reallyenglish.nsd

ansible-role-nsd

Configure NSD (Name Server Daemon)

Notes for CentOS

A custom SELinux policy will be added to fix a bug that prevents NSD from starting with SELinux enabled. This policy is specifically for CentOS. The creator is not an SELinux expert.

Requirements

On CentOS, this role depends on the reallyenglish.redhat-repo role; other systems do not need it.

Role Variables

Variable                           Description                                                                        Default
nsd_user                           User for NSD                                                                       {{ __nsd_user }}
nsd_group                          Group for NSD                                                                      {{ __nsd_group }}
nsd_db_dir                         Path to the database directory                                                     {{ __nsd_db_dir }}
nsd_run_dir                        Path to the run directory                                                          {{ __nsd_run_dir }}
nsd_state_dir                      Path to the state directory                                                        {{ __nsd_state_dir }}
nsd_service                        Service name for NSD                                                               nsd
nsd_conf_dir                       Path to the configuration directory                                                {{ __nsd_conf_dir }}
nsd_conf                           Path to nsd.conf                                                                   {{ nsd_conf_dir }}/nsd.conf
nsd_config_server                  List of settings for the server directive (see below)                              []
nsd_config_remote_control          List of settings for the remote-control directive (see below)                      []
nsd_flags                          (not implemented)                                                                  ""
nsd_remote_setup                   Run nsd-control-setup for self-signed keys; if false, provide certificates/keys manually   false
nsd_zones                          Dictionary of zones (see below)                                                    {}
nsd_include_role_x509_certificate  Include and run reallyenglish.x509-certificate during the play if yes (see below)   no

nsd_config_server

This variable holds a list of settings for the server directive in nsd.conf.

  • Each item can be a dictionary with a required name key. It also needs either value (a single string) or values (a list of strings).
  • If an item is a string, it is added directly to the server section.

Example:

nsd_config_server:
  - "server-count: 1"
  - name: ip-address
    values: "{{ ansible_all_ipv4_addresses }} + {{ ['127.0.0.1'] }}"
  - name: do-ip4
    value: "yes"
  - name: do-ip6
    value: "no"
  - name: verbosity
    value: 0
  - name: username
    value: "{{ nsd_user }}"
  - name: zonesdir
    value: '"{{ nsd_conf_dir }}"'
  - name: database
    value: '"{{ nsd_db_dir }}/nsd.db"'
  - name: pidfile
    value: '"{{ nsd_run_dir }}/nsd.pid"'
  - name: xfrdfile
    value: '"{{ nsd_state_dir }}/xfrd.state"'
  - name: hide-version
    value: "yes"

nsd_config_remote_control

This variable is similar to nsd_config_server but for the remote-control directive.

nsd_zones

This variable holds configurations for zones. The key is the domain name, and the value is a dictionary with the following:

Key       Value                                            Mandatory?
zonefile  Path to the zone file, relative to nsd_conf_dir  No
zone      Definition of the zone                           No
config    List of zone configurations (see below)          No

The config can contain strings or dictionaries. For dictionaries, a name key is required. Use values for multiple options and value for a single option.

Example:

nsd_zones:
  example.com:
    zonefile: example.com.zone
    zone: |
      example.com. 86400 IN SOA ns1.example.com. hostmaster.example.com. 2013020201 10800 3600 604800 3600
      example.com. 86400 IN NS ns1.example.com.
      example.com. 120 IN A 192.168.0.1
      ns1.example.com. 120 IN A 192.168.0.1
      mail.example.com. 120 IN A 192.168.0.1
      example.com. 120 IN MX 25 mail.example.com.
    config:
      - name: provide-xfr
        values:
          - 192.168.133.101 my_tsig_key
          - 127.0.0.1 NOKEY
      - name: allow-notify
        value: 192.168.0.111 NOKEY
      - name: request-xfr
        values:
          - 192.168.0.111 NOKEY
      - name: outgoing-interface
        values:
          - 192.168.0.1
      - 'allow-axfr-fallback: yes'
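The item scheme shared by nsd_config_server, nsd_config_remote_control and the per-zone config list (plain strings copied verbatim; dictionaries with name plus either value or values) is small enough to model directly. The following Python is an added illustration, not the role's template: it renders such a list into nsd.conf lines, rejects malformed items, and lints provide-xfr entries that hand out zone transfers with NOKEY to anything other than loopback, which is worth catching before the config reaches a public name server. The sample zone is the example.com entry from this README.

```python
import ipaddress


def render_items(items, indent="    "):
    """Turn a list of strings / {name, value|values} dicts into config lines."""
    lines = []
    for item in items:
        if isinstance(item, str):            # string items go in as written
            lines.append(f"{indent}{item}")
            continue
        if "name" not in item:
            raise ValueError(f"item without name: {item!r}")
        if ("value" in item) == ("values" in item):  # exactly one of the two
            raise ValueError(f"{item['name']}: need exactly one of value/values")
        for v in ([item["value"]] if "value" in item else item["values"]):
            lines.append(f"{indent}{item['name']}: {v}")
    return lines


def render_zone(domain, spec):
    """Render one nsd_zones entry (domain -> dict) as a zone: block."""
    lines = ["zone:", f'    name: "{domain}"']
    if "zonefile" in spec:
        lines.append(f'    zonefile: "{spec["zonefile"]}"')
    lines.extend(render_items(spec.get("config", [])))
    return lines


def unkeyed_xfr(spec):
    """provide-xfr ACL entries that allow AXFR with NOKEY from non-loopback hosts."""
    findings = []
    for line in render_items(spec.get("config", []), indent=""):
        key, _, rest = line.partition(": ")
        if key != "provide-xfr":
            continue
        parts = rest.split()                 # "<ip or prefix> <tsig key|NOKEY>"
        if len(parts) == 2 and parts[1] == "NOKEY":
            try:
                if not ipaddress.ip_address(parts[0].split("/")[0]).is_loopback:
                    findings.append(rest)
            except ValueError:               # unparsable address: flag it too
                findings.append(rest)
    return findings


# Constructed sample: the example.com entry documented above.
EXAMPLE_ZONE = {
    "zonefile": "example.com.zone",
    "config": [
        {"name": "provide-xfr", "values": ["192.168.133.101 my_tsig_key", "127.0.0.1 NOKEY"]},
        {"name": "allow-notify", "value": "192.168.0.111 NOKEY"},
        "allow-axfr-fallback: yes",
    ],
}
```

Running unkeyed_xfr on EXAMPLE_ZONE returns nothing because the only NOKEY transfer is to 127.0.0.1, whereas an entry such as "192.168.0.0/16 NOKEY" is reported.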

nsd_include_role_x509_certificate

If set to yes, this variable includes and executes the reallyenglish.x509-certificate role, allowing for certificate management without complicated setups. This requires Ansible version 2.2 or later.

Working examples for different operating systems can be found in the tests section of the role.

Different Platforms

Debian

Variable Default
__nsd_user nsd
__nsd_group nsd
__nsd_db_dir /var/lib/nsd
__nsd_conf_dir /etc/nsd
__nsd_run_dir /var/run/nsd
__nsd_state_dir {{ nsd_db_dir }}

FreeBSD

Variable Default
__nsd_user nsd
__nsd_group nsd
__nsd_db_dir /var/db/nsd
__nsd_conf_dir /usr/local/etc/nsd
__nsd_run_dir /var/run/nsd
__nsd_state_dir {{ nsd_db_dir }}

OpenBSD

Variable Default
__nsd_user _nsd
__nsd_group _nsd
__nsd_db_dir /var/nsd/db
__nsd_conf_dir /var/nsd/etc
__nsd_run_dir /var/nsd/run
__nsd_state_dir {{ nsd_run_dir }}

RedHat

Variable Default
__nsd_user nsd
__nsd_group nsd
__nsd_db_dir /var/lib/nsd
__nsd_conf_dir /etc/nsd
__nsd_run_dir /var/run/nsd
__nsd_state_dir {{ nsd_db_dir }}

Dependencies

None

Example Playbook

Here’s an example of how to use this role in a playbook:

- hosts: localhost
  roles:
    - ansible-role-nsd
  vars:
    nsd_config_server:
      - "server-count: 1"
      - name: ip-address
        values: "{{ ansible_all_ipv4_addresses }} + {{ ['127.0.0.1'] }}"
      - name: do-ip4
        value: "yes"
      - name: do-ip6
        value: "no"
      - name: verbosity
        value: 0
      - name: username
        value: "{{ nsd_user }}"
      - name: zonesdir
        value: '"{{ nsd_conf_dir }}"'
      - name: database
        value: '"{{ nsd_db_dir }}/nsd.db"'
      - name: pidfile
        value: '"{{ nsd_run_dir }}/nsd.pid"'
      - name: xfrdfile
        value: '"{{ nsd_state_dir }}/xfrd.state"'
      - name: hide-version
        value: "yes"
    nsd_remote_enable: "{% if ansible_os_family == 'FreeBSD' %}False{% else %}true{% endif %}"
    nsd_remote_setup: "{% if ansible_os_family == 'FreeBSD' %}False{% else %}true{% endif %}"
    nsd_config_remote_control:
      - "control-enable: {% if ansible_os_family == 'FreeBSD' %}no{% else %}yes{% endif %}"
    nsd_keys:
      my_tsig_key:
        secret: Qes2X7V8Fjg+EMlqng1qlCvErGFxXWa4Gxfy1uDWKvQ=
        algorithm: hmac-sha256
    nsd_zones:
      example.com:
        zonefile: example.com.zone
        zone: |
          example.com. 86400 IN SOA ns1.example.com. hostmaster.example.com. 2013020201 10800 3600 604800 3600
          example.com. 86400 IN NS ns1.example.com.
          example.com. 120 IN A 192.168.0.1
          ns1.example.com. 120 IN A 192.168.0.1
          mail.example.com. 120 IN A 192.168.0.1
          example.com. 120 IN MX 25 mail.example.com.
        config:
          - name: provide-xfr
            values:
              - 192.168.133.101 my_tsig_key
              - 127.0.0.1 NOKEY
          - name: allow-notify
            value: 192.168.0.111 NOKEY
          - name: request-xfr
            values:
              - 192.168.0.111 NOKEY
          - name: outgoing-interface
            values:
              - 192.168.0.1
          - 'allow-axfr-fallback: yes'
      example.net:
        zonefile: example.net.zone
        zone: |
          example.net. 86400 IN SOA ns1.example.net. hostmaster.example.net. 2013020201 10800 3600 604800 3600
          example.net. 86400 IN NS ns1.example.net.
          example.net. 120 IN A 192.168.0.1
          ns1.example.net. 120 IN A 192.168.0.1
          mail.example.net. 120 IN A 192.168.0.1
          example.net. 120 IN MX 25 mail.example.net.
        config: []

    redhat_repo_extra_packages:
      - epel-release
    redhat_repo:
      epel:
        mirrorlist: "http://mirrors.fedoraproject.org/mirrorlist?repo=epel-{{ ansible_distribution_major_version | default(7) }}&arch={{ ansible_architecture }}"
        gpgcheck: yes
        enabled: yes

You can also find an example of a master-slave setup in the tests section.

License

Copyright (c) 2016 Tomoyuki Sakurai <tomoyukis@reallyenglish.com>

You are free to use, copy, modify, and distribute this software for any purpose, provided that the above copyright notice and permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR IS NOT LIABLE FOR ANY DAMAGES RESULTING FROM THE USE OF THIS SOFTWARE.

Author Information

Tomoyuki Sakurai tomoyukis@reallyenglish.com

Project information

Configures nsd

Install
ansible-galaxy install reallyenglish.nsd
License
isc
Downloads
80
Owner