update requirements.yml and ansible.config

start home.xai-corp.net and home02.xai-corp.net playbooks

roles/ns.xai-corp.net/defaults/main.yml

@@ -3,6 +3,9 @@
 # define default variable values here
 
 bind:
+  user: root
+  group: bind
+  service: bind9
   zonefiles:
     - xai-corp.net.internal
     - localhost.zone

roles/ns.xai-corp.net/handlers/main.yml

@@ -9,4 +9,4 @@
 #  service: name=<service> state=stopped
 
 - name: restart bind
-  service: name=named state=restarted
+  service: name={{ bind.service }} state=restarted

roles/ns.xai-corp.net/tasks/main.yml

@@ -2,22 +2,35 @@
 # tasks/main.yml
 # define tasks here
 
-- name: set correct permissions on dirs
-  file: state=directory path=/var/bind/{{ item }} owner=root group=named mode=0770
+- name: install bind package
+  apt:
+    name: "{{ item }}"
+    update_cache: yes
+    state: latest
   with_items:
-    - pri
-    - sec
-    - dyn
+    - bind9
+
+- name: set correct permissions for logging
+  file:
+    state=directory
+    path=/var/log/named/
+    owner={{ bind.user }}
+    group={{ bind.group }}
+    mode=0777
   notify:
     - restart bind
 
-- name: copy zone files to /var/bind/pri
-  template: src={{ item }}.j2 dest=/var/bind/pri/{{ item }} owner=root group=named mode=0750
+- name: copy zone files to /etc/bind/
+  template: src={{ item }}.j2 dest=/etc/bind/db.{{ item }} owner={{ bind.user }} group={{ bind.group }} mode=0644
   with_items: "{{ bind.zonefiles }}"
   notify:
     - restart bind
 
-- name: copy named.conf to /etc/bind/
-  template: src=named.conf.j2 dest=/etc/bind/named.conf owner=root group=named mode=0640
+- name: copy named.confs to /etc/bind/
+  template: src={{ item }}.j2 dest=/etc/bind/{{ item }} owner={{ bind.user }} group={{ bind.group }} mode=0640
+  with_items:
+    - named.conf.local
+    - named.conf.options
+    - named.conf.default-zones
   notify:
     - restart bind

roles/ns.xai-corp.net/templates/named.conf.default-zones.j2

@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+view "defaults" {
+    zone "." {
+            type hint;
+            file "/etc/bind/db.root";
+    };
+
+    // be authoritative for the localhost forward and reverse zones, and for
+    // broadcast zones as per RFC 1912
+
+    zone "localhost" {
+            type master;
+            file "/etc/bind/db.local";
+    };
+
+    zone "127.in-addr.arpa" {
+            type master;
+            file "/etc/bind/db.127";
+    };
+
+    zone "0.in-addr.arpa" {
+            type master;
+            file "/etc/bind/db.0";
+    };
+
+    zone "255.in-addr.arpa" {
+            type master;
+            file "/etc/bind/db.255";
+    };
+};

roles/ns.xai-corp.net/templates/named.conf.local.j2

@@ -0,0 +1,85 @@
+# named.conf.local
+#
+# - local zones and views
+
+view "internal" {
+	match-clients { trusted; };
+	recursion yes;
+
+	// zone "." in {
+	// 	type hint;
+	// 	file "/etc/bind/named.cache";
+	// };
+
+	zone "localhost" IN {
+		type master;
+		file "/etc/bind/db.127";
+		notify no;
+	};
+
+	zone "127.in-addr.arpa" IN {
+		type master;
+		file "/etc/bind/db.127";
+		notify no;
+	};
+
+	zone "xai-corp.net." IN {
+		type master;
+		file "/etc/bind/db.xai-corp.net.internal";
+		allow-transfer { none; };
+	};
+
+	zone "2.168.192.in-addr.arpa." IN {
+		type master;
+		file "/etc/bind/db.xai-corp.net.reverse";
+		allow-update { none; };
+	};
+
+};
+
+view "external" {
+	match-clients { none; };
+	recursion no;
+
+
+//	zone "xai-corp.net" {
+//		type master;
+//		file "/etc/bind/db.xai-corp.net.external";
+//		allow-query { none; };
+//		allow-transfer { 127.0.0.1; };
+//	};
+};
+
+/*
+ * Briefly, a zone which has been declared delegation-only will be effectively
+ * limited to containing NS RRs for subdomains, but no actual data beyond its
+ * own apex (for example, its SOA RR and apex NS RRset). This can be used to
+ * filter out "wildcard" or "synthesized" data from NAT boxes or from
+ * authoritative name servers whose undelegated (in-zone) data is of no
+ * interest.
+ * See http://www.isc.org/software/bind/delegation-only for more info
+ */
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+//zone "YOUR-DOMAIN.TLD" {
+//	type master;
+//	file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
+//	allow-query { any; };
+//	allow-transfer { xfer; };
+//};
+
+//zone "YOUR-SLAVE.TLD" {
+//	type slave;
+//	file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
+//	masters { <MASTER>; };
+
+	/* Anybody is allowed to query but transfer should be controlled by the master. */
+//	allow-query { any; };
+//	allow-transfer { none; };
+
+	/* The master should be the only one who notifies the slaves, shouldn't it? */
+//	allow-notify { <MASTER>; };
+//	notify no;
+//};

roles/ns.xai-corp.net/templates/named.conf.options.j2

@@ -0,0 +1,81 @@
+/*
+ * Refer to the named.conf(5) and named(8) man pages, and the documentation
+ * in /usr/share/doc/bind-9 for more details.
+ * Online versions of the documentation can be found here:
+ * http://www.isc.org/software/bind/documentation
+ *
+ * If you are going to set up an authoritative server, make sure you
+ * understand the hairy details of how DNS works. Even with simple mistakes,
+ * you can break connectivity for affected parties, or cause huge amounts of
+ * useless Internet traffic.
+ */
+
+acl "xfer" {
+    /* Deny transfers by default except for the listed hosts.
+     * If we have other name servers, place them here.
+     */
+    none;
+};
+
+/*
+ * You might put in here some ips which are allowed to use the cache or
+ * recursive queries
+ */
+acl "trusted" {
+    127.0.0.0/8;
+    192.168.2.0/24;
+    ::1/128;
+};
+
+options {
+        directory "/var/cache/bind";
+
+        // If there is a firewall between you and nameservers you want
+        // to talk to, you may need to fix the firewall to allow multiple
+        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+        // If your ISP provided one or more IP addresses for stable
+        // nameservers, you probably want to use them as forwarders.
+        // Uncomment the following block, and insert the addresses replacing
+        // the all-0's placeholder.
+
+        forward first;
+        forwarders {
+        //	207.164.234.129;	// Your ISP NS
+        //	207.164.234.193;	// Your ISP NS
+        //	4.2.2.1;		// Level3 Public DNS
+        //	4.2.2.2;		// Level3 Public DNS
+            8.8.8.8;		// Google Open DNS
+            8.8.4.4;		// Google Open DNS
+        };
+
+        //========================================================================
+        // If BIND logs error messages about the root key being expired,
+        // you will need to update your keys.  See https://www.isc.org/bind-keys
+        //========================================================================
+        dnssec-validation auto;
+
+        auth-nxdomain no;    # conform to RFC1035
+        listen-on-v6 { any; };
+};
+
+
+
+logging {
+    channel default_log {
+        file "/var/log/named/named.log" versions 3 size 5M;
+        severity notice;
+        print-time yes;
+        print-severity yes;
+        print-category yes;
+    };
+
+    category default { default_log; };
+    category general { default_log; };
+};
+
+
+include "/etc/bind/rndc.key";
+controls {
+    inet 127.0.0.1 port 953 allow { 127.0.0.1/24; ::1/128; } keys { "rndc-key"; };
+};

roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2

@@ -8,9 +8,9 @@ $TTL 1D
 
 xai-corp.net.           IN NS   ns.xai-corp.net.
 xai-corp.net.           IN MX   0 mail.xai-corp.net.
-xai-corp.net.           IN TXT  "v=spf1 ip4:192.168.2.12/32 mx ptr mx:mail.xai-corp.net ~all"
-ns                      IN A    192.168.2.12
-mail                    IN A    192.168.2.12
+xai-corp.net.           IN TXT  "v=spf1 ip4:192.168.2.11/32 mx ptr mx:mail.xai-corp.net ~all"
+ns                      IN A    192.168.2.22
+mail                    IN A    192.168.2.11
 getafix                 IN CNAME        ns
 test                    IN CNAME        ns
 home                    IN CNAME        ns