From 109cf859ab13690ddc5d1c5e6c0a2b53fb982548 Mon Sep 17 00:00:00 2001 From: Nemo Date: Sat, 15 Aug 2020 12:00:29 +0200 Subject: [PATCH] Add modified vavrusa.knot role --- .gitignore | 1 - requirements.yml | 1 - roles/vavrusa.knot/README.md | 125 ++++++++++++++++++ roles/vavrusa.knot/defaults/main.yml | 22 ++++ roles/vavrusa.knot/handlers/main.yml | 3 + roles/vavrusa.knot/meta/.galaxy_install_info | 1 + roles/vavrusa.knot/meta/main.yml | 129 +++++++++++++++++++ roles/vavrusa.knot/tasks/from_pkgs.yml | 32 +++++ roles/vavrusa.knot/tasks/from_source.yml | 54 ++++++++ roles/vavrusa.knot/tasks/main.yml | 29 +++++ roles/vavrusa.knot/templates/knot.conf.j2 | 52 ++++++++ roles/vavrusa.knot/vars/main.yml | 2 + 12 files changed, 449 insertions(+), 2 deletions(-) create mode 100644 roles/vavrusa.knot/README.md create mode 100644 roles/vavrusa.knot/defaults/main.yml create mode 100644 roles/vavrusa.knot/handlers/main.yml create mode 100644 roles/vavrusa.knot/meta/.galaxy_install_info create mode 100644 roles/vavrusa.knot/meta/main.yml create mode 100644 roles/vavrusa.knot/tasks/from_pkgs.yml create mode 100644 roles/vavrusa.knot/tasks/from_source.yml create mode 100644 roles/vavrusa.knot/tasks/main.yml create mode 100644 roles/vavrusa.knot/templates/knot.conf.j2 create mode 100644 roles/vavrusa.knot/vars/main.yml diff --git a/.gitignore b/.gitignore index 9a800d2..e488411 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,4 @@ roles/geerlingguy.* -roles/vavrusa.* .vault-password *.retry inventory* diff --git a/requirements.yml b/requirements.yml index a4946b6..adcc6ab 100644 --- a/requirements.yml +++ b/requirements.yml @@ -2,4 +2,3 @@ - name: geerlingguy.munin - name: geerlingguy.nginx - name: geerlingguy.certbot -- name: vavrusa.knot diff --git a/roles/vavrusa.knot/README.md b/roles/vavrusa.knot/README.md new file mode 100644 index 0000000..c4e4f39 --- /dev/null +++ b/roles/vavrusa.knot/README.md 
@@ -0,0 +1,125 @@
+Knot DNS authoritative
+======================
+
+Installs [Knot DNS][knot-dns] authoritative DNS server on Debian/Ubuntu/RedHat or FreeBSD.
+
+Requirements
+------------
+
+None.
+
+Role Variables
+--------------
+
+Available variables are listed below, along with default values (see `defaults/main.yml`):
+
+ knot_from_source: false # Default
+
+Set either of this to `true` or `false` to choose installation from sources or distribution packages.
+
+ knot_git_branch: master
+
+If building from sources, pick a git branch or tag.
+
+ knot_install_dir: /usr/local
+
+If building from sources, pick an installation prefix (`/usr/local` means the binary will be installed in `/usr/local/sbin/knotd` for example).
+
+ knot_user: knot
+ knot_group: knot
+
+Create a user for running Knot DNS daemon.
+
+ knot_daemon: knot
+
+Pick a different name for Knot DNS daemon service.
+
+ knot_interfaces:
+ - 127.0.0.1
+ - 192.168.1.1@5353
+
+Make Knot DNS listen on specific interfaces or ports. By default it listens on default IPv4/v6 interfaces and localhost.
+
+ knot_zones:
+ - { name: 'example.com', file: '/tmp/example.zone', template: 'default', module: 'mymodule' }
+
+List of enabled zones. `name` is the only mandatory field, rest is undefined by default.
+You can reference defined templates or modules here.
+
+ knot_config_extras: |
+ server:
+ rate-limit: 10
+ template:
+ - id: default
+ semantic-checks: on
+
+Extend configuration with server-specific or more advanced configuration here. Here you can define additional templates, ACLs or remotes,
+or redefine server options.
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+The role can be configured as a slave using just `knot_zones` and `knot_extras` to define remotes, you can complete these
+from host variables or include from a file:
+
+ - hosts: slaves
+ roles:
+ - role: knot.auth
+ knot_zones:
+ - { name: 'example.com' }
+ knot_extras: |
+ remote:
+ - id: master
+ address: 192.168.1.1
+ acl:
+ - id: master_acl
+ address: 192.179.1.1
+ action: notify
+ template:
+ - id: default
+ master: master
+ acl: master_acl
+
+Example master role is the opposite, except this role doesn't guarantee bootstrapping of the zone files, you have to do this
+yourself, for example with [synchronize][ansible-synchronize]:
+
+ - hosts: master01
+ roles:
+ - role: knot.auth
+ knot_zones:
+ - { name: 'example.com' }
+ knot_keys:
+ - { id: 'slave1_key', algorithm: 'hmac-md5', secret: 'Wg==' }
+ knot_extras: |
+ remote:
+ - id: slave01
+ address: 192.168.2.1
+ key: slave_key
+ acl:
+ - id: slaves
+ address: 192.168.2.0/24
+ action: transfer
+ key: slave_key
+ template:
+ - id: default
+ storage: /var/lib/zones
+ notify: slave01
+ acl: slaves
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+* [www.knot-dns.cz][knot-dns]
+
+[knot-dns]: http://www.knot-dns.cz
+[ansible-synchronize]: http://docs.ansible.com/ansible/synchronize_module.html
diff --git a/roles/vavrusa.knot/defaults/main.yml b/roles/vavrusa.knot/defaults/main.yml
new file mode 100644
index 0000000..4beef60
--- /dev/null
+++ b/roles/vavrusa.knot/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+## Installation options
+knot_from_source: false
+knot_git_branch: master
+knot_install_dir: ""
+knot_user: knot
+knot_group: knot
+knot_daemon: knot
+## Configuration options
+knot_interfaces:
+ - 127.0.0.1@5300
+ - ::1@5300
+ - "{{ ansible_default_ipv4.address }}"
+ - "{{ ansible_default_ipv6.address }}"
+knot_keys:
+ - { id: 'slave1_key', algorithm: 'hmac-md5', secret: 'Wg==' }
+knot_zones:
+ - { name: 'example.com', template: 'default' }
+knot_extras: |
+ server:
+ rate-limit: 10
+
diff --git a/roles/vavrusa.knot/handlers/main.yml b/roles/vavrusa.knot/handlers/main.yml
new file mode 100644
index 0000000..c65b201
--- /dev/null
+++ b/roles/vavrusa.knot/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart knot
+ service: "name={{ knot_daemon }} state=restarted"
diff --git a/roles/vavrusa.knot/meta/.galaxy_install_info b/roles/vavrusa.knot/meta/.galaxy_install_info
new file mode 100644
index 0000000..ce8793a
--- /dev/null
+++ b/roles/vavrusa.knot/meta/.galaxy_install_info
@@ -0,0 +1 @@
+{install_date: 'Sat Aug 15 07:15:43 2020', version: master}
diff --git a/roles/vavrusa.knot/meta/main.yml b/roles/vavrusa.knot/meta/main.yml
new file mode 100644
index 0000000..366ca85
--- /dev/null
+++ b/roles/vavrusa.knot/meta/main.yml
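Review bot: `knot_keys` ships a working TSIG key as a role default — `- { id: 'slave1_key', algorithm: 'hmac-md5', secret: 'Wg==' }` — and the template renders every entry into knot.conf, so any host that does not override the variable ends up with a publicly known one-byte HMAC-MD5 secret that any ACL referencing `slave1_key` will accept. Default to `knot_keys: []` and keep the example in the README only; if an example key is kept anywhere, use `hmac-sha256` and a randomly generated secret rather than `Wg==`. The `"{{ ansible_default_ipv6.address }}"` entry in `knot_interfaces` is undefined on hosts without a default IPv6 route, which would make the template task fail on those hosts, so it should presumably be guarded or opt-in. Note also that the README in this commit documents this variable as `knot_config_extras` while defaults and template use `knot_extras`.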
@@ -0,0 +1,129 @@
+---
+galaxy_info:
+ author: Knot DNS
+ description: High performance authoritative-only DNS server
+ company: CZ.NIC
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+ # Some suggested licenses:
+ # - BSD (default)
+ # - MIT
+ # - GPLv2
+ # - GPLv3
+ # - Apache
+ # - CC-BY
+ license: BSD
+ min_ansible_version: 1.2
+ #
+ # Below are all platforms currently available. Just uncomment
+ # the ones that apply to your role. If you don't see your
+ # platform on this list, let us know and we'll get it added!
+ #
+ platforms:
+ - name: EL
+ versions:
+ # - all
+ # - 5
+ - 6
+ - 7
+ #- name: GenericUNIX
+ # versions:
+ # - all
+ # - any
+ - name: Fedora
+ versions:
+ - all
+ # - 16
+ # - 17
+ # - 18
+ # - 19
+ # - 20
+ # - 21
+ # - 22
+ #- name: SmartOS
+ # versions:
+ # - all
+ # - any
+ #- name: opensuse
+ # versions:
+ # - all
+ # - 12.1
+ # - 12.2
+ # - 12.3
+ # - 13.1
+ # - 13.2
+ #- name: Amazon
+ # versions:
+ # - all
+ # - 2013.03
+ # - 2013.09
+ #- name: GenericBSD
+ # versions:
+ # - all
+ # - any
+ - name: FreeBSD
+ versions:
+ - all
+ # - 8.0
+ # - 8.1
+ # - 8.2
+ # - 8.3
+ # - 8.4
+ # - 9.0
+ # - 9.1
+ # - 9.1
+ # - 9.2
+ - name: Ubuntu
+ versions:
+ - all
+ # - lucid
+ # - maverick
+ # - natty
+ # - oneiric
+ # - precise
+ # - quantal
+ # - raring
+ # - saucy
+ # - trusty
+ # - utopic
+ # - vivid
+ #- name: SLES
+ # versions:
+ # - all
+ # - 10SP3
+ # - 10SP4
+ # - 11
+ # - 11SP1
+ # - 11SP2
+ # - 11SP3
+ #- name: GenericLinux
+ # versions:
+ # - all
+ # - any
+ - name: Debian
+ versions:
+ - all
+ #
+ # Below are all categories currently available. Just as with
+ # the platforms above, uncomment those that apply to your role.
+ #
+ categories:
+ #- cloud
+ #- cloud:ec2
+ #- cloud:gce
+ #- cloud:rax
+ #- clustering
+ #- database
+ #- database:nosql
+ #- database:sql
+ #- development
+ #- monitoring
+ - networking
+ #- packaging
+ #- system
+ #- web
+dependencies: []
+ # List your role dependencies here, one per line.
+ # Be sure to remove the '[]' above if you add dependencies
+ # to this list.
diff --git a/roles/vavrusa.knot/tasks/from_pkgs.yml b/roles/vavrusa.knot/tasks/from_pkgs.yml
new file mode 100644
index 0000000..efb1519
--- /dev/null
+++ b/roles/vavrusa.knot/tasks/from_pkgs.yml
@@ -0,0 +1,32 @@
+---
+# Ubuntu
+- name: repository (Ubuntu)
+ apt_repository: repo="ppa:cz.nic-labs/knot-dns" state=present
+ when: ansible_distribution == "Ubuntu"
+
+# Debian
+- name: repository keys (Debian)
+ apt_key: url=https://deb.knot-dns.cz/knot/apt.gpg state=present
+ when: ansible_distribution == "Debian"
+- name: repository (Debian)
+ apt_repository: repo="deb https://deb.knot-dns.cz/knot/ {{ ansible_lsb.codename }} main" state=present
+ when: ansible_distribution == "Debian"
+
+# Debian Family (Debian, Ubuntu)
+- name: packages (Debian/Ubuntu)
+ apt: pkg=knot update_cache=yes state=present
+ when: ansible_os_family == "Debian"
+
+# FreeBSD Family
+- name: packages (FreeBSD)
+ pkgng: name={{ item }} state=present
+ loop:
+ - dns/knot2
+ when: ansible_os_family == "FreeBSD"
+
+# RedHat Family (RedHat, Fendora, CentOS, Amazon, etc)
+- name: packages (RedHat)
+ yum: >
+ name=knot
+ state=present
+ when: ansible_os_family == "RedHat"
diff --git a/roles/vavrusa.knot/tasks/from_source.yml b/roles/vavrusa.knot/tasks/from_source.yml
new file mode 100644
index 0000000..f97c8e3
--- /dev/null
+++ b/roles/vavrusa.knot/tasks/from_source.yml
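Review bot: `min_ansible_version: 1.2` contradicts the task files added in this same commit, which use `loop:` (tasks/from_pkgs.yml and tasks/from_source.yml); `loop` only exists from Ansible 2.5 on, so the declared minimum would let the role install on versions where those tasks fail to parse. Raise it, e.g. `min_ansible_version: 2.5`, or switch those tasks back to `with_items`, which the directory task in from_source.yml already uses. The rest of the file is untouched Galaxy scaffolding (dozens of commented-out platform versions); trimming it to the platforms actually claimed would make later changes reviewable.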
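Review bot: The Debian key import `apt_key: url=https://deb.knot-dns.cz/knot/apt.gpg state=present` trusts whatever key that URL serves and adds it to the host-wide trusted keyring, where it can sign packages for every configured repository, not just this one; pin it with `id:` set to the vendor's published fingerprint, or fetch it into `/usr/share/keyrings/` and reference it with `[signed-by=...]` on the `deb` line so its trust is scoped to this repository. The `deb` line derives the suite from `ansible_lsb.codename`, which is only populated when `lsb-release` is installed — `ansible_distribution_release` carries no such dependency. Hosts whose `ansible_distribution` is neither `Debian` nor `Ubuntu` but whose family is Debian get no repository at all and then presumably fail in the `apt` task, so the distribution checks should either cover derivatives or fail with an explicit message.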
@@ -0,0 +1,54 @@
+---
+# Fetch dependencies (platform-specific)
+- name: install dependencies
+ apt: pkg={{ item }} update_cache=yes cache_valid_time=86400 state=present
+ loop:
+ - gcc
+ - make
+ - libc6-dev
+ - libtool
+ - autoconf
+ - liburcu-dev
+ - libgnutls28-dev
+ - libjansson-dev
+ when: ansible_os_family == "Debian"
+- name: dependencies (FreeBSD)
+ pkgng: name={{ item }} state=present
+ loop:
+ - security/nettle
+ - security/gnutls
+ - devel/jansson
+ - sysutils/liburcu
+ - databases/lmdb
+ when: ansible_os_family == "FreeBSD"
+
+# Clone and build from sources
+- name: git clone
+ git: repo=http://gitlab.labs.nic.cz/labs/knot.git dest=/usr/local/src/knot version={{ knot_git_branch }} update=yes
+- name: configure
+ shell: autoreconf -if && ./configure --prefix={{ knot_install_dir }} chdir=/usr/local/src/knot creates=/usr/local/src/knot/Makefile
+- name: build
+ command: make -j{{ansible_processor_count}} chdir=/usr/local/src/knot creates=/usr/local/src/knot/src/knotd
+- name: install
+ command: make install chdir=/usr/local/src/knot creates={{ knot_install_dir }}/sbin/knotd
+
+# Post-installation
+- name: add knot group
+ group:
+ name={{ knot_group }}
+ comment="Knot DNS"
+- name: add knot user
+ user:
+ name={{ knot_user }}
+ comment="Knot DNS"
+ home={{ knot_install_dir }}
+ shell=/bin/false
+ groups={{knot_group}}
+ system=yes
+
+- name: make sure directories are writeable
+ file: path={{ item }} state=directory owner={{ knot_user }}
+ with_items:
+ - "{{ knot_install_dir }}/etc/knot"
+ - "{{ knot_install_dir }}/var/lib/knot"
+ - "{{ knot_install_dir }}/var/run/lib/knot"
diff --git a/roles/vavrusa.knot/tasks/main.yml b/roles/vavrusa.knot/tasks/main.yml
new file mode 100644
index 0000000..39f6ca4
--- /dev/null
+++ b/roles/vavrusa.knot/tasks/main.yml
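Review bot: The checkout `git: repo=http://gitlab.labs.nic.cz/labs/knot.git ... version={{ knot_git_branch }}` fetches the source over cleartext HTTP and the following tasks build and `make install` it as root, so an on-path attacker can substitute the tree, and the default `master` pins nothing; use `repo=https://...` and document pinning `knot_git_branch` to a release tag. The directory task at the end creates `{{ knot_install_dir }}/var/run/lib/knot`, but the template in this commit sets `rundir: {{ knot_install_dir }}/var/run/knot`, so the rundir the daemon actually uses is never created by the role — that looks like a typo for `var/run/knot`. The `group:` task passes `comment="Knot DNS"`, which as far as I recall the group module does not accept and would reject as an unsupported parameter. Giving `etc/knot` to `knot_user` also lets the daemon rewrite its own configuration; `owner=root group={{ knot_group }} mode=0750` for the config directory, with only the state and run directories owned by the service user, is the usual split.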
@@ -0,0 +1,29 @@
+---
+- name: install from source
+ include: from_source.yml
+ when: knot_from_source
+- name: install from packages
+ include: from_pkgs.yml
+ when: not knot_from_source
+
+# Post-install
+- name: set config path (FreeBSD)
+ lineinfile: dest=/etc/rc.conf regexp='^knot_config=' line="knot_config={{ knot_install_dir }}/etc/knot/knot.conf"
+ when: ansible_os_family == "FreeBSD"
+
+# Configuration
+- name: configure knot
+ template: >
+ src=knot.conf.j2
+ dest={{ knot_install_dir }}/etc/knot/knot.conf
+ mode=640
+ owner={{ knot_user }}
+ group={{ knot_group }}
+ validate="knotc -c %s conf-check"
+ notify: restart knot
+ tags: dns
+- name: enable knot
+ service: >
+ name={{ knot_daemon }}
+ enabled=True
+ state=started
diff --git a/roles/vavrusa.knot/templates/knot.conf.j2 b/roles/vavrusa.knot/templates/knot.conf.j2
new file mode 100644
index 0000000..9d81a71
--- /dev/null
+++ b/roles/vavrusa.knot/templates/knot.conf.j2
@@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+
+# Server options
+server:
+ rundir: {{ knot_install_dir }}/var/run/knot
+ user: "{{ knot_user }}:{{ knot_group }}"
+{% for addr in knot_interfaces %}
+ listen: {{ addr }}
+{% endfor %}
+
+log:
+ - target: syslog
+ any: info
+
+# Key lists
+key:
+{% for key in knot_keys %}
+ - id: {{ key.id }}
+{% if 'algorithm' in key %}
+ algorithm: {{ key.algorithm }}
+{% endif %}
+{% if 'secret' in key %}
+ secret: {{ key.secret }}
+{% endif %}
+{% endfor %}
+
+# Server-specific extras
+{{ knot_extras }}
+
+# Zone lists
+zone:
+{% for zone in knot_zones %}
+ - domain: {{ zone.name }}
+{% if 'template' in zone %}
+ template: {{ zone.template }}
+{% endif %}
+{% if 'module' in zone %}
+ module: {{ zone.module }}
+{% endif %}
+{% if 'file' in zone %}
+ file: "{{ zone.file }}"
+{% endif %}
+{% if 'notify' in zone %}
+ notify: {{ zone.notify }}
+{% endif %}
+{% if 'acl' in zone %}
+ acl: {{ zone.acl }}
+{% endif %}
+ dnssec-signing: on
+ dnssec-policy: default
+{% endfor %}
+
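Review bot: The rendered knot.conf carries the TSIG secrets from `knot_keys`, yet `configure knot` makes the daemon the owner (`owner={{ knot_user }}`), so the process the file is meant to constrain can rewrite its own keys and ACLs; use `owner=root group={{ knot_group }} mode=0640` so knotd can read but not modify it. `validate="knotc -c %s conf-check"` is a welcome addition, but on the source-build path `knotc` is installed under `{{ knot_install_dir }}/sbin`, which is presumably not on the validating shell's PATH, so the full path should be used there. `mode=640` appears to work only because the key=value form is parsed as an octal string; if this task is ever converted to block YAML it must become `mode: '0640'`, so writing it as `mode=0640` now avoids the trap.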
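Review bot: Every zone is rendered with `dnssec-signing: on` and `dnssec-policy: default` unconditionally and there is no per-zone field to turn it off, so the README's secondary example would also sign the zones it receives by AXFR, and any previously unsigned zone is signed with the built-in policy the moment the role runs. Make it a zone attribute that preserves today's default but allows opting out, e.g. `dnssec-signing: {{ 'on' if zone.dnssec_signing | default(true) else 'off' }}`, and emit `dnssec-policy` only when the zone gives one. `secret: {{ key.secret }}` and `acl: {{ zone.acl }}` are written unquoted while `file` is quoted; a base64 secret ending in `=` or a list-valued `acl` presumably renders in a form the Knot parser does not expect, so quote the secret and render `acl` as a proper list. `key:` is also emitted as an empty section when `knot_keys` is empty, which conf-check may reject — wrap the header in the same `{% if knot_keys %}` guard.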
diff --git a/roles/vavrusa.knot/vars/main.yml b/roles/vavrusa.knot/vars/main.yml
new file mode 100644
index 0000000..7342169
--- /dev/null
+++ b/roles/vavrusa.knot/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for knot.auth