saltstack-formulas/bind-formula
1
0
Fork 0
mirror of https://github.com/saltstack-formulas/bind-formula.git synced 2025-04-15 17:20:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

New features and pillar.example

Browse source
This commit is contained in:
Pieprzycki Piotr 2017-10-18 22:35:21 +02:00
parent 1adf5f196b
commit 2947dde649
6 changed files with 308 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
bind/config.sls
View file

@ -130,6 +130,23 @@ bind_default_zones:
- group: root
- context:
map: {{ map }}
{%- if salt['pillar.get']('bind:config:use_extensive_logging', False) %}
bind_logging_config:
file.managed:
- name: {{ map.logging_config }}
- source: salt://{{ map.config_source_dir }}/named.conf.logging
- template: jinja
- user: {{ salt['pillar.get']('bind:config:user', map.user) }}
- group: {{ salt['pillar.get']('bind:config:group', map.group) }}
- mode: {{ salt['pillar.get']('bind:config:mode', '644') }}
- context:
map: {{ map }}
- require:
- pkg: bind
- watch_in:
- service: bind
{%- endif %}
{% endif %}
{% for zone, zone_data in salt['pillar.get']('bind:configured_zones', {}).items() -%}

65
bind/files/debian/named.conf.local
View file

@ -41,6 +41,12 @@ zone "{{ key }}" {
{%- if args['also-notify'] is defined %}
also-notify { {{ args.get('also-notify', []) | join('; ') }}; };
{%- endif %}
{%- if args['allow-query'] is defined %}
allow-query { {{ args.get('allow-query', []) | join('; ') }}; };
{%- endif %}
{%- if args['zone-statistics'] is defined %}
zone-statistics yes;
{%- endif %}
{%- if args['type'] == "master" -%}
{% if args['notify'] %}
notify yes;
@ -68,8 +74,17 @@ include "{{ map.default_zones_config }}";
{%- endif %}
{% for key, args in salt['pillar.get']('bind:configured_zones', {}).items() -%}
{%- if salt['pillar.get']("bind:configured_zones:" + key + ":file") -%}
{%- set file = salt['pillar.get']("bind:configured_zones:" + key + ":file") %}
{% else %}
{%- set file = salt['pillar.get']("bind:available_zones:" + key + ":file") %}
{%- endif -%}
{%- if salt['pillar.get']("bind:configured_zones:" + key + ":masters") -%}
{%- set masters = salt['pillar.get']("bind:configured_zones:" + key + ":masters") %}
{% else %}
{%- set masters = salt['pillar.get']("bind:available_zones:" + key + ":masters") %}
{%- endif -%}
{{ zone(key, args, file, masters) }}
{% endfor %}
@ -94,6 +109,9 @@ match-clients {
};
{%- endfor %}
{%- if salt['pillar.get']('bind:config:use_extensive_logging', False) %}
include "{{ map.logging_config }}";
{% else %}
logging {
channel "querylog" {
file "{{ map.log_dir }}/query.log";
@ -101,6 +119,45 @@ logging {
};
category queries { querylog; };
};
{%- endif %}
{%- if salt['pillar.get']('bind:controls', False) %}
controls {
{%- for name, control in salt['pillar.get']('bind:controls').iteritems() if control.get('enabled', True) %}
inet {{ control.get('bind', {}).get('address', '127.0.0.1') }} port {{ control.get('bind', {}).get('port', 953) }}
{%- if control.get('allow') %}
allow {
{%- for allow in control.allow %}
{{ allow }};
{%- endfor %}
}
{%- endif %}
{%- if control.get('keys') %}
keys {
{%- for key in control.get('keys') %}
{{ key }};
{%- endfor %}
}
{%- endif %};
{%- endfor %}
};
{%- endif %}
{%- if salt['pillar.get']('bind:statistics', False) %}
statistics-channels {
{%- for name, channel in salt['pillar.get']('bind:statistics').iteritems() if channel.get('enabled', True) %}
inet {{ channel.get('bind', {}).get('address', '127.0.0.1') }} port {{ channel.get('bind', {}).get('port', 953) }}
{%- if channel.get('allow') %}
allow {
{%- for allow in channel.allow %}
{{ allow }};
{%- endfor %}
}
{%- endif %};
{%- endfor %}
};
{%- endif %}
{%- for name, data in salt['pillar.get']('bind:configured_acls', {}).items() %}
acl {{ name }} {
@ -109,3 +166,11 @@ acl {{ name }} {
{%- endfor %}
};
{%- endfor %}
{%- for name, data in salt['pillar.get']('bind:configured_masters', {}).items() %}
masters {{ name }} {
{%- for d in data %}
{{ d }};
{%- endfor %}
};
{%- endfor %}

120
bind/files/debian/named.conf.logging Normal file
View file

@ -0,0 +1,120 @@
// Configuration based on https://kb.isc.org/article/AA-01526/0/BIND-Logging-some-basic-recommendations.html
logging {
channel default_log {
file "{{ map.log_dir }}/default" versions {{salt['pillar.get']('bind:config:use_extensive_logging:versions', '3')}} size {{salt['pillar.get']('bind:config:use_extensive_logging:size', '20m')}};
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel auth_servers_log {
file "{{ map.log_dir }}/auth_servers" versions {{salt['pillar.get']('bind:config:use_extensive_logging:versions', '3')}} size {{salt['pillar.get']('bind:config:use_extensive_logging:size', '20m')}};
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel dnssec_log {
file "{{ map.log_dir }}/dnssec" versions {{salt['pillar.get']('bind:config:use_extensive_logging:versions', '3')}} size {{salt['pillar.get']('bind:config:use_extensive_logging:size', '20m')}};
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel zone_transfers_log {
file "{{ map.log_dir }}/zone_transfers" versions {{salt['pillar.get']('bind:config:use_extensive_logging:versions', '3')}} size {{salt['pillar.get']('bind:config:use_extensive_logging:size', '20m')}};
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel ddns_log {
file "{{ map.log_dir }}/ddns" versions {{salt['pillar.get']('bind:config:use_extensive_logging:versions', '3')}} size {{salt['pillar.get']('bind:config:use_extensive_logging:size', '20m')}};
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel client_security_log {
file "{{ map.log_dir }}/client_security" versions {{salt['pillar.get']('bind:config:use_extensive_logging:versions', '3')}} size {{salt['pillar.get']('bind:config:use_extensive_logging:size', '20m')}};
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel rate_limiting_log {
file "{{ map.log_dir }}/rate_limiting" versions {{salt['pillar.get']('bind:config:use_extensive_logging:versions', '3')}} size {{salt['pillar.get']('bind:config:use_extensive_logging:size', '20m')}};
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel rpz_log {
file "{{ map.log_dir }}/rpz" versions {{salt['pillar.get']('bind:config:use_extensive_logging:versions', '3')}} size {{salt['pillar.get']('bind:config:use_extensive_logging:size', '20m')}};
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
//
// If you have the category queries defined, and you dont want query logging
// by default, make sure you add option querylog no; - then you can toggle
// query logging on (and off again) using command rndc querylog
//
channel queries_log {
file "{{ map.log_dir }}/queries" versions {{salt['pillar.get']('bind:config:use_extensive_logging:versions', '3')}} size {{salt['pillar.get']('bind:config:use_extensive_logging:size', '20m')}};
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel query-errors_log {
file "{{ map.log_dir }}/query-errors" versions {{salt['pillar.get']('bind:config:use_extensive_logging:versions', '3')}} size {{salt['pillar.get']('bind:config:use_extensive_logging:size', '20m')}};
print-time yes;
print-category yes;
print-severity yes;
severity dynamic;
};
channel default_syslog {
print-time yes;
print-category yes;
print-severity yes;
syslog daemon;
severity info;
};
channel default_debug {
print-time yes;
print-category yes;
print-severity yes;
file "named.run";
severity dynamic;
};
category default { default_syslog; default_debug; default_log; };
category config { default_syslog; default_debug; default_log; };
category dispatch { default_syslog; default_debug; default_log; };
category network { default_syslog; default_debug; default_log; };
category general { default_syslog; default_debug; default_log; };
category resolver { auth_servers_log; default_debug; };
category cname { auth_servers_log; default_debug; };
category delegation-only { auth_servers_log; default_debug; };
category lame-servers { auth_servers_log; default_debug; };
category edns-disabled { auth_servers_log; default_debug; };
category dnssec { dnssec_log; default_debug; };
category notify { zone_transfers_log; default_debug; };
category xfer-in { zone_transfers_log; default_debug; };
category xfer-out { zone_transfers_log; default_debug; };
category update{ ddns_log; default_debug; };
category update-security { ddns_log; default_debug; };
category client{ client_security_log; default_debug; };
category security { client_security_log; default_debug; };
category rate-limit { rate_limiting_log; default_debug; };
category spill { rate_limiting_log; default_debug; };
category database { rate_limiting_log; default_debug; };
category rpz { rpz_log; default_debug; };
category queries { queries_log; };
category query-errors {query-errors_log; };
};

4
bind/files/zone.jinja
View file

@ -11,9 +11,9 @@
{%- set zone_expiry = soa['expiry'] if soa['expiry'] is defined else '2w' %}
{%- set zone_nxdomain = soa['nxdomain'] if soa['nxdomain'] is defined else '1m' %}
{%- if soa['ttl'] is defined -%}
{% if soa['ttl'] is defined %}
$TTL {{ soa['ttl'] }}
{%- endif %}
{% endif %}
@ {{ zone_class }} SOA {{ zone_ns }} {{ zone_contact }} (
{{ zone_serial }} ; serial
{{ zone_refresh }} ; refresh

6
bind/map.jinja
View file

@ -10,12 +10,16 @@
'options_config': '/etc/bind/named.conf.options',
'default_config': '/etc/default/bind9',
'default_zones_config': '/etc/bind/named.conf.default-zones',
'logging_config': '/etc/bind/named.conf.logging',
'named_directory': '/var/cache/bind/zones',
'log_dir': '/var/log/bind9',
'log_mode': '644',
'user': 'bind',
'group': 'bind',
'mode': '644'
'mode': '644',
'options': {
'querylog': 'no'
}
},
'RedHat': {
'pkgs': ['bind'],

102
pillar.example
View file

@ -32,19 +32,115 @@ bind:
dnssec-enable: 'yes'
dnssec-validation: 'yes'
# End RedHat defaults
protocol: 4 # Force bind to serve only one IP protocol
# (ipv4: 4, ipv6: 6). Omitting this reverts to
# binds default of both.
# Debian and FreeBSD based systems
# Debian and FreeBSD based systems
default_zones: True # If set to True, the default-zones configuration
# will be enabled. Defaults to False.
includes: # Include any additional configuration file(s) in
- /some/additional/named.conf # named.conf
# End Debian based systems
# Debian based systems optional configs
bind:
config:
options:
querylog: 'yes' # Enable query logs, by default is disabled in map.jinja (yes,no)
#use_extensive_logging: True # Enable extensive config for logging
use_extensive_logging: # Enable extensive config for logging
versions: 5 # Additionaly you can set how many files will be stored
size: '100m' # Maximum size of a individual file
controls:
local:
enabled: true
bind:
address: 127.0.0.1
port: 953
allow:
- 127.0.0.1
keys:
- core_dhcp
myip4:
enabled: true
bind:
address: 10.161.161.168
port: 953
allow:
- 10.161.161.168
- my_net
keys:
- core_dhcp
statistics: # Enable statistics-channel
local:
enabled: true
bind:
address: 127.0.0.1
port: 8053
allow:
- 127.0.0.1
myip4:
enabled: true
bind:
address: 10.161.161.168
port: 8123
allow:
- 10.161.64.168
- my_net
configured_zones: # Debian based systems can have zones using only configured_zones
sub.domain.com: # This zone will be copied from zones_source_dir
file: sub.domain.com # You can optionally specify name fd a file for the zone here.
type: master # Yo don't have define zone again in available_zones.
# This feature is backward compatibile and only available in debian
notify: False # if type master you need specify notify True/False
sub2.domain.com:
file: sub2.domain.com
type: master
notify: True
allow-query:
- any
allow-transfer:
- my_net
allow-update: 'none'
also-notify:
- 1.2.3.4
- 1.2.3.3
zone-statistics: yes # Enable detailed statistics for zone. You need enable statistics first
test.zone.com:
file: test.zone.com
type: slave
notify: False
masters:
- my_dns_masters # You can specify masters by using name
test.zone2.com: # Zone definied in default style of this formula
type: slave # You need specify all info inside available_zones
notify: False
configured_masters: # Configure master dns
my_dns_masters:
- 10.10.20.20
- 10.10.30.30
available_zones: # Configuration required in default style
test.zone2.com:
file: test.zone2.com # You are required specify file name here
masters: # As also masters if you have slave type zone
- 10.167.73.21
- 10.174.60.44
# End Debian based systems features
### Keys, Zones, ACLs and Views ###