renamed roles

roles/nameservers/files/snmpd_bind.conf

@@ -0,0 +1,12 @@
+# The default config file is... /etc/snmp/bind.config
+# This is the path to rndc.
+rndc=/usr/sbin/rndc
+# This is the the path to the named stats file.
+stats_file=/etc/bind/named.stats
+# This is a 0/1 boolean for if rndc should be called.
+# If you are using netdata, you most likely want to set this to 0.
+call_rndc=1
+# This is a 0/1 boolean for this is being used as a LibreNMS agent.
+agent=0
+# This is a 0/1 boolean for if the stats file should be zeroed before calling rndc stats.
+zero_stats=1

roles/nameservers/handlers/main.yml

@@ -0,0 +1,14 @@
+- name: restart_named
+  service:
+    name: "named"
+    state: restarted
+
+- name: restart_snmpd
+  service:
+    name: "snmpd"
+    state: restarted
+
+- name: restart_unbound
+  service:
+    name: "unbound"
+    state: restarted

roles/nameservers/tasks/configure_bind_snmpd.yml

@@ -0,0 +1,44 @@
+- name: nameserver | snmpd | install needed modules
+  package:
+    name: "{{ perl_readbackwards }}"
+    state: present
+
+- name: nameserver | snmpd | get script
+  get_url:
+    url: "https://github.com/librenms/librenms-agent/raw/master/snmp/bind"
+    dest: "/etc/snmp/bind"
+    mode: "0755"
+    owner: "root"
+    group: "root"
+
+- name: nameserver | snmpd | create configuration
+  copy:
+    dest: "/etc/snmp/bind.conf"
+    src: "snmpd_bind.conf"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+
+- name: nameserver | snmpd | create statistics file
+  file:
+    path: /var/cache/bind/stats
+    state: touch
+    owner: "bind"
+    group: "bind"
+
+- name: nameserver | snmpd | configure named for statistics
+  lineinfile:
+    path: "{{ named_conf_options }}"
+    state: present
+    line: '\tstatistics-file "/var/cache/bind/stats";\n\tzone-statistics yes;'
+    insertafter: "options {"
+    validate: "/usr/sbin/named-checkconf %s"
+  notify: restart_named
+
+- name: nameserver | snmpd | configure extend
+  lineinfile:
+    path: "{{ snmpd_conf }}"
+    state: present
+    line: "extend bind /etc/snmp/bind"
+    insertafter: "# SECTION: Extends"
+  notify: restart_snmpd

roles/nameservers/tasks/configure_unbound_snmpd.yml

@@ -0,0 +1,15 @@
+- name: nameserver | snmpd | get script
+  get_url:
+    url: "https://github.com/librenms/librenms-agent/raw/master/snmp/unbound"
+    dest: "/etc/snmp/unbound"
+    mode: "0755"
+    owner: "root"
+    group: "root"
+
+- name: nameserver | snmpd | configure extend
+  lineinfile:
+    path: "{{ snmpd_conf }}"
+    state: present
+    line: "extend unbound {{ sudo }} /etc/snmp/unbound"
+    insertafter: "# SECTION: Extends"
+  notify: restart_snmpd

roles/nameservers/tasks/disable-systemd-resolved.yml

@@ -0,0 +1,23 @@
+- name: nameserver | systemd-resolved | edit config
+  lineinfile:
+    path: "/etc/systemd/resolved.conf"
+    regexp: "^.*DNSStubListener=.*$"
+    state: present
+    line: "DNSStubListener=no"
+
+- name: nameserver | systemd-resolved | stop and disable service
+  service:
+    name: "systemd-resolved"
+    state: stopped
+    enabled: false
+
+- name: nameserver | systemd-resolved | remove /etc/resolv.conf (symlink)
+  file:
+    path: "/etc/resolv.conf"
+    state: absent
+
+- name: nameserver | systemd-resolved | create new /etc/resolv.conf
+  copy:
+    dest: "/etc/resolv.conf"
+    content: |
+      nameserver 127.0.0.1

roles/nameservers/tasks/install_bind.yml

@@ -0,0 +1,26 @@
+- name: nameserver | bind | install packages
+  package:
+    name: "{{ bind_package }}"
+    state: present
+
+- name: nameserver | bind | basic configuration
+  replace:
+    path: "{{ named_conf_options }}"
+    regexp: "{{ item.regexp }}"
+    replace: "{{ item.option }}"
+    validate: "{{ named_checkconf }} %s"
+  loop:
+    - { regexp: '^\s*listen-on \{(?:[\s\n]*(?:\d{1,3}\.){3}\d{1,3};)*[\s\n]*\};', option: "\tlisten-on { {{ ansible_default_ipv4.address }}; };"}
+    - { regexp: '^\s*listen-on-v6 \{[\s\n]*any;[\s\n]*\};', option: "\tlisten-on-v6 { {{ ansible_default_ipv6.address }}; };"}
+    - { regexp: '^\s*listen-on-v6 \{(?:[\s\n]*[\da-z:]*;)[\s\n]*\};', option: "\tlisten-on-v6 { {{ ansible_default_ipv6.address }}; };"}
+  notify: restart_named
+
+- name: nameserver | bind | basic configuration cont'd
+  lineinfile:
+    path: "{{ named_conf_options }}"
+    regexp: '^\s*listen-on \{.*\};'
+    state: present
+    line: "\tlisten-on { {{ ansible_default_ipv4.address }}; };"
+    insertafter: "options {"
+    validate: "{{ named_checkconf }} %s"
+  notify: restart_named

roles/nameservers/tasks/install_unbound.yml

@@ -0,0 +1,19 @@
+- name: nameserver | unbound | install packages
+  package:
+    name: "{{ unbound_package }}"
+    state: present
+
+- name: nameserver | unbound | copy config
+  template:
+    src: "unbound_network.conf.j2"
+    dest: "/etc/unbound/unbound.conf.d/network.conf"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+    validate: "unbound-checkconf %s"
+
+- name: nameserver | unbound | enable service
+  service:
+    name: "unbound"
+    state: started
+    enabled: True

roles/nameservers/tasks/main.yml

@@ -0,0 +1,21 @@
+# Load distro-specific variables
+- include_vars: "{{ ansible_distribution }}.yml"
+  tags: always
+
+- block:
+  - block:
+    - include_tasks: install_unbound.yml
+    - include_tasks: configure_unbound_snmpd.yml
+    when: unbound == true
+
+  - name: nameserver | unbound | disable systemd-resolved
+    include_tasks: disable-systemd-resolved.yml
+    when: bind == true or unbound == true
+
+  - block:
+    - include_tasks: install_bind.yml
+    - include_tasks: configure_bind_snmpd.yml
+    when: bind == true
+
+  rescue:
+    - set_fact: task_failed=true

roles/nameservers/templates/unbound_network.conf.j2

@@ -0,0 +1,23 @@
+server:
+        ip-freebind: yes
+        {% if wg_local_ip is defined %}
+        interface: {{ wg_local_ip | ipaddr('address') }}
+        {% else %}
+        interface: {{ ansible_default_ipv4.address }}
+        {% endif %}
+        interface: 127.0.0.1
+        interface: 127.0.0.53
+        interface: ::1
+        outgoing-interface: {{ ansible_default_ipv4.address }}
+        {% if ansible_default_ipv6.address is defined %}
+        outgoing-interface: {{ ansible_default_ipv6.address }}
+        {% endif %}
+        access-control: 192.168.1.0/24 allow
+        access-control: 192.168.3.0/24 allow
+        access-control: 172.16.0.0/24 allow
+        extended-statistics: yes
+        statistics-cumulative: yes
+
+remote-control:
+        control-enable: yes
+        control-interface: 127.0.0.1

roles/nameservers/vars/Archlinux.yml

@@ -0,0 +1,9 @@
+bind_package: bind
+unbound_package: unbound
+perl_readbackwards: perl-file-readbackwards
+
+# named / bind specific
+named_conf_zones: /etc/named.conf
+named_conf_options: /etc/named.conf
+named_conf_local: /etc/named.conf
+named_checkconf: /usr/bin/named-checkconf

roles/nameservers/vars/Debian.yml

@@ -0,0 +1,9 @@
+bind_package: bind9
+unbound_package: unbound
+perl_readbackwards: libfile-readbackwards-perl
+
+# named / bind specific
+named_conf_zones: /etc/bind/named.conf.default-zones
+named_conf_options: /etc/bind/named.conf.options
+named_conf_local: /etc/bind/named.conf.local
+named_checkconf: /usr/sbin/named-checkconf

roles/nameservers/vars/Ubuntu.yml

@@ -0,0 +1,9 @@
+bind_package: bind9
+unbound_package: unbound
+perl_readbackwards: libfile-readbackwards-perl
+
+# named / bind specific
+named_conf_zones: /etc/bind/named.conf.default-zones
+named_conf_options: /etc/bind/named.conf.options
+named_conf_local: /etc/bind/named.conf.local
+named_checkconf: /usr/sbin/named-checkconf