diff --git a/README.md b/README.md index 3771e6e..616ca05 100644 --- a/README.md +++ b/README.md @@ -109,6 +109,30 @@ And similarly `zone_my_reverse_inaddr_arpa` and `zone_my_reverse_ip6_arpa` for I * deploy role to your servers +### DDNS updates + +## Key generation + +If you want to have your DDNS keys created by this role configure `bind9_generate_ddns_key`: + +```yaml +- bind9_generate_ddns_key: true +``` + +Keys will by default be stored to `files/bind/zones` withinin your playbook location, but you can customize this with `bind9_local_keydir` + +```yaml +- bind9_local_keydir: credentials/bind +``` + +## Zone database + +Please note that for DDNS updates to work, the location of the zone files needs to be writable by the BIND process. +Linux distros with Mandatory Access Control (Apparmor, SELinux) ususally don't allow writing to the default `/etc/bind/zones` path. In order to circumvent this you may want to change the zone files location to `/var/lib/bind/zones` instead: + +```yaml +- bind9_zonedir: /var/lib/bind/zones +``` ## Dependencies diff --git a/defaults/main.yml b/defaults/main.yml index e3c05f5..d55fbd9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -137,3 +137,7 @@ bind9_log_categories: destination: bind_log - name: lame-servers destination: 'null' + +bind9_generate_ddns_key: true +bind9_zonedir: /etc/bind/zones +bind9_local_keydir: files/bind/zones \ No newline at end of file diff --git a/tasks/create_ddns_keys.yml b/tasks/create_ddns_keys.yml new file mode 100644 index 0000000..1bea0ab --- /dev/null +++ b/tasks/create_ddns_keys.yml @@ -0,0 +1,29 @@ +- name: determine if DDNS key already exists + become: false + delegate_to: localhost + stat: + path: "{{ bind9_local_keydir }}/{{ item.update_keyfile }}.private" + register: update_keyfile_tmp + when: item.update_keyfile is defined + +- name: generate DDNS key + shell: "tsig-keygen -a {{ item.update_key_algorithm | d('hmac-sha512') }} {{ item.name }}_{{ item.update_keyfile }}_update > /etc/bind/keys/{{ item.update_keyfile }}.private" + args: + chdir: "{{ bind9_zonedir }}" + register: ddns_key + when: item.update_keyfile is defined and not update_keyfile_tmp.stat.exists + +- name: copy DDNS key to control host + fetch: + src: "/etc/bind/keys/{{ item.update_keyfile }}.private" + dest: "{{ bind9_local_keydir }}/{{ item.update_keyfile }}.private" + flat: true + when: ddns_key.changed + +- name: create dummy DDNS public key file on control host + become: false + delegate_to: localhost + file: + path: "{{ bind9_local_keydir }}/{{ item.update_keyfile }}.key" + state: touch + when: ddns_key.changed \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 18be3bf..eb3ed83 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -35,6 +35,11 @@ group: "{{ bind9_group }}" mode: 0644 +- include_tasks: create_ddns_keys.yml + with_items: + - "{{ bind9_zones_static + bind9_zones_dynamic }}" + when: bind9_generate_ddns_key | bool + - name: Configure bind9 named.conf files template: src: "{{ bind9_templates | default('') }}bind/{{ item }}.j2" @@ -61,7 +66,7 @@ - name: Create bind9 directory for master zones file: - path: /etc/bind/zones + path: "{{ bind9_zonedir }}" state: directory owner: root group: "{{ bind9_group }}" @@ -70,7 +75,7 @@ - name: Create bind9 directory for master zone includes file: - path: /etc/bind/zones/includes + path: "{{ bind9_zonedir }}/includes" state: directory owner: root group: "{{ bind9_group }}" @@ -80,7 +85,7 @@ - name: Install bind9 authoritative include files template: src: "bind/zones/includes/{{ item }}.j2" - dest: "/etc/bind/zones/includes/{{ item }}" + dest: "{{ bind9_zonedir }}/includes/{{ item }}" owner: root group: "{{ bind9_group }}" mode: 0644 @@ -299,7 +304,7 @@ - name: Create dynamic bind9 zone files template: src: "{{ bind9_templates | default('') }}bind/zones/db.template.j2" - dest: /etc/bind/zones/db.{{ item.name }} + dest: "{{ bind9_zonedir }}/db.{{ item.name }}" owner: root group: "{{ bind9_group }}" mode: 0644 @@ -316,7 +321,7 @@ - name: Install static bind9 zone files copy: src: bind/zones/db.{{ item.name }} - dest: /etc/bind/zones/db.{{ item.name }} + dest: "{{ bind9_zonedir }}/db.{{ item.name }}" owner: root group: "{{ bind9_group }}" mode: 0644 @@ -331,8 +336,8 @@ tags: - role:bind9:zones -- name: Check validity of zone files - command: named-checkzone {{ item.name }} /etc/bind/zones/db.{{ item.name }} +- name: check validity of zone files + command: named-checkzone {{ item.name }} {{ bind9_zonedir }}/db.{{ item.name }} register: bind9_reg_named_checkzone become: true become_user: "{{ bind9_user }}" diff --git a/templates/bind/named.conf.local.j2 b/templates/bind/named.conf.local.j2 index 1bc87fb..4064532 100644 --- a/templates/bind/named.conf.local.j2 +++ b/templates/bind/named.conf.local.j2 @@ -37,7 +37,7 @@ statistics-channels { zone "{{ zone.name }}" { type {{ zone_type }}; {% if zone_type == 'master' %} - file "/etc/bind/zones/db.{{ zone.name }}"; + file "{{ bind9_zonedir }}/db.{{ zone.name }}"; {% if bind9_notify_explicit|default() %} notify explicit; {% elif zone.notify|default(true) %} diff --git a/templates/bind/named.conf.options.j2 b/templates/bind/named.conf.options.j2 index e0d7446..415223a 100644 --- a/templates/bind/named.conf.options.j2 +++ b/templates/bind/named.conf.options.j2 @@ -58,8 +58,8 @@ options { {% endif %} }; -{% if bind9_zones_static|selectattr('update_keyfile','defined')|list|default() %} -{% for zone in bind9_zones_static|selectattr('update_keyfile','defined')|list|default([]) %} +{% if bind9_zones_static|selectattr('update_key_secret','defined')|list|default() %} +{% for zone in bind9_zones_static|selectattr('update_key_secret','defined')|list|default([]) %} {% if zone_type|default(bind9_zone_type|default('master')) == 'master' %} {% if loop.first %} // The following keys are used for dynamic DNS updates @@ -72,6 +72,17 @@ key "{{ zone.name }}_ddns_update" { {% endfor %} {% endif %} +{% if bind9_zones_static|selectattr('update_keyfile','defined')|list|default() %} +{% for zone in bind9_zones_static|selectattr('update_keyfile','defined')|list|default([]) %} +{% if zone_type|default(bind9_zone_type|default('master')) == 'master' %} +{% if loop.first %} +// The following keys are used for dynamic DNS updates +{% endif %} +{{ lookup('file', 'bind/zones/'+zone.update_keyfile+'.private') }} +{% endif %} +{% endfor %} +{% endif %} + acl our_networks { // Permitted for queries {% if bind9_our_networks|default() %}