From 8fd018e7ec446881ed128e2c93a58e1f9659ea41 Mon Sep 17 00:00:00 2001
From: guillaume pernot
Date: Sun, 20 Aug 2023 15:48:33 +0200
Subject: [PATCH] Added key directroy customization
Closes #72
---
 defaults/main.yml | 1 +
 tasks/main.yml | 16 ++++++++--------
 templates/bind/named.conf.options.j2 | 2 +-
 templates/bind/zones/db.template.j2 | 4 ++--
 4 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index f25479d..ffa82ed 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -137,4 +137,5 @@ bind9_log_categories:
 bind9_generate_ddns_key: true
 bind9_zonedir: /etc/bind/zones
+bind9_keydir: /etc/bind/keys
 bind9_local_keydir: files/bind/zones
diff --git a/tasks/main.yml b/tasks/main.yml
index 19c383a..f54e0fa 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -100,7 +100,7 @@
 - name: Create bind9 directory for keys
 ansible.builtin.file:
- path: /etc/bind/keys
+ path: "{{ bind9_keydir }}"
 state: directory
 owner: "{{ bind9_user }}"
 group: "{{ bind9_group }}"
@@ -114,7 +114,7 @@
 - name: Copy over DDNS keys for zones with update_keyfile
 ansible.builtin.copy:
 src: bind/zones/{{ item.update_keyfile }}.key
- dest: /etc/bind/keys/{{ item.update_keyfile }}.key
+ dest: "{{ bind9_keydir }}/{{ item.update_keyfile }}.key"
 owner: "{{ bind9_user }}"
 group: "{{ bind9_group }}"
 mode: "0644"
@@ -128,7 +128,7 @@
 - name: Copy over DDNS private keys for zones with update_keyfile
 ansible.builtin.copy:
 src: bind/zones/{{ item.update_keyfile }}.private
- dest: /etc/bind/keys/{{ item.update_keyfile }}.private
+ dest: "{{ bind9_keydir }}/{{ item.update_keyfile }}.private"
 owner: "{{ bind9_user }}"
 group: "{{ bind9_group }}"
 mode: "0600"
@@ -142,7 +142,7 @@
 # TODO: DNSSEC: implement key rollover
 - name: Determine if DNSSEC keys for zones already exist
 ansible.builtin.find:
- paths: /etc/bind/keys
+ paths: "{{ bind9_keydir }}"
 patterns: "K{{ item.name }}.+008+*"
 register: bind9_reg_dnssec_keys_tmp
 with_items: 
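Review bot: The new `bind9_keydir` default in defaults/main.yml carries no comment, although the neighbouring defaults mix a server-side path (`bind9_zonedir`) with a controller-side one (`bind9_local_keydir`), and this variable is both the destination of the copied DDNS key files and, per the named.conf.options.j2 hunk, the value rendered as named's `key-directory`. A one-line comment above it would remove the ambiguity, e.g. `# Directory on the managed host holding DDNS/DNSSEC key material; also rendered as key-directory in named.conf.options`. If named runs confined by AppArmor (the Debian packaging ships a profile for it), a key directory outside the paths that profile permits will be unreadable by the daemon even though the role creates it with `bind9_user` ownership, which is worth stating in the same comment or in the README, which the commit does not touch.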
@@ -162,7 +162,7 @@
 - name: Generate bind9 key signing keys for zones
 ansible.builtin.command: dnssec-keygen -a RSASHA256 -b 4096 -n ZONE -f KSK {{ item.item.name }}
 args:
- chdir: /etc/bind/keys
+ chdir: "{{ bind9_keydir }}"
 register: bind9_reg_keygen_ksk
 changed_when: bind9_reg_keygen_ksk.rc != 0
 become: true
@@ -180,7 +180,7 @@
 - name: Generate bind9 zone signing keys for zones
 ansible.builtin.command: dnssec-keygen -a RSASHA256 -b 2048 -n ZONE {{ item.item.name }}
 args:
- chdir: /etc/bind/keys
+ chdir: "{{ bind9_keydir }}"
 register: bind9_reg_keygen_zsk
 changed_when: bind9_reg_keygen_zsk.rc != 0
 become: true
@@ -196,7 +196,7 @@
 - role:bind9:dnssec
 - name: Read in key signing keys from key files (DNSKEY)
- ansible.builtin.command: "grep 'IN DNSKEY' /etc/bind/keys/{{ item.stdout }}.key"
+ ansible.builtin.command: "grep 'IN DNSKEY' {{ bind9_keydir }}/{{ item.stdout }}.key"
 register: bind9_reg_ksk
 changed_when: false
 with_items: "{{ bind9_reg_keygen_ksk.results }}"
@@ -208,7 +208,7 @@
 - role:bind9:dnssec
 - name: Generate DS records from key signing keys
- ansible.builtin.command: "dnssec-dsfromkey -2 /etc/bind/keys/{{ item.stdout }}.key"
+ ansible.builtin.command: "dnssec-dsfromkey -2 {{ bind9_keydir }}/{{ item.stdout }}.key"
 register: bind9_reg_ksk_ds
 changed_when: false
 with_items: "{{ bind9_reg_keygen_ksk.results }}"
diff --git a/templates/bind/named.conf.options.j2 b/templates/bind/named.conf.options.j2
index 64f90eb..f83bbc1 100644
--- a/templates/bind/named.conf.options.j2
+++ b/templates/bind/named.conf.options.j2
@@ -51,7 +51,7 @@ options {
 {% if bind9_dnssec|default() %}
 // Look here for DNSSEC keys
- key-directory "/etc/bind/keys";
+ key-directory "{{ bind9_keydir }}";
 {% endif %}
 };
diff --git a/templates/bind/zones/db.template.j2 b/templates/bind/zones/db.template.j2
index 05082dc..7bf912f 100644
--- a/templates/bind/zones/db.template.j2
+++ b/templates/bind/zones/db.template.j2 
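Review bot: In the `ansible.builtin.command` line of the -196 hunk the key directory is now a user-supplied variable spliced unquoted into a free-form command string, which Ansible splits shlex-style before execution; a `bind9_keydir` containing whitespace would therefore be broken into several arguments, something the former fixed path could never do. The `dnssec-dsfromkey` line in the -208 hunk has the same issue. Passing the assembled path through the `quote` filter keeps it a single argument, `ansible.builtin.command: "grep 'IN DNSKEY' {{ (bind9_keydir ~ '/' ~ item.stdout ~ '.key') | quote }}"` (and likewise for `dnssec-dsfromkey -2`), or both tasks could use the `argv:` form instead of a free-form string. The `chdir:` and `paths:` uses in the other hunks are module parameters and are not affected.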
@@ -12,7 +12,7 @@ mx_records: - priority: 10 name: mx1.example.org. - caa_records: + caa_records: - 0 issue "example-ca.org" rrs: - label: subdomain @@ -22,7 +22,7 @@ ;; {{ ansible_managed }} $ORIGIN . {# Default TTL of zone records. `negative_ttl` is a deprecated name of this variable. #} -$TTL {{ zone.default_ttl|default(zone.negative_ttl|default('3600')) }} ; 1 hour. +$TTL {{ zone.default_ttl|default(zone.negative_ttl|default('3600')) }} ; 1 hour. {# We first deal in detail with SOA and NS, which are requiered, and root zone registers Empezamos detallando el SOA y NS, que son indispensables, y registros de raĆ­z de zona #} {{ zone.name }} IN SOA {{ zone.primary|default(zone.ns_records.0) }}. {{ zone.admin|default(bind9_admin) }}. (