66ceb321a6
This adds the concept of an unmanaged domain; for unmanaged domains we will write out the zone file only if it doesn't already exist.

acme.opendev.org is added as an unmanaged domain. It will be managed by other ansible roles which add TXT records for ACME authentication. The initial template comes from the dependent change, and this ensures the bind configuration is always valid.

For flexibility and testing purposes, we allow passing an extra refspec and version to the git checkout. This is one way to pull in changes for speculative CI runs (I looked into having the hosts under test checkout from Zuul; but by the time we're 3 ansible calls deep on the DNS hosts-under-test it's a real pain. For the amount of times we update this, it's easier to just allow a speculative change that can take a gerrit URL; for an example see [1]).

[1] https://review.openstack.org/#/c/641155/10/playbooks/group_vars/dns.yaml

Testing is enhanced to check for zone files and correct configuration stanzas.

Depends-On: https://review.openstack.org/641154
Depends-On: https://review.openstack.org/641168
Change-Id: I9ef5cfc850c3458c63aff46cfaa0d49a5d194e87
94 lines
2.2 KiB
ReStructuredText
Configure a hidden master nameserver

This role installs and configures bind9 to be a hidden master
nameserver.

**Role Variables**

.. zuul:rolevar:: tsig_key
   :type: dict

   The TSIG key used to control named.

   .. zuul:rolevar:: algorithm

      The algorithm used by the key.

   .. zuul:rolevar:: secret

      The secret portion of the key.

.. zuul:rolevar:: dnssec_keys
   :type: dict

   This is a dictionary of DNSSEC keys. Each entry is a DNSSEC key,
   where the dictionary key is the DNSSEC key id and the value is a
   dictionary with the following contents:

   .. zuul:rolevar:: zone

      The name of the zone for this key.

   .. zuul:rolevar:: public

      The public portion of this key.

   .. zuul:rolevar:: private

      The private portion of this key.

.. zuul:rolevar:: dns_repos
   :type: list

   A list of zone file repos to check out on the server. Each item in
   the list is a dictionary with the following keys:

   .. zuul:rolevar:: name

      The name of the repo.

   .. zuul:rolevar:: url

      The URL of the git repository.

   .. zuul:rolevar:: refspec

      An additional refspec passed to the git checkout.

   .. zuul:rolevar:: version

      An additional version passed to the git checkout.

.. zuul:rolevar:: dns_zones
   :type: list

   A list of zones that should be served by named. Each item in the
   list is a dictionary with the following keys:

   .. zuul:rolevar:: name

      The name of the zone.

   .. zuul:rolevar:: source

      The repo name and path of the directory containing the zone
      file. For example, if a repo was provided to
      :zuul:rolevar:`master-nameserver.dns_repos.name` with the name
      ``example.com``, and within that repo the ``zone.db`` file was
      located at ``zones/example_com/zone.db``, then the value here
      should be ``example.com/zones/example_com``.

   .. zuul:rolevar:: unmanaged
      :type: bool
      :default: False

      If ``True`` the zone is considered unmanaged. The ``source``
      file will be put in place if it does not exist, but will
      otherwise be left alone.

.. zuul:rolevar:: dns_notify
   :type: list

   A list of IP addresses of nameservers which named should notify on
   updates.