add in recursion fixes
This commit is contained in:
parent
b233c24f58
commit
6b8424027e
8 changed files with 80 additions and 1 deletions
|
@ -4,3 +4,9 @@
|
|||
ansible.builtin.service:
|
||||
name: NetworkManager
|
||||
state: reloaded
|
||||
|
||||
- name: restart_named
|
||||
ansible.builtin.service:
|
||||
name: named
|
||||
state: restarted
|
||||
...
|
||||
|
|
|
@ -5,7 +5,8 @@
|
|||
hosts: ipaclient
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/ipa/ipaclient.yml
|
||||
- vars/ipa/common.yml
|
||||
- vars/ipa/ipaclient.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
hosts: ipareplica
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/ipa/common.yml
|
||||
- vars/ipa/ipareplica.yml
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
|
@ -71,4 +72,7 @@
|
|||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Configure recursion for private nets
|
||||
import_tasks: tasks/dns-ext.yml
|
||||
...
|
||||
|
|
|
@ -10,6 +10,7 @@
|
|||
hosts: ipaserver
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/ipa/common.yml
|
||||
- vars/ipa/ipaserver.yml
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
|
@ -81,4 +82,7 @@
|
|||
freeipa.ansible_freeipa.ipadnsconfig:
|
||||
ipaadmin_password: '{{ ipaadmin_password }}'
|
||||
allow_sync_ptr: true
|
||||
|
||||
- name: Configure recursion for private nets
|
||||
import_tasks: tasks/dns-ext.yml
|
||||
...
|
||||
|
|
19
tasks/dns-ext.yml
Normal file
19
tasks/dns-ext.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
- name: Configure ACL for nets
|
||||
ansible.builtin.template:
|
||||
src: "etc/named/ipa-ext.conf"
|
||||
dest: "/etc/named/ipa-ext.conf"
|
||||
owner: root
|
||||
group: named
|
||||
mode: '0640'
|
||||
notify: restart_named
|
||||
|
||||
- name: Turn on recursion for nets
|
||||
ansible.builtin.template:
|
||||
src: "etc/named/ipa-options-ext.conf"
|
||||
dest: "/etc/named/ipa-options-ext.conf"
|
||||
owner: root
|
||||
group: named
|
||||
mode: '0640'
|
||||
notify: restart_named
|
||||
...
|
18
templates/etc/named/ipa-ext.conf
Normal file
18
templates/etc/named/ipa-ext.conf
Normal file
|
@ -0,0 +1,18 @@
|
|||
/* User customization for BIND named
|
||||
*
|
||||
* This file is included in /etc/named.conf and is not modified during IPA
|
||||
* upgrades.
|
||||
*
|
||||
* "options" settings must be configured in /etc/named/ipa-options-ext.conf.
|
||||
*
|
||||
* Example: ACL for recursion access:
|
||||
*
|
||||
* acl "trusted_network" {
|
||||
* localnets;
|
||||
* localhost;
|
||||
* 234.234.234.0/24;
|
||||
* 2001::co:ffee:babe:1/48;
|
||||
* };
|
||||
*/
|
||||
|
||||
acl "trusted_nets" { {{ ipa_trusted_nets|join(';') }} };
|
21
templates/etc/named/ipa-options-ext.conf
Normal file
21
templates/etc/named/ipa-options-ext.conf
Normal file
|
@ -0,0 +1,21 @@
|
|||
/* User customization for BIND named
|
||||
*
|
||||
* This file is included in /etc/named.conf and is not modified during IPA
|
||||
* upgrades.
|
||||
*
|
||||
* It must only contain "options" settings. Any other setting must be
|
||||
* configured in /etc/named/ipa-ext.conf.
|
||||
*
|
||||
* Examples:
|
||||
* allow-recursion { trusted_network; };
|
||||
* allow-query-cache { trusted_network; };
|
||||
*/
|
||||
|
||||
/* turns on IPv6 for port 53, IPv4 is on by default for all ifaces */
|
||||
listen-on-v6 { any; };
|
||||
|
||||
/* dnssec-enable is obsolete and 'yes' by default */
|
||||
dnssec-validation yes;
|
||||
|
||||
allow-recursion { trusted_nets; };
|
||||
allow-query-cache { trusted_nets; };
|
6
vars/ipa/common.yml
Normal file
6
vars/ipa/common.yml
Normal file
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
ipa_trusted_nets:
|
||||
- localnets
|
||||
- localhost
|
||||
- 10.0.0.0/8
|
||||
...
|
Loading…
Reference in a new issue