saltstack-formulas/bind-formula
1
0
Fork 0
mirror of https://github.com/saltstack-formulas/bind-formula.git synced 2025-04-17 02:00:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Refactor named.conf.local & logging across platforms

Browse source
This commit is contained in:
Javier Bértoli 2018-05-26 19:57:58 -03:00
parent faddeab70e
commit 45e8128487
12 changed files with 34 additions and 451 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
bind/config.sls
View file

@ -59,7 +59,7 @@ bind_config:
bind_local_config: bind_local_config:
file.managed: file.managed:
- name: {{ map.local_config }} - name: {{ map.local_config }}
- source: 'salt://{{ map.config_source_dir }}/named.conf.local' - source: salt://bind/files/named.conf.local.jinja
- template: jinja - template: jinja
- user: {{ salt['pillar.get']('bind:config:user', map.user) }} - user: {{ salt['pillar.get']('bind:config:user', map.user) }}
- group: {{ salt['pillar.get']('bind:config:group', map.group) }} - group: {{ salt['pillar.get']('bind:config:group', map.group) }}
@ -140,7 +140,7 @@ bind_default_zones:
bind_logging_config: bind_logging_config:
file.managed: file.managed:
- name: {{ map.logging_config }} - name: {{ map.logging_config }}
- source: salt://{{ map.config_source_dir }}/named.conf.logging - source: salt://bind/files/named.conf.logging.jinja
- template: jinja - template: jinja
- user: {{ salt['pillar.get']('bind:config:user', map.user) }} - user: {{ salt['pillar.get']('bind:config:user', map.user) }}
- group: {{ salt['pillar.get']('bind:config:group', map.group) }} - group: {{ salt['pillar.get']('bind:config:group', map.group) }}

12
bind/files/arch/named.conf
View file

@ -64,16 +64,4 @@ zone "." IN {
// allow-transfer { any; }; // allow-transfer { any; };
//}; //};
//logging {
// channel xfer-log {
// file "/var/log/named.log";
// print-category yes;
// print-severity yes;
// severity info;
// };
// category xfer-in { xfer-log; };
// category xfer-out { xfer-log; };
// category notify { xfer-log; };
//};
include "{{ map.local_config }}"; include "{{ map.local_config }}";

57
bind/files/arch/named.conf.local
View file

@ -1,57 +0,0 @@
# vim: sts=2 ts=2 sw=2 et ai
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
{%- macro zone(key, args, file, masters) %}
zone "{{ key }}" {
type {{ args['type'] }};
{% if args['type'] == 'forward' -%}
{% if args['forward'] is defined -%}
forward {{ args['forward'] }};
{%- endif %}
forwarders {
{% for forwarder in args.forwarders -%}
{{ forwarder }};
{%- endfor %}
};
{% else -%}
file "{{ file }}";
{%- if args['allow-transfer'] is defined %}
allow-transfer { {{ args.get('allow-transfer', []) | join('; ') }}; };
{%- endif %}
{%- if args['also-notify'] is defined %}
also-notify { {{ args.get('also-notify', []) | join('; ') }}; };
{%- endif %}
{%- if args['type'] == "master" -%}
{% if args['notify'] %}
notify yes;
{% else %}
notify no;
{%- endif -%}
{% else %}
notify no;
{%- if masters is iterable and masters is not string %}
masters {
{%- for item in masters %}
{{ item }};
{%- endfor %}
};
{%- else %}
masters { {{ masters }} };
{%- endif %}
{%- endif %}
{%- endif %}
};
{%- endmacro %}
{% for key, args in salt['pillar.get']('bind:configured_zones', {}).items() -%}
{%- set file = salt['pillar.get']("bind:available_zones:" + key + ":file") %}
{%- set masters = salt['pillar.get']("bind:available_zones:" + key + ":masters") %}
{{ zone(key, args, file, masters) }}
{% endfor %}

113
bind/files/freebsd/named.conf.local
View file

@ -1,113 +0,0 @@
# vim: sts=2 ts=2 sw=2 et ai
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
{%- macro zone(key, args, file, masters) %}
zone "{{ key }}" {
type {{ args['type'] }};
{% if args['type'] == 'forward' -%}
{% if args['forward'] is defined -%}
forward {{ args['forward'] }};
{%- endif %}
forwarders {
{% for forwarder in args.forwarders -%}
{{ forwarder }};
{%- endfor %}
};
{% else -%}
{% if args['dnssec'] is defined and args['dnssec'] -%}
file "{{ map.named_directory }}/{{ file }}.signed";
{% else -%}
file "{{ map.named_directory }}/{{ file }}";
{%- endif %}
{%- if args['allow-update'] is defined %}
allow-update { {{args['allow-update']}}; };
{%- endif %}
{%- if args.update_policy is defined %}
update-policy {
{%- for policy in args.update_policy %}
{{ policy }};
{%- endfor %}
};
{%- endif %}
{%- if args['allow-transfer'] is defined %}
allow-transfer { {{ args.get('allow-transfer', []) | join('; ') }}; };
{%- endif %}
{%- if args['also-notify'] is defined %}
also-notify { {{ args.get('also-notify', []) | join('; ') }}; };
{%- endif %}
{%- if args['type'] == "master" -%}
{% if args['notify'] %}
notify yes;
{% else %}
notify no;
{%- endif -%}
{% else %}
notify no;
{%- if masters is iterable and masters is not string %}
masters {
{%- for item in masters %}
{{ item }};
{%- endfor %}
};
{%- else %}
masters { {{ masters }} };
{%- endif %}
{%- endif %}
{%- endif %}
};
{%- endmacro %}
{%- if salt['pillar.get']('bind:configured_views', {}) is not defined %}
include "{{ map.default_zones_config }}";
{%- endif %}
{% for key, args in salt['pillar.get']('bind:configured_zones', {}).items() -%}
{%- set file = salt['pillar.get']("bind:available_zones:" + key + ":file") %}
{%- set masters = salt['pillar.get']("bind:available_zones:" + key + ":masters") %}
{{ zone(key, args, file, masters) }}
{% endfor %}
{% for view, view_data in salt['pillar.get']('bind:configured_views', {}).items() %}
view {{ view }} {
{%- if view == 'default' %}
include "{{ map.default_zones_config }}";
{%- endif %}
match-clients {
{%- for acl in view_data.get('match_clients', {}) %}
{{ acl }};
{%- endfor %}
};
{% for key, args in view_data.get('configured_zones', {}).items() -%}
{%- set file = salt['pillar.get']("bind:available_zones:" + key + ":file") %}
{%- set masters = salt['pillar.get']("bind:available_zones:" + key + ":masters") %}
{{ zone(key, args, file, masters) }}
{%- endfor %}
};
{%- endfor %}
{% if salt['pillar.get']("bind:use_querylog", False) %}
logging {
channel "querylog" {
file "{{ map.log_dir }}/query.log";
print-time yes;
};
category queries { querylog; };
};
{% endif %}
{%- for name, data in salt['pillar.get']('bind:configured_acls', {}).items() %}
acl {{ name }} {
{%- for d in data %}
{{ d }};
{%- endfor %}
};
{%- endfor %}

2
bind/files/debian/named.conf.local → bind/files/named.conf.local.jinja
View file

@ -109,6 +109,7 @@ match-clients {
}; };
{%- endfor %} {%- endfor %}
{%- if salt['pillar.get']('bind:config:enable_logging', True) %}
{%- if salt['pillar.get']('bind:config:use_extensive_logging', False) %} {%- if salt['pillar.get']('bind:config:use_extensive_logging', False) %}
include "{{ map.logging_config }}"; include "{{ map.logging_config }}";
{% else %} {% else %}
@ -120,6 +121,7 @@ logging {
category queries { querylog; }; category queries { querylog; };
}; };
{%- endif %} {%- endif %}
{%- endif %}
{%- if salt['pillar.get']('bind:controls', False) %} {%- if salt['pillar.get']('bind:controls', False) %}
controls { controls {

0
bind/files/debian/named.conf.logging → bind/files/named.conf.logging.jinja
View file

40
bind/files/redhat/named.conf
View file

@ -32,46 +32,6 @@ options {
managed-keys-directory "/var/named/dynamic"; managed-keys-directory "/var/named/dynamic";
}; };
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
{%- for channel, value in salt['pillar.get']('bind:config:logging:channels', {}).items() -%}
{%- if value is iterable %}
channel {{ channel }} {
{%- for statement, item in value.items() %}
{{ statement }} {{ item }};
{%- endfor %}
};
{%- endif %}
{%- endfor %}
{%- for statement, value in salt['pillar.get']('bind:config:logging:category', {}).items() %}
category {{ statement }} {
{%- for item in value %}
{{ item }};
{%- endfor %}
};
{%- endfor %}
{%- for statement, value in salt['pillar.get']('bind:config:logging', {}).items() -%}
{%- if statement not in ( 'channels', 'category' ) %}
{%- if value is iterable and value is not string %}
{{ statement }} {
{%- for item in value %}
{{ item }};
{%- endfor %}
};
{%- else %}
{{ statement }} {{ value }};
{%- endif %}
{%- endif %}
{%- endfor %}
};
zone "." IN { zone "." IN {
type hint; type hint;
file "named.ca"; file "named.ca";

82
bind/files/redhat/named.conf.local
View file

@ -1,82 +0,0 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
{%- macro zone(key, args, file, masters) %}
zone "{{ key }}" IN {
type {{ args['type'] }};
{% if args['type'] == 'forward' -%}
{% if args['forward'] is defined -%}
forward {{ args['forward'] }};
{%- endif %}
forwarders {
{% for forwarder in args.forwarders -%}
{{ forwarder }};
{%- endfor %}
};
{% else -%}
{% if args['dnssec'] is defined and args['dnssec'] -%}
file "{{ file }}.signed";
{% else -%}
file "{{ file }}";
{%- endif %}
{%- if args['allow-update'] is defined %}
allow-update { {{args['allow-update']}}; };
{%- endif %}
{%- if args.update_policy is defined %}
update-policy {
{%- for policy in args.update_policy %}
{{ policy }};
{%- endfor %}
};
{%- endif %}
{%- if args['allow-transfer'] is defined %}
allow-transfer { {{ args.get('allow-transfer', []) | join('; ') }}; };
{%- endif %}
{%- if args['also-notify'] is defined %}
also-notify { {{ args.get('also-notify', []) | join('; ') }}; };
{%- endif %}
{%- if args['type'] == 'slave' %}
{%- if args['allow-notify'] is defined %}
allow-notify { {{ args.get('allow-notify', []) | join('; ') }}; };
{%- endif %}
{%- endif %}
{%- if args['type'] == "master" -%}
{% if args['notify'] %}
notify yes;
{% else %}
notify no;
{%- endif -%}
{% else %}
notify no;
{%- if masters is iterable and masters is not string %}
masters {
{%- for item in masters %}
{{ item }};
{%- endfor %}
};
{%- else %}
masters { {{ masters }} };
{%- endif %}
{%- endif %}
{%- endif %}
};
{%- endmacro %}
{% for key, args in salt['pillar.get']('bind:configured_zones', {}).items() -%}
{%- set file = args.get('file', salt['pillar.get']("bind:available_zones:" + key + ":file")) %}
{%- set masters = args.get('masters', salt['pillar.get']("bind:available_zones:" + key + ":masters")) %}
{{ zone(key, args, file, masters) }}
{% endfor %}
{%- for name, data in salt['pillar.get']('bind:configured_acls', {}).items() %}
acl {{ name }} {
{%- for d in data %}
{{ d }};
{%- endfor %}
};
{%- endfor %}

31
bind/files/suse/named.conf
View file

@ -108,37 +108,6 @@ options {
}; };
# To configure named's logging remove the leading '#' characters of the
# following examples.
#logging {
# # Log queries to a file limited to a size of 100 MB.
# channel query_logging {
# file "/var/log/named_querylog"
# versions 3 size 100M;
# print-time yes; // timestamp log entries
# };
# category queries {
# query_logging;
# };
#
# # Or log this kind alternatively to syslog.
# channel syslog_queries {
# syslog user;
# severity info;
# };
# category queries { syslog_queries; };
#
# # Log general name server errors to syslog.
# channel syslog_errors {
# syslog user;
# severity error;
# };
# category default { syslog_errors; };
#
# # Don't log lame server messages.
# category lame-servers { null; };
#};
# The following zone definitions don't need any modification. The first one # The following zone definitions don't need any modification. The first one
# is the definition of the root name servers. The second one defines # is the definition of the root name servers. The second one defines
# localhost while the third defines the reverse lookup for localhost. # localhost while the third defines the reverse lookup for localhost.

77
bind/files/suse/named.conf.local
View file

@ -1,77 +0,0 @@
//
// Do any local configuration here
//
{%- macro zone(key, args, file, masters) %}
zone "{{ key }}" IN {
type {{ args['type'] }};
{% if args['type'] == 'forward' -%}
{% if args['forward'] is defined -%}
forward {{ args['forward'] }};
{%- endif %}
forwarders {
{% for forwarder in args.forwarders -%}
{{ forwarder }};
{%- endfor %}
};
{% else -%}
{% if args['dnssec'] is defined and args['dnssec'] -%}
file "{{ file }}.signed";
{% else -%}
file "{{ file }}";
{%- endif %}
{%- if args['allow-update'] is defined %}
allow-update { {{args['allow-update']}}; };
{%- endif %}
{%- if args.update_policy is defined %}
update-policy {
{%- for policy in args.update_policy %}
{{ policy }};
{%- endfor %}
};
{%- endif %}
{%- if args['allow-transfer'] is defined %}
allow-transfer { {{ args.get('allow-transfer', []) | join('; ') }}; };
{%- endif %}
{%- if args['also-notify'] is defined %}
also-notify { {{ args.get('also-notify', []) | join('; ') }}; };
{%- endif %}
{%- if args['type'] == 'slave' %}
{%- if args['allow-notify'] is defined %}
allow-notify { {{ args.get('allow-notify', []) | join('; ') }}; };
{%- endif %}
{%- endif %}
{%- if args['type'] == "master" -%}
{% if args['notify'] %}
notify yes;
{% else %}
notify no;
{%- endif -%}
{% else %}
notify no;
{%- if masters is iterable and masters is not string %}
masters {
{%- for item in masters %}
{{ item }};
{%- endfor %}
};
{%- else %}
masters { {{ masters }} };
{%- endif %}
{%- endif %}
{%- endif %}
};
{%- endmacro %}
{% for key, args in salt['pillar.get']('bind:configured_zones', {}).items() -%}
{%- set file = args.get('file', salt['pillar.get']("bind:available_zones:" + key + ":file")) %}
{%- set masters = args.get('masters', salt['pillar.get']("bind:available_zones:" + key + ":masters")) %}
{{ zone(key, args, file, masters) }}
{% endfor %}
{%- for name, data in salt['pillar.get']('bind:configured_acls', {}).items() %}
acl {{ name }} {
{%- for d in data %}
{{ d }};
{%- endfor %}
};
{%- endfor %}

10
bind/map.jinja
View file

@ -1,6 +1,6 @@
{% set map = salt['grains.filter_by']({ {% set map = salt['grains.filter_by']({
'Debian': { 'Debian': {
'pkgs': ['bind9', 'bind9utils', 'dnssec-tools'], 'pkgs': ['bind9', 'bind9utils'],
'service': 'bind9', 'service': 'bind9',
'config_source_dir': 'bind/files/debian', 'config_source_dir': 'bind/files/debian',
'zones_source_dir': 'zones', 'zones_source_dir': 'zones',
@ -33,7 +33,7 @@
'named_directory': '/var/named', 'named_directory': '/var/named',
'log_dir': '/var/log/named', 'log_dir': '/var/log/named',
'log_mode': '640', 'log_mode': '640',
'user': 'root', 'user': 'named',
'group': 'named', 'group': 'named',
'mode': '640', 'mode': '640',
'options': { 'options': {
@ -89,12 +89,6 @@
'mode': '640', 'mode': '640',
}, },
}, merge=salt['grains.filter_by']({ }, merge=salt['grains.filter_by']({
'jessie': {
'pkgs': ['bind9', 'bind9utils'],
},
'stretch': {
'pkgs': ['bind9', 'bind9utils'],
},
}, grain='oscodename', merge=salt['grains.filter_by']({ }, grain='oscodename', merge=salt['grains.filter_by']({
'Ubuntu': { 'Ubuntu': {
'log_dir': '/var/log/named', 'log_dir': '/var/log/named',

57
pillar.example
View file

@ -22,34 +22,7 @@ bind:
user: root # File & Directory user user: root # File & Directory user
group: named # File & Directory group group: named # File & Directory group
mode: 640 # File & Directory mode mode: 640 # File & Directory mode
options: enable_logging: true # Enable basic query logging
allow-recursion: '{ any; }' # Never include this on a public resolver
# RedHat defaults, needed to generate default config file
listen-on: 'port 53 { 127.0.0.1; }'
listen-on-v6: 'port 53 { ::1; }'
allow-query: '{ localhost; }'
recursion: 'yes'
dnssec-enable: 'yes'
dnssec-validation: 'yes'
# End RedHat defaults
protocol: 4 # Force bind to serve only one IP protocol
# (ipv4: 4, ipv6: 6). Omitting this reverts to
# binds default of both.
# Debian and FreeBSD based systems
default_zones: True # If set to True, the default-zones configuration
# will be enabled. Defaults to False.
includes: # Include any additional configuration file(s) in
- /some/additional/named.conf # named.conf
# Debian based systems optional configs
bind:
config:
options:
querylog: 'yes' # Enable query logs, by default is disabled in map.jinja (yes,no)
use_extensive_logging: # Enable extensive config for logging. Partial example. For proposed settings please refer to use_extensive_logging: # Enable extensive config for logging. Partial example. For proposed settings please refer to
channel: # https://kb.isc.org/article/AA-01526/0/BIND-Logging-some-basic-recommendations.html channel: # https://kb.isc.org/article/AA-01526/0/BIND-Logging-some-basic-recommendations.html
default_log: default_log:
@ -106,6 +79,33 @@ bind:
query-errors: query-errors:
- query-errors_log - query-errors_log
options:
allow-recursion: '{ any; }' # Never include this on a public resolver
# RedHat defaults, needed to generate default config file
listen-on: 'port 53 { 127.0.0.1; }'
listen-on-v6: 'port 53 { ::1; }'
allow-query: '{ localhost; }'
recursion: 'yes'
dnssec-enable: 'yes'
dnssec-validation: 'yes'
# End RedHat defaults
protocol: 4 # Force bind to serve only one IP protocol
# (ipv4: 4, ipv6: 6). Omitting this reverts to
# binds default of both.
# Debian and FreeBSD based systems
default_zones: True # If set to True, the default-zones configuration
# will be enabled. Defaults to False.
includes: # Include any additional configuration file(s) in
- /some/additional/named.conf # named.conf
# Debian based systems optional configs
bind:
config:
options:
querylog: 'yes' # Enable query logs, by default is disabled in map.jinja (yes,no)
rndc_client: # Generate rndc.conf file it uses previously defined keys rndc_client: # Generate rndc.conf file it uses previously defined keys
options: options:
default: default:
@ -158,7 +158,6 @@ bind:
- 10.161.64.168 - 10.161.64.168
- my_net - my_net
configured_zones: # Debian based systems can have zones using only configured_zones configured_zones: # Debian based systems can have zones using only configured_zones
sub.domain.com: # This zone will be copied from zones_source_dir sub.domain.com: # This zone will be copied from zones_source_dir
file: sub.domain.com # You can optionally specify name of a file here. file: sub.domain.com # You can optionally specify name of a file here.