diff --git a/bind/files/suse/default b/bind/files/suse/default
new file mode 100644
index 0000000..adce6aa
--- /dev/null
+++ b/bind/files/suse/default
@@ -0,0 +1,70 @@ +{% set protocol = salt['pillar.get']('bind:config:protocol', False) -%} +{% set param = [] -%} +{% if protocol -%} + {{ param.append('-' + protocol|string) }} +{% endif -%} +## Path: Network/DNS/Name Server +## Description: Names server settings + +## Type: yesno +## Default: yes +## ServiceRestart: lwresd,named +# +# Shall the DNS server 'named' or the LightWeight RESolver Daemon, lwresd run +# in the chroot jail /var/lib/named/? +# +# Each time you start one of the daemons with the init script, /etc/named.conf, +# /etc/named.conf.include, /etc/rndc.key, and all files listed in +# NAMED_CONF_INCLUDE_FILES will be copied relative to /var/lib/named/. +# +# The pid file will be in /var/lib/named/var/run/named/ and named named.pid +# or lwresd.pid. +# +NAMED_RUN_CHROOTED="yes" + +## Type: string +## Default: "" +## ServiceRestart: lwresd,named +# +# Additional arguments when starting the name daemon with the init script +# /etc/init.d/named or rcnamed. +# +# For example "-n 2" to use two CPUs if named is unable to determine the +# number of available CPUs. +# +# See man 8 named for all available commandline options. +# +# "-t /var/lib/named/var" is added if NAMED_RUN_CHROOTED is set to yes. +# +# "-u named" is used in any case by the init script to run the named daemon as +# user 'named' after completing privileged operations. +# +NAMED_ARGS="{{ param|join(' ') }}" +## Type: string +## Default: "" +## ServiceReload: named +# +# All mentioned config files will be copied relativ to /var/lib/named/, when +# 'named' is started in the chroot jail. +# +# /etc/named.conf and /etc/rndc.key are always copied. Also all files from +# include statements in named.conf. +# +# Filenames can be relative to /etc/named.d/. +# +# Please take care of the order if one file needs a setting of another. 
+#
+# Example: "/etc/named-dhcpd.key ldap.dump rndc-access.conf"
+#
+NAMED_CONF_INCLUDE_FILES="{{ map.local_config }} {{ salt['pillar.get']('bind:config:includes', [])|join(' ') }}"
+
+## Type: string
+## Default: "createNamedConfInclude"
+## ServiceReload: named
+#
+# Programms to be executed each time the DNS server 'named' is started or
+# reloaded.
+#
+# Filenames can be relative to /usr/share/bind/.
+#
+NAMED_INITIALIZE_SCRIPTS="createNamedConfInclude"
diff --git a/bind/files/suse/named.conf b/bind/files/suse/named.conf
new file mode 100644
index 0000000..5188bdf
--- /dev/null
+++ b/bind/files/suse/named.conf
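Review bot: The values pulled from `bind:config:protocol` and `bind:config:includes` are written verbatim inside the double-quoted `NAMED_ARGS=` and `NAMED_CONF_INCLUDE_FILES=` assignments, and the file's own comments say `/etc/sysconfig/named` is read by the init script, i.e. sourced as shell by root, so a pillar entry containing `"`, `$(` or a backtick executes as a command instead of being handed to named. Pillar is normally administrator-controlled, so this is defence in depth rather than an exposed hole, but the guard is cheap: replace `{% if protocol -%}` with `{% if protocol|string in ['4', '6'] -%}` (the only values the `-4`/`-6` switch takes) and drop or fail on any include entry that contains a quote, `$`, backtick or whitespace before joining the list. Separately, `{{ param.append('-' + protocol|string) }}` prints the return value of `append`, which Jinja renders as the literal text `None` unless the renderer suppresses it; the side-effect idiom is `{% do param.append('-' + protocol|string) %}`, using the `do` extension Salt's renderer loads.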
@@ -0,0 +1,176 @@ +# Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany. +# All rights reserved. +# +# Author: Frank Bodammer, Lars Mueller +# +# /etc/named.conf +# +# This is a sample configuration file for the name server BIND 9. It works as +# a caching only name server without modification. +# +# A sample configuration for setting up your own domain can be found in +# /usr/share/doc/packages/bind/sample-config. +# +# A description of all available options can be found in +# /usr/share/doc/packages/bind/misc/options. + +options { + + # The directory statement defines the name server's working directory + + directory "/var/lib/named"; + + # enable DNSSEC validation + # + # If BIND logs error messages about the root key being expired, you + # will need to update your keys. See https://www.isc.org/bind-keys + # + # dnssec-enable yes (default), indicates that a secure DNS service + # is being used which may be one, or more, of TSIG + # (for securing zone transfers or DDNS updates), SIG(0) + # (for securing DDNS updates) or DNSSEC. + + #dnssec-enable yes; + + # dnssec-validation yes (default), indicates that a resolver + # (a caching or caching-only name server) will attempt to validate + # replies from DNSSEC enabled (signed) zones. To perform this task + # the server also needs either a valid trusted-keys clause + # (containing one or more trusted-anchors or a managed-keys clause. + + #dnssec-validation auto; + managed-keys-directory "/var/lib/named/dyn/"; + + # Write dump and statistics file to the log subdirectory. The + # pathenames are relative to the chroot jail. + + dump-file "/var/log/named_dump.db"; + statistics-file "/var/log/named.stats"; + + # The forwarders record contains a list of servers to which queries + # should be forwarded. Enable this line and modify the IP address to + # your provider's name server. Up to three servers may be listed. 
+ + #forwarders { 192.0.2.1; 192.0.2.2; }; + + # Enable the next entry to prefer usage of the name server declared in + # the forwarders section. + + #forward first; + + # The listen-on record contains a list of local network interfaces to + # listen on. Optionally the port can be specified. Default is to + # listen on all interfaces found on your system. The default port is + # 53. + + #listen-on port 53 { 127.0.0.1; }; + + # The listen-on-v6 record enables or disables listening on IPv6 + # interfaces. Allowed values are 'any' and 'none' or a list of + # addresses. + + listen-on-v6 { any; }; + + # The next three statements may be needed if a firewall stands between + # the local server and the internet. + + #query-source address * port 53; + #transfer-source * port 53; + #notify-source * port 53; + + # The allow-query record contains a list of networks or IP addresses + # to accept and deny queries from. The default is to allow queries + # from all hosts. + + #allow-query { 127.0.0.1; }; + + # If notify is set to yes (default), notify messages are sent to other + # name servers when the the zone data is changed. Instead of setting + # a global 'notify' statement in the 'options' section, a separate + # 'notify' can be added to each zone definition. + + notify no; + + disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; + +{#- Allow inclusion of arbitrary statements #} +{%- for statement, value in salt['pillar.get']('bind:config:options', map.get('options', {})).items() -%} + {%- if value is iterable and value is not string %} + {{ statement }} { + {%- for item in value %} + {{ item }}; + {%- endfor %} + }; + {%- else %} + {{ statement }} {{ value }}; + {%- endif %} +{%- endfor %} + +}; + +# To configure named's logging remove the leading '#' characters of the +# following examples. +#logging { +# # Log queries to a file limited to a size of 100 MB. 
+# channel query_logging { +# file "/var/log/named_querylog" +# versions 3 size 100M; +# print-time yes; // timestamp log entries +# }; +# category queries { +# query_logging; +# }; +# +# # Or log this kind alternatively to syslog. +# channel syslog_queries { +# syslog user; +# severity info; +# }; +# category queries { syslog_queries; }; +# +# # Log general name server errors to syslog. +# channel syslog_errors { +# syslog user; +# severity error; +# }; +# category default { syslog_errors; }; +# +# # Don't log lame server messages. +# category lame-servers { null; }; +#}; + +# The following zone definitions don't need any modification. The first one +# is the definition of the root name servers. The second one defines +# localhost while the third defines the reverse lookup for localhost. + +zone "." in { + type hint; + file "root.hint"; +}; + +zone "localhost" in { + type master; + file "localhost.zone"; +}; + +zone "0.0.127.in-addr.arpa" in { + type master; + file "127.0.0.zone"; +}; + +zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { + type master; + file "127.0.0.zone"; +}; + + +# Include the meta include file generated by createNamedConfInclude. This +# includes all files as configured in NAMED_CONF_INCLUDE_FILES from +# /etc/sysconfig/named + +include "/etc/named.conf.include"; + +# You can insert further zone records for your own domains below or create +# single files in /etc/named.d/ and add the file names to +# NAMED_CONF_INCLUDE_FILES. +# See /usr/share/doc/packages/bind/README.SUSE for more details. diff --git a/bind/files/suse/named.conf.local b/bind/files/suse/named.conf.local new file mode 100644 index 0000000..e0a2d4d --- /dev/null +++ b/bind/files/suse/named.conf.local 
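Review bot: As rendered, the `options` block restricts nothing: `listen-on` and `allow-query` stay commented out (the template's own comment says the default accepts queries from all hosts), `listen-on-v6 { any; };` is active, and BIND's default of recursion enabled is never overridden, so a host with a public address becomes an open recursive resolver unless every deployment remembers to supply `allow-recursion`/`allow-query` through `bind:config:options`. Consider rendering a conservative default that the pillar can widen, e.g. `allow-recursion { localhost; localnets; };` inside `options`, or at least document the requirement in a comment next to the pillar loop. Separately, `{{ statement }} {{ value }};` prints a YAML boolean as `True`/`False`, so an unquoted `recursion: no` in pillar renders as `recursion False;`, which named rejects at startup; mapping booleans first, `{{ statement }} {{ 'yes' if value is sameas true else ('no' if value is sameas false else value) }};`, avoids the surprise.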
@@ -0,0 +1,77 @@ +// +// Do any local configuration here +// +{%- macro zone(key, args, file, masters) %} +zone "{{ key }}" IN { + type {{ args['type'] }}; + {% if args['type'] == 'forward' -%} + {% if args['forward'] is defined -%} + forward {{ args['forward'] }}; + {%- endif %} + forwarders { + {% for forwarder in args.forwarders -%} + {{ forwarder }}; + {%- endfor %} + }; + {% else -%} + {% if args['dnssec'] is defined and args['dnssec'] -%} + file "{{ file }}.signed"; + {% else -%} + file "{{ file }}"; + {%- endif %} + {%- if args['allow-update'] is defined %} + allow-update { {{args['allow-update']}}; }; + {%- endif %} + {%- if args.update_policy is defined %} + update-policy { + {%- for policy in args.update_policy %} + {{ policy }}; + {%- endfor %} + }; + {%- endif %} + {%- if args['allow-transfer'] is defined %} + allow-transfer { {{ args.get('allow-transfer', []) | join('; ') }}; }; + {%- endif %} + {%- if args['also-notify'] is defined %} + also-notify { {{ args.get('also-notify', []) | join('; ') }}; }; + {%- endif %} + {%- if args['type'] == 'slave' %} + {%- if args['allow-notify'] is defined %} + allow-notify { {{ args.get('allow-notify', []) | join('; ') }}; }; + {%- endif %} + {%- endif %} + {%- if args['type'] == "master" -%} + {% if args['notify'] %} + notify yes; + {% else %} + notify no; + {%- endif -%} + {% else %} + notify no; + {%- if masters is iterable and masters is not string %} + masters { + {%- for item in masters %} + {{ item }}; + {%- endfor %} + }; + {%- else %} + masters { {{ masters }} }; + {%- endif %} + {%- endif %} + {%- endif %} +}; +{%- endmacro %} + +{% for key, args in salt['pillar.get']('bind:configured_zones', {}).items() -%} +{%- set file = args.get('file', salt['pillar.get']("bind:available_zones:" + key + ":file")) %} +{%- set masters = args.get('masters', salt['pillar.get']("bind:available_zones:" + key + ":masters")) %} +{{ zone(key, args, file, masters) }} +{% endfor %} + +{%- for name, data in 
salt['pillar.get']('bind:configured_acls', {}).items() %} +acl {{ name }} { + {%- for d in data %} + {{ d }}; + {%- endfor %} +}; +{%- endfor %} diff --git a/bind/map.jinja b/bind/map.jinja index 4d0284e..7dcdc22 100644 --- a/bind/map.jinja +++ b/bind/map.jinja @@ -73,6 +73,21 @@ 'group': 'bind', 'mode': '640' }, + 'Suse': { + 'pkgs': ['bind'], + 'service': 'named', + 'config_source_dir': 'bind/files/suse', + 'zones_source_dir': 'zones', + 'config': '/etc/named.conf', + 'local_config': '/etc/named.d/named.conf.local', + 'default_config': '/etc/sysconfig/named', + 'named_directory': '/var/lib/named', + 'log_dir': '/var/log/named', + 'log_mode': '640', + 'user': 'root', + 'group': 'named', + 'mode': '640', + }, }, merge=salt['grains.filter_by']({ 'jessie': { 'pkgs': ['bind9', 'bind9utils'],
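Review bot: A primary zone is rendered with `allow-transfer` only when the pillar supplies one, and the named.conf added in this change sets no global `allow-transfer` either; on BIND releases before 9.19 the built-in default is to allow transfers to any host, so every zone that omits the key can be dumped in full by anyone who can reach port 53, which is a standard reconnaissance step. Rendering a deny-by-default, `{%- else %}` followed by `allow-transfer { none; };` in the `allow-transfer` branch, and requiring operators to list their secondaries closes that; it would affect deployments relying on the implicit any, so it belongs in the changelog. While here, the scalar branch `masters { {{ masters }} };` lacks the element terminator that the list branch and `allow-update` both emit, so a plain `masters: 192.0.2.1` in pillar renders `masters { 192.0.2.1 };`, which named-checkconf rejects unless the pillar value already ends in `;` — `masters { {{ masters }}; };` fixes it.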