talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity
1e47ff3f64
machine_setup/ansible/roles/public_dns/tasks/freebsd.yaml
Tom Alexander 9e107d4a75
Add bastion and certificate jails.
2024-07-03 20:50:51 -04:00

151 lines
4.0 KiB
YAML
Raw Blame History

- name: Install packages
package:
name:
- powerdns
state: present
- name: Install service configuration
copy:
src: "files/{{ item }}_rc.conf"
dest: "/etc/rc.conf.d/{{ item }}"
mode: 0644
owner: root
group: wheel
loop:
- pdns
- name: Create directories
file:
name: "{{ item }}"
state: directory
mode: 0755
owner: pdns
group: pdns
loop:
- /var/lib/powerdns
- /var/lib/powerdns/zones
- name: Copy files
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
owner: root
group: wheel
loop:
- src: pdns.conf
dest: /usr/local/etc/pdns/
- src: bind.conf
dest: /usr/local/etc/pdns/
- name: Copy files
copy:
src: "files/{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
owner: pdns
group: pdns
loop:
- src: master.db
dest: /var/lib/powerdns/zones/
- name: Initialize DB
command: "sudo -u pdns sqlite3 -init /usr/local/share/doc/powerdns/schema.sqlite3.sql /var/lib/powerdns/pdns.sqlite3"
register: initdb
args:
creates: "/var/lib/powerdns/pdns.sqlite3"
- name: Initialize DB
when: initdb.changed
register: initsql
command: "sudo -u pdns zone2sql zone2sql --gsqlite=yes --named-conf=/usr/local/etc/pdns/bind.conf --transactions=yes"
- name: Initialize DB
when: initdb.changed
command: "sudo -u pdns sqlite3 /var/lib/powerdns/pdns.sqlite3"
args:
stdin: "{{ initsql.stdout }}"
- name: Check TSIG keys
command: pdnsutil list-tsig-keys
register: tsigkeys
changed_when: false
check_mode: no
- name: Generate key for Secure AXFR replication
command: pdnsutil generate-tsig-key secureaxfr hmac-sha512
when: '"secureaxfr" not in tsigkeys.stdout'
- name: Check allowed TSIG keys for AXFR
command: pdnsutil get-meta fizz.buzz TSIG-ALLOW-AXFR
register: tsigaxfr
changed_when: false
check_mode: no
- name: Allow AXFR from the secureaxfr tsig key
command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-AXFR secureaxfr
when: '"secureaxfr" not in tsigaxfr.stdout'
- name: Generate key for kubernetes external dns
command: pdnsutil generate-tsig-key externaldns hmac-sha512
when: '"externaldns" not in tsigkeys.stdout'
- name: Check allowed TSIG keys for TSIG-ALLOW-DNSUPDATE
command: pdnsutil get-meta fizz.buzz TSIG-ALLOW-DNSUPDATE
register: tsigallowupdate
changed_when: false
check_mode: no
- name: Allow AXFR from the secureaxfr tsig key
command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-DNSUPDATE externaldns
when: '"externaldns" not in tsigallowupdate.stdout'
- name: Check ALLOW-DNSUPDATE-FROM
command: pdnsutil get-meta fizz.buzz ALLOW-DNSUPDATE-FROM
register: allowdnsupdatefrom
changed_when: false
check_mode: no
- name: Allow IP addresses
command: pdnsutil add-meta fizz.buzz ALLOW-DNSUPDATE-FROM 10.215.1.0/24
when: '"10.215.1.0/24" not in allowdnsupdatefrom.stdout'
- name: Allow IP addresses
command: pdnsutil add-meta fizz.buzz ALLOW-DNSUPDATE-FROM 68.197.252.15/32
when: '"68.197.252.15/32" not in allowdnsupdatefrom.stdout'
- name: Allow AXFR from the externaldns tsig key
command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-AXFR externaldns
when: '"externaldns" not in tsigaxfr.stdout'
- name: Check AXFR-MASTER-TSIG
command: pdnsutil get-meta fizz.buzz AXFR-MASTER-TSIG
register: signnotify
changed_when: false
check_mode: no
- name: Sign the notifications
command: pdnsutil set-meta fizz.buzz AXFR-MASTER-TSIG secureaxfr
when: '"secureaxfr" not in signnotify.stdout'
- name: Check NOTIFY-DNSUPDATE
command: pdnsutil get-meta fizz.buzz NOTIFY-DNSUPDATE
register: notifydnsupdate
changed_when: false
check_mode: no
- name: Send out notifications on dns update
command: pdnsutil set-meta fizz.buzz NOTIFY-DNSUPDATE 1
when: '"1" not in notifydnsupdate.stdout'
- name: Check zone kind
command: pdnsutil show-zone fizz.buzz
register: showzone
changed_when: false
check_mode: no
- name: Set to Master to enable pushing updates
command: pdnsutil set-kind fizz.buzz primary
when: '"Master" not in showzone.stdout'
Reference in New Issue View Git Blame Copy Permalink