From aa7c9d1c916b0fb252d41b41c12cfcaff0a8793d Mon Sep 17 00:00:00 2001
From: louis
Date: Tue, 9 May 2023 21:19:48 +0200
Subject: [PATCH 1/2] Bump Integration Workflow to v1.0.0
---
.github/workflows/main.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 52f374b..ccb3217 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -5,7 +5,7 @@ on: push: branches: - main - tags: + tags: - '**' # Push events to every tag including hierarchical tags like v1.0/beta paths-ignore: - ".*"
@@ -19,6 +19,6 @@ on: jobs: integration: name: Integration - uses: systemli/github-ansible-workflow/.github/workflows/ansible-integration-workflow.yaml@main + uses: systemli/github-ansible-workflow/.github/workflows/ansible-integration-workflow.yaml@v1.0.0 with: distros: '[ "debian11", "debian10" ]'
From c234b489b05eeaa8ac994701a9b83b8c8a5387a3 Mon Sep 17 00:00:00 2001
From: louis
Date: Tue, 9 May 2023 22:29:09 +0200
Subject: [PATCH 2/2] Make linter happy
---
.ansible-lint | 3 +-
handlers/main.yml | 9 ++--
tasks/create_ddns_keys.yml | 12 ++++--
tasks/main.yml | 84 +++++++++++++++++++-------------------
tasks/monit.yml | 5 +--
5 files changed, 57 insertions(+), 56 deletions(-)
diff --git a/.ansible-lint b/.ansible-lint
index 5ea69a7..b465989 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,4 +1,3 @@ --- skip_list: - - fqcn-builtins - - no-handler # Tasks that run when changed should likely be handlers. + - no-handler # Tasks that run when changed should likely be handlers.
diff --git a/handlers/main.yml b/handlers/main.yml
index b6cdbb8..e498feb 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,20 +1,19 @@ --- - - name: Restart bind9 - service: + ansible.builtin.service: name: bind9 state: restarted - name: Reload bind9 - service: + ansible.builtin.service: name: bind9 state: reloaded - name: Restart monit - service: + ansible.builtin.service: name: monit state: restarted - name: Zone file change - debug: + ansible.builtin.debug: msg: "dummy handler"
diff --git a/tasks/create_ddns_keys.yml b/tasks/create_ddns_keys.yml
index ff5ea2b..18df985 100644
--- a/tasks/create_ddns_keys.yml
+++ b/tasks/create_ddns_keys.yml
@@ -1,29 +1,33 @@ +--- - name: Determine if DDNS key already exists become: false delegate_to: localhost - stat: + ansible.builtin.stat: path: "{{ bind9_local_keydir }}/{{ item.update_keyfile }}.private" register: update_keyfile_tmp when: item.update_keyfile is defined - name: Generate DDNS key - shell: "tsig-keygen -a {{ item.update_key_algorithm | d('hmac-sha512') }} {{ item.name }}_{{ item.update_keyfile }}_update > /etc/bind/keys/{{ item.update_keyfile }}.private" + ansible.builtin.shell: "tsig-keygen -a {{ item.update_key_algorithm | d('hmac-sha512') }} {{ item.name }}_{{ item.update_keyfile }}_update > /etc/bind/keys/{{ item.update_keyfile }}.private" args: chdir: "{{ bind9_zonedir }}" register: ddns_key + changed_when: ddns_key.rc != 0 when: item.update_keyfile is defined and not update_keyfile_tmp.stat.exists - name: Copy DDNS key to control host - fetch: + ansible.builtin.fetch: src: "/etc/bind/keys/{{ item.update_keyfile }}.private" dest: "{{ bind9_local_keydir }}/{{ item.update_keyfile }}.private" + mode: "0640" flat: true when: ddns_key.changed - name: Create dummy DDNS public key file on control host become: false delegate_to: localhost - file: + ansible.builtin.file: path: "{{ bind9_local_keydir }}/{{ item.update_keyfile }}.key" + mode: "0640" state: touch when: ddns_key.changed
diff --git a/tasks/main.yml b/tasks/main.yml
index 53d219e..26c2cee 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
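Review bot: The new `changed_when: ddns_key.rc != 0` on the Generate DDNS key task inverts the result: a successful `tsig-keygen` run (rc 0) now reports unchanged, so the two following tasks gated on `when: ddns_key.changed` never fetch the freshly generated private key or create the dummy `.key` file, while a non-zero rc still fails the task because no `failed_when` is set; it should read `changed_when: ddns_key.rc == 0`. The same inverted condition is added in tasks/main.yml for `bind9_reg_keygen_ksk` and `bind9_reg_keygen_zsk` (hunks at -167 and -188), whose `results` are iterated by the later DNSKEY/DS tasks; whatever consumes `.changed` there is outside the hunk, so check it the same way. Separately, `ansible.builtin.fetch` does not document a `mode` option, so the `mode: "0640"` added to the Copy DDNS key task is most likely ignored and the `.private` key lands on the control host with the umask default; if that is confirmed, tighten it with a follow-up `ansible.builtin.file` task on localhost, as the dummy `.key` touch task already does.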
@@ -1,13 +1,12 @@ --- - - name: Install bind9 packages - apt: + ansible.builtin.apt: pkg: "{{ bind9_packages }}" state: present cache_valid_time: 600 - name: Copy bind9 defaults file - template: + ansible.builtin.template: src: "{{ bind9_templates | default('') }}bind/default.j2" dest: /etc/default/bind9 owner: root
@@ -20,7 +19,7 @@ when: bind9_named_logging block: - name: Ensure existence of the log directory - file: + ansible.builtin.file: path: "{{ bind9_log_path }}" state: directory owner: "{{ bind9_user }}"
@@ -28,7 +27,7 @@ mode: 0755 - name: Configure log rotate for bind9 - template: + ansible.builtin.template: src: "{{ bind9_templates | default('') }}logrotate.d/bind.j2" dest: /etc/logrotate.d/bind owner: root
@@ -36,18 +35,18 @@ mode: 0644 - name: Create dynamic DNS keys - include_tasks: create_ddns_keys.yml + ansible.builtin.include_tasks: create_ddns_keys.yml with_items: - "{{ bind9_zones_static + bind9_zones_dynamic }}" when: bind9_generate_ddns_key | bool - name: Configure bind9 named.conf files - template: + ansible.builtin.template: src: "{{ bind9_templates | default('') }}bind/{{ item }}.j2" dest: /etc/bind/{{ item }} owner: root group: "{{ bind9_group }}" - mode: 0644 + mode: "0644" with_items: - named.conf.local - named.conf.options
@@ -57,7 +56,7 @@ register: bind9_named_conf - name: Check validity of named.conf - command: named-checkconf + ansible.builtin.command: named-checkconf register: bind9_reg_named_checkconf become: true become_user: "{{ bind9_user }}"
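Review bot: The quoting of octal modes is applied unevenly in tasks/main.yml: the named.conf task in the -36 hunk becomes `mode: "0644"`, but the `mode: 0755` and `mode: 0644` shown as context at the -28 and -36 hunk headers (apparently the log-directory and logrotate tasks) stay bare. A bare leading-zero value is parsed as a YAML 1.1 octal integer, which Ansible still accepts, but it is exactly the form the linter this commit targets complains about and it leaves the file half-converted; change them to `mode: "0755"` and `mode: "0644"` as well. By the same convention the `ansible_ssh_pipelining: True` context at the -66 header would be written `true`.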
@@ -66,30 +65,30 @@ ansible_ssh_pipelining: True - name: Create bind9 directory for master zones - file: + ansible.builtin.file: path: "{{ bind9_zonedir }}" state: directory owner: root group: "{{ bind9_group }}" - mode: 02775 + mode: "02775" when: bind9_authoritative | default() - name: Create bind9 directory for master zone includes - file: + ansible.builtin.file: path: "{{ bind9_zonedir }}/includes" state: directory owner: root group: "{{ bind9_group }}" - mode: 0755 + mode: "0755" when: bind9_authoritative | default() - name: Install bind9 authoritative include files - template: + ansible.builtin.template: src: "bind/zones/includes/{{ item }}.j2" dest: "{{ bind9_zonedir }}/includes/{{ item }}" owner: root group: "{{ bind9_group }}" - mode: 0644 + mode: "0644" with_items: "{{ bind9_authoritative_includes }}" when: bind9_authoritative | default() notify:
@@ -97,12 +96,12 @@ - Reload bind9 - name: Install bind9 rndc key - template: + ansible.builtin.template: src: "{{ bind9_templates | default('') }}bind/rndc.key.j2" dest: /etc/bind/rndc.key owner: "{{ bind9_user }}" group: "{{ bind9_group }}" - mode: 0640 + mode: "0640" when: bind9_rndc_key | default() notify: - Restart bind9
@@ -110,7 +109,7 @@ - role:bind9:rndc_key - name: Create bind9 directory for keys - file: + ansible.builtin.file: path: /etc/bind/keys state: directory owner: "{{ bind9_user }}"
@@ -123,12 +122,12 @@ # TODO: DDNS: move keys into vault file - name: Copy over DDNS keys for zones with update_keyfile - copy: + ansible.builtin.copy: src: bind/zones/{{ item.update_keyfile }}.key dest: /etc/bind/keys/{{ item.update_keyfile }}.key owner: "{{ bind9_user }}" group: "{{ bind9_group }}" - mode: 0644 + mode: "0644" with_items: - "{{ bind9_zones_static + bind9_zones_dynamic }}" when:
@@ -137,12 +136,12 @@ - item.update_keyfile | default() - name: Copy over DDNS private keys for zones with update_keyfile - copy: + ansible.builtin.copy: src: bind/zones/{{ item.update_keyfile }}.private dest: /etc/bind/keys/{{ item.update_keyfile }}.private owner: "{{ bind9_user }}" group: "{{ bind9_group }}" - mode: 0600 + mode: "0600" with_items: - "{{ bind9_zones_static + bind9_zones_dynamic }}" when:
@@ -152,7 +151,7 @@ # TODO: DNSSEC: implement key rollover - name: Determine if DNSSEC keys for zones already exist - find: + ansible.builtin.find: paths: /etc/bind/keys patterns: "K{{ item.name }}.+008+*" register: bind9_reg_dnssec_keys_tmp
@@ -167,14 +166,15 @@ # Filter out all skipped results (e.g. if item.dnssec is set to False) - name: Set bind9_reg_dnssec_keys - set_fact: + ansible.builtin.set_fact: bind9_reg_dnssec_keys: "{{ bind9_reg_dnssec_keys_tmp.results | selectattr('skipped', 'undefined') | list }}" - name: Generate bind9 key signing keys for zones - command: dnssec-keygen -a RSASHA256 -b 4096 -n ZONE -f KSK {{ item.item.name }} + ansible.builtin.command: dnssec-keygen -a RSASHA256 -b 4096 -n ZONE -f KSK {{ item.item.name }} args: chdir: /etc/bind/keys register: bind9_reg_keygen_ksk + changed_when: bind9_reg_keygen_ksk.rc != 0 become: true become_user: "{{ bind9_user }}" with_items: "{{ bind9_reg_dnssec_keys }}"
@@ -188,10 +188,11 @@ - role:bind9:dnssec - name: Generate bind9 zone signing keys for zones - command: dnssec-keygen -a RSASHA256 -b 2048 -n ZONE {{ item.item.name }} + ansible.builtin.command: dnssec-keygen -a RSASHA256 -b 2048 -n ZONE {{ item.item.name }} args: chdir: /etc/bind/keys register: bind9_reg_keygen_zsk + changed_when: bind9_reg_keygen_zsk.rc != 0 become: true become_user: "{{ bind9_user }}" with_items: "{{ bind9_reg_dnssec_keys }}"
@@ -205,7 +206,7 @@ - role:bind9:dnssec - name: Read in key signing keys from key files (DNSKEY) - command: "grep 'IN DNSKEY' /etc/bind/keys/{{ item.stdout }}.key" + ansible.builtin.command: "grep 'IN DNSKEY' /etc/bind/keys/{{ item.stdout }}.key" register: bind9_reg_ksk changed_when: false with_items: "{{ bind9_reg_keygen_ksk.results }}"
@@ -217,7 +218,7 @@ - role:bind9:dnssec - name: Generate DS records from key signing keys - command: "dnssec-dsfromkey -2 /etc/bind/keys/{{ item.stdout }}.key" + ansible.builtin.command: "dnssec-dsfromkey -2 /etc/bind/keys/{{ item.stdout }}.key" register: bind9_reg_ksk_ds changed_when: false with_items: "{{ bind9_reg_keygen_ksk.results }}"
@@ -229,12 +230,13 @@ - role:bind9:dnssec - name: Generate notification message - set_fact: - notification_message: 'New key signing key (KSK) for zone "{{ item.0.item.item.item.name }}" needs to be inserted/updated at registrar (use the format that the registrar demands): + ansible.builtin.set_fact: + notification_message: | + New key signing key (KSK) for zone "{{ item.0.item.item.item.name }}" needs to be inserted/updated at registrar (use the format that the registrar demands): -{{ item.0.stdout }} + {{ item.0.stdout }} -{{ item.1.stdout }}' + {{ item.1.stdout }} with_together: - "{{ bind9_reg_ksk.results }}" - "{{ bind9_reg_ksk_ds.results }}"
@@ -267,7 +269,7 @@ # send message to matrix - name: Set matrix notification message - set_fact: + ansible.builtin.set_fact: bind9_matrix_notifier_text: "{{ notification_message }}" ignore_errors: "{{ ansible_check_mode }}" with_together:
@@ -281,9 +283,8 @@ tags: - role:bind9:dnssec - - name: Send message to matrix via webhook - uri: + ansible.builtin.uri: url: "{{ bind9_matrix_notifier_url }}" method: POST body: "{{ bind9_matrix_notifier_body | to_nice_json }}"
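Review bot: The `notification_message: |` literal block in the -229 hunk does not reproduce the value of the quoted scalar it replaces: the blank lines inside the block are now kept verbatim, giving double newlines between the header sentence, the DNSKEY record and the DS record where the quoted form folded each blank line to a single newline, and `|` adds one trailing newline the old value did not have. That string is copied into `bind9_matrix_notifier_text` and, presumably via `bind9_matrix_notifier_body`, serialised with `to_nice_json` for the webhook POST, so the extra whitespace reaches the recipient. If the wider spacing is intended that is fine; otherwise `notification_message: |-` and dropping the two blank lines inside the block restores the previous text.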
@@ -301,14 +302,13 @@ tags: - role:bind9:dnssec - - name: Create dynamic bind9 zone files - template: + ansible.builtin.template: src: "{{ bind9_templates | default('') }}bind/zones/db.template.j2" dest: "{{ bind9_zonedir }}/db.{{ item.name }}" owner: root group: "{{ bind9_group }}" - mode: 0644 + mode: "0644" with_items: "{{ bind9_zones_dynamic }}" when: - bind9_authoritative | default()
@@ -320,12 +320,12 @@ - role:bind9:zones - name: Install static bind9 zone files - copy: + ansible.builtin.copy: src: bind/zones/db.{{ item.name }} dest: "{{ bind9_zonedir }}/db.{{ item.name }}" owner: root group: "{{ bind9_group }}" - mode: 0644 + mode: "0644" force: "{{ item.force_update | default('yes') }}" with_items: "{{ bind9_zones_static }}" when:
@@ -338,7 +338,7 @@ - role:bind9:zones - name: Check validity of zone files - command: named-checkzone {{ item.name }} {{ bind9_zonedir }}/db.{{ item.name }} + ansible.builtin.command: named-checkzone {{ item.name }} {{ bind9_zonedir }}/db.{{ item.name }} register: bind9_reg_named_checkzone become: true become_user: "{{ bind9_user }}"
@@ -351,5 +351,5 @@ ansible_ssh_pipelining: True - name: Import monit tasks - import_tasks: monit.yml + ansible.builtin.import_tasks: monit.yml when: bind9_monit_enabled | default()
diff --git a/tasks/monit.yml b/tasks/monit.yml
index f6f6714..06312f0 100644
--- a/tasks/monit.yml
+++ b/tasks/monit.yml
@@ -1,12 +1,11 @@ --- - - name: Ensure monit configs are present - copy: + ansible.builtin.copy: src: "monit/conf.d/{{ item }}" dest: "/etc/monit/conf.d/{{ item }}" owner: root group: root - mode: 0600 + mode: "0600" with_items: - bind9 notify: Restart monit