Added key directroy customization #73

Merged
merged 1 commit into from
Aug 21, 2023
1 change: 1 addition & 0 deletions defaults/main.yml
Expand Up @@ -137,4 +137,5 @@ bind9_log_categories:

bind9_generate_ddns_key: true
bind9_zonedir: /etc/bind/zones
bind9_keydir: /etc/bind/keys
bind9_local_keydir: files/bind/zones
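Review bot: Only one line of this hunk is new (the section reports 1 addition), but neither `bind9_keydir` nor `bind9_local_keydir` carries a comment saying which side of the connection each path lives on, and nothing in this PR's visible tasks/main.yml hunks references `bind9_local_keydir` — the two copy tasks there still use the literal `bind/zones/` source prefix. If `bind9_local_keydir` is meant to drive those `src:` values the copy tasks need updating; if it is consumed elsewhere in the role, a comment pointing there would save the next reader the search. Suggested comments: `# Directory on the managed host holding DDNS/DNSSEC key files; also rendered as named's key-directory when bind9_dnssec is set` above `bind9_keydir`, and `# Local path the DDNS key files are copied from — confirm against the task that consumes it` above `bind9_local_keydir`. The surrounding mapping continues above the hunk.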
16 changes: 8 additions & 8 deletions tasks/main.yml
Expand Up @@ -100,7 +100,7 @@

- name: Create bind9 directory for keys
ansible.builtin.file:
path: /etc/bind/keys
path: "{{ bind9_keydir }}"
state: directory
owner: "{{ bind9_user }}"
group: "{{ bind9_group }}"
Expand All @@ -114,7 +114,7 @@
- name: Copy over DDNS keys for zones with update_keyfile
ansible.builtin.copy:
src: bind/zones/{{ item.update_keyfile }}.key
dest: /etc/bind/keys/{{ item.update_keyfile }}.key
dest: "{{ bind9_keydir }}/{{ item.update_keyfile }}.key"
owner: "{{ bind9_user }}"
group: "{{ bind9_group }}"
mode: "0644"
Expand All @@ -128,7 +128,7 @@
- name: Copy over DDNS private keys for zones with update_keyfile
ansible.builtin.copy:
src: bind/zones/{{ item.update_keyfile }}.private
dest: /etc/bind/keys/{{ item.update_keyfile }}.private
dest: "{{ bind9_keydir }}/{{ item.update_keyfile }}.private"
owner: "{{ bind9_user }}"
group: "{{ bind9_group }}"
mode: "0600"
Expand All @@ -142,7 +142,7 @@
# TODO: DNSSEC: implement key rollover
- name: Determine if DNSSEC keys for zones already exist
ansible.builtin.find:
paths: /etc/bind/keys
paths: "{{ bind9_keydir }}"
patterns: "K{{ item.name }}.+008+*"
register: bind9_reg_dnssec_keys_tmp
with_items:
Expand All @@ -162,7 +162,7 @@
- name: Generate bind9 key signing keys for zones
ansible.builtin.command: dnssec-keygen -a RSASHA256 -b 4096 -n ZONE -f KSK {{ item.item.name }}
args:
chdir: /etc/bind/keys
chdir: "{{ bind9_keydir }}"
register: bind9_reg_keygen_ksk
changed_when: bind9_reg_keygen_ksk.rc != 0
become: true
Expand All @@ -180,7 +180,7 @@
- name: Generate bind9 zone signing keys for zones
ansible.builtin.command: dnssec-keygen -a RSASHA256 -b 2048 -n ZONE {{ item.item.name }}
args:
chdir: /etc/bind/keys
chdir: "{{ bind9_keydir }}"
register: bind9_reg_keygen_zsk
changed_when: bind9_reg_keygen_zsk.rc != 0
become: true
Expand All @@ -196,7 +196,7 @@
- role:bind9:dnssec

- name: Read in key signing keys from key files (DNSKEY)
ansible.builtin.command: "grep 'IN DNSKEY' /etc/bind/keys/{{ item.stdout }}.key"
ansible.builtin.command: "grep 'IN DNSKEY' {{ bind9_keydir }}/{{ item.stdout }}.key"
register: bind9_reg_ksk
changed_when: false
with_items: "{{ bind9_reg_keygen_ksk.results }}"
Expand All @@ -208,7 +208,7 @@
- role:bind9:dnssec

- name: Generate DS records from key signing keys
ansible.builtin.command: "dnssec-dsfromkey -2 /etc/bind/keys/{{ item.stdout }}.key"
ansible.builtin.command: "dnssec-dsfromkey -2 {{ bind9_keydir }}/{{ item.stdout }}.key"
register: bind9_reg_ksk_ds
changed_when: false
with_items: "{{ bind9_reg_keygen_ksk.results }}"
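Review bot: In the "Read in key signing keys from key files (DNSKEY)" and "Generate DS records from key signing keys" tasks, `{{ bind9_keydir }}` is substituted unquoted into a free-form `ansible.builtin.command` string, so a key directory path containing whitespace is split into several arguments by the module's shlex-style parsing and `grep`/`dnssec-dsfromkey` are handed the wrong file names; the `path:`/`dest:`/`paths:`/`chdir:` uses in the other hunks are single YAML values and do not have this problem. Single-quote the rendered path inside the command string: `ansible.builtin.command: "grep 'IN DNSKEY' '{{ bind9_keydir }}/{{ item.stdout }}.key'"` and `ansible.builtin.command: "dnssec-dsfromkey -2 '{{ bind9_keydir }}/{{ item.stdout }}.key'"`. Now that the directory is operator-configurable and the KSK/ZSK private keys are generated straight into it via `chdir`, it is also worth confirming that the "Create bind9 directory for keys" task sets a restrictive `mode` — that line falls outside the first hunk, so I cannot verify it from here. Every hunk in this section cuts a task whose remaining keys lie outside the shown lines.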
2 changes: 1 addition & 1 deletion templates/bind/named.conf.options.j2
Expand Up @@ -51,7 +51,7 @@ options {
{% if bind9_dnssec|default() %}

// Look here for DNSSEC keys
key-directory "/etc/bind/keys";
key-directory "{{ bind9_keydir }}";
{% endif %}
};

4 changes: 2 additions & 2 deletions templates/bind/zones/db.template.j2
Expand Up @@ -12,7 +12,7 @@
mx_records:
- priority: 10
name: mx1.example.org.
caa_records:
caa_records:
- 0 issue "example-ca.org"
rrs:
- label: subdomain
Expand All @@ -22,7 +22,7 @@
;; {{ ansible_managed }}
$ORIGIN .
{# Default TTL of zone records. `negative_ttl` is a deprecated name of this variable. #}
$TTL {{ zone.default_ttl|default(zone.negative_ttl|default('3600')) }} ; 1 hour.
$TTL {{ zone.default_ttl|default(zone.negative_ttl|default('3600')) }} ; 1 hour.
{# We first deal in detail with SOA and NS, which are requiered, and root zone registers
Empezamos detallando el SOA y NS, que son indispensables, y registros de raíz de zona #}
{{ zone.name }} IN SOA {{ zone.primary|default(zone.ns_records.0) }}. {{ zone.admin|default(bind9_admin) }}. (