Monty Taylor 1ba4559fd8 Don't log the public loop on master-nameserver
The loop iterates over the same dict as the private-key loop; although only the public half is written, each loop item still carries the private key material, and without no_log it would be printed to the log.

Change-Id: I42069f15e59a8615b41082dce1440ae7c51b8260
2020-04-08 16:38:15 -05:00


# Packages the master nameserver needs: bind9 itself, git to fetch the zone
# repositories, and rsync for the synchronize task further down.
- name: Install packages
  package:
    state: present
    name: [bind9, git, rsync]
# Parent of the per-zone directories that rsync populates below.
# NOTE(review): no owner/group/mode is given, so this directory gets the file
# module defaults for the play's user and umask; the files copied into it are
# chowned bind:bind by the rsync options. Confirm bind can traverse the
# parent.
- name: Ensure base zone directory exists
  file:
    state: directory
    path: /var/lib/bind/zones
# Zone data is sourced from git. Each dns_repos entry supplies url and name
# and may supply refspec and/or version; either one that is absent is omitted
# from the module call, so the git module's own default applies.
# NOTE(review): nothing here pins or verifies what gets checked out (no
# verify_commit, no fixed version unless the inventory sets one), so the
# zones this host serves are whatever the remote currently holds. Confirm
# that is intended for every repository in dns_repos.
- name: Clone zone repos
  loop: "{{ dns_repos }}"
  git:
    dest: "/opt/source/{{ item.name }}"
    repo: "{{ item.url }}"
    version: "{{ item.version | default(omit) }}"
    refspec: "{{ item.refspec | default(omit) }}"
# rsync options shared by every zone sync: normalise permissions
# (u+rwX,g+rX,o+rX, i.e. world-readable zone files) and hand ownership of
# everything copied to bind:bind.
- name: Set base rsync options
  set_fact:
    _rsync_options:
      - '--chmod=u+rwX,g+rX,o+rX'
      - '--chown=bind:bind'
# Copy each zone's checked-out tree into BIND's zone directory. Delegating to
# the target itself means rsync runs on the nameserver with both src and dest
# local to it, rather than pushing from the controller.
# Zones flagged unmanaged get --ignore-existing on top of the base options so
# files already present on the host are never overwritten; all other zones are
# updated in place.
# NOTE(review): the synchronize module's delete option is not set, so files
# removed from a repository remain under /var/lib/bind/zones/<name> until
# cleaned up by hand — confirm that is acceptable.
- name: Synchronize zone repos to zone directories
  loop: "{{ dns_zones }}"
  delegate_to: "{{ inventory_hostname }}"
  synchronize:
    dest: "/var/lib/bind/zones/{{ item.name }}"
    src: "/opt/source/{{ item.source }}"
    rsync_opts: "{{ _rsync_options + ['--ignore-existing'] if item.unmanaged|default(False) else _rsync_options }}"
  notify: Reload named
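# Render the TSIG key file from the tsig_key secret. no_log keeps the key
# material out of the play output, and the file is readable only by root and
# the bind group (0440).
# NOTE(review): templates/bind.key.j2 is not visible here; it receives `key`
# (the secret) and `name` ("tsig"), presumably the key name that named.conf
# refers to — confirm against the template and named.conf.j2.
- name: Install tsig key
  no_log: true
  template:
    src: templates/bind.key.j2
    dest: /etc/bind/tsig.key
    owner: root
    group: bind
    # Quoted so the mode reaches Ansible as a string and is converted there,
    # instead of relying on the YAML parser's leading-zero octal rule.
    mode: "0440"
  vars:
    key: "{{ tsig_key }}"
    name: tsig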
# Parent of the per-zone key directories created next.
# NOTE(review): unlike those per-zone directories, no owner/group/mode is set
# here, so it is created with the file module defaults for the play's user
# and umask — confirm bind can traverse it to reach its zone key directory.
- name: Ensure base dnssec key directory exists
  file:
    state: directory
    path: /etc/bind/keys
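# BIND needs a key directory for every zone whether or not any keys are
# installed into it, so one is created per dns_zones entry: owned by root,
# traversable by the bind group, closed to everyone else (0750).
- name: Ensure zone dnssec key directories exist
  loop: "{{ dns_zones }}"
  file:
    path: "/etc/bind/keys/{{ item.name }}"
    state: directory
    owner: root
    group: bind
    # Quoted octal: the string form is what Ansible documents; an unquoted
    # leading-zero literal depends on the YAML parser's 1.1 octal rule.
    mode: "0750"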
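# Write the public half of every DNSSEC key. dnssec_keys maps key id ->
# {zone, public, private}; the destination follows BIND's
# K<zone>.+<alg>+<keyid>.key naming with the algorithm number fixed at 008
# (RSASHA256 in the IANA registry).
# no_log is required even though only public material is written: each loop
# item carries the whole mapping value, including item.value.private, and
# would otherwise be echoed in the task output.
# NOTE(review): because 008 is hard-coded, a key of any other algorithm would
# be written under a misleading file name — confirm all keys are RSASHA256.
- name: Install dnssec public keys
  no_log: true
  loop: "{{ dnssec_keys | dict2items }}"
  copy:
    dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.key"
    content: "{{ item.value.public }}"
    owner: root
    group: bind
    # Quoted so the mode is passed as a string rather than relying on the
    # YAML parser's leading-zero octal rule.
    mode: "0440"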
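# Write the private half of every DNSSEC key, named like the public half but
# with the .private suffix and the same hard-coded algorithm number 008.
# no_log keeps item.value.private out of the play output; the file is readable
# by root and the bind group only (0440), so named can sign with it but cannot
# modify it.
- name: Install dnssec private keys
  no_log: true
  loop: "{{ dnssec_keys | dict2items }}"
  copy:
    dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.private"
    content: "{{ item.value.private }}"
    owner: root
    group: bind
    # Quoted so the mode is passed as a string rather than relying on the
    # YAML parser's leading-zero octal rule.
    mode: "0440"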
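# Render named.conf and reload named when it changes. The file is
# world-readable (0444); the TSIG key and DNSSEC keys are installed separately
# with 0440, so nothing secret should be templated directly into named.conf —
# confirm against templates/named.conf.j2, which is not visible here.
- name: Install bind config
  template:
    src: templates/named.conf.j2
    dest: /etc/bind/named.conf
    owner: root
    group: bind
    # Quoted so the mode is passed as a string rather than relying on the
    # YAML parser's leading-zero octal rule.
    mode: "0444"
  notify: Reload named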
# Have bind9 start at boot. No state is requested, so this task does not start
# or restart the service itself; the "Reload named" handler notified by the
# earlier tasks (defined elsewhere) is what applies changes to a running
# named — confirm the service is actually started on a fresh deploy.
- name: Enable named
  service:
    enabled: true
    name: bind9