]
+bind9_dnssec_notify_xmpp_password: insecure
+bind9_dnssec_notify_xmpp_rcpt: [email protected]
+
+# Install monit file for bind9 named
+bind9_monit_enabled: no

files/monit/conf.d/bind9

@@ -0,0 +1,4 @@
+check process named with pidfile /run/named/named.pid
+    start program = "/usr/sbin/service bind9 start" with timeout 60 seconds
+    stop program  = "/usr/sbin/service bind9 stop"
+    group server

handlers/main.yml

@@ -0,0 +1,16 @@
+---
+
+- name: restart bind9
+  service:
+    name: bind9
+    state: restarted
+
+- name: reload bind9
+  service:
+    name: bind9
+    state: reloaded
+
+- name: restart monit
+  service:
+    name: monit
+    state: restarted

meta/main.yml

@@ -0,0 +1,19 @@
+---
+galaxy_info:
+  author: systemli
+  description: Role to install and maintain the Bind9 nameserver on Debian
+  company: systemli.org
+  license: GPLv3
+  min_ansible_version: 2.2
+  galaxy_tags:
+    - bind9
+    - dns
+    - nameserver
+    - recursor
+  platforms:
+  - name: Debian
+    versions:
+      - jessie
+      - stretch
+  notifications:
+    webhooks: https://galaxy.ansible.com/api/v1/notifications/

molecule/default/Dockerfile.j2

@@ -0,0 +1,3 @@
+FROM {{ item.image }}
+
+RUN apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean

molecule/default/INSTALL.rst

@@ -0,0 +1,39 @@
+*******
+Install
+*******
+
+This set of playbooks have specific dependencies on Ansible due to the modules
+being used.
+
+Requirements
+============
+
+* Ansible 2.2 or higher
+* Docker Engine
+* docker-py
+
+Install OS dependencies on Debian 9 (Stretch)
+
+.. code-block:: bash
+
+  # apt-get update
+  # apt-get install -y python-pip libssl-dev python-docker
+  ## If installing Molecule from source.
+  # apt-get install -y libffi-dev git
+
+Install OS dependencies on Ubuntu 16.x
+
+.. code-block:: bash
+
+  $ sudo apt-get update
+  $ sudo apt-get install -y python-pip libssl-dev docker-engine
+  # If installing Molecule from source.
+  $ sudo apt-get install -y libffi-dev git
+
+Install using pip:
+
+.. code-block:: bash
+
+  $ sudo pip install ansible
+  $ sudo pip install docker-py
+  $ sudo pip install molecule --pre

molecule/default/create.yml

@@ -0,0 +1,47 @@
+---
+- name: Create
+  hosts: localhost
+  connection: local
+  gather_facts: False
+  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
+  vars:
+    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
+    molecule_ephemeral_directory: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}"
+    molecule_scenario_directory: "{{ lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}"
+    molecule_yml: "{{ lookup('file', molecule_file) | from_yaml }}"
+  tasks:
+    - name: Create Dockerfiles from image names
+      template:
+        src: "{{ molecule_scenario_directory }}/Dockerfile.j2"
+        dest: "{{ molecule_ephemeral_directory }}/Dockerfile_{{ item.image | regex_replace('[^a-zA-Z0-9_]', '_') }}"
+      with_items: "{{ molecule_yml.platforms }}"
+      register: platforms
+
+    - name: Discover local Docker images
+      docker_image_facts:
+        name: "molecule_local/{{ item.item.name }}"
+      with_items: "{{ platforms.results }}"
+      register: docker_images
+
+    - name: Build an Ansible compatible image
+      docker_image:
+        path: "{{ molecule_ephemeral_directory }}"
+        name: "molecule_local/{{ item.item.image }}"
+        dockerfile: "{{ item.item.dockerfile | default(item.invocation.module_args.dest) }}"
+        force: "{{ item.item.force | default(True) }}"
+      with_items: "{{ platforms.results }}"
+      when: platforms.changed or docker_images.results | map(attribute='images') | select('equalto', []) | list | count >= 0
+
+    - name: Create molecule instance(s)
+      docker_container:
+        name: "{{ item.name }}"
+        hostname: "{{ item.name }}"
+        image: "molecule_local/{{ item.image }}"
+        state: started
+        recreate: False
+        log_driver: syslog
+        command: "{{ item.command | default('sleep infinity') }}"
+        privileged: "{{ item.privileged | default(omit) }}"
+        volumes: "{{ item.volumes | default(omit) }}"
+        capabilities: "{{ item.capabilities | default(omit) }}"
+      with_items: "{{ molecule_yml.platforms }}"

molecule/default/destroy.yml

@@ -0,0 +1,16 @@
+---
+- name: Destroy
+  hosts: localhost
+  connection: local
+  gather_facts: False
+  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
+  vars:
+    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
+    molecule_yml: "{{ lookup('file', molecule_file) | from_yaml }}"
+  tasks:
+    - name: Destroy molecule instance(s)
+      docker_container:
+        name: "{{ item.name }}"
+        state: absent
+        force_kill: "{{ item.force_kill | default(True) }}"
+      with_items: "{{ molecule_yml.platforms }}"