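---
# Installs bind9 on the hosts of the "dns" group and makes it the only
# service bound to port 53: the stub listeners of systemd-resolved and
# dnsmasq are switched off first, then bind9 is configured from
# "{{ server_config_dir }}/bind" and (re)started.
#
# Config changes are applied through handlers, so a running bind9 picks up
# new files and the other daemons are only restarted when their config
# actually changed.
- name: "Setup DNS on machine"
  hosts: dns
  become: true

  tasks:
    - name: Install bind9
      ansible.builtin.apt:
        name:
          - bind9
          - bind9-utils
          - bind9-doc
          - bind9-dnsutils
        state: present

    # Addresses on br-fflux only exist while the VPN is up. The result is
    # presumably consumed by the named.options.conf template below (not
    # shown here). An empty output marks the task as failed but does not
    # stop the play.
    - name: Get IPv4 address of br-fflux if connected to VPN
      # ip addr show dev br-fflux primary scope global | sed -e's/^.*inet \([^ ]*\)\/.*$/\1/;t;d'
      ansible.builtin.shell: ip -4 addr show dev br-fflux primary scope global | sed -e's/^.*inet \([^ ]*\)\/.*$/\1/;t;d'
      register: ipv4_addr
      changed_when: false
      failed_when: ipv4_addr.stdout == ""
      ignore_errors: true

    - name: Get IPv6 address of br-fflux if connected to VPN
      # ip addr show dev br-fflux primary scope global | sed -e's/^.*inet6 \([^ ]*\)\/.*$/\1/;t;d'
      ansible.builtin.shell: ip -6 addr show dev br-fflux primary scope global | sed -e's/^.*inet6 \([^ ]*\)\/.*$/\1/;t;d'
      register: ipv6_addr
      changed_when: false
      failed_when: ipv6_addr.stdout == ""
      ignore_errors: true
      when: not ipv4_addr.failed

    - name: Copy bind9 files
      ansible.builtin.copy:
        src: "{{ server_config_dir }}/bind/{{ item }}"
        dest: "/etc/bind/{{ item }}"
        owner: root
        group: root
        mode: "0644"
      loop:
        - db.freifunk.lu
        - named.conf
        - named.local.conf
      notify: Restart bind9

    - name: Copy named.options.conf with template (IP for local resolving)
      ansible.builtin.template:
        src: "{{ server_config_dir }}/bind/named.options.conf.j2"
        dest: "/etc/bind/named.options.conf"
        owner: root
        group: root
        mode: "0644"
      notify: Restart bind9

    # We keep the content of default-zones, but we don't use the same name.
    # We prefer "named.NAME.conf" instead of "named.conf.NAME".
    - name: Check if default-zones has been moved
      ansible.builtin.stat:
        path: /etc/bind/named.conf.default-zones
      register: default_zones

    - name: Move default-zones
      ansible.builtin.copy:
        remote_src: true
        src: /etc/bind/named.conf.default-zones
        dest: /etc/bind/named.default-zones.conf
        owner: root
        group: root
        mode: "0644"
      when: default_zones.stat.exists
      notify: Restart bind9

    - name: Delete previous default-zones
      ansible.builtin.file:
        path: /etc/bind/named.conf.default-zones
        state: absent
      when: default_zones.stat.exists

    - name: Delete default bind9 files
      ansible.builtin.file:
        path: "/etc/bind/{{ item }}"
        state: absent
      loop:
        - named.conf.local
        - named.conf.options

    # Parse the final configuration before any (re)start, so a broken file
    # fails the play with the parser's message instead of leaving the host
    # without a resolver. named-checkconf ships with bind9-utils (installed
    # above).
    - name: Validate bind9 configuration
      ansible.builtin.command: named-checkconf /etc/bind/named.conf
      changed_when: false

    # Make sure nobody else binds to port 53.
    # NOTE(review): once the stub listener is off, /etc/resolv.conf must not
    # point at 127.0.0.53 any more; this play does not take care of that.
    - name: Make sure systemd-resolved does not bind to port 53
      ansible.builtin.lineinfile:
        path: /etc/systemd/resolved.conf
        # Matches an explicit "DNSStubListener=yes" as well as the
        # commented-out default, so the setting is replaced in place
        # instead of being appended after an explicit "yes".
        regexp: '^#?DNSStubListener='
        line: 'DNSStubListener=no'
        state: present
        owner: root
        group: root
        mode: "0644"
      failed_when: false  # If the file doesn't exist, it's not a problem
      notify: Restart systemd-resolved

    - name: Make sure dnsmasq doesn't bind to port 53
      ansible.builtin.lineinfile:
        path: /etc/dnsmasq.conf
        regexp: '^port=53$'
        line: 'port=0'
        state: present
        owner: root
        group: root
        mode: "0644"
      failed_when: false  # If the file doesn't exist, it's not a problem
      notify: Restart dnsmasq

    # Run the pending restarts now, so that port 53 is free before bind9
    # is started below rather than only at the end of the play.
    - name: Apply pending service restarts
      ansible.builtin.meta: flush_handlers

    - name: Enable and start bind9
      ansible.builtin.service:
        name: bind9
        state: started
        enabled: true

  handlers:
    # "reloaded" was not enough here: dnsmasq does not re-read dnsmasq.conf
    # on SIGHUP, and a systemd-resolved unit without a reload action makes
    # the reload fail, which failed_when: false then silently hid. A restart
    # applies the new port settings in both cases.
    - name: Restart systemd-resolved
      ansible.builtin.service:
        name: systemd-resolved
        state: restarted
      failed_when: false  # If resolved doesn't exist, it's not a problem

    - name: Restart dnsmasq
      ansible.builtin.service:
        name: dnsmasq
        state: restarted
      failed_when: false  # If dnsmasq doesn't exist, it's not a problem

    # Triggered by every task that writes into /etc/bind, so a bind9 that
    # was already running picks up the new configuration.
    - name: Restart bind9
      ansible.builtin.service:
        name: bind9
        state: restarted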