From 5820aa4371aec8218426cdceab3360c6955fe018 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=98ystein=20Bedin?= Date: Wed, 2 Aug 2017 14:40:08 +0000 Subject: Moving common DNS roles out of the playbook area (#605) --- roles/dns-views/tasks/main.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 roles/dns-views/tasks/main.yml (limited to 'roles/dns-views') diff --git a/roles/dns-views/tasks/main.yml b/roles/dns-views/tasks/main.yml new file mode 100644 index 000000000..7165b4269 --- /dev/null +++ b/roles/dns-views/tasks/main.yml @@ -0,0 +1,25 @@ +--- +- name: "Generate ACL list for DNS server" + set_fact: + acl_list: "{{ acl_list | default([]) + [ (hostvars[item]['private_v4'] + '/32') ] }}" + with_items: "{{ groups['cluster_hosts'] }}" + +- name: "Generate the private view" + set_fact: + private_named_view: + - name: "private" + acl_entry: "{{ acl_list }}" + zone: + - dns_domain: "{{ full_dns_domain }}" + +- name: "Generate the public view" + set_fact: + public_named_view: + - name: "public" + zone: + - dns_domain: "{{ full_dns_domain }}" + forwarder: "{{ public_dns_nameservers }}" + +- name: "Generate the final named_config_views" + set_fact: + named_config_views: "{{ private_named_view + public_named_view }}" -- cgit v1.2.3 From 06abd17792fafc3adec3916f56c69800690b1431 Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Tue, 5 Sep 2017 15:56:43 +0200 Subject: Document global DNS security options (#694) * Document global DNS security options Related changes: * Do not create a view if externally managed. * Allow to specify the recursion settings for public/private views defined by the dns-view role. Signed-off-by: Bogdan Dobrelya * Document public_dns_nameservers better Also use it as the private view forwarder Signed-off-by: Bogdan Dobrelya --- roles/dns-views/defaults/main.yml | 4 ++++ roles/dns-views/tasks/main.yml | 7 ++++++- 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 roles/dns-views/defaults/main.yml (limited to 'roles/dns-views') diff --git a/roles/dns-views/defaults/main.yml b/roles/dns-views/defaults/main.yml new file mode 100644 index 000000000..c9f8248af --- /dev/null +++ b/roles/dns-views/defaults/main.yml @@ -0,0 +1,4 @@ +--- +external_nsupdate_keys: {} +named_private_recursion: 'yes' +named_public_recursion: 'no' diff --git a/roles/dns-views/tasks/main.yml b/roles/dns-views/tasks/main.yml index 7165b4269..ffbad2e3f 100644 --- a/roles/dns-views/tasks/main.yml +++ b/roles/dns-views/tasks/main.yml @@ -8,18 +8,23 @@ set_fact: private_named_view: - name: "private" + recursion: "{{ named_private_recursion }}" acl_entry: "{{ acl_list }}" zone: - dns_domain: "{{ full_dns_domain }}" + forwarder: "{{ public_dns_nameservers }}" + when: external_nsupdate_keys['private'] is undefined - name: "Generate the public view" set_fact: public_named_view: - name: "public" + recursion: "{{ named_public_recursion }}" zone: - dns_domain: "{{ full_dns_domain }}" forwarder: "{{ public_dns_nameservers }}" + when: external_nsupdate_keys['public'] is undefined - name: "Generate the final named_config_views" set_fact: - named_config_views: "{{ private_named_view + public_named_view }}" + named_config_views: "{{ private_named_view|default([]) + public_named_view|default([]) }}" -- cgit v1.2.3