systemli · ulvida · Jul 1, 2022 · Jul 2, 2022 · Jul 3, 2022 · Jul 5, 2022
diff --git a/README.md b/README.md
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -7,11 +7,36 @@ bind9_group: bind
 # Listen on IPv6 interfaces
 bind9_ipv6: yes
 
+# bind9_templates: Directory for bind9 files templates
+# The role can handle different sets of templates for bind and zones configuration.
+# It presently proposes two sets of templates:
+#
+# * the defaults one, "", wich is a general purpose configuration set, that has evolved with the role.
+#   It's files live in {{ role_path }}/templates/ directory
+# * a second new set for a strict authoritative bind NS server: `strict_authoritative` It accepts DNS queries
+#   only for zones it is authoritative for. Templates try to be smart: `allow-transfer` for secunday NS servers
+#   and `notify-also` for hidden slaves are automatically set, and can be overwitten zone by zone, as well as
+#   `allow-query` and `notify` clauses. 
+#   It's files live in {{ role_path }}/templates/strict_authoritative/ directory
+#   Note that several default variables `bind9_*` have different meanings than with default templates' set.   
+#
+# bind9_templates must be set as an absolute directory or relative to the `templates` directory of the role, and 
+# must include it's trailing "/". For instance, for the `strict_authoritative` set of templates, you can define: 
+#
+#   bind9_templates: strict_authoritative/
+#
+# You can design and set your own templates (PRs welcome!), for example with:
+# bind9_templates: "{{ playbook_dir }}/host_vars/<my_host>/templates/"
+bind9_templates: ""
+
 # Run bind as a DNS recursor?
+# variable used only by default templates, not strict_authoritative
 bind9_recursor: no
 
 # Run bind as authoritative nameserver?
-bind9_authoritative: no
+# variable used by default templates and as conditionnal of several tasks
+# If using `strict_authoritative/` templates, this variable _must_ be true
+bind9_authoritative: "{{ true if bind9_templates == 'strict_authoritative/' else false }}"
 
 # run bind with forwarding?
 bind9_forward: no
@@ -35,12 +60,17 @@ bind9_notify_explicit: no
 # Default zone type
 bind9_zone_type: master
 
+## //!\\ Several of the following variables have different meanings or (no meaning at all) depending on the templates' set you use
+## See here after bind9_template variable. 
+
 # Permitted hosts/networks for recursion (when configured as recursor)
+# variable used only by default templates, not strict_authoritative
 bind9_our_networks:
   - localhost
   - localnets
 
 # Permitted hosts/networks for zone transfers
+# variable used only by default templates, not strict_authoritative
 bind9_our_neighbors:
   - localhost
   - localnets
@@ -49,21 +79,53 @@ bind9_our_neighbors:
 bind9_rndc_algorithm: hmac-md5
 # bind9_rndc_key:
 
-# Global primaries for all zones (if configured as secondary)
-# bind9_masters:
-#  - name: ns-primary
-#    addresses:
-#      - 1.2.3.4
-
-# Primaries for particular zones (if configured as secondary)
-# bind9_masters_extra:
-#  - name: ns-primary
-#    addresses:
-#      - 1.2.3.4
-
-# Global secondaries for all zones (if configured as primary)
-# bind9_slaves:
-#  - 1.2.3.4
+# Global primaries for all zones (if configured as secondary), default masters if not defined in the zone
+#   bind9_masters:
+#    - name: ns-primary
+#      addresses:
+#        - 1.2.3.4
+
+# Primaries for particular zones (if configured as secondary), that can also be used in also-notify directives
+#   bind9_masters_extra:
+#    - name: "ns-primary"
+#      addresses:
+#        - 1.2.3.4
+#    - name: ...
+#      addresses:
+#      - ...
+
+# Note that the role wil create masters lists _as well as_ ACLs for each element of `bind9_masters` and `bind9_masters_extra`
+# allowing the magic to be able to put the same _names_ in the following parameters
+
+# Global secondaries for all zones (if configured as primary), default slaves if not specifically defined for the zone
+#   bind9_slaves:
+#   - 1.2.3.4
+#   - ns-primary 
+#   - ...
+# This variable, that can be overwritten zone by zone (see README) is mainly used to build the `allow-transfer` clause of
+# each zone. 
+# Notice that we set here the name `ns-primary` defined above. This wouldn't be possible in BIND9 configuration, if 
+# `ns-primary` is a masters list. Here, for slaves, i.e. to set `allow-transfer` at the masters level, we are in fact
+# referring to the ACL weith the same name. 
+
+# bind9_acl: 
+# undefined by default, this variable allows to define a set of access control lists (ACL) to use in slaves, allow-query
+# or allow-transfer definitions. In YAML, `bind9_acl` has the same format as `bind9_masters`, except that, morover IPs, it can
+# contain networks definitions (IP/MASK).
+
+## The following variables are default values for all zones, that can be overwritten zone by zone. 
+
+# bind9_also_notify:
+# undefined by default, a list of IPs or masters lists that defines the global `also-notify` clause in configuration. 
+# By default, `bind9_also_notify` items are automatically included in `allow-transfer` clause in each zone. 
+
+# bind9_also_allow_transfer:
+# As stated above, by default, slaves and also-notify hosts are automatically included in the allow-transfer clauses of zones.
+# You can define here any _additional_ IP or ACL you would like, by default, to also allow transfer. 
+
+# bind9_allow_transfer: 
+# Defining this variables bypasses the previous mechanism of including slaves and also-notify hosts in the allow-transfer clause
+# of the zone in its master servers, and sets the `allow-transfer` to its content.
 
 # Enable BIND's XML statistics-channels (for monitoring purposes)
 bind9_statistics_enabled: False
@@ -75,6 +137,11 @@ bind9_statistics_enabled: False
 bind9_zones_dynamic: []
 bind9_zones_static: []
 
+# With this value, the `copy` module will look for zone files in `files/bind/zones/` in the playbook directory
+bind9_zone_files: bind/zones/
+# Overwrite, for instance if you want to put your db.* zone files in your host vars: 
+# bind9_zone_files: '{{ playbook_dir }}/host_vars/{{ ansible_hostname }}/files/bind/zones/'
+
 # Authoritative include files
 bind9_authoritative_includes: []
 
@@ -111,12 +178,6 @@ bind9_packages:
   - bind9
   - dnsutils
 
-# Directory for bind9 files templates
-bind9_templates: ""
-# The default value takes templates form the {{ role_path }}/templates/ directory of the role
-# You can set your own templates, for example with:
-# bind9_templates: "{{ playbook_dir }}/host_vars/<my_host>/templates/"
-
 # Logging
 bind9_named_logging: False
 bind9_log_path: /var/log/bind

diff --git a/meta/main.yml b/meta/main.yml
@@ -5,7 +5,7 @@ galaxy_info:
   description: Role to install and maintain the Bind9 nameserver on Debian
   company: systemli.org
   license: GPLv3
-  min_ansible_version: "2.4"
+  min_ansible_version: '2.10'
   galaxy_tags:
     - bind9
     - dns

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -16,7 +16,7 @@
   notify:
     - restart bind9
 
-- name: Setup logs
+- name: bind9 logs configuration
   block:
     - name: ensure existence of the log directory
       file:
@@ -144,14 +144,27 @@
     - item.type|default(bind9_zone_type) == 'master'
     - item.update_keyfile|default()
 
+- name: view zones  
+  debug:
+    var: item
+    verbosity: 2
+  with_items:
+    - '{{ bind9_zones_dynamic | union( bind9_zones_static ) }}'
+  when:
+    - bind9_authoritative|default()
+    - bind9_dnssec|default() or item.dnssec|default(bind9_dnssec_zones_default_enabled)
+    - item.dnssec|default(bind9_dnssec_zones_default_enabled)
+  tags:
+    - role:bind9:dnssec
+
 # TODO: DNSSEC: implement key rollover
 - name: determine if DNSSEC keys for zones already exist
   find:
     paths: /etc/bind/keys
     patterns: "K{{ item.name }}.+008+*"
   register: bind9_reg_dnssec_keys_tmp
   with_items:
-    - "{{ bind9_zones_dynamic }} + {{ bind9_zones_static }}"
+    - '{{ bind9_zones_dynamic | union( bind9_zones_static ) }}'
   when:
     - bind9_authoritative|default()
     - bind9_dnssec|default() or item.dnssec|default(bind9_dnssec_zones_default_enabled)
@@ -160,7 +173,7 @@
     - role:bind9:dnssec
 
 # Filter out all skipped results (e.g. if item.dnssec is set to False)
-- name: Set bind9_reg_dnssec_keys
+- name: set bind9_reg_dnssec_keys fact
   set_fact:
     bind9_reg_dnssec_keys: "{{ bind9_reg_dnssec_keys_tmp.results|selectattr('skipped', 'undefined')|list }}"
 
@@ -315,7 +328,7 @@
 
 - name: install static bind9 zone files
   copy:
-    src: bind/zones/db.{{ item.name }}
+    src: '{{ bind9_zone_files }}db.{{ item.name }}'
     dest: /etc/bind/zones/db.{{ item.name }}
     owner: root
     group: "{{ bind9_group }}"

diff --git a/templates/bind/named.conf.local.j2 b/templates/bind/named.conf.local.j2
@@ -5,8 +5,14 @@
 // Consider adding the 1918 zones here, if they are not used in your
 // organization
 //include "/etc/bind/zones.rfc1918";
+{% if bind9_statistics_enabled %}
+statistics-channels {
+  inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
+};
 
+{% endif %}
 {% if bind9_masters|default() %}
+// masters for zones and allow-notify
 {%   for master in bind9_masters %}
 masters {{ master.name }} {
 {%     for addr in master.addresses %}
@@ -24,11 +30,16 @@ masters {{ master.name }} {
 };
 {%   endfor %}
 {% endif %}
+{% if bind9_acl is defined %}
 
-{% if bind9_statistics_enabled %}
-statistics-channels {
-  inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
+	// Custom acls
+{%   for acl_item in bind9_acl %}
+acl {{ acl_item.name }} {
+{%     for item_address in acl_item.addresses %}
+	{{ item_address }};
+{%     endfor %}
 };
+{%   endfor %}
 {% endif %}
 
 // The following zones are managed by this DNS Server //
@@ -38,44 +49,63 @@ zone "{{ zone.name }}" {
     type {{ zone_type }};
 {%   if zone_type == 'master' %}
     file "/etc/bind/zones/db.{{ zone.name }}";
-{%     if bind9_notify_explicit|default() %}
+{%     if zone.allow_query is defined %}
+    allow-query {
+{%       for allow_query_item in zone.allow_query %}
+        {{ allow_query_item }};
+{%       endfor %}
+    };
+{%     endif %}
+{%     if zone.allow_transfer is defined %}
+    allow-transfer {
+{%       for allow_transfer_item in zone.allow_transfer %}
+        {{ allow_transfer_item }};
+{%       endfor %}
+    };
+{%     endif %}
+{%     if bind9_notify_explicit %}
     notify explicit;
-{%     elif zone.notify|default(true) %}
-    notify yes;
+{%     elif zone.notify | default(true) %}
+    notify {{ zone.notify | default(true) | ternary ('yes','no') }};
 {%     endif %}
-{%     if (bind9_dnssec|default() or zone.dnssec|default()) and zone.dnssec|default(bind9_dnssec_zones_default_enabled) %}
+{%     if zone.also_notify is defined %}
+    also-notify {
+{%       for also_notify_item in zone.also_notify %}
+        {{ also_notify_item }};
+{%       endfor %}
+    };
+{%     endif %}
+{%     if (bind9_dnssec or zone.dnssec | default() ) and zone.dnssec | default( bind9_dnssec_zones_default_enabled ) %}
     auto-dnssec maintain;
     inline-signing yes;
 {%     endif %}
-{%     if zone.update_policy_grant|default() %}
+{%     if zone.update_policy_grant | default() %}
     update-policy {
         grant {{ zone.name }}_ddns_update {{ zone.update_policy_grant }};
     };
 {%     endif %}
 {%   elif zone_type == 'slave' %}
     file "/var/lib/bind/db.{{ zone.name }}";
-{%     if zone.masters|default() or bind9_masters|default() %}
+{%     if zone.masters | default() or bind9_masters | default() %}
     notify no;
     masters {
-{%       if zone.masters|default() %}
+{%       if zone.masters | default() %}
 {%         for master in zone.masters %}
         {{ master }};
 {%         endfor %}
-{%       elif bind9_masters|default() %}
+{%       elif bind9_masters | default() %}
 {%         for master in bind9_masters %}
         {{ master.name }};
 {%         endfor %}
 {%       endif %}
     };
 {%     endif %}
-{%   else %}
-{%      if zone_type == 'forward' %}
+{%   elif zone_type == 'forward' %}
     forwarders {
-{%         for fwd in zone.forwarders %}
+{%     for fwd in zone.forwarders %}
         {{ fwd }}; 
-{%         endfor %}
+{%     endfor %}
    }; 
-{%     endif %}
 {%   endif %}
 };
 {% endfor %}
diff --git a/templates/bind/named.conf.options.j2 b/templates/bind/named.conf.options.j2
@@ -1,3 +1,6 @@
+// BIND 9 Configuration - generated by systemli.bind9 ansible role
+// DO NOT edit, change your ansible config and re-run your ansible playbooks
+
 options {
 	directory "/var/cache/bind";
 
@@ -12,9 +15,9 @@ options {
 
 {% if bind9_forward|default() %}
   forwarders {
-    {% for forwarder in bind9_forward_servers %}
+{%   for forwarder in bind9_forward_servers %}
       {{ forwarder }};
-    {% endfor %}
+{%   endfor %}
   };
 {% endif %}                                                                                                                                                   
 
@@ -89,8 +92,8 @@ acl our_neighbors {
 {%   endfor %}
 {% endif %}
 };
-
 {% if bind9_named_logging %}
+
 logging {
   channel bind_log {
     file "{{ bind9_log_path }}/bind.log" versions {{ bind9_log_versions }} size {{ bind9_log_size }};
@@ -99,8 +102,8 @@ logging {
     print-severity yes;
     print-time yes;
   };
-  {% for category in bind9_log_categories %}
+{%   for category in bind9_log_categories %}
   category {{ category.name }} { {{ category.destination }}; };
-  {% endfor %}
+{%   endfor %}
 };
 {% endif %}
diff --git a/templates/strict_authoritative/bind/default.j2 b/templates/strict_authoritative/bind/default.j2
@@ -0,0 +1 @@
+../../bind/default.j2