Use Re2o API to config Bind9

fe3df776 · me5na7qbjqbrp · 787ff003 · fe3df776 · fe3df776 · fe3df776
Verified Commit fe3df776 authored 4 years ago by me5na7qbjqbrp
--- a/README.md
+++ b/README.md
@@ -80,6 +80,12 @@ on peut exécuter le module `setup` manuellement.
 ansible zamok.adm.crans.org -m setup
 ```

+### Filtrer un objet Python
+
+Ansible fournit le filtre `json_query` qui va utiliser
+le module python `jmespath`. Il est puissant et permet entre autre
+de filtrer la sortie de l'API Re2o.
+
 ## Exécution d'Ansible

 ### Configurer la connexion au vlan adm
@@ -103,7 +109,7 @@ ssh-copy-id zamok.adm.crans.org

 ### Lancer un Playbook Ansible

-Il faut `python3-netaddr` sur sa machine.
+Il faut `python3-netaddr` et `python3-jmespath` sur sa machine.

 Pour tester le playbook `base.yml` :
 ```bash

--- a/network.yml
+++ b/network.yml
@@ -41,10 +41,9 @@
  vars:
    certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
    bind:
-      master: false
-      master_ip: 10.231.136.118
-      slaves: []  # TODO
-      zones: "{{ lookup('re2oapi', 'dnszones', api_hostname='intranet.crans.org') }}"
+      masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
+      slaves: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-slave')[0] }}"
+      zones: "{{ lookup('re2oapi', 'dnszones') }}"
  roles:
    - bind-authoritative


--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@@ -4,29 +4,41 @@
 // organization
 //include "/etc/bind/zones.rfc1918";

-{% if bind.master %}
+{%- set masters_ipv4 = bind.masters | json_query("servers[].interface[?vlan_id==`2`].ipv4[]") %}
+{%- set masters_ipv6 = bind.masters | json_query("servers[].interface[?vlan_id==`2`].ipv6[][].ipv6") %}
+{%- set slaves_ipv4 = bind.slaves | json_query("servers[].interface[?vlan_id==`2`].ipv4[]") %}
+{%- set slaves_ipv6 = bind.slaves | json_query("servers[].interface[?vlan_id==`2`].ipv6[][].ipv6") %}
+{%- set is_master = ansible_all_ipv4_addresses | intersect(masters_ipv4) %}
+
+{% if is_master -%}
 // Let's Encrypt Challenge DNS-01
 key "certbot_challenge." {
-    algorithm hmac-sha512;
-    secret "{{ certbot_dns_secret }}";
+	algorithm hmac-sha512;
+	secret "{{ certbot_dns_secret }}";
 };
 {% endif %}

 // Crans zones
 {% for zone in bind.zones %}
 zone "{{ zone }}" {
-	{% if bind.master -%}
+	{% if is_master -%}
 	type master;
 	file "/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone";
 	forwarders {
-		{% for slave in bind.slaves -%}
-		{{ slave }};
+		{% for ip in slaves_ipv4 -%}
+		{{ ip }};
 		{% endfor -%}
+		{% for ip in slaves_ipv6 -%}
+		{{ ip }};
+	{% endfor -%}
 	};
 	allow-transfer {
-		{% for slave in bind.slaves -%}
-		{{ slave }};
+		{% for ip in slaves_ipv4 -%}
+		{{ ip }};
 		{% endfor -%}
+		{% for ip in slaves_ipv6 -%}
+		{{ ip }};
+	{% endfor -%}
 	};
 	update-policy {
 		grant certbot_challenge. name _acme-challenge.{{ zone }} txt;
@@ -36,7 +48,12 @@ zone "{{ zone }}" {
 	type slave;
 	file "bak.{{ zone }}";
 	masters {
-		{{ bind.master_ip }};
+		{% for ip in masters_ipv4 -%}
+		{{ ip }};
+		{% endfor -%}
+		{% for ip in masters_ipv6 -%}
+		{{ ip }};
+	{% endfor -%}
 	};
 	allow-transfer { "none"; };
 	notify no;