diff --git a/bind/setup_dns.yml b/bind/setup_dns.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e5cc2507fd2cd485da24d1c3a099846ffea4e61e
--- /dev/null
+++ b/bind/setup_dns.yml
@@ -0,0 +1,115 @@
+---
+# Defining the remote server where the package will be deployed
+- name: "Setup DNS on machine"
+ hosts: dns
+ become: true
+ tasks:
+ - name: Install bind9
+ ansible.builtin.apt:
+ name:
+ - bind9
+ - bind9-utils
+ - bind9-doc
+ - bind9-dnsutils
+ state: present
+
+ - name: Get IPv4 address of br-fflux if connected to VPN
+ # ip addr show dev br-fflux primary scope global | sed -e's/^.*inet \([^ ]*\)\/.*$/\1/;t;d'
+ ansible.builtin.shell: ip -4 addr show dev br-fflux primary scope global | sed -e's/^.*inet \([^ ]*\)\/.*$/\1/;t;d'
+ register: ipv4_addr
+ changed_when: false
+ failed_when: ipv4_addr.stdout == ""
+ ignore_errors: true
+ - name: Get IPv6 address of br-fflux if connected to VPN
+ # ip addr show dev br-fflux primary scope global | sed -e's/^.*inet6 \([^ ]*\)\/.*$/\1/;t;d'
+ ansible.builtin.shell: ip -6 addr show dev br-fflux primary scope global | sed -e's/^.*inet6 \([^ ]*\)\/.*$/\1/;t;d'
+ register: ipv6_addr
+ changed_when: false
+ failed_when: ipv6_addr.stdout == ""
+ ignore_errors: true
+ when: not ipv4_addr.failed
+
+ - name: Copy bind9 files
+ ansible.builtin.copy:
+ src: "{{ server_config_dir }}/bind/{{ item }}"
+ dest: "/etc/bind/{{ item }}"
+ owner: root
+ group: root
+ mode: "0644"
+ loop:
+ - db.freifunk.lu
+ - named.conf
+ - named.local.conf
+ - name: Copy named.options.conf with template (IP for local resolving)
+ ansible.builtin.template:
+ src: "{{ server_config_dir }}/bind/named.options.conf.j2"
+ dest: "/etc/bind/named.options.conf"
+ owner: root
+ group: root
+ mode: "0644"
+
+ # We keep the content of default-zones, but we don't use the same name. We prefer "named.NAME.conf" instead of "named.conf.NAME"
+ - name: Check if default-zones has been moved
+ ansible.builtin.stat:
+ path: /etc/bind/named.conf.default-zones
+ register: default_zones
+ - name: Move default-zones
+ ansible.builtin.copy:
+ remote_src: true
+ src: /etc/bind/named.conf.default-zones
+ dest: /etc/bind/named.default-zones.conf
+ owner: root
+ group: root
+ mode: "0644"
+ when: default_zones.stat.exists
+ - name: Delete previous default-zones
+ ansible.builtin.file:
+ path: /etc/bind/named.conf.default-zones
+ state: absent
+ when: default_zones.stat.exists
+
+ - name: Delete default bind9 files
+ ansible.builtin.file:
+ path: /etc/bind/{{ item }}
+ state: absent
+ loop:
+ - named.conf.local
+ - named.conf.options
+
+ # Make sure nobody else binds to port 53
+ - name: Make sure systemd-resolved does not bind to port 53
+ ansible.builtin.lineinfile:
+ path: /etc/systemd/resolved.conf
+ regexp: '^#DNSStubListener=yes$'
+ line: 'DNSStubListener=no'
+ state: present
+ owner: root
+ group: root
+ mode: "0644"
+ failed_when: false # If the file doens't exist, it's not a problem
+ - name: Reload systemd-resolved
+ ansible.builtin.service:
+ name: systemd-resolved
+ state: reloaded
+ failed_when: false # If resolved doesn't exist, it's not a problem
+ - name: Make sure dnsmasq doesn't bind to port 53
+ ansible.builtin.lineinfile:
+ path: /etc/dnsmasq.conf
+ regexp: '^port=53$'
+ line: 'port=0'
+ state: present
+ owner: root
+ group: root
+ mode: "0644"
+ failed_when: false # If the file doens't exist, it's not a problem
+ - name: Reload dnsmasq
+ ansible.builtin.service:
+ name: dnsmasq
+ state: reloaded
+ failed_when: false # If dnsmasq doesn't exist, it's not a problem
+
+ - name: Enable and start bind9
+ ansible.builtin.service:
+ name: bind9
+ state: started
+ enabled: true
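Review bot: None of the tasks that write under /etc/bind (`Copy bind9 files`, `Copy named.options.conf with template`, `Move default-zones`) notifies a handler, and the only bind9 service task at the end of the play uses `state: started`, so on a host where named is already running a changed zone file or a changed named.options.conf (including any recursion/ACL tightening rendered from the template) never takes effect until some unrelated restart. Each of those tasks should carry `notify: Reload bind9`, backed by handlers that run `named-checkconf -z` before the reload so a syntax error in the pushed config fails the play instead of leaving the resolver down; the `validate:` option on copy/template would be the tighter fix if the individual fragments check cleanly on their own, which I cannot tell from here. Note that checking after the write still leaves a bad file on disk for the next reboot, so the handler deserves the comment `# A failed check stops the play; the bad file is still in place and must be fixed before the next restart`. Separately, the lineinfile regexps `'^#DNSStubListener=yes$'` and `'^port=53$'` only match the commented-out Debian defaults, so on a file that already sets either key explicitly the new line is appended rather than replacing it — `regexp: '^#?DNSStubListener='` and `regexp: '^#?port='` would cover both cases.

```yaml
    - name: Copy bind9 files
      ansible.builtin.copy:
        # … unchanged: src/dest/owner/group/mode/loop …
      notify: Reload bind9
    # … unchanged: remaining tasks (add the same notify to the template and Move default-zones tasks) …
  handlers:
    - name: Validate bind9 configuration and zones
      ansible.builtin.command: named-checkconf -z
      changed_when: false
      listen: Reload bind9
    - name: Reload bind9 service
      ansible.builtin.service:
        name: bind9
        state: reloaded
      listen: Reload bind9
```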