diff --git a/README.rst b/README.rst index 322b3a6..c88ae43 100644 --- a/README.rst +++ b/README.rst @@ -31,9 +31,23 @@ Example Pillar .. code:: yaml bind: - config: - name: /etc/named.conf - source: salt://bind/files/named.conf - user: root - group: named - mode: 640 + configured_zones: + sub.domain.com: + type: master + notify: False + configured_views: + myview1: + match_clients: + - client1 + - client2 + configured_zones: + my.zone: + type: master + notify: False + +See *bind/pillar.example*. + +Notes +===== + +* When using views all zones must be configured in views! diff --git a/bind/config.sls b/bind/config.sls index a0cb04d..1ea12a0 100644 --- a/bind/config.sls +++ b/bind/config.sls @@ -3,6 +3,29 @@ include: - bind +{{ map.log_dir }}: + file.directory: + - user: root + - group: bind + - mode: 775 + +bind_restart: + service.running: + - name: bind9 + - reload: False + - watch: + - file: {{ map.log_dir }}/query.log + - require: + - file: {{ map.log_dir }}/query.log + +{{ map.log_dir }}/query.log: + file.managed: + - user: bind + - group: bind + - mode: 644 + - require: + - file: {{ map.log_dir }} + named_directory: file.directory: - name: {{ map.named_directory }} @@ -80,6 +103,7 @@ bind_local_config: map: {{ map }} - require: - pkg: bind + - file: {{ map.log_dir }}/query.log - watch_in: - service: bind @@ -109,14 +133,6 @@ bind_default_zones: - watch_in: - service: bind -{{ map.log_dir }}: - file.directory: - - user: root - - group: bind - - mode: 775 - - template: jinja - - /etc/logrotate.d/{{ map.service }}: file.managed: - source: salt://bind/files/debian/logrotate_bind 
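Review bot: The query log created in the `@@ -3,6 +3,29 @@` hunk is world-readable — `- mode: 644` on `query.log` inside a `- mode: 775` directory — and a BIND query log records every client address and the names it looked up, so I would tighten these to `- mode: 640` and `- mode: 750` (root:bind, group-readable only). The new `bind_restart` state also hard-codes `- name: bind9` and `- user: bind` while the rest of config.sls goes through `map.service`/`map.user`, which presumably breaks any non-Debian target the map describes. Because it watches `query.log` with `- reload: False`, any attribute change to that file (a logrotate recreate, a permission drift) now forces a full named restart rather than a reload; if that is intentional a comment saying why would help, otherwise `- reload: True` is the gentler default for a live resolver.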
@@ -155,3 +171,32 @@ signed-{{file}}: {% endif %} {% endfor %} + +{%- for view, view_data in salt['pillar.get']('bind:configured_views', {}).iteritems() %} +{% for key,args in view_data.get('configured_zones', {}).iteritems() -%} +{%- set file = salt['pillar.get']("bind:available_zones:" + key + ":file") %} +{% if args['type'] == "master" -%} +zones-{{ file }}: + file.managed: + - name: {{ map.named_directory }}/{{ file }} + - source: 'salt://bind/zones/{{ file }}' + - user: {{ salt['pillar.get']('bind:config:user', map.user) }} + - group: {{ salt['pillar.get']('bind:config:group', map.group) }} + - mode: {{ salt['pillar.get']('bind:config:mode', '644') }} + - watch_in: + - service: bind + - require: + - file: {{ map.named_directory }} + +{% if args['dnssec'] is defined and args['dnssec'] -%} +signed-{{file}}: + cmd.run: + - cwd: {{ map.named_directory }} + - name: zonesigner -zone {{ key }} {{ file }} + - prereq: + - file: zones-{{ file }} +{% endif %} + +{% endif %} +{% endfor %} +{% endfor %} diff --git a/bind/files/debian/named.conf b/bind/files/debian/named.conf index 80f3eb5..80314b0 100644 --- a/bind/files/debian/named.conf +++ b/bind/files/debian/named.conf @@ -9,4 +9,3 @@ include "/etc/bind/named.conf.key"; include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; -include "/etc/bind/named.conf.default-zones"; diff --git a/bind/files/debian/named.conf.local b/bind/files/debian/named.conf.local index 3376cf9..68e2b0b 100644 --- a/bind/files/debian/named.conf.local +++ b/bind/files/debian/named.conf.local 
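Review bot: The state IDs `zones-{{ file }}` and `signed-{{ file }}` are keyed on the file name alone, so a zone that appears in two views — or in a view and in the top-level `configured_zones` loop above this hunk — renders duplicate IDs and the whole SLS fails with a conflicting-IDs error, yet serving one zone file to an internal and an external view is the usual reason to use views at all. Prefixing the view fixes it: `zones-{{ view }}-{{ file }}:`, `signed-{{ view }}-{{ file }}:` and `- file: zones-{{ view }}-{{ file }}` in the prereq. Two smaller things: `.iteritems()` is Python 2 only and will fail on a Python 3 minion (`.items()` works on both), and `prereq` runs `zonesigner` before `zones-{{ file }}` writes the new zone data, so the signed output is computed from the previous file — this is inherited from the existing loop above the hunk, but `onchanges: - file: zones-{{ file }}` would sign the updated zone instead.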
@@ -7,9 +7,7 @@ // organization //include "/etc/bind/zones.rfc1918"; -{% for key,args in salt['pillar.get']('bind:configured_zones', {}).iteritems() -%} -{%- set file = salt['pillar.get']("bind:available_zones:" + key + ":file") %} -{%- set masters = salt['pillar.get']("bind:available_zones:" + key + ":masters") %} +{%- macro zone(key, args, file, masters) %} zone "{{ key }}" { type {{ args['type'] }}; {% if args['dnssec'] is defined and args['dnssec'] -%} @@ -20,6 +18,13 @@ zone "{{ key }}" { {% if args['allow-update'] is defined -%} allow-update { {{args['allow-update']}}; }; {%- endif %} + {%- if args.update_policy is defined %} + update-policy { + {%- for policy in args.update_policy %} + {{ policy }}; + {%- endfor %} + }; + {%- endif %} {% if args['type'] == "master" -%} {% if args['notify'] -%} notify yes; 
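Review bot: In the `@@ -20,6 +18,13 @@` hunk the new `update-policy` block renders independently of the `allow-update` block just above it, so a zone whose pillar carries both `allow-update` and `update_policy` produces a zone statement with both; as far as I recall BIND treats the pair as conflicting (`named-checkconf` at least warns that `allow-update` is ignored when `update-policy` is present), which means the ACL the operator believes is gating dynamic updates silently is not. I would make them exclusive in the template: replace the `{%- endif %}` after the `allow-update` line with `{%- elif args.update_policy is defined %}` and drop the separate `{%- if args.update_policy is defined %}`, so only one of the two can ever be emitted. The new block also reads `args.update_policy` while the sibling lookups use `args['allow-update']`; picking one key style (and documenting it in pillar.example) makes pillar typos easier to spot. The `zone` macro this lands in starts and ends outside the hunk.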
@@ -31,8 +36,39 @@ zone "{{ key }}" { masters { {{ masters }} }; {%- endif %} }; +{%- endmacro %} + +{%- if not pillar.bind.configured_views is defined %} +include "/etc/bind/named.conf.default-zones"; +{%- endif %} + +{% for key,args in salt['pillar.get']('bind:configured_zones', {}).iteritems() -%} +{%- set file = salt['pillar.get']("bind:available_zones:" + key + ":file") %} +{%- set masters = salt['pillar.get']("bind:available_zones:" + key + ":masters") %} +{{ zone(key, args, file, masters) }} {% endfor %} +{% for view, view_data in salt['pillar.get']('bind:configured_views', {}).iteritems() %} + +view {{ view }}{ +{%- if view == 'default' %} + include "/etc/bind/named.conf.default-zones"; +{%- endif %} + +match-clients{ +{%- for acl in view_data.get('match_clients', {}) %} + {{ acl }}; +{%- endfor %} +}; + +{% for key,args in view_data.get('configured_zones', {}).iteritems() -%} +{%- set file = salt['pillar.get']("bind:available_zones:" + key + ":file") %} +{%- set masters = salt['pillar.get']("bind:available_zones:" + key + ":masters") %} + {{ zone(key, args, file, masters) }} +{%- endfor %} +}; +{%- endfor %} + logging { channel "querylog" { file "{{ map.log_dir }}/query.log"; print-time yes; }; category queries { querylog; }; diff --git a/pillar.example b/pillar.example index 82f4c84..2d322db 100644 --- a/pillar.example +++ b/pillar.example @@ -29,6 +29,17 @@ bind: type: master allow-update: "key core_dhcp" notify: True + configured_views: + myview1: + match_clients: + - client1 + - client2 + configured_zones: + my.zone: + type: master + notify: False + update_policy: + - "grant core_dhcp name dns_entry_allowed_to_update. ANY" bind: available_zones:
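Review bot: The views loop iterates the pillar dict with `.iteritems()`, so the order views land in named.conf.local is whatever the Python dict hands back, yet named matches views in configuration order with the first `match-clients` hit winning; a view whose ACL is `any` can therefore render ahead of a restricted internal view and answer internal clients with the external data — or, the other way round, expose internal zones to the world. Make the order explicit and deterministic, e.g. `{% for view, view_data in salt['pillar.get']('bind:configured_views', {})|dictsort %}` (which also removes the Python 2-only `iteritems`), and document that view names sort into matching order, or add an `order` key and sort on it. Separately, `match_clients` defaults to `{}` so a view with no ACL renders `match-clients{ };` that matches nobody, which is better surfaced as a render error than a silent dead view, and `named.conf.default-zones` now only reaches a view literally named `default`, which deserves a line in pillar.example.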
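Review bot: The example `update_policy` in the pillar.example hunk grants the DHCP key `ANY` record type at `dns_entry_allowed_to_update.`, which lets that key replace CNAME, MX or any other record at the name, while a DHCP updater only needs the address records it writes; since examples get copied verbatim, I would show the least-privilege form, e.g. `- "grant core_dhcp name dns_entry_allowed_to_update. A AAAA TXT"` (whichever types your DHCP server actually updates). A short comment next to it should also say that the name must be absolute (the trailing dot) and that `my.zone` must exist under `bind:available_zones` with a `file` entry, because config.sls and named.conf.local derive the zone file from that lookup and render an empty file name otherwise; the contents of that section sit outside the hunk.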