Initial commit

.gitignore

@@ -0,0 +1,2 @@
+*.key
+secret_vars.yml

roles/bind/README.md

@@ -0,0 +1,73 @@
+# Ansible Role bind
+
+## Description
+
+This role is used to manage bind configuration on my server.
+I run bind inside a container I build from debian image.
+
+It's a very basic image as it only install bind and prepare the mounted /data to match /etc/bind & such.
+
+I'll push this container repo ASAP.
+
+However, this role is meant to be used with non-containerized environment.
+
+
+## Private variables
+
+The first task include a file named "secret_vars.yml"
+
+This file includes these variables, you must set your own file in order proper fonction of the role.
+
+```yaml
+public_ip_addr: "{{ipify_public_ip}}" # Yes, it's a shortcut for A record in my case
+ip_router: 10.xxx.xxx.xxx # eg. used as forwarder
+
+domains_acl:
+  - name: gandi-net
+    ipv4:
+      - 217.70.176.0/20
+  - name: example-org
+    ipv4:
+      - 1.2.3.4
+```
+
+## Usage
+
+You need to prepare your own vars file for bind, named as your wish, e.g. the name of the server.
+There is a template of this file in `vars/example_vars.yml`
+
+You also need to prepare you own `secret_vars.yml` (can be vaulted too).  
+
+Place them in `roles/bind/vars/`, they will be loaded with:
+
+```yaml
+- name: Include vars files, see README.md for full list
+  include_vars: "{{item}}"
+  tags: always
+  loop:
+    "vars/{{e_bind_vars_file}}.yml"
+    "vars/secret_vars.yml"
+```
+
+If using docker_compose with dto/bind9 image, extra var `e_use_docker_compose` should be set to _True_.
+If set to _False_, bind9 will be installed via package manager (Debian only for now)
+
+## Playbook file example
+
+You might want to set your extra vars inside your `deploy_bind.yml`:
+
+`deploy_bind.yml`:
+```yaml
+---
+- name: Deploy bind on server 1 within docker
+  hosts: server1
+  gather_facts: yes
+  roles:
+    - { role: bind, e_bind_vars_file: server1_vars.yml, e_use_docker_compose: True }
+
+- name: Deploy bind on server 2
+  hosts: server2
+  gather_facts: yes
+  roles:
+    - { role: bind, e_bind_vars_file: example_vars.yml, e_use_docker_compose: False }
+```

roles/bind/files/etc/db.0

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

roles/bind/files/etc/db.127

@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+1.0.0	IN	PTR	localhost.

roles/bind/files/etc/db.255

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

roles/bind/files/etc/db.empty

@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL	86400
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			  86400 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

roles/bind/files/etc/db.local

@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      2		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+@	IN	A	127.0.0.1
+@	IN	AAAA	::1

roles/bind/files/etc/zones.rfc1918

@@ -0,0 +1,20 @@
+zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
+
+zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

roles/bind/handlers/main.yml

@@ -0,0 +1,16 @@
+---
+- name: restart bind on OS
+  service:
+    name: bind9
+    state: restarted
+    enabled: yes
+  listen: restart bind
+  when: not e_use_docker_compose | bool
+
+- name: restart docker_compose bind
+  docker_compose:
+    project_src: "{{docker_compose_bind_folder_path}}"
+    state: present
+    restarted: yes
+  listen: restart bind
+  when: e_use_docker_compose | bool

roles/bind/tasks/install-Debian-docker.yml

@@ -0,0 +1,15 @@
+---
+- name: Directory exists
+  file:
+    path: "{{item}}"
+    state: directory
+    mode: 0750
+  with_items:
+    - "{{docker_compose_bind_folder_path}}"
+
+- name: Template docker-compose file
+  template:
+    src: docker-compose-ext.yml.j2
+    dest: "{{docker_compose_bind_folder_path}}/docker-compose.yml"
+    mode: 0640
+  notify: restart bind

roles/bind/tasks/install-Debian.yml

@@ -0,0 +1,5 @@
+---
+- name: install bind9
+  package:
+    name: bind9
+    state: present

roles/bind/tasks/main.yml

@@ -0,0 +1,82 @@
+---
+- name: Include docker_compose vars file
+  include_vars: vars/docker_compose.yml
+  tags: always
+  when: e_use_docker_compose | bool
+
+- name: Include vars files, see README.md for full list
+  include_vars: "{{item}}"
+  tags: always
+  loop:
+    - "vars/{{e_bind_vars_file}}"
+    - "vars/secret_vars.yml"
+
+- name: Get public IP
+  ipify_facts:
+  tags: always
+  register: public_ip
+
+- name: include install task
+  include_tasks: "tasks/install-{{ansible_os_family}}.yml"
+  when: not e_use_docker_compose | bool
+
+- name: include docker install task
+  include_tasks: "tasks/install-{{ansible_os_family}}-docker.yml"
+  when: e_use_docker_compose | bool
+
+- name: Directories exist
+  file:
+    path: "{{item}}"
+    state: directory
+    mode: 0750
+  with_items:
+    - "{{remote_bind_data_folder}}"
+    - "{{remote_bind_cache_folder}}"
+    - "{{remote_bind_data_folder}}/conf.d"
+
+- name: Push bind default config
+  copy:
+    src: "{{local_bind_etc_folder}}"
+    dest: "{{remote_bind_etc_folder}}"
+    owner: root
+    group: bind
+    mode: 0640
+  notify: restart bind
+  tags:
+    copy
+
+- name: Copy key file and set it as not world-readable
+  copy:
+    src: "{{local_bind_key_file_path}}"
+    dest: "{{remote_bind_data_folder}}"
+    mode: 0440
+    owner: root
+    group: bind
+  when: local_bind_key_file_path and local_bind_key_file_path|length and remote_bind_key_file_path and remote_bind_key_file_path|length
+
+- name: Templating configuration files
+  template:
+    src: "{{item.src}}"
+    dest: "{{item.dest}}"
+    mode: 0640
+  loop:
+    - { src: 'named.conf.j2', dest: '{{remote_bind_etc_folder}}/named.conf' }
+    - { src: 'named.conf.default-zones.j2', dest: '{{remote_bind_etc_folder}}/named.conf.default-zones' }
+    - { src: 'named.conf.options.j2', dest: '{{remote_bind_etc_folder}}/named.conf.options' }
+    - { src: 'named.conf.local.j2', dest: '{{remote_bind_etc_folder}}/named.conf.local' }
+    - { src: 'zones.j2', dest: '{{remote_bind_etc_folder}}/conf.d/' }
+  tags:
+    - templating_dbg_1
+  notify: restart bind
+
+- name: Templating db files
+  template:
+    src: db.base.j2
+    dest: "{{remote_bind_db_folder}}/db.{{item.name}}"
+  loop:
+    "{{ zones|flatten(levels=1) }}"
+  tags:
+    - templating_dbg_2
+  notify: restart bind
+
+# - name: reload nameserver

roles/bind/tasks/tasks-compose.yml

@@ -0,0 +1,15 @@
+---
+- name: Directorie exists
+  file:
+    path: "{{item}}"
+    state: directory
+    mode: 0750
+  with_items:
+    - "{{docker_compose_nginx_folder_path}}"
+
+- name: Template docker-compose file
+  template:
+    src: docker-compose-ext.yml.j2
+    dest: "{{docker_compose_bind_folder_path}}/docker-compose.yml"
+    mode: 0640
+  notify: restart bind_ext

roles/bind/templates/db.base.j2

@@ -0,0 +1,24 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
+{# item should be bind_xxx_zones.zone #}
+{# include a $ORIGIN block ? #}
+{% block header %}
+$TTL    3600
+@       IN      SOA     {{item.dns_fqdn}} {{item.soa_email}} (
+                   {{item.soa_parameters.serial}}           ; Serial
+                         {{item.soa_parameters.refresh}}           ; Refresh [1h]
+                          {{item.soa_parameters.retry}}           ; Retry   [10m]
+                        {{item.soa_parameters.expire}}           ; Expire  [1d]
+                          {{item.soa_parameters.neg_cache_ttl}} )         ; Negative Cache TTL [1h]
+;
+{% endblock %}
+@       IN      NS      sid.example.com.
+@       IN      MX      10 sid.example.com.
+
+{% block records %}
+{% for key, type_record in item.records.items() %}
+  {% for record in type_record %}
+{{ '{:8}{:8}{:8}{:16}'.format(record.name, record.inet_class, key, record.record) }}
+  {% endfor %}
+
+{% endfor %}
+{% endblock %}

roles/bind/templates/docker-compose-ext.yml.j2

@@ -0,0 +1,22 @@
+version: '3'
+
+services:
+  bind_ext:
+    container_name: bind_ext
+    hostname: bind_ext
+    image: dto/bind9:latest
+    volumes:
+      - {{remote_bind_data_folder}}:/data/
+      - {{remote_bind_cache_folder}}:/var/cache/bind
+
+    networks:
+      front:
+        ipv4_address: {{bind_container_ip_addr}}
+
+
+### Networks definitions
+
+networks:
+  front:
+    external:
+      name: "{{docker_vlan10_network}}"

roles/bind/templates/named.conf.default-zones.j2

@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+zone "." {
+	type hint;
+	file "/usr/share/dns/root.hints";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+	type master;
+	file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.255";
+};
+
+