From 45e8128487ce978ab9583bf4ff9d5e1c1f177978 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20B=C3=A9rtoli?=
Date: Sat, 26 May 2018 19:57:58 -0300
Subject: [PATCH] Refactor named.conf.local & logging across platforms

---
 bind/config.sls | 4 +-
 bind/files/arch/named.conf | 12 --
 bind/files/arch/named.conf.local | 57 ---------
 bind/files/freebsd/named.conf.local | 113 ------------------
 ...amed.conf.local => named.conf.local.jinja} | 2 +
 ....conf.logging => named.conf.logging.jinja} | 0
 bind/files/redhat/named.conf | 40 -------
 bind/files/redhat/named.conf.local | 82 -------------
 bind/files/suse/named.conf | 31 -----
 bind/files/suse/named.conf.local | 77 ------------
 bind/map.jinja | 10 +-
 pillar.example | 57 +++++----
 12 files changed, 34 insertions(+), 451 deletions(-)
 delete mode 100644 bind/files/arch/named.conf.local
 delete mode 100644 bind/files/freebsd/named.conf.local
 rename bind/files/{debian/named.conf.local => named.conf.local.jinja} (98%)
 rename bind/files/{debian/named.conf.logging => named.conf.logging.jinja} (100%)
 delete mode 100644 bind/files/redhat/named.conf.local
 delete mode 100644 bind/files/suse/named.conf.local

diff --git a/bind/config.sls b/bind/config.sls
index 380fdbb..83204f4 100644
--- a/bind/config.sls
+++ b/bind/config.sls
@@ -59,7 +59,7 @@ bind_config: bind_local_config: file.managed: - name: {{ map.local_config }} - - source: 'salt://{{ map.config_source_dir }}/named.conf.local' + - source: salt://bind/files/named.conf.local.jinja - template: jinja - user: {{ salt['pillar.get']('bind:config:user', map.user) }} - group: {{ salt['pillar.get']('bind:config:group', map.group) }} 
@@ -140,7 +140,7 @@ bind_default_zones: bind_logging_config: file.managed: - name: {{ map.logging_config }} - - source: salt://{{ map.config_source_dir }}/named.conf.logging + - source: salt://bind/files/named.conf.logging.jinja - template: jinja - user: {{ salt['pillar.get']('bind:config:user', map.user) }} - group: {{ salt['pillar.get']('bind:config:group', map.group) }} diff --git a/bind/files/arch/named.conf b/bind/files/arch/named.conf index 3aab9ba..46dbd7a 100644 --- a/bind/files/arch/named.conf +++ b/bind/files/arch/named.conf @@ -64,16 +64,4 @@ zone "." IN { // allow-transfer { any; }; //}; -//logging { -// channel xfer-log { -// file "/var/log/named.log"; -// print-category yes; -// print-severity yes; -// severity info; -// }; -// category xfer-in { xfer-log; }; -// category xfer-out { xfer-log; }; -// category notify { xfer-log; }; -//}; - include "{{ map.local_config }}"; diff --git a/bind/files/arch/named.conf.local b/bind/files/arch/named.conf.local deleted file mode 100644 index a7fb87c..0000000 --- a/bind/files/arch/named.conf.local +++ /dev/null 
@@ -1,57 +0,0 @@ -# vim: sts=2 ts=2 sw=2 et ai -// -// Do any local configuration here -// - -// Consider adding the 1918 zones here, if they are not used in your -// organization -//include "/etc/bind/zones.rfc1918"; - -{%- macro zone(key, args, file, masters) %} -zone "{{ key }}" { - type {{ args['type'] }}; - {% if args['type'] == 'forward' -%} - {% if args['forward'] is defined -%} - forward {{ args['forward'] }}; - {%- endif %} - forwarders { - {% for forwarder in args.forwarders -%} - {{ forwarder }}; - {%- endfor %} - }; - {% else -%} - file "{{ file }}"; - {%- if args['allow-transfer'] is defined %} - allow-transfer { {{ args.get('allow-transfer', []) | join('; ') }}; }; - {%- endif %} - {%- if args['also-notify'] is defined %} - also-notify { {{ args.get('also-notify', []) | join('; ') }}; }; - {%- endif %} - {%- if args['type'] == "master" -%} - {% if args['notify'] %} - notify yes; - {% else %} - notify no; - {%- endif -%} - {% else %} - notify no; - {%- if masters is iterable and masters is not string %} - masters { - {%- for item in masters %} - {{ item }}; - {%- endfor %} - }; - {%- else %} - masters { {{ masters }} }; - {%- endif %} - {%- endif %} - {%- endif %} -}; -{%- endmacro %} - -{% for key, args in salt['pillar.get']('bind:configured_zones', {}).items() -%} -{%- set file = salt['pillar.get']("bind:available_zones:" + key + ":file") %} -{%- set masters = salt['pillar.get']("bind:available_zones:" + key + ":masters") %} -{{ zone(key, args, file, masters) }} -{% endfor %} - diff --git a/bind/files/freebsd/named.conf.local b/bind/files/freebsd/named.conf.local deleted file mode 100644 index 43e9fda..0000000 --- a/bind/files/freebsd/named.conf.local +++ /dev/null 
@@ -1,113 +0,0 @@ -# vim: sts=2 ts=2 sw=2 et ai -// -// Do any local configuration here -// - -// Consider adding the 1918 zones here, if they are not used in your -// organization -//include "/etc/bind/zones.rfc1918"; - -{%- macro zone(key, args, file, masters) %} -zone "{{ key }}" { - type {{ args['type'] }}; - {% if args['type'] == 'forward' -%} - {% if args['forward'] is defined -%} - forward {{ args['forward'] }}; - {%- endif %} - forwarders { - {% for forwarder in args.forwarders -%} - {{ forwarder }}; - {%- endfor %} - }; - {% else -%} - {% if args['dnssec'] is defined and args['dnssec'] -%} - file "{{ map.named_directory }}/{{ file }}.signed"; - {% else -%} - file "{{ map.named_directory }}/{{ file }}"; - {%- endif %} - {%- if args['allow-update'] is defined %} - allow-update { {{args['allow-update']}}; }; - {%- endif %} - {%- if args.update_policy is defined %} - update-policy { - {%- for policy in args.update_policy %} - {{ policy }}; - {%- endfor %} - }; - {%- endif %} - {%- if args['allow-transfer'] is defined %} - allow-transfer { {{ args.get('allow-transfer', []) | join('; ') }}; }; - {%- endif %} - {%- if args['also-notify'] is defined %} - also-notify { {{ args.get('also-notify', []) | join('; ') }}; }; - {%- endif %} - {%- if args['type'] == "master" -%} - {% if args['notify'] %} - notify yes; - {% else %} - notify no; - {%- endif -%} - {% else %} - notify no; - {%- if masters is iterable and masters is not string %} - masters { - {%- for item in masters %} - {{ item }}; - {%- endfor %} - }; - {%- else %} - masters { {{ masters }} }; - {%- endif %} - {%- endif %} - {%- endif %} -}; -{%- endmacro %} - -{%- if salt['pillar.get']('bind:configured_views', {}) is not defined %} -include "{{ map.default_zones_config }}"; -{%- endif %} - -{% for key, args in salt['pillar.get']('bind:configured_zones', {}).items() -%} -{%- set file = salt['pillar.get']("bind:available_zones:" + key + ":file") %} -{%- set masters = salt['pillar.get']("bind:available_zones:" 
+ key + ":masters") %} -{{ zone(key, args, file, masters) }} -{% endfor %} - -{% for view, view_data in salt['pillar.get']('bind:configured_views', {}).items() %} - -view {{ view }} { -{%- if view == 'default' %} - include "{{ map.default_zones_config }}"; -{%- endif %} - -match-clients { -{%- for acl in view_data.get('match_clients', {}) %} - {{ acl }}; -{%- endfor %} -}; - -{% for key, args in view_data.get('configured_zones', {}).items() -%} -{%- set file = salt['pillar.get']("bind:available_zones:" + key + ":file") %} -{%- set masters = salt['pillar.get']("bind:available_zones:" + key + ":masters") %} - {{ zone(key, args, file, masters) }} -{%- endfor %} -}; -{%- endfor %} - -{% if salt['pillar.get']("bind:use_querylog", False) %} -logging { - channel "querylog" { - file "{{ map.log_dir }}/query.log"; - print-time yes; - }; - category queries { querylog; }; -}; -{% endif %} - -{%- for name, data in salt['pillar.get']('bind:configured_acls', {}).items() %} -acl {{ name }} { - {%- for d in data %} - {{ d }}; - {%- endfor %} -}; -{%- endfor %} diff --git a/bind/files/debian/named.conf.local b/bind/files/named.conf.local.jinja similarity index 98% rename from bind/files/debian/named.conf.local rename to bind/files/named.conf.local.jinja index 13ec45e..0189407 100644 --- a/bind/files/debian/named.conf.local +++ b/bind/files/named.conf.local.jinja @@ -109,6 +109,7 @@ match-clients { }; {%- endfor %} +{%- if salt['pillar.get']('bind:config:enable_logging', True) %} {%- if salt['pillar.get']('bind:config:use_extensive_logging', False) %} include "{{ map.logging_config }}"; {% else %} @@ -120,6 +121,7 @@ logging { category queries { querylog; }; }; {%- endif %} +{%- endif %} {%- if salt['pillar.get']('bind:controls', False) %} controls { diff --git a/bind/files/debian/named.conf.logging b/bind/files/named.conf.logging.jinja similarity index 100% rename from bind/files/debian/named.conf.logging rename to bind/files/named.conf.logging.jinja 
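Review bot: The new `enable_logging` guard in the first hunk of named.conf.local.jinja encloses both branches below it — the `include "{{ map.logging_config }}"` taken when `use_extensive_logging` is set and the basic `querylog` stanza in the `else` branch — so `bind:config:enable_logging: false` removes every logging statement this template emits and named presumably falls back to its built-in logging, which is a wider effect than the "basic query logging" wording in pillar.example suggests. A comment above the guard such as `{#- enable_logging=false drops both the extensive include and the querylog channel below #}` would make the two-level gate explicit to the next maintainer. Separately, the RedHat named.conf hunk removes a stanza driven by `bind:config:logging:channels` and `bind:config:logging:category`, and nothing else in this diff reads those keys, so minions still carrying that pillar data lose their channels silently unless the renamed named.conf.logging.jinja consumes them (its body is not in the diff); a line in the commit message or pillar.example naming the replacement keys would close that gap. Whether the RedHat and SUSE named.conf still reach this template through an `include` of `map.local_config` is not visible here either. The enclosing view loop closes before the first hunk and the `controls` block continues after the second.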
diff --git a/bind/files/redhat/named.conf b/bind/files/redhat/named.conf index 681410d..93e5202 100644 --- a/bind/files/redhat/named.conf +++ b/bind/files/redhat/named.conf @@ -32,46 +32,6 @@ options { managed-keys-directory "/var/named/dynamic"; }; -logging { - channel default_debug { - file "data/named.run"; - severity dynamic; - }; - -{%- for channel, value in salt['pillar.get']('bind:config:logging:channels', {}).items() -%} - {%- if value is iterable %} - channel {{ channel }} { - {%- for statement, item in value.items() %} - {{ statement }} {{ item }}; - {%- endfor %} - }; - {%- endif %} -{%- endfor %} - -{%- for statement, value in salt['pillar.get']('bind:config:logging:category', {}).items() %} - category {{ statement }} { - {%- for item in value %} - {{ item }}; - {%- endfor %} - }; -{%- endfor %} - -{%- for statement, value in salt['pillar.get']('bind:config:logging', {}).items() -%} - {%- if statement not in ( 'channels', 'category' ) %} - {%- if value is iterable and value is not string %} - {{ statement }} { - {%- for item in value %} - {{ item }}; - {%- endfor %} - }; - {%- else %} - {{ statement }} {{ value }}; - {%- endif %} - {%- endif %} -{%- endfor %} - -}; - zone "." IN { type hint; file "named.ca"; diff --git a/bind/files/redhat/named.conf.local b/bind/files/redhat/named.conf.local deleted file mode 100644 index fc5907a..0000000 --- a/bind/files/redhat/named.conf.local +++ /dev/null 
@@ -1,82 +0,0 @@ -// -// Do any local configuration here -// - -// Consider adding the 1918 zones here, if they are not used in your -// organization -//include "/etc/bind/zones.rfc1918"; - -{%- macro zone(key, args, file, masters) %} -zone "{{ key }}" IN { - type {{ args['type'] }}; - {% if args['type'] == 'forward' -%} - {% if args['forward'] is defined -%} - forward {{ args['forward'] }}; - {%- endif %} - forwarders { - {% for forwarder in args.forwarders -%} - {{ forwarder }}; - {%- endfor %} - }; - {% else -%} - {% if args['dnssec'] is defined and args['dnssec'] -%} - file "{{ file }}.signed"; - {% else -%} - file "{{ file }}"; - {%- endif %} - {%- if args['allow-update'] is defined %} - allow-update { {{args['allow-update']}}; }; - {%- endif %} - {%- if args.update_policy is defined %} - update-policy { - {%- for policy in args.update_policy %} - {{ policy }}; - {%- endfor %} - }; - {%- endif %} - {%- if args['allow-transfer'] is defined %} - allow-transfer { {{ args.get('allow-transfer', []) | join('; ') }}; }; - {%- endif %} - {%- if args['also-notify'] is defined %} - also-notify { {{ args.get('also-notify', []) | join('; ') }}; }; - {%- endif %} - {%- if args['type'] == 'slave' %} - {%- if args['allow-notify'] is defined %} - allow-notify { {{ args.get('allow-notify', []) | join('; ') }}; }; - {%- endif %} - {%- endif %} - {%- if args['type'] == "master" -%} - {% if args['notify'] %} - notify yes; - {% else %} - notify no; - {%- endif -%} - {% else %} - notify no; - {%- if masters is iterable and masters is not string %} - masters { - {%- for item in masters %} - {{ item }}; - {%- endfor %} - }; - {%- else %} - masters { {{ masters }} }; - {%- endif %} - {%- endif %} - {%- endif %} -}; -{%- endmacro %} - -{% for key, args in salt['pillar.get']('bind:configured_zones', {}).items() -%} -{%- set file = args.get('file', salt['pillar.get']("bind:available_zones:" + key + ":file")) %} -{%- set masters = args.get('masters', 
salt['pillar.get']("bind:available_zones:" + key + ":masters")) %} -{{ zone(key, args, file, masters) }} -{% endfor %} - -{%- for name, data in salt['pillar.get']('bind:configured_acls', {}).items() %} -acl {{ name }} { - {%- for d in data %} - {{ d }}; - {%- endfor %} -}; -{%- endfor %} diff --git a/bind/files/suse/named.conf b/bind/files/suse/named.conf index 5188bdf..73bdebd 100644 --- a/bind/files/suse/named.conf +++ b/bind/files/suse/named.conf @@ -108,37 +108,6 @@ options { }; -# To configure named's logging remove the leading '#' characters of the -# following examples. -#logging { -# # Log queries to a file limited to a size of 100 MB. -# channel query_logging { -# file "/var/log/named_querylog" -# versions 3 size 100M; -# print-time yes; // timestamp log entries -# }; -# category queries { -# query_logging; -# }; -# -# # Or log this kind alternatively to syslog. -# channel syslog_queries { -# syslog user; -# severity info; -# }; -# category queries { syslog_queries; }; -# -# # Log general name server errors to syslog. -# channel syslog_errors { -# syslog user; -# severity error; -# }; -# category default { syslog_errors; }; -# -# # Don't log lame server messages. -# category lame-servers { null; }; -#}; - # The following zone definitions don't need any modification. The first one # is the definition of the root name servers. The second one defines # localhost while the third defines the reverse lookup for localhost. diff --git a/bind/files/suse/named.conf.local b/bind/files/suse/named.conf.local deleted file mode 100644 index e0a2d4d..0000000 --- a/bind/files/suse/named.conf.local +++ /dev/null 
@@ -1,77 +0,0 @@ -// -// Do any local configuration here -// -{%- macro zone(key, args, file, masters) %} -zone "{{ key }}" IN { - type {{ args['type'] }}; - {% if args['type'] == 'forward' -%} - {% if args['forward'] is defined -%} - forward {{ args['forward'] }}; - {%- endif %} - forwarders { - {% for forwarder in args.forwarders -%} - {{ forwarder }}; - {%- endfor %} - }; - {% else -%} - {% if args['dnssec'] is defined and args['dnssec'] -%} - file "{{ file }}.signed"; - {% else -%} - file "{{ file }}"; - {%- endif %} - {%- if args['allow-update'] is defined %} - allow-update { {{args['allow-update']}}; }; - {%- endif %} - {%- if args.update_policy is defined %} - update-policy { - {%- for policy in args.update_policy %} - {{ policy }}; - {%- endfor %} - }; - {%- endif %} - {%- if args['allow-transfer'] is defined %} - allow-transfer { {{ args.get('allow-transfer', []) | join('; ') }}; }; - {%- endif %} - {%- if args['also-notify'] is defined %} - also-notify { {{ args.get('also-notify', []) | join('; ') }}; }; - {%- endif %} - {%- if args['type'] == 'slave' %} - {%- if args['allow-notify'] is defined %} - allow-notify { {{ args.get('allow-notify', []) | join('; ') }}; }; - {%- endif %} - {%- endif %} - {%- if args['type'] == "master" -%} - {% if args['notify'] %} - notify yes; - {% else %} - notify no; - {%- endif -%} - {% else %} - notify no; - {%- if masters is iterable and masters is not string %} - masters { - {%- for item in masters %} - {{ item }}; - {%- endfor %} - }; - {%- else %} - masters { {{ masters }} }; - {%- endif %} - {%- endif %} - {%- endif %} -}; -{%- endmacro %} - -{% for key, args in salt['pillar.get']('bind:configured_zones', {}).items() -%} -{%- set file = args.get('file', salt['pillar.get']("bind:available_zones:" + key + ":file")) %} -{%- set masters = args.get('masters', salt['pillar.get']("bind:available_zones:" + key + ":masters")) %} -{{ zone(key, args, file, masters) }} -{% endfor %} - -{%- for name, data in 
salt['pillar.get']('bind:configured_acls', {}).items() %} -acl {{ name }} { - {%- for d in data %} - {{ d }}; - {%- endfor %} -}; -{%- endfor %} diff --git a/bind/map.jinja b/bind/map.jinja index 24b2999..c8f05ce 100644 --- a/bind/map.jinja +++ b/bind/map.jinja @@ -1,6 +1,6 @@ {% set map = salt['grains.filter_by']({ 'Debian': { - 'pkgs': ['bind9', 'bind9utils', 'dnssec-tools'], + 'pkgs': ['bind9', 'bind9utils'], 'service': 'bind9', 'config_source_dir': 'bind/files/debian', 'zones_source_dir': 'zones', @@ -33,7 +33,7 @@ 'named_directory': '/var/named', 'log_dir': '/var/log/named', 'log_mode': '640', - 'user': 'root', + 'user': 'named', 'group': 'named', 'mode': '640', 'options': { @@ -89,12 +89,6 @@ 'mode': '640', }, }, merge=salt['grains.filter_by']({ - 'jessie': { - 'pkgs': ['bind9', 'bind9utils'], - }, - 'stretch': { - 'pkgs': ['bind9', 'bind9utils'], - }, }, grain='oscodename', merge=salt['grains.filter_by']({ 'Ubuntu': { 'log_dir': '/var/log/named', diff --git a/pillar.example b/pillar.example index 9282788..c7ffc73 100644 --- a/pillar.example +++ b/pillar.example 
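Review bot: The second map.jinja hunk changes the default owner from `'user': 'root'` to `'user': 'named'` in the platform block whose header is outside the hunk (the one carrying `'named_directory': '/var/named'`), and together with the unchanged `'mode': '640'` that makes the daemon's own configuration files writable by the daemon account, whereas keeping them root-owned and group-readable by named confines write access to the zone and dynamic directories. pillar.example still documents `user: root # File & Directory user` for `bind:config:user`, so the example and the map default now disagree. If the change is deliberate, a comment next to the line such as `{# owner is named rather than root here because <reason> #}` would record why; otherwise `'user': 'root'` remains the least-privilege default. The first and third hunks (dropping `dnssec-tools` and the jessie/stretch overrides) look consistent with the unified template and need no comment.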
@@ -22,34 +22,7 @@ bind: user: root # File & Directory user group: named # File & Directory group mode: 640 # File & Directory mode - options: - allow-recursion: '{ any; }' # Never include this on a public resolver -# RedHat defaults, needed to generate default config file - listen-on: 'port 53 { 127.0.0.1; }' - listen-on-v6: 'port 53 { ::1; }' - allow-query: '{ localhost; }' - recursion: 'yes' - dnssec-enable: 'yes' - dnssec-validation: 'yes' -# End RedHat defaults - protocol: 4 # Force bind to serve only one IP protocol - # (ipv4: 4, ipv6: 6). Omitting this reverts to - # binds default of both. - -# Debian and FreeBSD based systems - default_zones: True # If set to True, the default-zones configuration - # will be enabled. Defaults to False. - - includes: # Include any additional configuration file(s) in - - /some/additional/named.conf # named.conf - -# Debian based systems optional configs -bind: - config: - options: - querylog: 'yes' # Enable query logs, by default is disabled in map.jinja (yes,no) - - + enable_logging: true # Enable basic query logging use_extensive_logging: # Enable extensive config for logging. Partial example. For proposed settings please refer to channel: # https://kb.isc.org/article/AA-01526/0/BIND-Logging-some-basic-recommendations.html default_log: 
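Review bot: The comment on the added `enable_logging: true` line reads `# Enable basic query logging`, but named.conf.local.jinja wraps the entire logging section — the extensive `include` and the basic `querylog` stanza alike — in `bind:config:enable_logging`, and reads it with a default of true when the key is absent. A comment stating the real scope keeps an operator from switching off all logging while meaning to drop only the query log, e.g. `enable_logging: true # false omits every logging statement from named.conf.local (extensive include and querylog); defaults to true`. The rest of this hunk only relocates the `options`, `default_zones` and `includes` entries to the second hunk of the file.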
@@ -106,6 +79,33 @@ bind: query-errors: - query-errors_log + options: + allow-recursion: '{ any; }' # Never include this on a public resolver +# RedHat defaults, needed to generate default config file + listen-on: 'port 53 { 127.0.0.1; }' + listen-on-v6: 'port 53 { ::1; }' + allow-query: '{ localhost; }' + recursion: 'yes' + dnssec-enable: 'yes' + dnssec-validation: 'yes' +# End RedHat defaults + protocol: 4 # Force bind to serve only one IP protocol + # (ipv4: 4, ipv6: 6). Omitting this reverts to + # binds default of both. + +# Debian and FreeBSD based systems + default_zones: True # If set to True, the default-zones configuration + # will be enabled. Defaults to False. + + includes: # Include any additional configuration file(s) in + - /some/additional/named.conf # named.conf + +# Debian based systems optional configs +bind: + config: + options: + querylog: 'yes' # Enable query logs, by default is disabled in map.jinja (yes,no) + rndc_client: # Generate rndc.conf file it uses previously defined keys options: default: @@ -158,7 +158,6 @@ bind: - 10.161.64.168 - my_net - configured_zones: # Debian based systems can have zones using only configured_zones sub.domain.com: # This zone will be copied from zones_source_dir file: sub.domain.com # You can optionally specify name of a file here.
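Review bot: The relocated block at the end of the second pillar.example hunk re-introduces `bind:` at column 0 under `# Debian based systems optional configs`, while the file already opened a top-level `bind:` mapping (the hunk header context shows it), and most YAML parsers keep only the last duplicate key, so a pillar file copied from this example would silently drop everything above that point. The duplicate existed before this commit, but the move preserves it; folding `querylog: 'yes'` into the first `bind: config: options:` mapping would remove it. `querylog: 'yes'` is also a quoted string rather than a boolean, presumably because the value is emitted into named.conf verbatim, which is worth saying in its comment now that the adjacent `enable_logging: true` is a real boolean. The final hunk of this file is cut off at the end of the patch and is not reviewed here.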