add in recursion fixes
This commit is contained in:
parent
b233c24f58
commit
6b8424027e
@ -4,3 +4,9 @@
|
|||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: NetworkManager
|
name: NetworkManager
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
|
- name: restart_named
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: named
|
||||||
|
state: restarted
|
||||||
|
...
|
||||||
|
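Review bot: The new `restart_named` handler does a full restart for what this commit changes, which is only named.conf fragments (an ACL and options); BIND applies those on reload (the unit's reload action runs `rndc reload`), which keeps the resolver cache and in-flight queries, so `state: reloaded` — matching the NetworkManager handler in the context lines above — would be the less disruptive default, with `restarted` kept for changes a reload cannot apply. On IPA releases whose BIND unit is `named-pkcs11` rather than `named`, this handler would fail outright; if such hosts are in scope, the unit name belongs in a variable. A comment above the handler such as `# reload suffices for named.conf fragment changes (ACLs, options); restart drops the cache` would record whichever choice is made.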
@ -5,6 +5,7 @@
|
|||||||
hosts: ipaclient
|
hosts: ipaclient
|
||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
|
- vars/ipa/common.yml
|
||||||
- vars/ipa/ipaclient.yml
|
- vars/ipa/ipaclient.yml
|
||||||
|
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
|
@ -5,6 +5,7 @@
|
|||||||
hosts: ipareplica
|
hosts: ipareplica
|
||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
|
- vars/ipa/common.yml
|
||||||
- vars/ipa/ipareplica.yml
|
- vars/ipa/ipareplica.yml
|
||||||
|
|
||||||
# This is to try to avoid the handler issue in pre/post tasks
|
# This is to try to avoid the handler issue in pre/post tasks
|
||||||
@ -71,4 +72,7 @@
|
|||||||
mode: '0644'
|
mode: '0644'
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
|
- name: Configure recursion for private nets
|
||||||
|
import_tasks: tasks/dns-ext.yml
|
||||||
...
|
...
|
||||||
|
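Review bot: `import_tasks: tasks/dns-ext.yml` runs the BIND templating on every replica unconditionally, with no check that IPA DNS is actually installed on that host; on a replica set up without DNS the templates would presumably be written into `/etc/named/` (or fail if the directory is absent) and then notify a `named` restart for a service that is not managed there. If the play carries the role's `ipareplica_setup_dns` variable, `when: ipareplica_setup_dns | default(false)` on the import scopes it; the ipaserver hunk at `@ -81,4 +82,7 @@` has the same shape and would use `ipaserver_setup_dns`. The surrounding play uses fully qualified module names (`freeipa.ansible_freeipa.ipadnsconfig`), so `ansible.builtin.import_tasks:` keeps the style consistent. The play body starts before this hunk.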
@ -10,6 +10,7 @@
|
|||||||
hosts: ipaserver
|
hosts: ipaserver
|
||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
|
- vars/ipa/common.yml
|
||||||
- vars/ipa/ipaserver.yml
|
- vars/ipa/ipaserver.yml
|
||||||
|
|
||||||
# This is to try to avoid the handler issue in pre/post tasks
|
# This is to try to avoid the handler issue in pre/post tasks
|
||||||
@ -81,4 +82,7 @@
|
|||||||
freeipa.ansible_freeipa.ipadnsconfig:
|
freeipa.ansible_freeipa.ipadnsconfig:
|
||||||
ipaadmin_password: '{{ ipaadmin_password }}'
|
ipaadmin_password: '{{ ipaadmin_password }}'
|
||||||
allow_sync_ptr: true
|
allow_sync_ptr: true
|
||||||
|
|
||||||
|
- name: Configure recursion for private nets
|
||||||
|
import_tasks: tasks/dns-ext.yml
|
||||||
...
|
...
|
||||||
|
19
tasks/dns-ext.yml
Normal file
19
tasks/dns-ext.yml
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
---
|
||||||
|
- name: Configure ACL for nets
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "etc/named/ipa-ext.conf"
|
||||||
|
dest: "/etc/named/ipa-ext.conf"
|
||||||
|
owner: root
|
||||||
|
group: named
|
||||||
|
mode: '0640'
|
||||||
|
notify: restart_named
|
||||||
|
|
||||||
|
- name: Turn on recursion for nets
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "etc/named/ipa-options-ext.conf"
|
||||||
|
dest: "/etc/named/ipa-options-ext.conf"
|
||||||
|
owner: root
|
||||||
|
group: named
|
||||||
|
mode: '0640'
|
||||||
|
notify: restart_named
|
||||||
|
...
|
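Review bot: Neither template task validates the rendered fragment before `notify: restart_named` fires, so a syntax error in either file is only discovered when the handler takes the IPA DNS service down at the end of the play instead of failing the task. The options fragment cannot be checked on its own (bare `listen-on-v6`/`allow-recursion` statements are only valid inside `options {}`), so a whole-configuration check after both templates and before handlers run is the workable form: `- name: Check named configuration` / `ansible.builtin.command: named-checkconf` / `changed_when: false`. For the ACL file alone, `validate: named-checkconf %s` on the first task should also work if a top-level acl fragment parses standalone, which is worth confirming. Both tasks are entirely within the hunk.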
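--- a/templates/etc/named/ipa-ext.conf
+++ b/templates/etc/named/ipa-ext.conf
@@ -0,0 +1,18 @@
+/* User customization for BIND named
+*
+* This file is included in /etc/named.conf and is not modified during IPA
+* upgrades.
+*
+* "options" settings must be configured in /etc/named/ipa-options-ext.conf.
+*
+* Example: ACL for recursion access:
+*
+* acl "trusted_network" {
+* localnets;
+* localhost;
+* 234.234.234.0/24;
+* 2001::co:ffee:babe:1/48;
+* };
+*/
+
+acl "trusted_nets" { {{ ipa_trusted_nets|join(';') }} };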
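Review bot: The rendered `acl` on the last line is missing the terminator after the final element: `join(';')` produces `{ localnets;localhost;10.0.0.0/8 }`, and BIND requires every address-match-list element to end in `;`, so named rejects the file with a missing-`;` parse error and the notified restart leaves the IPA DNS service down. Render it as `acl "trusted_nets" { {{ ipa_trusted_nets | join('; ') }}; };`, or loop with `{% for net in ipa_trusted_nets %}{{ net }}; {% endfor %}` so each element carries its own terminator. An empty `ipa_trusted_nets` would still render as `{ ; }`, which is equally invalid, so the list should be asserted non-empty or `localhost` kept as an unconditional entry.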
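--- a/templates/etc/named/ipa-options-ext.conf
+++ b/templates/etc/named/ipa-options-ext.conf
@@ -0,0 +1,21 @@
+/* User customization for BIND named
+*
+* This file is included in /etc/named.conf and is not modified during IPA
+* upgrades.
+*
+* It must only contain "options" settings. Any other setting must be
+* configured in /etc/named/ipa-ext.conf.
+*
+* Examples:
+* allow-recursion { trusted_network; };
+* allow-query-cache { trusted_network; };
+*/
+
+/* turns on IPv6 for port 53, IPv4 is on by default for all ifaces */
+listen-on-v6 { any; };
+
+/* dnssec-enable is obsolete and 'yes' by default */
+dnssec-validation yes;
+
+allow-recursion { trusted_nets; };
+allow-query-cache { trusted_nets; };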
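Review bot: This fragment overwrites the `/etc/named/ipa-options-ext.conf` that IPA itself ships, and the `listen-on-v6` and `dnssec-validation` stanzas read as carried over from that default (the header comment is the upstream one), but nothing in the file says which lines are inherited and which are this project's; a comment before the two `allow-` lines such as `/* everything above mirrors the IPA-shipped default; re-check on IPA upgrades. Local policy follows. */` would let the next person diff it against a new release. The two new lines are the point of the change and are correct as written; `allow-query-cache` defaults to the `allow-recursion` value in BIND 9, so the explicit second line is redundant but documents intent and is worth keeping. The file is a template with no variables, so it could equally be deployed with `ansible.builtin.copy`; either is fine as long as it is deliberate.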
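--- a/vars/ipa/common.yml
+++ b/vars/ipa/common.yml
@@ -0,0 +1,6 @@
+---
+ipa_trusted_nets:
+- localnets
+- localhost
+- 10.0.0.0/8
+...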
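Review bot: `ipa_trusted_nets` is rendered verbatim into a BIND address-match list and nothing in this vars file says so; each entry — an ACL name like `localnets`/`localhost` or a CIDR prefix — becomes a source allowed to use the IPA resolver recursively, which is the access-control decision this commit is about. A comment above the key would make that explicit: `# BIND address-match-list elements (ACL names or CIDRs) granted recursive queries; rendered into acl "trusted_nets" by templates/etc/named/ipa-ext.conf`. `10.0.0.0/8` is the entire RFC 1918 class-A range; if only part of it is in use, narrowing it keeps the resolver from serving every host that merely shares the prefix.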