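---
# Provisions a Vagrant lab box as a BIND9 DNS server (authoritative for
# {{ domain }} and 192.168.1.0/24 reverse, recursive for everything else).
# All package/config tasks are gated on ansible_os_family == 'Debian';
# pyenv bootstrap and the local resolv.conf are opt-in via vars.
- hosts: all
  become: true

  vars:
    dns1: dns1
    dns2: dns2
    domain: foo-domain.com
    manage_resolv_conf: true
    manage_pyenv: false
    # NOTE(review): a live HMAC secret is committed here in clear text. Keep it
    # in an ansible-vault'd vars file (or pass it with -e) and rotate the key
    # if this repository has been shared.
    rndc_key_secret: 'eZ6B0A4vjLetGWwiUtyGvpD8BnvErM/LOLiNOZYYmxr4GnYegyOLxFOeciPB3pWsdISj29R0dB87mHu0rt9EOQ=='
    # Rendered into /etc/bind/rndc.key (read by named) and into
    # /etc/bind/rndc.conf (read by the rndc client); both must agree.
    rndc_key_data: |
      key "rndc-key" {
        algorithm hmac-sha512;
        secret "{{ rndc_key_secret }}";
      };

  tasks:
    - name: Fix /etc/hosts
      tags:
        - pre_task
      # Assumes a second NIC named eth1 (Vagrant host-only network); the task
      # fails on hosts where ansible_eth1 is undefined — TODO confirm.
      copy:
        dest: /etc/hosts
        content: |
          127.0.0.1 localhost
          ::1 localhost ip6-localhost ip6-loopback
          ff02::1 ip6-allnodes
          ff02::2 ip6-allrouters
          {{ ansible_eth1.ipv4.address }} {{ ansible_nodename }}.{{ domain }} {{ ansible_hostname }} {{ dns1 }}.{{ domain }} {{ dns2 }}.{{ domain }}
      when: ansible_os_family == 'Debian'

    - name: Installing pre-req packages
      tags:
        - pre_task
      # Build deps for pyenv (python 2.7 with ssl1.0), plus DNS/NTP tooling.
      package:
        name:
          - apt-file
          - build-essential
          - curl
          - git
          - libapt-pkg-dev
          - libbz2-dev
          - libffi-dev
          - libncurses5-dev
          - libncursesw5-dev
          - libreadline-dev
          - libsqlite3-dev
          - libssl1.0-dev
          - llvm
          - make
          - tk-dev
          - wget
          - xz-utils
          - zlib1g-dev
          - dnsutils
          - ntp
          - ntpdate
        state: present
      when: ansible_os_family == 'Debian'

    - name: configure ntp.conf
      tags:
        - pre_task
      notify: restart ntp
      copy:
        dest: /etc/ntp.conf
        content: |
          # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
          tinker panic
          driftfile /var/lib/ntp/ntp.drift
          # Enable this if you want statistics to be logged.
          #statsdir /var/log/ntpstats/
          statistics loopstats peerstats clockstats
          filegen loopstats file loopstats type day enable
          filegen peerstats file peerstats type day enable
          filegen clockstats file clockstats type day enable
          # You do need to talk to an NTP server or two (or three).
          #server ntp.your-provider.example
          # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
          # pick a different set every time it starts up. Please consider joining the
          # pool: <http://www.pool.ntp.org/join.html>
          pool 0.debian.pool.ntp.org iburst
          pool 1.debian.pool.ntp.org iburst
          pool 2.debian.pool.ntp.org iburst
          pool 3.debian.pool.ntp.org iburst
          # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
          # details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
          # might also be helpful.
          #
          # Note that "restrict" applies to both servers and clients, so a configuration
          # that might be intended to block requests from certain clients could also end
          # up blocking replies from your own upstream servers.
          # By default, exchange time with everybody, but don't allow configuration.
          restrict -4 default kod notrap nomodify nopeer noquery limited
          restrict -6 default kod notrap nomodify nopeer noquery limited
          # Local users may interrogate the ntp server more closely.
          restrict 127.0.0.1
          restrict ::1
          # Needed for adding pool entries
          restrict source notrap nomodify noquery
          # Clients from this (example!) subnet have unlimited access, but only if
          # cryptographically authenticated.
          #restrict 192.168.123.0 mask 255.255.255.0 notrust
          # If you want to provide time to your local subnet, change the next line.
          # (Again, the address is an example only.)
          #broadcast 192.168.123.255
          # If you want to listen to time broadcasts on your local subnet, de-comment the
          # next lines. Please do this only if you trust everybody on the network!
          #disable auth
          #broadcastclient
        owner: root
        group: root
        # Octal modes are quoted so YAML does not read them as integers.
        mode: "0644"
      when: ansible_os_family == 'Debian'

    - name: Create /home/vagrant/.ssh
      tags:
        - pre_task
      file:
        state: directory
        path: /home/vagrant/.ssh
        mode: "0700"
        owner: vagrant
        group: vagrant

    - name: Create authorized_keys
      tags:
        - pre_task
      # This is the well-known Vagrant "insecure" key pair; it grants login to
      # anyone who has the public Vagrant repo, so it is lab-only by design.
      authorized_key:
        state: present
        path: /home/vagrant/.ssh/authorized_keys
        exclusive: false
        user: vagrant
        key: "{{ ssh_keys }}"
        validate_certs: false
        manage_dir: false
      vars:
        ssh_keys: |
          ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key

    - name: Download the insecure private_key for vagrant
      tags:
        - pre_task
      # Fetched from the unpinned master branch; fine for the public lab key,
      # but add a checksum: if this pattern is ever reused for a real key.
      get_url:
        url: "{{ item.url }}"
        dest: "/home/vagrant/.ssh/{{ item.name }}"
        owner: vagrant
        group: vagrant
        mode: "{{ item.mode }}"
      loop:
        - url: 'https://raw.githubusercontent.com/hashicorp/vagrant/master/keys/vagrant.pub'
          mode: '0644'
          name: 'id_rsa.pub'
        - url: 'https://raw.githubusercontent.com/hashicorp/vagrant/master/keys/vagrant'
          mode: '0600'
          name: 'id_rsa'

    - name: Install bind9
      tags:
        - pre_task
      package:
        state: present
        name: bind9
      when: ansible_os_family == 'Debian'

    - name: Create /etc/bind/named.conf.default-zones
      tags:
        - pre_task
      # Any change to a file named reads must reach the restart handler;
      # otherwise later runs rewrite the file without reloading the server.
      notify: restart bind
      copy:
        dest: /etc/bind/named.conf.default-zones
        content: |
          // prime the server with knowledge of the root servers
          zone "." {
            type hint;
            file "/etc/bind/db.root";
          };
          // be authoritative for the localhost forward and reverse zones, and for
          // broadcast zones as per RFC 1912
          zone "localhost" {
            type master;
            file "/etc/bind/db.local";
          };
          zone "127.in-addr.arpa" {
            type master;
            file "/etc/bind/db.127";
          };
          zone "0.in-addr.arpa" {
            type master;
            file "/etc/bind/db.0";
          };
          zone "255.in-addr.arpa" {
            type master;
            file "/etc/bind/db.255";
          };
        owner: root
        group: bind
        mode: "0644"
        validate: /usr/sbin/named-checkconf %s
      when: ansible_os_family == 'Debian'

    - name: Create /etc/bind/rndc.conf
      tags:
        - pre_task
      # The rendered file embeds the rndc secret; no_log keeps it out of
      # task output and --diff, matching the rndc.key task below.
      no_log: true
      copy:
        dest: /etc/bind/rndc.conf
        content: |
          {{ rndc_key_data }}
          options {
            default-server 127.0.0.1;
            default-key rndc-key;
          };
        owner: root
        group: bind
        mode: "0640"
      when: ansible_os_family == 'Debian'

    - name: Create /etc/bind/named.conf.local
      tags:
        - pre_task
      notify: restart bind
      copy:
        dest: /etc/bind/named.conf.local
        content: |
          include "/etc/bind/zones.rfc1918";
          include "/etc/bind/rndc.key";
          // declares control channels to be used by the rndc utility.
          controls {
            inet 127.0.0.1 port 953
              allow { 127.0.0.1; } keys { rndc-key; };
          };
          server 127.0.0.1 {
            keys { rndc-key; };
          };
          zone "{{ domain }}" {
            type master;
            file "/etc/bind/db.{{ domain }}";
          };
          zone "1.168.192.in-addr.arpa" IN {
            type master;
            file "/etc/bind/db.192.168.1";
          };
        owner: root
        group: bind
        mode: "0644"
        validate: /usr/sbin/named-checkconf %s
      when: ansible_os_family == 'Debian'

    - name: Create /etc/bind/named.conf.options
      tags:
        - pre_task
      notify: restart bind
      # NOTE(review): both ACLs are 0.0.0.0/0, so with "recursion yes" this is
      # an open recursive resolver and any client may AXFR the zones. Acceptable
      # only while the box sits on the Vagrant host-only network; narrow the
      # ACLs (e.g. the 192.168.1.0/24 and 10.0.2.0/24 ranges used below) before
      # exposing it further.
      # "dnssec-enable" is deprecated in newer BIND releases; if the target
      # image ships one, the validate step will reject it — TODO confirm.
      copy:
        dest: /etc/bind/named.conf.options
        content: |
          acl foo-domain-internal {
            0.0.0.0/0;
          };
          // acl to allow zone transfers
          acl trusted-foo-domain-internal {
            0.0.0.0/0;
          };
          options {
            directory "/var/cache/bind";
            // Use the following DNS fowarders to resolve queries that we cannot
            forwarders {
              10.0.2.3;
              8.8.8.8;
            };
            allow-query {
              foo-domain-internal;
            };
            allow-query-cache {
              foo-domain-internal;
            };
            recursion yes;
            allow-recursion {
              foo-domain-internal;
            };
            allow-transfer {
              trusted-foo-domain-internal;
            };
            notify yes;
            empty-zones-enable yes;
            dnssec-enable yes;
            dnssec-validation yes;
            auth-nxdomain no; # conform to RFC1035
            listen-on-v6 { none; };
          };
        owner: root
        group: bind
        mode: "0644"
        validate: /usr/sbin/named-checkconf %s
      when: ansible_os_family == 'Debian'

    - name: Create /etc/bind/db.192.168.1
      notify: restart bind
      tags:
        - pre_task
      # Owner-less NS lines are indented so they inherit "@" as owner.
      # The serial is static: bump it whenever records change if ns2 ever
      # becomes a secondary, or transfers will not pick up the change.
      copy:
        dest: /etc/bind/db.192.168.1
        content: |
          $TTL 2H
          @ IN SOA ns1.{{ domain }}. root.{{ domain }}. (
                2018070500 ; Serial
                28800 ; Refresh (8 hours)
                3600 ; Retry (1 hour)
                604800 ; Expire (1 week)
                86400 ; Minimum-TTL (24 hours)
          )
          ; NS records
              IN NS ns1.{{ domain }}.
              IN NS ns2.{{ domain }}.
          ; PTR records
          10 IN PTR {{ dns1 }}.{{ domain }}.
          11 IN PTR {{ dns2 }}.{{ domain }}.
          20 IN PTR dc-app-01.{{ domain }}.
          21 IN PTR dc-app-02.{{ domain }}.
          22 IN PTR aa-foo-01.{{ domain }}.
          23 IN PTR zz-bar-01.{{ domain }}.
        owner: root
        group: bind
        mode: "0644"
      when: ansible_os_family == 'Debian'

    - name: Create /etc/bind/db.{{ domain }}
      tags:
        - pre_task
      # Zone file edits need a reload as much as the reverse zone above.
      notify: restart bind
      copy:
        dest: /etc/bind/db.{{ domain }}
        content: |
          $TTL 2H
          @ IN SOA ns1.{{ domain }}. root.{{ domain }}. (
                2018070500 ; Serial
                28800 ; Refresh (8 hours)
                3600 ; Retry (1 hour)
                604800 ; Expire (1 week)
                86400 ; Minimum-TTL (24 hours)
          )
          ; NS records
          @ IN NS ns1.{{ domain }}.
          @ IN NS ns2.{{ domain }}.
          ; Nameserver A records
          ns1.{{ domain }}. IN A 192.168.1.10
          ns2.{{ domain }}. IN A 192.168.1.11
          ; A records
          dc-app-01.{{ domain }}. IN A 192.168.1.20
          dc-app-02.{{ domain }}. IN A 192.168.1.21
          aa-foo-01.{{ domain }}. IN A 192.168.1.22
          zz-bar-01.{{ domain }}. IN A 192.168.1.23
          ; CNAME records
          app-01.{{ domain }}. IN CNAME dc-app-01.{{ domain }}.
          {{ dns1 }}.{{ domain }}. IN CNAME ns1.{{ domain }}.
          {{ dns2 }}.{{ domain }}. IN CNAME ns2.{{ domain }}.
        owner: root
        group: bind
        mode: "0644"
      when: ansible_os_family == 'Debian'

    - name: Create /etc/bind/rndc.key
      tags:
        - pre_task
      no_log: true
      notify: restart bind
      copy:
        dest: /etc/bind/rndc.key
        content: "{{ rndc_key_data }}"
        owner: root
        group: bind
        mode: "0640"
      when: ansible_os_family == 'Debian'

    - name: Start bind9
      service:
        name: bind9
        state: started
        enabled: true
      when: ansible_os_family == 'Debian'

    - name: Initialize pyenv
      command: .ci/init-pyenv
      args:
        chdir: /dnsq-build
        creates: /root/.pyenv/versions/python-dnsq-2.7.15
      # "| bool" instead of "== True" so a value passed as a string via -e
      # (manage_pyenv=true) also enables the task.
      when: manage_pyenv | bool

  handlers:
    - name: restart bind
      service:
        name: bind9
        state: restarted
      when: ansible_os_family == 'Debian'

    - name: restart ntp
      service:
        name: ntp
        state: restarted
      when: ansible_os_family == 'Debian'

  post_tasks:
    - name: Configure /etc/resolv.conf
      # Points the box at the server it just configured. resolv.conf(5) treats
      # "search" and "domain" as mutually exclusive (last one wins); both name
      # the same domain here so the effect is identical. resolvconf, dhclient
      # or systemd-resolved may overwrite this file on the target image —
      # TODO confirm.
      copy:
        dest: /etc/resolv.conf
        backup: true
        content: |
          search {{ domain }}
          domain {{ domain }}
          nameserver 127.0.0.1
      when: manage_resolv_conf | bool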