diff --git a/inventory/group_vars/dns b/inventory/group_vars/dns
new file mode 100644
index 0000000000..f32edc5a82
--- /dev/null
+++ b/inventory/group_vars/dns
@@ -0,0 +1,16 @@
+---
+# Define resources for this group of hosts here.
+lvm_size: 30000
+mem_size: 2048
+num_cpus: 2
+
+# for systems that do not match the above - specify the same parameter in
+# the host_vars/$hostname file
+
+udp_ports: [ 53 ]
+tcp_ports: [ 53 ]
+
+fas_client_groups: sysadmin-main,sysadmin-dns
+
+nrpe_procs_warn: 300
+nrpe_procs_crit: 500
diff --git a/inventory/host_vars/ns-osu01.fedoraproject.org b/inventory/host_vars/ns-osu01.fedoraproject.org
new file mode 100644
index 0000000000..2607212ccb
--- /dev/null
+++ b/inventory/host_vars/ns-osu01.fedoraproject.org
@@ -0,0 +1,14 @@
+---
+nm: 255.255.255.128
+gw: 140.211.169.193
+dns: 140.211.166.130
+
+volgroup: /dev/vg_guests
+
+eth0_ip: 140.211.169.203
+ansible_ssh_host: ns-osu01.fedoraproject.org
+
+postfix_group: vpn
+
+vmhost: osuosl03.fedoraproject.org
+datacenter: osuosl
diff --git a/inventory/inventory b/inventory/inventory
index b57ba8c3c1..74998deed7 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -358,6 +358,7 @@ ns03.phx2.fedoraproject.org
 ns04.phx2.fedoraproject.org
 ns05.fedoraproject.org
 ns-sb01.fedoraproject.org
+ns-osu01.fedoraproject.org
 
 [packages]
 packages03.phx2.fedoraproject.org
diff --git a/playbooks/groups/dns.yml b/playbooks/groups/dns.yml
new file mode 100644
index 0000000000..ca37eac2b0
--- /dev/null
+++ b/playbooks/groups/dns.yml
@@ -0,0 +1,51 @@
+# create a new fas server
+#
+#
+
+- name: make dns server
+ hosts: ns-osu01.fedoraproject.org
+ user: root
+ gather_facts: False
+ accelerate: "{{ accelerated }}"
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "{{ private }}/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - include: "{{ tasks }}/virt_instance_create.yml"
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
+
+- name: make the box be real
+ hosts: ns-osu01.fedoraproject.org
+ user: root
+ gather_facts: True
+ accelerate: "{{ accelerated }}"
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "{{ private }}/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ - hosts
+ - rkhunter
+ - denyhosts
+ - nagios_client
+ - fas_client
+ - collectd/base
+ - rsyncd
+ - sudo
+ - dns
+
+ tasks:
+ - include: "{{ tasks }}/yumrepos.yml"
+ - include: "{{ tasks }}/2fa_client.yml"
+ - include: "{{ tasks }}/motd.yml"
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
diff --git a/roles/dns/files/GeoIP.sh b/roles/dns/files/GeoIP.sh
new file mode 100755
index 0000000000..f728ee25ef
--- /dev/null
+++ b/roles/dns/files/GeoIP.sh
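Review bot: The header comment `# create a new fas server` on the first line is a copy-paste leftover from another group playbook; both plays build a nameserver, so it should read `# create a new dns server`. Both plays also target the literal host `ns-osu01.fedoraproject.org` while the same commit adds group-level settings in `inventory/group_vars/dns` and puts the host into a group in the inventory hunk (presumably the dns group, whose header is outside the hunk); if this playbook is meant to manage that group, `hosts: dns` keeps the two in step and makes the next nameserver an inventory-only change. If single-host targeting is intentional during bring-up, a one-line comment saying so would stop the next reader from "fixing" it.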
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# This copyrighted material is made available to anyone wishing to use, modify,
+# copy, or redistribute it subject to the terms and conditions of the GNU
+# General Public License v.2. This program is distributed in the hope that it
+# will be useful, but WITHOUT ANY WARRANTY expressed or implied, including the
+# implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU General Public License for more details. You should have
+# received a copy of the GNU General Public License along with this program;
+# if not, write to the Free Software Foundation, Inc., 51 Franklin Street,
+# Fifth Floor, Boston, MA 02110-1301, USA.
+
+[ -f GeoIPCountryCSV.zip ] || wget -q -T 5 -t 1 http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
+unzip -q GeoIPCountryCSV.zip || exit 1
+
+awk -F \" '{print $10","$6","$8}' GeoIPCountryWhois.csv > cbe.csv
+rm -f GeoIPCountryWhois.csv
+
+(for c in $(awk -F , '{print $1}' cbe.csv | sort -u)
+do
+ echo "acl \"$c\" {"
+ grep "^$c," cbe.csv | awk -F , 'function s(b,e,l,m,n) {l = int(log(e-b+1)/log(2)); m = 2^32-2^l; n = and(m,e); if (n == and(m,b)) printf "\t%u.%u.%u.%u/%u;\n",b/2^24%256,b/2^16%256,b/2^8%256,b%256,32-l; else {s(b,n-1); s(n,e)}} s($2,$3)'
+ echo -e "};\n"
+done) > etc/GeoIP.acl
+
+rm -f cbe.csv
+
+/etc/init.d/named reload > /dev/null
+
+exit 0
+
diff --git a/roles/dns/files/logrotate-named b/roles/dns/files/logrotate-named
new file mode 100644
index 0000000000..7e78e18ce3
--- /dev/null
+++ b/roles/dns/files/logrotate-named
@@ -0,0 +1,7 @@
+/var/named/chroot/log/named.log {
+ missingok
+ create 0644 named named
+ postrotate
+ /sbin/service named reload 2> /dev/null > /dev/null || true
+ endscript
+}
diff --git a/roles/dns/files/named b/roles/dns/files/named
new file mode 100644
index 0000000000..82e6b6b618
--- /dev/null
+++ b/roles/dns/files/named
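Review bot: Every path in the script is relative — `GeoIPCountryCSV.zip`, `cbe.csv`, `etc/GeoIP.acl` — so it only works when the current directory is `/var/named/chroot`, yet the `create GeoIP acl` task in `roles/dns/tasks/main.yml` runs `/var/named/chroot/GeoIP.sh` with no `chdir`, so the redirect into `etc/GeoIP.acl` fails from whatever directory the task starts in and the task's `creates:` guard is never satisfied. Put `cd "$(dirname "$0")" || exit 1` right after the shebang (or `chdir: /var/named/chroot` under the task's `args`). Because named.conf does `include "etc/GeoIP.acl";` unconditionally, a failed fetch (`wget -q -T 5 -t 1` over plain `http://`, with no checksum of the archive) leaves the ACL file absent and named unable to start, and a tampered archive would silently become the server's GeoDNS view selection; that may be an accepted risk for this data, but a comment on the wget line should record it. The trailing `/etc/init.d/named reload` is also redundant with the task's `notify: restart named`, so first runs reload named twice.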
@@ -0,0 +1,7 @@
+# Currently, you can use the following options:
+# ROOTDIR="/some/where" -- will run named in a chroot environment.
+# you must set up the chroot environment before
+# doing this.
+# OPTIONS="whatever" -- These additional options will be passed to named
+# at startup. Don't add -t here, use ROOTDIR instead.
+ROOTDIR=/var/named/chroot
diff --git a/roles/dns/files/named.ca b/roles/dns/files/named.ca
new file mode 100644
index 0000000000..37b1a5879a
--- /dev/null
+++ b/roles/dns/files/named.ca
@@ -0,0 +1,85 @@
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . "
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: Feb 04, 2008
+; related version of root zone: 2008020400
+;
+; formerly NS.INTERNIC.NET
+;
+. 3600000 IN NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
+;
+; formerly NS1.ISI.EDU
+;
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
+;
+; formerly C.PSI.NET
+;
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+;
+; formerly TERP.UMD.EDU
+;
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
+;
+; formerly NS.NASA.GOV
+;
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+;
+; formerly NS.ISC.ORG
+;
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
+;
+; formerly NS.NIC.DDN.MIL
+;
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+;
+; formerly AOS.ARL.ARMY.MIL
+;
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
+H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803f:235
+;
+; formerly NIC.NORDU.NET
+;
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+;
+; operated by VeriSign, Inc.
+;
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
+;
+; operated by RIPE NCC
+;
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
+;
+; operated by ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+;
+; operated by WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
+; End of File
diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf
new file mode 100644
index 0000000000..532af9c643
--- /dev/null
+++ b/roles/dns/files/named.conf
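Review bot: The hint file is dated `last update: Feb 04, 2008` and is installed as a static copy into `cache/named.ca` with nothing in the role to refresh it; root server addresses have changed since then (D.ROOT-SERVERS.NET, for one, moved in 2013), so the set of valid hints shrinks over time. A stale entry costs only a failed priming query as long as at least one entry is still correct, but a comment recording where the file came from and when it should be refreshed — or fetching the current root hints as part of the role — would keep this from being forgotten.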
@@ -0,0 +1,278 @@
+// named.conf file for ns-master.fedoraproject.org
+// located in /var/named/chroot/etc/named.conf
+// By: Elliot Lee
+// 2005/12/21 for fedoraproject.org
+// Based on the same file for ns-master.gnome.org
+// By: Matthew Galgoci
+// 2003/10/13 for gnome.org
+//
+
+// Setup for GeoDNS
+include "etc/GeoIP.acl";
+
+key "rndckey" {
+ algorithm hmac-md5;
+ secret "41x7Lj4MEobl58VDDK97ItQTGQq7MlahOcmlTYpxTDnS0ALgBaYWXg5KbnBp";
+};
+// dns1.j2solutions.net - run by Jesse Keating
+acl "slaves" { 209.124.61.35; };
+//
+acl "everyone-v4" { 0.0.0.0/0; };
+acl "everyone-v6" { ::0/0; };
+acl "everyone" { 0.0.0.0/0; ::0/0; };
+//
+acl "ns_redhat" { 66.187.233.210; 209.132.183.2; 66.187.229.10; };
+//
+acl "phx2net" { 10.4.124.128/25; 10.5.78.0/24; 10.5.79.0/24; 10.5.125.0/24; 10.5.126.0/24; 10.5.127.0/24; };
+acl "rh-slaves" { 172.16.52.28; 10.11.255.27; 10.11.255.3; };
+acl "rh" { 10.0.0.0/8; };
+//
+options {
+ directory "/";
+ auth-nxdomain yes;
+ allow-query { everyone; };
+ dnssec-enable yes;
+ query-source address * port *;
+ query-source-v6 address * port *;
+ allow-transfer { localhost; slaves; rh-slaves; rh;};
+ transfer-source * port 53;
+ pid-file "var/run/named/named.pid";
+ statistics-file "log/named.stats";
+ provide-ixfr no;
+
+ version "cowbell++";
+ listen-on port 53 {
+ everyone-v4;
+ };
+ listen-on-v6 port 53 {
+ everyone-v6;
+ };
+ notify yes;
+ minimal-responses yes;
+ // internal nameservers shouldn't ratelimit
+ // rate-limit requests
+ //rate-limit {
+ // responses-per-second 25;
+ // window 5;
+ //};
+};
+//
+logging {
+ channel "normal" {
+ syslog;
+ severity info;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ };
+ category "default" { "normal"; };
+ category "general" { "normal"; };
+ category "database" { "null"; };
+ category "security" { "normal"; };
+ category "config" { "normal"; };
+ category "resolver" { "normal"; };
+ category "xfer-in" { "normal"; };
+ category "xfer-out" { "normal"; };
+ category "notify"
{ "normal"; };
+ category "client" { "null"; };
+ category "network" { "null"; };
+ category "update" { "normal"; };
+ category "queries" { "null"; };
+ category "dispatch" { "null"; };
+ category "dnssec" { "normal"; };
+ category "lame-servers" { "null"; };
+};
+//
+// Who can rndc our server (only localhost)...
+//
+controls {
+ inet 127.0.0.1 port 953 allow { localhost; } keys { rndckey; };
+};
+
+view "PHX2" {
+ match-clients { 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; };
+ allow-recursion { localhost; phx2net; rh-slaves; rh; };
+ recursion yes;
+ # make sure we forward only for redhat.com lookups
+ zone "redhat.com" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ # also, we need to forward some jboss.org for fuse-fabric/bugzilla2fedmsg
+ zone "jboss.org" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "88.5.10.in-addr.arpa" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "4.10.in-addr.arpa" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "5.10.in-addr.arpa" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "10.in-addr.arpa" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "186.132.209.in-addr.arpa."
{
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "qa.fedoraproject.org" {
+ type master;
+ file "master/qa.fedoraproject.org";
+ };
+
+ zone "phx2.fedoraproject.org" {
+ type master;
+ file "master/phx2.fedoraproject.org";
+ };
+
+ zone "mgmt.fedoraproject.org" {
+ type master;
+ file "master/mgmt.fedoraproject.org";
+ };
+
+ zone "arm.fedoraproject.org" {
+ type master;
+ file "master/arm.fedoraproject.org";
+ };
+
+ zone "78.5.10.in-addr.arpa" {
+ type master;
+ file "master/78.5.10.in-addr.arpa";
+ };
+
+ zone "79.5.10.in-addr.arpa" {
+ type master;
+ file "master/79.5.10.in-addr.arpa";
+ };
+
+ zone "124.5.10.in-addr.arpa" {
+ type master;
+ file "master/124.5.10.in-addr.arpa";
+ };
+
+ zone "125.5.10.in-addr.arpa" {
+ type master;
+ file "master/125.5.10.in-addr.arpa";
+ };
+
+ zone "126.5.10.in-addr.arpa" {
+ type master;
+ file "master/126.5.10.in-addr.arpa";
+ };
+
+ zone "127.5.10.in-addr.arpa" {
+ type master;
+ file "master/127.5.10.in-addr.arpa";
+ };
+
+ zone "128.5.10.in-addr.arpa" {
+ type master;
+ file "master/128.5.10.in-addr.arpa";
+ };
+
+ zone "130.5.10.in-addr.arpa" {
+ type master;
+ file "master/130.5.10.in-addr.arpa";
+ };
+
+ zone "131.5.10.in-addr.arpa" {
+ type master;
+ file "master/131.5.10.in-addr.arpa";
+ };
+
+
+ zone "fedoraproject.org" {
+ type master;
+ file "master/DEFAULT/fedoraproject.org.signed";
+ };
+
+ include "etc/zones.conf";
+};
+
+
+// The zones
+view "NA" {
+ match-clients { US; CA; MX; };
+ recursion no;
+ zone "fedoraproject.org" {
+ type master;
+ file "master/NA/fedoraproject.org.signed";
+ };
+ zone "cloud.fedoraproject.org" {
+ type master;
+ file "master/NA/cloud.fedoraproject.org.signed";
+ };
+ include "etc/zones.conf";
+};
+
+view "GB" {
+ match-clients { GB; IE; IS; NO; };
+ recursion no;
+ zone "fedoraproject.org" {
+ type master;
+ file "master/GB/fedoraproject.org.signed";
+ };
+ zone "cloud.fedoraproject.org" {
+ type master;
+ file
"master/GB/cloud.fedoraproject.org.signed";
+ };
+ include "etc/zones.conf";
+};
+
+
+// This is not "EU" countries, I just wanted a short way to represent Europe.
+view "EU" {
+ match-clients { AT; BE; BG; CY; CZ; DE; DK; EE; ES; FI; FR; GR; HU; IT; LT; LU; LV; MT; NL; PL; PT; RO; RU; SE; UA; };
+ recursion no;
+ zone "fedoraproject.org" {
+ type master;
+ file "master/EU/fedoraproject.org.signed";
+ };
+ zone "cloud.fedoraproject.org" {
+ type master;
+ file "master/EU/cloud.fedoraproject.org.signed";
+ };
+ include "etc/zones.conf";
+};
+
+
+view "DEFAULT" {
+ match-clients { any; };
+ recursion no;
+ zone "fedoraproject.org" {
+ type master;
+ file "master/DEFAULT/fedoraproject.org.signed";
+ };
+ zone "cloud.fedoraproject.org" {
+ type master;
+ file "master/DEFAULT/cloud.fedoraproject.org.signed";
+ };
+ include "etc/zones.conf";
+};
+
+// Enabling bind9 statistics on localhost for collectd
+statistics-channels {
+ inet 127.0.0.1 port 8053;
+};
diff --git a/roles/dns/files/rndc.conf b/roles/dns/files/rndc.conf
new file mode 100644
index 0000000000..ce30d3526c
--- /dev/null
+++ b/roles/dns/files/rndc.conf
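Review bot: The `key "rndckey"` block near the top of the file embeds the rndc HMAC secret literally, and `roles/dns/tasks/main.yml` installs this file with `mode=0644`, so the key that authorizes `rndc` control commands is both committed to the repository and readable by every local account inside the chroot (the `controls` stanza restricts use to localhost, which bounds the exposure but does not remove it). Since the file is already deployed through the `template` module, replace the literal with a variable from `{{ private }}/vars.yml` — e.g. `secret "{{ dns_rndc_secret }}";` (constructed name) — deploy it with `mode=0640 owner=root group=named`, and treat the current value as disclosed and rotate it; `rndc.conf` in this same commit already reads its copy from `/etc/rndc.key`, so that file can be the single source for both. Separately, `allow-query { everyone; }` together with `allow-transfer { localhost; slaves; rh-slaves; rh; }`, where `rh` is all of 10.0.0.0/8, is carried over from the ns-master config the header says this is based on; on a host in osuosl that scope deserves a one-line comment confirming it is intended. `hmac-md5` is also the weakest algorithm BIND accepts for control keys; `hmac-sha256` works on any BIND 9.5 or later.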
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rndc.conf,v 1.1 2007/03/21 18:40:16 mmcgrath Exp $ */
+
+/*
+ * Sample rndc configuration file.
+ */
+
+options {
+ default-server localhost;
+ default-key "rndckey";
+};
+
+server localhost {
+ key "rndckey";
+};
+
+include "/etc/rndc.key";
+
diff --git a/roles/dns/files/update-dns b/roles/dns/files/update-dns
new file mode 100755
index 0000000000..8f40da3ce1
--- /dev/null
+++ b/roles/dns/files/update-dns
@@ -0,0 +1,34 @@
+#!/bin/bash
+tmpdir=`mktemp -d`
+dnsgit='https://infrastructure.fedoraproject.org/infra/dns.git'
+destdir='/var/named/chroot/master/'
+
+cd $tmpdir
+
+# clone the dnsgit repo
+git clone $dnsgit >> /dev/null
+if [ $? != 0 ]; then
+ echo "Error cloning dns git repo"
+ exit 1
+fi
+
+cd dns
+# diff the two dirs - if they are the same - do nothing
+diff -qurN built/ $destdir >>/dev/null
+if [ $? != 0 ]; then
+ # rsync our new files overtop of the destdir files
+ rsync -a -q --delete-after built/ $destdir
+ if [ $? != 0 ]; then
+ echo "Error rsyncing files overtop from git repo:: $tmpdir/dns/built"
+ exit 1
+ fi
+
+ # change context so the chroot can cope
+ chown -R named.named $destdir
+ chcon -u system_u $destdir/* $destdir/*/*
+ # reload named
+ /sbin/service named reload
+fi
+
+
+rm -rf $tmpdir
diff --git a/roles/dns/files/zones.conf b/roles/dns/files/zones.conf
new file mode 100644
index 0000000000..19b0ca7933
--- /dev/null
+++ b/roles/dns/files/zones.conf
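Review bot: `cd $tmpdir` on the sixth line is unchecked: if `mktemp -d` fails the variable is empty, the `cd` lands in `$HOME`, `git clone` drops a `dns` checkout there and the script carries on, and the closing `rm -rf $tmpdir` expands to `rm -rf` with no operand. Use `tmpdir=$(mktemp -d) || exit 1` and `cd "$tmpdir" || exit 1`, and quote `$tmpdir` and `$destdir` on the remaining lines. Whatever `built/` contains is then rsynced into the chroot's zone directory and named is reloaded with no check on the checkout itself (no commit or tag signature verification), so the TLS connection to the git host is the only thing standing between that repository and the zones this server answers with; that may be the intended trust model, but it should be recorded in a comment above the clone rather than left implicit.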
@@ -0,0 +1,249 @@
+zone "." {
+ type hint;
+ file "cache/named.ca";
+};
+zone "fedora.us" {
+ type master;
+ file "master/fedora.us.signed";
+};
+zone "fedora.my" {
+ type master;
+ file "master/fedora.my";
+};
+zone "fedora.com.my" {
+ type master;
+ file "master/fedora.com.my";
+};
+zone "fedora.pt" {
+ type master;
+ file "master/fedora.pt";
+};
+zone "fedoralinux.com" {
+ type master;
+ file "master/fedoralinux.com.signed";
+};
+zone "fedoralinux.net" {
+ type master;
+ file "master/fedoralinux.net.signed";
+};
+zone "fedoralinux.org" {
+ type master;
+ file "master/fedoralinux.org.signed";
+};
+zone "fedoramagazine.org" {
+ type master;
+ file "master/fedoramagazine.org.signed";
+};
+zone "fedoraproject.com" {
+ type master;
+ file "master/fedoraproject.com.signed";
+};
+zone "fedoraproject.com.my" {
+ type master;
+ file "master/fedoraproject.com.my";
+};
+zone "fedoraproject.su" {
+ type master;
+ file "master/fedoraproject.su";
+};
+
+zone "fedoraproject.net" {
+ type master;
+ file "master/fedoraproject.net.signed";
+};
+zone "fedoraproject.co.uk" {
+ type master;
+ file "master/fedoraproject.co.uk";
+};
+zone "fedorahosted.org" {
+ type master;
+ file "master/fedorahosted.org.signed";
+};
+//zone "fedoraproject.org" {
+// type master;
+// file "master/fedoraproject.org.signed";
+//};
+
+zone "vpn.fedoraproject.org" {
+ type master;
+ file "master/vpn.fedoraproject.org.signed";
+};
+
+zone "fedorapeople.org" {
+ type master;
+ file "master/fedorapeople.org.signed";
+};
+zone "fedoraproject.org.uk" {
+ type master;
+ file "master/fedoraproject.org.uk.signed";
+};
+zone "smolts.org" {
+ type master;
+ file "master/smolts.org.signed";
+};
+zone "fedoracommunity.org" {
+ type master;
+ file "master/fedoracommunity.org.signed";
+};
+zone "nspluginwrapper.org" {
+ type master;
+ file "master/nspluginwrapper.org.signed";
+};
+zone "k12linux.org" {
+ type master;
+ file "master/k12linux.org.signed";
+};
+zone "projectofedora.org" {
+ type master;
+ file
"master/projectofedora.org.signed";
+};
+zone "168.192.in-addr.arpa" {
+ type master;
+ file "master/168.192.in-addr.arpa.signed";
+};
+zone "2.203.67.in-addr.arpa" {
+ type master;
+ file "master/2.203.67.in-addr.arpa";
+};
+
+zone "184.132.209.in-addr.arpa" {
+ type master;
+ file "master/184.132.209.in-addr.arpa";
+};
+
+zone "192-255.169.211.140.in-addr.arpa" {
+ type master;
+ file "master/192-255.169.211.140.in-addr.arpa";
+};
+
+zone "port389.org" {
+ type master;
+ file "master/port389.org.signed";
+};
+
+zone "389tcp.org" {
+ type master;
+ file "master/389tcp.org.signed";
+};
+
+zone "fpaste.org" {
+ type master;
+ file "master/fpaste.org";
+};
+
+//
+// Zones added from registrar in 2011-12-15
+//
+
+zone "fedora-bd.org" {
+ type master;
+ file "master/fedora-bd.org";
+};
+zone "fedora.asia" {
+ type master;
+ file "master/fedora.asia";
+};
+zone "fedora.cr" {
+ type master;
+ file "master/fedora.cr";
+};
+zone "fedora.me" {
+ type master;
+ file "master/fedora.me";
+};
+zone "fedora.mobi" {
+ type master;
+ file "master/fedora.mobi";
+};
+zone "fedora.org.cn" {
+ type master;
+ file "master/fedora.org.cn";
+};
+zone "fedora.pe" {
+ type master;
+ file "master/fedora.pe";
+};
+zone "fedora.tk" {
+ type master;
+ file "master/fedora.tk";
+};
+zone "fedora.xxx" {
+ type master;
+ file "master/fedora.xxx";
+};
+zone "fedoramirror.net" {
+ type master;
+ file "master/fedoramirror.net";
+};
+zone "fedoraproject.asia" {
+ type master;
+ file "master/fedoraproject.asia";
+};
+zone "fedoraproject.cn" {
+ type master;
+ file "master/fedoraproject.cn";
+};
+zone "fedoraproject.com.cn" {
+ type master;
+ file "master/fedoraproject.com.cn";
+};
+zone "fedoraproject.com.gr" {
+ type master;
+ file "master/fedoraproject.com.gr";
+};
+zone "fedoraproject.cz" {
+ type master;
+ file "master/fedoraproject.cz";
+};
+zone "fedoraproject.eu" {
+ type master;
+ file "master/fedoraproject.eu";
+};
+zone "fedoraproject.gr" {
+ type master;
+ file "master/fedoraproject.gr";
+};
+zone "fedoraproject.my" {
+ type master;
+ file "master/fedoraproject.my";
+};
+zone "fedoraproject.net.cn" {
+ type master;
+ file "master/fedoraproject.net.cn";
+};
+zone "fedoraproject.pe" {
+ type master;
+ file "master/fedoraproject.pe";
+};
+zone "fedoraproject.xxx" {
+ type master;
+ file "master/fedoraproject.xxx";
+};
+zone "fedorasucks.com" {
+ type master;
+ file "master/fedorasucks.com";
+};
+zone "firewalld.org" {
+ type master;
+ file "master/firewalld.org";
+};
+zone "spreadfedora.com" {
+ type master;
+ file "master/spreadfedora.com";
+};
+zone "flocktofedora.com" {
+ type master;
+ file "master/flocktofedora.com";
+};
+zone "flocktofedora.org" {
+ type master;
+ file "master/flocktofedora.org";
+};
+zone "flocktofedora.net" {
+ type master;
+ file "master/flocktofedora.net";
+};
+zone "release-monitoring.org" {
+ type master;
+ file "master/release-monitoring.org";
+};
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
new file mode 100644
index 0000000000..fab99fb557
--- /dev/null
+++ b/roles/dns/tasks/main.yml
@@ -0,0 +1,112 @@
+---
+- name: install packages
+ yum: name={{ item }} state=present
+ with_items:
+ - bind
+ - unzip
+ - git
+ tags:
+ - packages
+
+- name: create directories
+ file: path=/var/named/chroot/{{ item }} state=directory owner=named group=named mode=0755
+ with_items:
+ - ""
+ - "etc"
+ - "etc/named"
+ - "cache"
+ - "dev"
+ - "log"
+ - "var"
+ - "usr"
+ - "usr/lib"
+ - "usr/lib/bind"
+ - "var/named"
+ - "var/run"
+ - "var/run/named"
+ - "master"
+
+- name: create chroot random
+ command: /bin/mknod /var/named/chroot/dev/random c 1 8
+ args:
+ creates: /var/named/chroot/dev/random
+
+- name: create chroot null
+ command: /bin/mknod /var/named/chroot/dev/null c 1 3
+ args:
+ creates: /var/named/chroot/dev/null
+
+- name: create chroot zero
+ command: /bin/mknod /var/named/chroot/dev/zero c 1 5
+ args:
+ creates: /var/named/chroot/dev/zero
+
+- name: copy rndc config
+ copy: src={{ item}} dest=/etc/
+ with_items:
+ - rndc.conf
+ - rndc.key
+ notify:
+ - restart named
+ tags:
+ - config
+
+- name: copy named cache
+ copy: src=named.ca dest=/var/named/chroot/cache/named.ca
+ notify:
+ - restart named
+ tags:
+ - config
+
+- name: copy named sysconfig
+ copy: src=named dest=/etc/sysconfig/named mode=0644 owner=root group=root
+ notify:
+ - restart named
+ tags:
+ - config
+
+- name: copy GeoIP.sh
+ copy: src=GeoIP.sh dest=/var/named/chroot/GeoIP.sh mode=0755
+ notify:
+ - create GeoIP acl
+ - restart named
+ tags:
+ - config
+
+- name: create GeoIP acl
+ command: /var/named/chroot/GeoIP.sh
+ args:
+ creates: /var/named/chroot/etc/GeoIP.acl
+ notify:
+ - restart named
+
+- name: copy update-dns
+ copy: src=update-dns dest=/usr/local/bin/update-dns mode=0755
+ notify:
+ - restart named
+ tags:
+ - config
+
+- name: copy zones
+ copy: src=zones.conf dest=/var/named/chroot/etc/zones.conf owner=root group=root mode=0644
+ notify:
+ - restart named
+ tags:
+ - config
+
+- name: copy named config
+ template: src=named.conf dest=/var/named/chroot/etc/named.conf
mode=0644 owner=root group=root
+ notify:
+ - restart named
+ tags:
+ - config
+
+- name: update dns
+ command: /usr/local/bin/update-dns
+ notify:
+ - restart named
+ tags:
+ - config
+
+- name: named service
+ service: name=named state=started enabled=yes
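Review bot: The `copy rndc config` task copies `rndc.key` from the role's `files/` directory, but no `roles/dns/files/rndc.key` is added in this commit, so the task fails on a fresh checkout unless the file exists untracked on the control host; if it was left out deliberately because it holds the control-channel secret, source it from `{{ private }}` so the role is reproducible. That task also sets no `mode`, `owner` or `group`, so `/etc/rndc.key` is created with the umask default (typically world-readable); give the key its own task with `mode=0640 owner=root group=named`. `copy named config` uses `template: src=named.conf` while the file is added under `roles/dns/files/`, and the template module looks under `roles/dns/templates/` rather than `files/` as far as I know, so confirm this resolves on the Ansible version in use or move the file; likewise `copy GeoIP.sh` notifies `create GeoIP acl`, which is a task here rather than a handler, so that notification is either an error or silently ignored depending on the version. `update dns` runs `/usr/local/bin/update-dns` on every play and always reports changed and notifies a restart; a `changed_when:` keyed on the script's output would make the play idempotent.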