prepare dns secondaries

2024-10-03 23:02:04 +02:00
parent 7e947d39ce
commit b668d71b86
7 changed files with 110 additions and 79 deletions
--- a/roles/nameserver/handlers/main.yml
+++ b/roles/nameserver/handlers/main.yml
@@ -16,4 +16,9 @@
 - name: restart_pdns
  service:
    name: "pdns"
+    state: restarted
+
+- name: restart_mysqld
+  service:
+    name: "mysqld"
    state: restarted
--- a/roles/nameserver/tasks/install_powerdns_server.yml
+++ b/roles/nameserver/tasks/install_powerdns_server.yml
@@ -1,55 +1,58 @@
- name: nameserver | powerdns-server | install packages
+- name: Nameserver | powerdns-server | install packages
  package:
    name: "{{ powerdns_server_package }}"
    state: present

- name: nameserver | powerdns-server | install backends
+- name: Nameserver | powerdns-server | install backends
  package:
    name: "{{ item.package }}"
    state: latest
  with_items: "{{ powerdns_backends }}"

- name: nameserver | powerdns-server | install and configure database
+- name: Nameserver | powerdns-server | install and configure database
+  when:
+    - powerdns_primary is defined
+    - powerdns_primary is true
  block:
    - include_role: name=database # required. The name of the role to be executed.

-    - name: nameserver | powerdns-server | install python mysql client
+    - name: Nameserver | powerdns-server | install python mysql client
      package:
        name: "{{ python_mysql_client }}"
        state: present
    
-    - name: nameserver | powerdns-server | create database
+    - name: Nameserver | powerdns-server | create database
      mysql_db:
-        name: "{{ pdns_db_name }}" # required. name of the database to add or remove. I(name=all) May only be provided if I(state) is C(dump) or C(import). List of databases is provided with I(state=dump), I(state=present) and I(state=absent). if name=all Works like --all-databases option for mysqldump (Added in 2.0).
-        state: present # not required. choices: present;absent;dump;import. The database state
-        encoding: "utf8" # not required. Encoding mode to use, examples include C(utf8) or C(latin1_swedish_ci)
-        config_file: "/etc/mysql/my.cnf" # not required. Specify a config file from which user and password are to be read.
-        login_unix_socket: "{{ pdns_mysql_socket }}"  # not required. The path to a Unix domain socket for local connections.
+        name: "{{ pdns_db_name }}"
+        state: present
+        encoding: "utf8"
+        config_file: "/etc/mysql/my.cnf"
+        login_unix_socket: "{{ pdns_mysql_socket }}"
      register: database_exists
    
-    - name: nameserver | powerdns-server | import database
+    - name: Nameserver | powerdns-server | import database
      mysql_db:
        name: "{{ pdns_db_name }}"
        state: import
-        target: "{{ pdns_mysql_schema }}" # not required. Location, on the remote host, of the dump file to read from or write to. Uncompressed SQL files (C(.sql)) as well as bzip2 (C(.bz2)), gzip (C(.gz)) and xz (Added in 2.0) compressed files are supported.
-        config_file: "/etc/mysql/my.cnf" # not required. Specify a config file from which user and password are to be read.
-        login_unix_socket: "{{ pdns_mysql_socket }}"  # not required. The path to a Unix domain socket for local connections.
+        target: "{{ pdns_mysql_schema }}" 
+        config_file: "/etc/mysql/my.cnf"
+        login_unix_socket: "{{ pdns_mysql_socket }}"
      when: database_exists.changed
    
-    - name: nameserver | powerdns-server | create database user
+    - name: Nameserver | powerdns-server | create database user
      mysql_user:
-        name: "{{ pdns_db_user }}" # required. Name of the user (role) to add or remove.
+        name: "{{ pdns_db_user }}" 
        password: "{{ pdns_db_passwd | default(lookup('password', '/etc/powerdns/pdns.d/.mysqlpw length=20')) }}" # not required. Set the user's password..
        host: localhost
-        priv: "{{ pdns_db_name }}.*:ALL" # not required. MySQL privileges string in the format: C(db.table:priv1,priv2). Multiple privileges can be specified by separating each one using a forward slash: C(db.table:priv/db.table:priv). The format is based on MySQL C(GRANT) statement. Database and table names can be quoted, MySQL-style. If column privileges are used, the C(priv1,priv2) part must be exactly as returned by a C(SHOW GRANT) statement. If not followed, the module will always report changes. It includes grouping columns by permission (C(SELECT(col1,col2)) instead of C(SELECT(col1),SELECT(col2))).
-        append_privs: False # not required. Append the privileges defined by priv to the existing ones for this user instead of overwriting existing ones.
-        sql_log_bin: True # not required. Whether binary logging should be enabled or disabled for the connection.
-        state: present # not required. choices: absent;present. Whether the user should exist. When C(absent), removes the user.
-        update_password: on_create # not required. choices: always;on_create. C(always) will update passwords if they differ. C(on_create) will only set the password for newly created users.
-        config_file: "/etc/mysql/my.cnf" # not required. Specify a config file from which user and password are to be read.
-        login_unix_socket: "{{ pdns_mysql_socket }}"  # not required. The path to a Unix domain socket for local connections.
+        priv: "{{ pdns_db_name }}.*:ALL"
+        append_privs: False
+        sql_log_bin: True
+        state: present
+        update_password: on_create
+        config_file: "/etc/mysql/my.cnf"
+        login_unix_socket: "{{ pdns_mysql_socket }}"
    
-    - name: nameserver | powerdns-server | create database users for secondaries
+    - name: Nameserver | powerdns-server | create database users for secondaries
      mysql_user:
        name: "{{ pdns_db_user }}"
        password: "{{ pdns_db_passwd | default(lookup('password', '/etc/powerdns/pdns.d/.mysqlpw length=20')) }}"
@@ -62,8 +65,18 @@
        config_file: "/etc/mysql/my.cnf"
        login_unix_socket: "{{ pdns_mysql_socket }}"
      loop: "{{ pdns_secondaries }}"
-    
-    - name: nameserver | powerdns-server | copy config
+
+    - name: Nameserver | powerdns-server | configure mysql for network
+      ini_file:
+        path: "/etc/mysql/mariadb.conf.d/50-server.cnf"
+        section: "mysqld"
+        option: "bind-address"
+        value: "{{ ansible_default_ipv4.address }}"
+        state: present
+        no_extra_spaces: False # not required. Do not insert spaces before and after '=' symbol.
+      notify: restart_mysqld
+
+    - name: Nameserver | powerdns-server | copy config
      template:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
@@ -74,17 +87,28 @@
      loop:
        - { src: "powerdns-server-pri-mysql-config.j2", dest: "/etc/powerdns/pdns.d/mysql.conf" }
        - { src: "powerdns-server-pri-api-config.j2", dest: "/etc/powerdns/pdns.d/api.conf"}
-  when:
-    - powerdns_primary is defined
-    - powerdns_primary is true
  notify: restart_pdns

- name: nameserver | powerdns-server | disable bind
+- name: Nameserver | powerdns-server | configure backends for secondaries
+  when:
+    - powerdns_primary is defined
+    - powerdns_primary is false
+    - powerdns_secondary is defined
+    - powerdns_secondary is true
+  template:
+    src: "powerdns-server-pri-mysql-config.j2"
+    dest: "/etc/powerdns/pdns.d/mysql.conf"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+    force: no
+
+- name: Nameserver | powerdns-server | disable bind
  block:
-    - name: nameserver | powerdns-server | get running services
+    - name: Nameserver | powerdns-server | get running services
      service_facts:

-    - name: nameserver | powerdns-server | disable bind
+    - name: Nameserver | powerdns-server | disable bind
      service:
        name: "named"
        state: stopped
@@ -93,7 +117,7 @@
      vars:
        service_names: "{{ services|dict2items|map(attribute='value.name')|list }}"

- name: nameserver | powerdns-server | enable service
+- name: Nameserver | powerdns-server | enable service
  service:
    name: "pdns"
    state: started
--- a/roles/nameserver/tasks/main.yml
+++ b/roles/nameserver/tasks/main.yml
@@ -3,53 +3,53 @@
  tags: always

 - block:
-  - name: nameserver | unbound | install and configure
-    block:
-      - name: nameserver | unbound | install
-        include_tasks: install_unbound.yml
-      - name: nameserver | unbound | configure
-        include_tasks: configure_unbound_snmpd.yml
+  - name: Nameserver | unbound | install and configure
    when:
      - unbound is defined
      - unbound is true
      - powerdns_recursor is not defined or powerdns_recursor is false
+    block:
+      - name: Nameserver | unbound | install
+        include_tasks: install_unbound.yml
+      - name: Nameserver | unbound | configure
+        include_tasks: configure_unbound_snmpd.yml

-  - name: nameserver | unbound | disable systemd-resolved
+  - name: Nameserver | unbound | disable systemd-resolved
    include_tasks: disable-systemd-resolved.yml
    when: bind is true or unbound is true or powerdns_recursor is true

-  - name: nameserver | powerdns-recursor | install and configure
-    block:
-      - name: nameserver| powerdns-recursor | install
-        include_tasks: install_powerdns_recursor.yml
-      - name: nameserver | powerdns-recursor | configure
-        include_tasks: configure_powerdns_recursor_snmpd.yml
+  - name: Nameserver | powerdns-recursor | install and configure
    when:
      - powerdns_recursor is defined
      - powerdns_recursor is true
      - unbound is not defined or unbound is false
-
-  - name: nameserver | bind | install and configure
    block:
-      - name: nameserver | bind | install
-        include_tasks: install_bind.yml
-      - name: nameserver | bind | configure
-        include_tasks: configure_bind_snmpd.yml
+      - name: Nameserver| powerdns-recursor | install
+        include_tasks: install_powerdns_recursor.yml
+      - name: Nameserver | powerdns-recursor | configure
+        include_tasks: configure_powerdns_recursor_snmpd.yml
+
+  - name: Nameserver | bind | install and configure
    when:
      - bind is defined
      - bind is true
      - powerdns_server is not defined or powerdns_server is false
-
-  - name: nameserver | powerdns-server | install and configure
    block:
-      - name: nameserver | powerdns-server | install
-        include_tasks: install_powerdns_server.yml
-      - name: nameserver | powerdns-server | configure
-        include_tasks: configure_powerdns_server_snmpd.yml
+      - name: Nameserver | bind | install
+        include_tasks: install_bind.yml
+      - name: Nameserver | bind | configure
+        include_tasks: configure_bind_snmpd.yml
+
+  - name: Nameserver | powerdns-server | install and configure
    when:
      - powerdns_server is defined
      - powerdns_server is true
      - bind is not defined or bind is false
+    block:
+      - name: Nameserver | powerdns-server | install
+        include_tasks: install_powerdns_server.yml
+      - name: Nameserver | powerdns-server | configure
+        include_tasks: configure_powerdns_server_snmpd.yml

  rescue:
    - set_fact: task_failed=true
--- a/roles/nameserver/templates/powerdns-server-sec-mysql-config
+++ b/roles/nameserver/templates/powerdns-server-sec-mysql-config
@@ -0,0 +1,4 @@
+launch += gmysql
+gmysql-host = {{ pdns_pri_server }}
+gmysql-password = {{ pdns_db_passwd | default(lookup('password', '/etc/powerdns/pdns.d/.mysqlpw length=20')) }}
+gmysql-dnssec = Yes
--- a/roles/nameserver/vars/main.yml
+++ b/roles/nameserver/vars/main.yml
@@ -1,16 +1,16 @@
 $ANSIBLE_VAULT;1.1;AES256
-33393637343963633639303764623635356261393833353539626539396635666264393865333738
-3666356534343238656532373735383161666232373536380a366134386664653133323936383364
-36616330356462373436313032303133656433316566373632656532333166323439663465343139
-6165353566313464370a343066616239366166333563333364333634643635636135636230346633
-61393731323835666338626262326538346362613561666533623839333566613033363037636364
-39643031343232366437316263356339613163333033383664616532343433653131616438383663
-38623631323233656238373264346235656530613261303863633964373736653531333236356537
-65386166396262343430313431646439663234313561346463316563313832356635653865363333
-63653362326535323864353738376132663266353161386461613538313063633332383538316634
-39313664323337303861666361636633613631623438613434303964373065396263663232386131
-38383235373066633338633938303663623331376330356635343661303061663535346639336464
-31646530386533636165346233626532643437336136373731313738313463373436313334613834
-38633136613935373466366138336538623266346333313831646339626433396366373761656337
-39356365383762363662666162313932323831386133336631383039383132623661646566376265
-613335613464393433626139343731393633
+61303361653739306432353266666164316662373337626436323530663765393231373432623163
+6137383465666332313434343038343738666434646233300a633832353361656438316635363433
+35313563366132303832653761663639663135303864383434346566313434653965633233633262
+3337343536366534360a613539633535313362633366666431373534356334666661386266316132
+66323735313438366432356132313537353463313563633133323832346561306266653838366662
+30373136656363336164366662656362316235623530666239396665326165616666663339303932
+32643462623363383237636435313564626138373638656235313733306138396366623966636132
+31633539383834613335343636323230353530363366353430343036343838353763373134623165
+38633164643165326638613535323330363835396661326566373064316435346563393935333437
+61653633646365343165306564366631316234386430363538636535313436646232326634616365
+62373066306130373161343664666163623434336663356561613166353137373163323639343034
+61653261346637306461346164626535353335346461326233303162656539333031613932353832
+31653063666163633862393334386365633862363034353861643734363031383137323163326637
+39346531646231363832303037383837336164326330646634343934643135626234646265356535
+656462656539613538373764656134373037