Commit e98bc95d authored by zaiken's avatar zaiken 💬 Committed by root

Ajout DNS sur les routers (Kriek et Lorrabelle)

parent bb106864
# rezo_basic.yaml
# Ce rôle réalise le déploiement classique pour une machine du rézo
# après une installation. Se référer au fichier README.md pour plus de
# précisions.
---
- hosts: '{{ target }}'
remote_user: root
tasks:
- name: Upgrade the machine
apt:
update_cache: yes
upgrade: yes
- name: Install sudo
apt:
name: sudo
- include_role:
name: apt-dater
- name: Install ZSH
apt:
name: zsh
- name: Install vim
apt:
name: vim
- name: Install Molly-Guard
apt:
name: molly-guard
- name: Install Htop
apt:
name: htop
- name: Install Mtr
apt:
name: mtr-tiny
- name: Install Lnav
apt:
name: lnav
- name: Install Nload
apt:
name: nload
- name: Install tmux
apt:
name: tmux
- include_role:
name: sendmail
- include_role:
name: apticron
- include_role:
name: motd
- include_role:
name: ldap
- include_role:
name: snmp
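Review bot: `update_cache: yes` and `upgrade: yes` in the first apt task are YAML 1.1 truthy scalars; Ansible accepts them, but yamllint's `truthy` rule flags them and `upgrade: yes` silently means `upgrade: safe`, which a reader cannot tell from the file. Write `update_cache: true` and `upgrade: safe` (or `dist` if a full upgrade is really wanted) so the behaviour is explicit, and add `state: present` to the package tasks for the same reason. The playbook connects as `remote_user: root`, which matches the gateways playbook further down, so nothing else is proposed here.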
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
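Review bot: The two BIND listings above are byte-identical and both declare `zone "."`, `"localhost"`, `"127.in-addr.arpa"`, `"0.in-addr.arpa"` and `"255.in-addr.arpa"`; the tasks below copy them as named.conf.default and named.conf.local, so if named.conf includes both, named will refuse to start with a duplicate-zone error. Debian's bind9 package normally ships exactly these stanzas in named.conf.default-zones, so they should live in at most one file here, and named.conf.local should only carry the site zone (the one behind /usr/local/dns/generated/dns.rez.zone, whose stanza is not visible in this diff). A one-line header such as `// hint + RFC 1912 zones: keep in this file only, see named.conf` would prevent the next copy-paste.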
logging{
channel simple_log {
file "/var/log/named/bind.log" versions 3 size 5m;
severity error;
print-time yes;
print-severity yes;
print-category yes;
};
category default{
simple_log;
};
channel querylog {
file "/var/log/named/queries.log" versions 3 size 5m;
severity error;
print-time yes;
print-severity yes;
print-category yes;
};
category queries{
querylog;
};
};
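Review bot: The `querylog` channel is declared with `severity error;`, but BIND writes query log records at severity info, so /var/log/named/queries.log will stay empty even after query logging is switched on; use `severity info;` on that channel and enable it with `querylog yes;` in options or `rndc querylog`. `versions 3 size 5m` gives at most 20 MB of query history on a resolver that serves the gateways, which is very little if the log is meant for incident investigation; raise the size or forward the log off-box. Query logs record client addresses and the names they resolve, so a short comment stating the intended retention, e.g. `// query log keeps client IPs: rotate per site policy`, is worth adding.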
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
//allow-transfer {
// 127.0.0.1;
//};
//allow-query { any; };
//listen-on { any; };
listen-on-v6 { any; };
//auth-nxdomain no; # conform to RFC1035
//listen-on-v6 { any; };
//statistics-file "/var/run/named/stats";
//zone-statistics yes;
};
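Review bot: With `listen-on-v6 { any; };` and `allow-query`, `allow-recursion` and `allow-transfer` left commented out, this server on the gateways answers on every IPv6 address with BIND's defaults; on versions before 9.18 the default `allow-transfer` is `any`, so the whole generated authoritative zone can be pulled with an AXFR by anything that reaches port 53, and recursion is limited only by the built-in localnets default. Add explicit `allow-transfer { none; };` (or the secondary's address), `allow-recursion { localnets; };` with the site prefixes spelled out, and restrict `listen-on`/`listen-on-v6` to the internal interfaces, or document that the external side is closed by the firewall. The server is both authoritative for the site zone and a recursive resolver; if the outside only needs the authoritative answers, `recursion no;` plus a separate internal view is the cleaner split.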
/var/local/dns/** rw,
/usr/local/dns/generated/dns.rez.zone r,
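Review bot: `/var/local/dns/** rw,` grants the confined named process write access to the whole tree that holds the copied zone file (zones_rezo), so a compromised named could rewrite its own zone data; if the zones there are static masters with no `allow-update` or inline signing, read access is enough. Narrow it to `/var/local/dns/** r,` and, only if journals are actually needed, add a separate `/var/local/dns/**.jnl rw,` line. The generated zone at /usr/local/dns/generated is already read-only here, which is the right model for the other path too.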
- name: Install bind9
apt:
name: isc-dhcp-server
name: bind9
- file:
path: /var/log/named
state: directory
mode: 0755
mode: 0764
- file:
path: /var/log/named/bind.log
owner: bind
group: bind
- name: Copy configuration
path: /var/local/dns
state: directory
mode: 0764
- name: Copy configuration LOCAL
copy:
src: named.conf.local
dest: /etc/bind/named.conf.local
mode: 0644
owner: root
owner: bind
group: bind
- name: Copy configuration LOGGING
copy:
src: named.conf.logging
dest: /etc/bind/named.conf.logging
mode: 0744
owner: bind
group: bind
- name: Copy configuration DEFAULT
copy:
src: named.conf.default
dest: /etc/bind/named.conf.default
mode: 0644
owner: bind
group: bind
- name: Copy configuration OPTIONS
copy:
src: named.conf.options
dest: /etc/bind/named.conf.options
mode: 0644
owner: bind
group: bind
- name: Copy zone rezo
copy:
src: zone_rezo
dest: /var/local/dns/zones_rezo
mode: 0644
owner: root
owner: bind
group: bind
- name: Install iso8601
apt:
name: python3-iso8601
- name: Copy apparmor configuration
copy:
src: usr.sbin.named
dest: /etc/apparmor.d/local/usr.sbin.named
mode: 0644
owner: bind
group: bind
- name: Get re2o-service for dns
git:
repo: https://gitlab.federez.net/re2o/dns.git
dest: /usr/local/dns
force: yes
- name: Get re2oApi for dns
git:
repo: https://gitlab.federez.net/re2o/re2oapi.git
dest: /usr/local/dns/re2oapi
force: yes
- name: Create generated directory
file:
path: /usr/local/dns/generated
state: directory
mode: 0755
- name: Configure service
template:
src: config.ini.j2
dest: /usr/local/dhcp/config.ini
dest: /usr/local/dns/config.ini
mode: 0600
- name: Reload apparmor
service:
name: apparmor
state: reloaded
- name: Create crontab
cron:
cron_file: re2o-services
......@@ -48,3 +96,9 @@
user: root
job: "cd /usr/local/dns/ && /usr/bin/python3 /usr/local/dhcp/main.py > /dev/null 2>&1 && systemctl reload bind9"
- name: Restart bind9
service:
name: bind9
state: restarted
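Review bot: The configuration copies (`Copy configuration LOCAL`, `LOGGING`, `DEFAULT`, `OPTIONS` and `Copy apparmor configuration`) set `owner: bind`, which lets the unprivileged bind user rewrite /etc/bind/named.conf.* and its own AppArmor profile fragment, so a compromised named can change its confinement on the next reload; use `owner: root`, `group: bind`, `mode: "0640"` for the /etc/bind files and `owner: root`, `group: root`, `mode: "0644"` for /etc/apparmor.d/local/usr.sbin.named, and drop the stray execute bit in `mode: 0744` on named.conf.logging. The `/var/log/named` directory task sets `mode: 0764` but no owner, so the directory stays root-owned and the bind process cannot create queries.log or the rotated `versions 3` files; give it `owner: bind`, `group: bind`, `mode: "0750"`. The two `git` tasks check out the default branch of re2o/dns and re2oapi with `force: yes` and no `version:`, and the cron entry then runs that checkout as root, so any change pushed to those remotes executes as root on the gateways; pin `version:` to a tag or commit. The cron job also runs `/usr/local/dhcp/main.py` after `cd /usr/local/dns/`, which looks copied from the DHCP role and should presumably be `/usr/local/dns/main.py`, and `> /dev/null 2>&1` hides any failure of the generation step. The second hunk (`@@ -48,3 +96,9 @@`) starts in the middle of the cron task, whose first lines are above it.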
[Re2o]
hostname = {{ re2o_address }}
username = {{ service_user }}
password = {{ service_user_pass }}
password = {{ service_user_password }}
failover peer "dhcp-failover" {
{% if primary %}
primary;
split 255;
{% else %}
secondary;
{% endif %}
mclt 3600;
address {{ address }};
port 647;
peer address {{ peer_address }};
peer port 647;
max-response-delay 30;
max-unacked-updates 10;
load balance max seconds 3;
}
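Review bot: The failover stanza opens port 647 on `{{ address }}` with no authentication, and the ISC DHCP failover protocol has no authentication or transport protection of its own, so any host that can reach that port can connect as the peer and drive lease state. Make sure `address` is the internal interface and that port 647 is firewalled to `{{ peer_address }}` only, and say so above the stanza, e.g. `{# port 647 must be reachable from peer_address only: failover has no auth #}`.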
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
default-lease-time 18000;
max-lease-time 21600;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
option ntp-servers {{ ntp_server }};
option www-server {{ www_server|join(', ') }};
option irc-server {{ irc_server }};
option smtp-server {{ smtp_server }};
include "/etc/dhcp/dhcp-failover.conf";
#Vlan federez
subnet {{ federez.subnet }} netmask {{ federez.subnet_mask }} {
interface {{ federez.interface }};
option routers {{ federez.routers }};
option domain-name-servers {{ federez.dns }};
option subnet-mask {{ federez.subnet_mask }};
option broadcast-address {{ federez.subnet_mask }};
pool {
range {{ federez.pool_begin }} {{ federez.pool_end }};
failover peer "dhcp-failover";
}
}
{% for list in lists %}
include "/usr/local/dhcp/generated/{{ list }}.list";
{% endfor %}
{% for subnet in subnets %}
# Subnet {{ subnet.name }}
subnet {{ subnet.subnet }} netmask {{ subnet.netmask }} {
interface {{ subnet.interface }};
option subnet-mask {{ subnet.netmask }};
option broadcast-address {{ subnet.broadcast }};
{% if 'routers' in subnet %}
option routers {{ subnet.routers }};
{% endif %}
option domain-name-servers {{ subnet.dns | join(", ") }};
option domain-name {{ subnet.domain_name }};
deny unknown-clients;
}
{% endfor %}
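Review bot: In the federez subnet block `option broadcast-address {{ federez.subnet_mask }};` hands clients the netmask as their broadcast address, which is wrong for any real subnet; the per-subnet loop below uses `subnet.broadcast`, so this should be `option broadcast-address {{ federez.broadcast }};` with a `broadcast` key added to the `federez` vars. Unlike the generated subnets, the federez subnet has no `deny unknown-clients;`, so its pool serves any MAC on that VLAN; if that is intended, a comment such as `# open pool: unknown clients allowed on the federez VLAN on purpose` would save the next reader a check.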
......@@ -5,6 +5,7 @@
- hosts: gateways
remote_user: root
roles:
- dns
- configure_routers_network
- keepalived
- install_network_driver