From c187c1005cd9abde2291272cef0253c22d390fec Mon Sep 17 00:00:00 2001
From: richard
Date: Sun, 20 Sep 2015 15:41:18 -0400
Subject: [PATCH] setup bind config files in ns.xai-corp.net role
---
 home.xai-corp.net.yml | 5 +-
 roles/home.xai-corp.net/tasks/main.yml | 2 +
 roles/home.xai-corp.net/tasks/vhosts.yml | 15 ++
 roles/ns.xai-corp.net/defaults/main.yml | 11 +
 roles/ns.xai-corp.net/handlers/main.yml | 12 +
 roles/ns.xai-corp.net/meta/main.yml | 8 +
 roles/ns.xai-corp.net/tasks/main.yml | 23 ++
 .../templates/localhost.zone.j2 | 12 +
 roles/ns.xai-corp.net/templates/named.conf.j2 | 205 ++++++++++++++++++
 .../templates/xai-corp.net.external.j2 | 17 ++
 .../templates/xai-corp.net.internal.j2 | 34 +++
 .../templates/xai-corp.net.reverse.j2 | 19 ++
 roles/ns.xai-corp.net/vars/_extravars.yml | 10 +
 roles/user-richard/templates/procmailrc.j2 | 8 +
 14 files changed, 380 insertions(+), 1 deletion(-)
 create mode 100644 roles/home.xai-corp.net/tasks/vhosts.yml
 create mode 100644 roles/ns.xai-corp.net/defaults/main.yml
 create mode 100644 roles/ns.xai-corp.net/handlers/main.yml
 create mode 100644 roles/ns.xai-corp.net/meta/main.yml
 create mode 100644 roles/ns.xai-corp.net/tasks/main.yml
 create mode 100644 roles/ns.xai-corp.net/templates/localhost.zone.j2
 create mode 100644 roles/ns.xai-corp.net/templates/named.conf.j2
 create mode 100644 roles/ns.xai-corp.net/templates/xai-corp.net.external.j2
 create mode 100644 roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
 create mode 100644 roles/ns.xai-corp.net/templates/xai-corp.net.reverse.j2
 create mode 100644 roles/ns.xai-corp.net/vars/_extravars.yml
diff --git a/home.xai-corp.net.yml b/home.xai-corp.net.yml
index 44fc3e5..d6523d2 100644
--- a/home.xai-corp.net.yml
+++ b/home.xai-corp.net.yml
@@ -2,7 +2,10 @@ # playbook to install django test on home.xai-corp.net - hosts: home - remote_user: root + remote_user: anansibsible + gather_facts: no + become: true roles: - home.xai-corp.net + - ns.xai-corp.net 
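Review bot: `remote_user: anansibsible` in the `- hosts: home` play looks like a mistyped account name (presumably `ansible`); because `become: true` now elevates from that account, a wrong name fails the connection for the whole play rather than one task, so confirm it against the account that actually exists on the host. The header comment `# playbook to install django test on home.xai-corp.net` no longer describes the play now that the `ns.xai-corp.net` role is attached; `# playbook for home.xai-corp.net: django test site and bind name server` would. `gather_facts: no` is safe for the tasks in this commit, none of which read `ansible_*` facts, but the commented `include_vars: "{{ ansible_os_family }}.yml"` in the new role's vars/_extravars.yml would need facts if it is ever enabled.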
diff --git a/roles/home.xai-corp.net/tasks/main.yml b/roles/home.xai-corp.net/tasks/main.yml
index 3f97018..8db67b1 100644
--- a/roles/home.xai-corp.net/tasks/main.yml
+++ b/roles/home.xai-corp.net/tasks/main.yml
@@ -1,3 +1,5 @@
 ---
 # tasks/main.yml
 # define tasks here
+
+- include: vhosts.yml
diff --git a/roles/home.xai-corp.net/tasks/vhosts.yml b/roles/home.xai-corp.net/tasks/vhosts.yml
new file mode 100644
index 0000000..317a0ab
--- /dev/null
+++ b/roles/home.xai-corp.net/tasks/vhosts.yml
@@ -0,0 +1,15 @@
+---
+ #
+ # setup the vhosts for apache based websites
+
+
+- name: fetch existing vhosts
+ fetch: src=/etc/apache2/vhost-available/{{ item }} dest=backups/
+ with_items:
+ - 00_default_ssl_vhost.conf
+ - 00_default_vhost.conf
+ - 01_home_vhost.conf
+ - 02_test_vhost.conf
+ - 04_sql_vhost.conf
+ - 05_mail_vhost.conf
+ - default_vhost.include
diff --git a/roles/ns.xai-corp.net/defaults/main.yml b/roles/ns.xai-corp.net/defaults/main.yml
new file mode 100644
index 0000000..734b43e
--- /dev/null
+++ b/roles/ns.xai-corp.net/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+# defaults/main.yml
+# define default variable values here
+
+bind:
+ zonefiles:
+ - xai-corp.net.internal
+ - localhost.zone
+ - xai-corp.net.external
+ - xai-corp.net.reverse
+
diff --git a/roles/ns.xai-corp.net/handlers/main.yml b/roles/ns.xai-corp.net/handlers/main.yml
new file mode 100644
index 0000000..f8b2e0e
--- /dev/null
+++ b/roles/ns.xai-corp.net/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+# handlers/main.yml
+# define handlers here
+
+#- name: restart
+# service: name= state=restarted
+
+#- name: stop
+# service: name= state=stopped
+
+- name: restart bind
+ service: name=named state=restarted
\ No newline at end of file
diff --git a/roles/ns.xai-corp.net/meta/main.yml b/roles/ns.xai-corp.net/meta/main.yml
new file mode 100644
index 0000000..edcec77
--- /dev/null
+++ b/roles/ns.xai-corp.net/meta/main.yml
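Review bot: `fetch: src=/etc/apache2/vhost-available/{{ item }} dest=backups/` stores each file under `backups/<inventory_hostname>/etc/apache2/vhost-available/` (fetch's default layout without `flat: yes`), and apache vhost configs routinely carry TLS key paths and sometimes auth credentials, so `backups/` should be excluded from version control before this task is run from the repo. The directory name `vhost-available` is unusual — Debian uses `sites-available` and Gentoo, which the rest of this commit targets (`/var/bind`, group `named`), uses `vhosts.d` — so confirm the path on the host; with fetch's default `fail_on_missing: no` a wrong path is skipped silently rather than reported.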
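Review bot: `service: name=named state=restarted` performs a full restart for every notified change, including the pure permission fix-ups in the role's tasks/main.yml, which discards the resolver cache and any in-flight queries for every client on 192.168.2.0/24. Zone-file and named.conf edits only need a reload, so `state=reloaded` (or `command: rndc reload`, which the rndc key included by named.conf already makes possible) is the safer handler, with a separate restart handler reserved for changes that genuinely require one. The file also ends without a trailing newline, as the diff notes.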
@@ -0,0 +1,8 @@
+---
+# meta/main.yml
+# define dependancies here
+
+# dependencies:
+ # - { role: geerlingguy.java }
+
+dependencies: []
\ No newline at end of file
diff --git a/roles/ns.xai-corp.net/tasks/main.yml b/roles/ns.xai-corp.net/tasks/main.yml
new file mode 100644
index 0000000..2e07bbe
--- /dev/null
+++ b/roles/ns.xai-corp.net/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+# tasks/main.yml
+# define tasks here
+
+- name: set correct permissions on dirs
+ file: state=directory path=/var/bind/{{ item }} owner=root group=named mode=0770
+ with_items:
+ - pri
+ - sec
+ - dyn
+ notify:
+ - restart bind
+
+- name: copy zone files to /var/bind/pri
+ template: src={{ item }}.j2 dest=/var/bind/pri/{{ item }} owner=root group=named mode=0750
+ with_items: "{{ bind.zonefiles }}"
+ notify:
+ - restart bind
+
+- name: copy named.conf to /etc/bind/
+ template: src=named.conf.j2 dest=/etc/bind/named.conf owner=root group=named mode=0640
+ notify:
+ - restart bind
diff --git a/roles/ns.xai-corp.net/templates/localhost.zone.j2 b/roles/ns.xai-corp.net/templates/localhost.zone.j2
new file mode 100644
index 0000000..1b5e725
--- /dev/null
+++ b/roles/ns.xai-corp.net/templates/localhost.zone.j2
@@ -0,0 +1,12 @@
+$TTL 1W
+@ IN SOA localhost. root.localhost. (
+ 20150920 ; Serial
+ 28800 ; Refresh
+ 14400 ; Retry
+ 604800 ; Expire - 1 week
+ 86400 ) ; Minimum
+@ IN NS localhost.
+@ IN A 127.0.0.1
+
+@ IN AAAA ::1
+
diff --git a/roles/ns.xai-corp.net/templates/named.conf.j2 b/roles/ns.xai-corp.net/templates/named.conf.j2
new file mode 100644
index 0000000..d08d92c
--- /dev/null
+++ b/roles/ns.xai-corp.net/templates/named.conf.j2
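Review bot: the zone-file template task uses `mode=0750`, giving plain data files an execute bit they do not need; `mode=0640` matches the named.conf task below it and is all named requires to read them. Neither template task validates its output before the `restart bind` handler fires, so a syntax error in a rendered zone or in named.conf takes the only resolver on 192.168.2.12 down until the next run — `validate='named-checkconf %s'` on the named.conf task catches that, and `named-checkzone` can do the same for the zones once the zone name is carried alongside each file name in `bind.zonefiles`. The directory task grants group `named` write access (`mode=0770`) to `pri` and `sec` as well as `dyn`; for master zones written only by this role, `0750` on `pri`/`sec` keeps a compromised or misbehaving named from altering its own authoritative data. named.conf also expects `/etc/bind/rndc.key` and `/var/bind/named.cache`, which nothing in this task list provisions; presumably the package supplies them, but a `stat` plus `assert` would make that dependency explicit.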
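Review bot: named.conf loads this same file for both `zone "localhost"` and `zone "127.in-addr.arpa"`, but it only carries forward records (`@ IN A 127.0.0.1`, `@ IN AAAA ::1`), so reverse lookups of 127.0.0.1 get no answer and the reverse zone ends up with an A record at its apex. Give the reverse zone its own file containing `1.0.0 IN PTR localhost.` (and, if IPv6 reverse is wanted, a matching `ip6.arpa` zone for `::1`) rather than sharing this one. The serial `20150920` leaves no room for a second change on the same day; the usual `YYYYMMDDnn` form avoids that.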
@@ -0,0 +1,205 @@
+/*
+ * Refer to the named.conf(5) and named(8) man pages, and the documentation
+ * in /usr/share/doc/bind-9 for more details.
+ * Online versions of the documentation can be found here:
+ * http://www.isc.org/software/bind/documentation
+ *
+ * If you are going to set up an authoritative server, make sure you
+ * understand the hairy details of how DNS works. Even with simple mistakes,
+ * you can break connectivity for affected parties, or cause huge amounts of
+ * useless Internet traffic.
+ */
+
+acl "xfer" {
+ /* Deny transfers by default except for the listed hosts.
+ * If we have other name servers, place them here.
+ */
+ none;
+};
+
+/*
+ * You might put in here some ips which are allowed to use the cache or
+ * recursive queries
+ */
+acl "trusted" {
+ 127.0.0.0/8;
+ 192.168.2.0/24;
+ ::1/128;
+};
+
+options {
+ directory "/var/bind";
+ pid-file "/var/run/named/named.pid";
+
+ /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
+ //bindkeys-file "/etc/bind/bind.keys";
+
+ /*listen-on-v6 { ::1; };*/
+ listen-on { 127.0.0.1; 192.168.2.12; };
+
+ allow-query {
+ /*
+ * Accept queries from our "trusted" ACL. We will
+ * allow anyone to query our master zones below.
+ * This prevents us from becoming a free DNS server
+ * to the masses.
+ */
+ trusted;
+ };
+
+ allow-query-cache {
+ /* Use the cache for the "trusted" ACL. */
+ trusted;
+ };
+
+// allow-recursion {
+// /* Only trusted addresses are allowed to use recursion. */
+// trusted;
+// };
+
+ allow-transfer {
+ /* Zone tranfers are denied by default. */
+ none;
+ };
+
+ allow-update {
+ /* Don't allow updates, e.g. via nsupdate. */
+ none;
+ };
+
+ /*
+ * If you've got a DNS server around at your upstream provider, enter its
+ * IP address here, and enable the line below. This will make you benefit
+ * from its cache, thus reduce overall DNS traffic in the Internet.
+ *
+ * Uncomment the following lines to turn on DNS forwarding, and change
+ * and/or update the forwarding ip address(es):
+ */
+
+ forward first;
+ forwarders {
+ // 207.164.234.129; // Your ISP NS
+ // 207.164.234.193; // Your ISP NS
+ // 4.2.2.1; // Level3 Public DNS
+ // 4.2.2.2; // Level3 Public DNS
+ 8.8.8.8; // Google Open DNS
+ 8.8.4.4; // Google Open DNS
+ };
+
+
+
+ //dnssec-enable yes;
+ //dnssec-validation yes;
+
+ /*
+ * As of bind 9.8.0:
+ * "If the root key provided has expired,
+ * named will log the expiration and validation will not work."
+ */
+ //dnssec-validation auto;
+
+ /* if you have problems and are behind a firewall: */
+ //query-source address * port 53;
+};
+
+
+logging {
+ channel default_log {
+ file "/var/log/named/named.log" versions 3 size 5M;
+ severity notice;
+ print-time yes;
+ print-severity yes;
+ print-category yes;
+ };
+
+ category default { default_log; };
+ category general { default_log; };
+};
+
+
+include "/etc/bind/rndc.key";
+controls {
+ inet 127.0.0.1 port 953 allow { 127.0.0.1/24; ::1/128; } keys { "rndc-key"; };
+};
+
+view "internal" {
+ match-clients { 192.168.2.12; localhost; 192.168.2.0/24; };
+ recursion yes;
+
+ zone "." in {
+ type hint;
+ file "/var/bind/named.cache";
+ };
+
+ zone "localhost" IN {
+ type master;
+ file "pri/localhost.zone";
+ notify no;
+ };
+
+ zone "127.in-addr.arpa" IN {
+ type master;
+ file "pri/localhost.zone";
+ notify no;
+ };
+
+ zone "xai-corp.net." IN {
+ type master;
+ file "pri/xai-corp.net.internal";
+ allow-transfer { none; };
+ };
+
+ zone "2.168.192.in-addr.arpa." 
IN {
+ type master;
+ file "pri/xai-corp.net.reverse";
+ allow-update { none; };
+ };
+
+};
+
+view "external" {
+ match-clients { none; };
+ recursion no;
+
+
+// zone "xai-corp.net" {
+// type master;
+// file "pri/xai-corp.net.external";
+// allow-query { none; };
+// allow-transfer { 127.0.0.1; };
+// };
+};
+
+/*
+ * Briefly, a zone which has been declared delegation-only will be effectively
+ * limited to containing NS RRs for subdomains, but no actual data beyond its
+ * own apex (for example, its SOA RR and apex NS RRset). This can be used to
+ * filter out "wildcard" or "synthesized" data from NAT boxes or from
+ * authoritative name servers whose undelegated (in-zone) data is of no
+ * interest.
+ * See http://www.isc.org/software/bind/delegation-only for more info
+ */
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+//zone "YOUR-DOMAIN.TLD" {
+// type master;
+// file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
+// allow-query { any; };
+// allow-transfer { xfer; };
+//};
+
+//zone "YOUR-SLAVE.TLD" {
+// type slave;
+// file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
+// masters { ; };
+
+ /* Anybody is allowed to query but transfer should be controlled by the master. */
+// allow-query { any; };
+// allow-transfer { none; };
+
+ /* The master should be the only one who notifies the slaves, shouldn't it? */
+// allow-notify { ; };
+// notify no;
+//};
diff --git a/roles/ns.xai-corp.net/templates/xai-corp.net.external.j2 b/roles/ns.xai-corp.net/templates/xai-corp.net.external.j2
new file mode 100644
index 0000000..b009f28
--- /dev/null
+++ b/roles/ns.xai-corp.net/templates/xai-corp.net.external.j2
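Review bot: the `controls` statement allows `127.0.0.1/24`, a prefix with host bits set that BIND warns about (and newer releases reject) as an address/prefix length mismatch; `127.0.0.1;` or `127.0.0.0/8;` says what is meant. The "internal" view serves recursion for `192.168.2.0/24` and forwards to `8.8.8.8`/`8.8.4.4`, yet every `dnssec-validation` line stays commented out, so the cache accepts whatever the forwarders return unvalidated, and with `forward first;` a failing forwarder silently falls back to iterative resolution where validation matters most — `dnssec-validation auto;` is the one-line fix if the installed BIND is 9.8 or later, as the comment in the file already anticipates. `include "/etc/bind/rndc.key";` and `file "/var/bind/named.cache";` reference files that nothing in this role creates; if the package provides them that deserves a comment in the template, otherwise named will not start. Minor: `192.168.2.12` in `match-clients` is already covered by `192.168.2.0/24`, and the `xai-corp.net.` zone pins `allow-transfer { none; }` while the reverse zone pins `allow-update { none; }` — both are already the global default set in `options`, so either drop them or make the two zones match.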
@@ -0,0 +1,17 @@
+$ORIGIN xai-corp.net.
+$TTL 2d
+@ IN SOA ns.xai-corp.net. root.xai-corp.net. (
+ 20150920;serial
+ 3h ;refresh
+ 1h ;retry
+ 1w ;expiry
+ 1d ) ;minimum
+
+xai-corp.net. IN NS ns.xai-corp.net.
+xai-corp.net. IN A 208.94.116.179
+xai-corp.net. IN A 208.94.116.21
+xai-corp.net. IN A 208.94.117.26
+www.xai-corp.net. IN A 208.94.116.179
+www.xai-corp.net. IN A 208.94.116.21
+www.xai-corp.net. IN A 208.94.117.26
+
diff --git a/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 b/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
new file mode 100644
index 0000000..2038bb7
--- /dev/null
+++ b/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
@@ -0,0 +1,34 @@
+$TTL 1D
+@ IN SOA xai-corp.net. root.xai-corp.net. (
+ 20150920; serial
+ 3h ; refresh
+ 1h ; retry
+ 1w ; expiry
+ 1d ) ; minimum
+
+xai-corp.net. IN NS ns.xai-corp.net.
+xai-corp.net. IN MX 0 mail.xai-corp.net.
+xai-corp.net. IN TXT "v=spf1 ip4:192.168.2.12/32 mx ptr mx:mail.xai-corp.net ~all"
+ns IN A 192.168.2.12
+mail IN A 192.168.2.12
+getafix IN CNAME ns
+test IN CNAME ns
+home IN CNAME ns
+tunedb IN CNAME ns
+sql IN CNAME ns
+jenkins IN CNAME ns
+cik IN CNAME ns
+phonecat IN CNAME ns
+blog IN CNAME ns
+www IN A 208.94.116.179
+ IN A 208.94.116.21
+ IN A 208.94.117.26
+gateway IN A 192.168.2.1
+wireless IN A 192.168.2.3
+printer IN A 192.168.2.13
+scanner IN CNAME printer
+laser IN A 192.168.2.14
+tv IN A 192.168.2.16
+xaicorp1 IN A 192.168.2.103
+garden IN A 192.168.2.20
+
diff --git a/roles/ns.xai-corp.net/templates/xai-corp.net.reverse.j2 b/roles/ns.xai-corp.net/templates/xai-corp.net.reverse.j2
new file mode 100644
index 0000000..c8b8856
--- /dev/null
+++ b/roles/ns.xai-corp.net/templates/xai-corp.net.reverse.j2
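Review bot: the zone delegates to `ns.xai-corp.net.` but contains no `A` record for `ns`, and because that name is in-bailiwick the zone itself must supply the address (named-checkzone typically reports an NS name with no address records); add `ns IN A <PUBLIC-IP-PLACEHOLDER>` once the name server's public address is settled. This file is only referenced from the commented-out `view "external"` in named.conf, so it is rendered into `/var/bind/pri/` but never loaded — either wire it up or drop it from `bind.zonefiles` until it is. The serial `20150920` leaves no room for a second edit on the same day; the `YYYYMMDDnn` form avoids that.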
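Review bot: the SOA MNAME here is `xai-corp.net.` while the external and reverse zones use `ns.xai-corp.net.`; MNAME should name the primary server, which is what NOTIFY and dynamic-update clients use to locate the master, so `@ IN SOA ns.xai-corp.net. root.xai-corp.net. (` keeps the three zones consistent. The SPF record `"v=spf1 ip4:192.168.2.12/32 mx ptr mx:mail.xai-corp.net ~all"` uses the `ptr` mechanism, which RFC 7208 says should not be used, and advertises a private address that no outside receiver can match; inside this internal-only view it has little effect, but it should not be copied into the external zone as-is. Minor: `mx` already covers `mail.xai-corp.net`, so `mx:mail.xai-corp.net` is redundant.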
@@ -0,0 +1,19 @@
+$TTL 24h
+$ORIGIN 2.168.192.IN-ADDR.ARPA.
+@ IN SOA ns.xai-corp.net. root.xai-corp.net. (
+ 20150920; serial
+ 3h ; refresh
+ 1h ; retry
+ 1w ; expiry
+ 1d ) ; minimum
+
+@ IN NS ns.xai-corp.net.
+
+1 IN PTR gateway.xai-corp.net.
+3 IN PTR wireless.xai-corp.net.
+13 IN PTR printer.xai-corp.net.
+14 IN PTR laser.xai-corp.net.
+16 IN PTR tv.xai-corp.net.
+103 IN PTR xaicorp1.xai-corp.net.
+12 IN PTR home.xai-corp.net.
+
diff --git a/roles/ns.xai-corp.net/vars/_extravars.yml b/roles/ns.xai-corp.net/vars/_extravars.yml
new file mode 100644
index 0000000..0bee844
--- /dev/null
+++ b/roles/ns.xai-corp.net/vars/_extravars.yml
@@ -0,0 +1,10 @@
+---
+# vars/_extravars.yml
+# define extra variable values here
+# this file should be loaded via an include_vars statement in the task.
+# often this is used for managing differences in os.
+
+# Variable setup.
+#- name: Include OS-Specific variables
+# include_vars: "{{ ansible_os_family }}.yml"
+
diff --git a/roles/user-richard/templates/procmailrc.j2 b/roles/user-richard/templates/procmailrc.j2
index 5ab198a..05b0b60 100644
--- a/roles/user-richard/templates/procmailrc.j2
+++ b/roles/user-richard/templates/procmailrc.j2
@@ -77,6 +77,14 @@ DELIVER=/usr/libexec/dovecot/deliver * ^From.*news@linkedin.com | $DELIVER -m Newsletters +:0: +* ^From.*aws-marketing-email-replies@amazon.com +| $DELIVER -m Newsletters + +:0: +* ^From.*info@connectmusic.ca +| $DELIVER -m Newsletters + # -------------------------------------------------- # Paypal receipts :0:
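Review bot: `12 IN PTR home.xai-corp.net.` targets a name that the internal zone defines as a CNAME to `ns`; PTR records should point at a canonical name that owns an A record (RFC 1912 §2.1), so this should read `12 IN PTR ns.xai-corp.net.`. The file also has no entry for `garden` (192.168.2.20), which the forward zone defines, and the records are not in address order (`12` after `103`), which makes such gaps easy to miss; keeping both files in step, or generating both from one host list in the role's defaults, would prevent drift. `$ORIGIN 2.168.192.IN-ADDR.ARPA.` is valid but upper-case next to the lower-case zone name in named.conf; one spelling makes the pair easier to grep.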
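Review bot: the new conditions `* ^From.*aws-marketing-email-replies@amazon.com` and `* ^From.*info@connectmusic.ca` leave the dots in the domain unescaped and match on `^From.*`, which covers the envelope `From ` line as well as the `From:` header and any address that merely contains that text; this mirrors the existing `news@linkedin.com` rule, so it is consistent, but `* ^From:.*aws-marketing-email-replies@amazon\.com` is the tighter form if these rules are revisited. The recipe list these belong to starts before and continues after the hunk.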