92 lines
2.3 KiB
YAML
92 lines
2.3 KiB
YAML
# NOTE: I had to disable bind and manually create the fizz.buzz zone with the sqlite backend or else the metadata updates would have no effect.
|
|
- name: Install packages
|
|
package:
|
|
name:
|
|
- powerdns
|
|
state: present
|
|
|
|
- name: Install service configuration
|
|
copy:
|
|
src: "files/{{ item }}_rc.conf"
|
|
dest: "/etc/rc.conf.d/{{ item }}"
|
|
mode: 0644
|
|
owner: root
|
|
group: wheel
|
|
loop:
|
|
- pdns
|
|
|
|
- name: Create directories
|
|
file:
|
|
name: "{{ item }}"
|
|
state: directory
|
|
mode: 0755
|
|
owner: pdns
|
|
group: pdns
|
|
loop:
|
|
- /var/lib/powerdns
|
|
- /var/lib/powerdns/zones/
|
|
|
|
- name: Copy files
|
|
copy:
|
|
src: "files/{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
mode: 0644
|
|
owner: root
|
|
group: wheel
|
|
loop:
|
|
- src: pdns.conf
|
|
dest: /usr/local/etc/pdns/
|
|
- src: bind.conf
|
|
dest: /usr/local/etc/pdns/
|
|
|
|
- name: Initialize DB
|
|
command: "sudo -u pdns sqlite3 -init /usr/local/share/doc/powerdns/schema.sqlite3.sql /var/lib/powerdns/pdns.sqlite3"
|
|
args:
|
|
creates: "/var/lib/powerdns/pdns.sqlite3"
|
|
|
|
- name: Copy files
|
|
copy:
|
|
src: "files/{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
mode: 0644
|
|
owner: pdns
|
|
group: pdns
|
|
loop:
|
|
- src: master.db
|
|
dest: /var/lib/powerdns/zones/
|
|
|
|
- name: Check TSIG keys
|
|
command: pdnsutil list-tsig-keys
|
|
register: tsigkeys
|
|
changed_when: false
|
|
check_mode: no
|
|
|
|
- name: Generate key for Secure AXFR replication
|
|
command: pdnsutil generate-tsig-key secureaxfr hmac-sha512
|
|
when: '"secureaxfr" not in tsigkeys.stdout'
|
|
|
|
- name: Check allowed TSIG keys for AXFR
|
|
command: pdnsutil get-meta fizz.buzz TSIG-ALLOW-AXFR
|
|
register: tsigaxfr
|
|
changed_when: false
|
|
check_mode: no
|
|
|
|
- name: Allow AXFR from the secureaxfr tsig key
|
|
command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-AXFR secureaxfr
|
|
when: '"secureaxfr" not in tsigaxfr.stdout'
|
|
|
|
- name: Generate key for kubernetes external dns
|
|
command: pdnsutil generate-tsig-key externaldns hmac-sha512
|
|
when: '"externaldns" not in tsigkeys.stdout'
|
|
|
|
- name: Check allowed TSIG keys for TSIG-ALLOW-DNSUPDATE
|
|
command: pdnsutil get-meta fizz.buzz TSIG-ALLOW-DNSUPDATE
|
|
register: tsigallowupdate
|
|
changed_when: false
|
|
check_mode: no
|
|
|
|
- name: Allow AXFR from the secureaxfr tsig key
|
|
command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-DNSUPDATE externaldns
|
|
when: '"externaldns" not in tsigallowupdate.stdout'
|
|
|