commit 57dc81f3538d804a6b357a37a896fd028c737c26 Author: Markus Pesch Date: Mon Feb 21 21:41:31 2022 +0100 Initial Commit diff --git a/README.md b/README.md new file mode 100644 index 0000000..d78f7b0 --- /dev/null +++ b/README.md @@ -0,0 +1,29 @@ +# bind + +With following role can be bind installed and configured. + +## Supported distributions + +- Arch Linux +- Rocky Linux 8 +- Ubuntu 20.04 + +## Features + +- Installing bind/named +- Configuring bind/named + - TSIG-Keys + - Simple Zones + - Zones with different views + - DYNDNS + +## Configuring + +In the default directory are examples how to configure `named`. Copy the +defaults into your `host_vars` or `group_vars` and adapt the examples. + +## Individual host-templates + +Each host has his own zones templates. Store the template in +`templates//etc/named/zones//zone.conf`. For example: +`templates/ns1.example.com/etc/named/zones/internal/db.de.example`. diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..172410c --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,93 @@ +--- + +bind9_acls: +- name: internalnets + permissions: [] + # - "111.222.111.222" + +bind9_logging: + categories: + - name: "security" + channels: + - "security_file" + channels: + - name: "security_file" + file: + path: "/var/log/named/security.log" + options: "versions 3 size 30m" + severity: "dynamic" + print_times: "yes" + +bind9_options: + allow_query: [] + allow_query_on: [] + allow_query_cache: [] + allow_query_cache_on: [] + allow_recursion: + - "localhost" + - "localnets" + - "internalnets" + allow_recursion_on: [] + allow_transfer: [] + allow_update: [] + allow_update_forwarding: [] + auth_nxdomain: false + blackhole: [] + dnssec_validations: true + forwarders: + - "8.8.8.8" # Google IPv4 + - "8.8.4.4" # Google IPv4 + - "2001:4860:4860::8888" # Google IPv6 + - "2001:4860:4860::8844" # Google IPv6 + - "208.67.222.222" # OpenDNS IPv4 + - "208.67.220.220" # OpenDNS IPv4 + - "2620:0:ccc::2" # OpenDNS IPv6 + - "2620:0:ccd::2" # OpenDNS IPv6 + interface_interval: 0 + listen_on_ipv4: + - "127.0.0.1" + listen_on_ipv6: + - "::1" + max_transfer_time: "60" + minimal_responses: "no" + notify: "yes" + recursion: "yes" + transfer_format: "many-answers" + +bind9_tsigkeys: [] +# - name: "name" +# algorithm: "algorithm" +# secret: "secret" + +bind9_views: [] +# - name: external +# match_clients: +# - "!internalnets" +# - "any" +# zones: +# - allow_notify: [] +# allow_query: +# - "any" +# allow_query_on: [] +# allow_update: [] +# allow_update_forwarding: [] +# allow_transfer: [] +# file: zones/external/db.local.example +# origin: "example.local." +# type: master +# - name: internal +# match_clients: +# - "!192.168.178.1" +# - "internalnets" +# - "127.0.0.0/8" +# zones: +# - allow_notify: [] +# allow_query: +# - "any" +# allow_query_on: [] +# allow_update: [] +# allow_update_forwarding: [] +# allow_transfer: [] +# file: zones/internal/db.local.example +# origin: "example.local." +# type: master diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..4d7c32f --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,7 @@ +--- + +- name: restart named + systemd: + name: "{{ bind_service_name }}" + state: restarted + daemon_reload: true diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..a74cab6 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,23 @@ +galaxy_info: + author: Markus Pesch + description: set up native bind + company: Cryptic Systems + license: MIT + min_ansible_version: 2.1 + platforms: + - name: Archlinux + versions: + - all + - name: Ubuntu + versions: + - 20.04 + - name: RockyLinux + versions: + - 8.5 + + galaxy_tags: + - named + - bind + - dyndns + +dependencies: [] diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..f340945 --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,70 @@ +--- + +- name: include special distribution-dependent variables + include_vars: "{{ ansible_os_family }}.yml" + +- name: install bind and dependencies + package: + name: "{{ item }}" + state: present + with_items: "{{ bind_package_names }}" + +- name: create logging directory + file: + path: "{{ bind_log_directory }}" + owner: "{{ bind_unix_user }}" + group: "{{ bind_unix_group }}" + mode: 0755 + state: directory + recurse: yes + +- name: remove existing journal files + block: + - name: find existing journal files + find: + path: "{{ bind_config_directory }}" + recurse: yes + patterns: "*.jnl" + register: files_to_delete + - name: delete existing journal files + file: + path: "{{ item.path }}" + state: absent + with_items: "{{ files_to_delete.files }}" + + +# - name: copy zone files +# include_tasks: copy_zone_files.yml +# with_items: +# - "{{ bind9_views }}" +# loop_control: +# loop_var: view + +- name: template zone files + include_tasks: template_zone_files.yml + with_items: + - "{{ bind9_views }}" + loop_control: + loop_var: view + +- name: set up global bind config + template: + src: "{{ item }}.j2" + dest: "/etc/{{ item }}" + owner: "{{ bind_unix_user }}" + group: "{{ bind_unix_group }}" + mode: 0644 + with_items: + - named.conf + - named/named.conf.acl + - named/named.conf.logging + - named/named.conf.options + - named/named.conf.tsigkeys + - named/named.conf.views + notify: restart named + +- name: start and enabled named + systemd: + name: named + state: started + enabled: yes \ No newline at end of file diff --git a/tasks/template_zone_files.yml b/tasks/template_zone_files.yml new file mode 100644 index 0000000..fc8d00a --- /dev/null +++ b/tasks/template_zone_files.yml @@ -0,0 +1,27 @@ +--- + +- name: create directory for zone {{ zone.file | dirname }} + file: + path: "{{ bind_config_directory }}/{{ zone.file | dirname }}" + owner: "{{ bind_unix_user }}" + group: "{{ bind_unix_group }}" + mode: 0755 + state: directory + with_items: + - "{{ view.zones }}" + loop_control: + loop_var: zone + +- name: "template view {{ view.name }}" + template: + src: "{{ inventory_hostname }}/etc/named/{{ zone.file }}.j2" + dest: "{{ bind_config_directory }}/{{ zone.file }}" + owner: "{{ bind_unix_user }}" + group: "{{ bind_unix_group }}" + mode: 0644 + with_items: + - "{{ view.zones }}" + loop_control: + loop_var: zone + when: zone.type == 'master' + notify: restart named \ No newline at end of file diff --git a/templates/named.conf.j2 b/templates/named.conf.j2 new file mode 100644 index 0000000..f448f0e --- /dev/null +++ b/templates/named.conf.j2 @@ -0,0 +1,12 @@ +# zone "." IN { +# type hint; +# file "named.ca"; +# }; + +include "/etc/named/named.conf.acl"; +include "/etc/named/named.conf.logging"; +include "/etc/named/named.conf.options"; +include "/etc/named/named.conf.tsigkeys"; +include "/etc/named/named.conf.views"; +# include "/etc/named.rfc1912.zones"; +# include "/etc/named.root.key"; diff --git a/templates/named/named.conf.acl.j2 b/templates/named/named.conf.acl.j2 new file mode 100644 index 0000000..347e654 --- /dev/null +++ b/templates/named/named.conf.acl.j2 @@ -0,0 +1,12 @@ +# +# {{ ansible_managed }} +# + +{% for acl in bind9_acls %} +acl "{{ acl.name }}" { +{% for permission in acl.permissions %} + {{ permission }}; +{% endfor %} +}; + +{% endfor %} \ No newline at end of file diff --git a/templates/named/named.conf.logging.j2 b/templates/named/named.conf.logging.j2 new file mode 100644 index 0000000..ddf537d --- /dev/null +++ b/templates/named/named.conf.logging.j2 @@ -0,0 +1,31 @@ +# +# {{ ansible_managed }} +# + +logging { + +{% for category in bind9_logging.categories %} + category {{ category.name }} { +{% for channel in category.channels %} + {{ channel }}; +{% endfor %} + }; + +{% endfor %} + +{% for channel in bind9_logging.channels %} + channel {{ channel.name }} { +{%if channel.file.path is defined and channel.file.options is defined %} + file "{{ channel.file.path }}" {{ channel.file.options }}; +{% endif %} +{%if channel.file.path is defined and channel.file.options is not defined %} + file "{{ channel.file.path }}"; +{% endif %} +{%if channel.severity is defined %} + severity {{ channel.severity }}; +{% endif %} + print-time yes; + }; + +{% endfor %} +}; diff --git a/templates/named/named.conf.options.j2 b/templates/named/named.conf.options.j2 new file mode 100644 index 0000000..11488af --- /dev/null +++ b/templates/named/named.conf.options.j2 @@ -0,0 +1,233 @@ +# +# {{ ansible_managed }} +# + +options { + + # This specifies which hosts are allowed to ask ordinary DNS questions. + # allow-query may also be specified in the zone statement, in which case it + # overrides the options allow-query statement. If not specified, the default + # is to allow queries from all hosts. + # https://bind9.readthedocs.io/en/latest/reference.html#access-control +{% if bind9_options.allow_query is defined and bind9_options.allow_query | length > 0 %} + allow-query { +{% for entry in bind9_options.allow_query %} + {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-query {}; +{% endif %} + + # This specifies which hosts are allowed to get answers from the cache. If + # allow-recursion is not set, BIND checks to see if the following parameters + # are set, in order: allow-query-cache and allow-query (unless recursion no; + # is set). If neither of those parameters is set, the default (localnets; + # localhost;) is used. + # https://bind9.readthedocs.io/en/latest/reference.html#access-control +{% if bind9_options.allow_query_on is defined and bind9_options.allow_query_on | length > 0 %} + allow-query-on { +{% for entry in bind9_options.allow_query_on %} + {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-query-on {}; +{% endif %} + + # This specifies which hosts are allowed to get answers from the cache. If + # allow-recursion is not set, BIND checks to see if the following parameters + # are set, in order: allow-query-cache and allow-query (unless recursion no; + # is set). If neither of those parameters is set, the default (localnets; + # localhost;) is used. + # https://bind9.readthedocs.io/en/latest/reference.html#access-control +{% if bind9_options.allow_query_cache is defined and bind9_options.allow_query_cache | length > 0 %} + allow-query-cache { +{% for entry in bind9_options.allow_query_cache %} + {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-query-cache {}; +{% endif %} + + # This specifies which local addresses can send answers from the cache. If + # allow-query-cache-on is not set, then allow-recursion-on is used if set. + # Otherwise, the default is to allow cache responses to be sent from any + # address. Note: both allow-query-cache and allow-query-cache-on must be + # satisfied before a cache response can be sent; a client that is blocked by + # one cannot be allowed by the other. + # https://bind9.readthedocs.io/en/latest/reference.html#access-control +{% if bind9_options.allow_query_cache_on is defined and bind9_options.allow_query_cache_on | length > 0 %} + allow-query-cache-on { +{% for entry in bind9_options.allow_query_cache_on %} + {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-query-cache-on {}; +{% endif %} + + # This specifies which hosts are allowed to receive zone transfers from the + # server. allow-transfer may also be specified in the zone statement, in which + # case it overrides the allow-transfer statement set in options or view. If + # not specified, the default is to allow transfers to all hosts. + + # The transport level limitations can also be specified. In particular, zone + # transfers can be restricted to a specific port and/or DNS transport protocol + # by using the options port and transport. Either option can be specified; if + # both are used, both constraints must be satisfied in order for the transfer + # to be allowed. Zone transfers are currently only possible via the TCP and + # TLS transports. +{% if bind9_options.allow_recursion is defined and bind9_options.allow_recursion | length > 0 %} + allow-recursion { +{% for entry in bind9_options.allow_recursion %} + {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-recursion {}; +{% endif %} + + # allow-recursion-on defines the server interface(s) from which + # recursive queries are accepted and can be useful where a server is + # multi-homed, perhaps in conjunction with a view clause. Defaults to + # allow-recursion-on {any;}; meaning that recursive queries are + # accepted on any server interface. + # + # NOTE: + # - The statement is only relevant if recursion yes; is present or + # defaulted. + # - The statements may be used in a view or a global options clause. +{% if bind9_options.allow_recursion_on is defined and bind9_options.allow_recursion_on | length > 0 %} + allow-recursion-on { +{% for entry in bind9_options.allow_recursion_on %} + {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-recursion-on {}; +{% endif %} + + # allow-transfer defines a match list e.g. IP address(es) that are + # allowed to transfer (copy) the zone information from the server + # (master or slave for the zone). The default behaviour is to allow + # zone transfers to any host. While on its face this may seem an + # excessively friendly default, DNS data is essentially public (that's + # why its there) and the bad guys can get all of it anyway. However if + # the thought of anyone being able to transfer your precious zone file + # is repugnant, or (and this is far more significant) you are + # concerned about possible DoS attack initiated by XFER requests, then + # use the following policy. + # + # NOTE: + # - This statement may be used in a zone, view or global options clause. +{% if bind9_options.allow_transfer is defined and bind9_options.allow_transfer | length > 0 %} + allow-transfer { +{% for entry in bind9_options.allow_transfer %} + {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-transfer {}; +{% endif %} + + # When set in the zone statement for a primary zone, this specifies which + # hosts are allowed to submit Dynamic DNS updates to that zone. The default is + # to deny updates from all hosts. + + # Note that allowing updates based on the requestor’s IP address is insecure; + # see Dynamic Update Security for details. +{% if bind9_options.allow_update is defined and bind9_options.allow_update | length > 0 %} + allow-update { +{% for entry in bind9_options.allow_update %} + {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-update {}; +{% endif %} + + # When set in the zone statement for a secondary zone, this specifies which + # hosts are allowed to submit Dynamic DNS updates and have them be forwarded + # to the primary. The default is { none; }, which means that no update + # forwarding is performed. + + # To enable update forwarding, specify allow-update-forwarding { any; }; in + # the zone statement. Specifying values other than { none; } or { any; } is + # usually counterproductive; the responsibility for update access control + # should rest with the primary server, not the secondary. +{% if bind9_options.allow_update_forwarding is defined and bind9_options.allow_update_forwarding | length > 0 %} + allow-update-forwarding { +{% for entry in bind9_options.allow_update_forwarding %} + {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-update-forwarding {}; +{% endif %} + + directory "/etc/named"; + + dnssec-validation {{ bind9_options.dnssec_validation | default('no') }}; + + # dump-file "/var/bind/named.dump"; + +{% if bind9_options.forwarders is defined and bind9_options.forwarders | length > 0 %} + forwarders { +{% for forwarder in bind9_options.forwarders %} + {{ forwarder }}; +{% endfor %} + }; +{% else %} + # forwarders {}; +{% endif %} + + geoip-directory "/usr/share/GeoIP"; + + # This is the hostname the server should report via a query of the name + # hostname.bind with type TXT and class CHAOS. This defaults to the hostname + # of the machine hosting the name server, as found by the gethostname() + # function. The primary purpose of such queries is to identify which of a + # group of anycast servers is actually answering the queries. Specifying + # hostname none; disables processing of the queries. + # https://bind9.readthedocs.io/en/latest/reference.html?highlight=hostname#built-in-server-information-zones + hostname none; + +{% if bind9_options.listen_on_ipv4 is defined and bind9_options.listen_on_ipv4 | length > 0 %} + listen-on port 53 { +{% for ip in bind9_options.listen_on_ipv4 %} + {{ ip }}; +{% endfor %} + }; +{% endif %} + +{% if bind9_options.listen_on_ipv6 is defined and bind9_options.listen_on_ipv6 | length > 0 %} + listen-on-v6 port 53 { +{% for ip in bind9_options.listen_on_ipv6 %} + {{ ip }}; +{% endfor %} + }; +{% endif %} + + # managed-keys-directory "/var/named/dynamic"; + # memstatistics-file "/var/bind/named.memstats"; + minimal-responses {{ bind9_options.minimal_responses }}; + notify {{ bind9_options.notify }}; + + pid-file "/run/named/named.pid"; + recursion {{ bind9_options.recursion }}; + + # statistics-file "/var/bind/named.stats"; + + transfer-format {{ bind9_options.transfer_format }}; + + # This is the version the server should report via a query of the name + # version.bind with type TXT and class CHAOS. The default is the real version + # number of this server. Specifying version none disables processing of the + # queries. + # https://bind9.readthedocs.io/en/latest/reference.html?highlight=hostname#built-in-server-information-zones + version none; + + zone-statistics yes; +}; \ No newline at end of file diff --git a/templates/named/named.conf.tsigkeys.j2 b/templates/named/named.conf.tsigkeys.j2 new file mode 100644 index 0000000..f35ad8d --- /dev/null +++ b/templates/named/named.conf.tsigkeys.j2 @@ -0,0 +1,11 @@ +# +# {{ ansible_managed }} +# + +{% for key in bind9_tsigkeys %} +key "{{ key.name }}" { + algorithm {{ key.algorithm }}; + secret "{{ key.secret }}"; +}; + +{% endfor %} \ No newline at end of file diff --git a/templates/named/named.conf.views.j2 b/templates/named/named.conf.views.j2 new file mode 100644 index 0000000..c8edb1f --- /dev/null +++ b/templates/named/named.conf.views.j2 @@ -0,0 +1,191 @@ +# +# {{ ansible_managed }} +# + +{% for view in bind9_views %} +view "{{ view.name }}" { + + match-clients { +{% for clients in view.match_clients %} + {{ clients }}; +{% endfor %} + }; + +{% for zone in view.zones %} + zone "{{ zone.origin }}" { + + # Hosts which are allowed to issue queries to the server. If not specified all + # hosts are allowed to make queries (defaults to allow-query {any;}; + # + # NOTE: + # - The statements may be used in a zone, view or a global options + # clause. +{% if zone.allow_query is defined and zone.allow_query | length > 0 %} + allow-query { +{% for entry in zone.allow_query %} + {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-query {}; +{% endif %} + + # allow-query-on defines the server interface(s) from which queries + # are accepted and can be useful where a server is multi-homed, + # perhaps in conjunction with a view clause. Defaults to + # allow-query-on {any;};) meaning that queries are accepted on any + # server interface. + # + # NOTE: + # - The statements may be used in a zone, view or a global options + # clause. +{% if zone.allow_query_on is defined and zone.allow_query_on | length > 0 %} + allow-query { +{% for entry in zone.allow_query_on %} + {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-query-on {}; +{% endif %} + + # allow-transfer defines a match list e.g. IP address(es) that are + # allowed to transfer (copy) the zone information from the server + # (master or slave for the zone). The default behavior is to allow + # zone transfers to any host. While on its face this may seem an + # excessively friendly default, DNS data is essentially public (that's + # why its there) and the bad guys can get all of it anyway. However if + # the thought of anyone being able to transfer your precious zone file + # is repugnant, or (and this is far more significant) you are + # concerned about possible DoS attack initiated by XFER requests, then + # use the following policy. + # + # NOTE: + # - This statement may be used in a zone, view or global options clause. +{% if zone.allow_transfer is defined and zone.allow_transfer | length > 0 %} + allow-transfer { +{% for entry in zone.allow_transfer %} + key {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-transfer {}; +{% endif %} + + # allow-update defines an address_match_list of hosts that are allowed + # to submit dynamic updates for master zones, and thus this statement + # enables Dynamic DNS. The default in BIND 9 is to disallow updates + # from all hosts, that is, DDNS is disabled by default. This statement + # is mutually exclusive with update-policy and applies to master zones + # only. The example shows DDNS for three zones: the first disables + # DDNS explicitly, the second uses an IP-based list, and the third + # references a key clause. The allow-update in the first zone clause + # could have been omitted since it is the default behavior. Many + # people like to be cautious in case the default mode changes. + # + # NOTE: + # - This statement may be used in a zone, view or an options clause. +{% if zone.allow_update is defined and zone.allow_update | length > 0 %} + allow-update { +{% for entry in zone.allow_update %} + key {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-update {}; +{% endif %} + + # allow-update-forwarding defines a match list, for instance, + # IP address(es) that are allowed to submit dynamic updates to + # a 'slave' sever for onward transmission to a 'master'. + # + # NOTE: + # - This statement may be used in zone, view or an options clause. +{% if zone.allow_update_forwarding is defined and zone.allow_update_forwarding | length > 0 %} + allow-update-forwarding { +{% for entry in zone.allow_update_forwarding %} + {{ entry }}; +{% endfor %} + }; +{% else %} + # allow-update-forwarding {}; +{% endif %} + + # Defines the file used by the zone in quoted string format, for + # instance, "slave/example.com" - or whatever convention you use. The + # file entry is mandatory for master and hint and optional - but + # highly recommended - for slave and not required for forward zones. + # The file may be an absolute path or relative to directory. + # + # NOTE: + # - If a type Slave has a file statement then any zone transfer + # will cause it to update this file. If the slave is reloaded then + # it will read this file and immediately start answering queries for + # the domain. If no file is specified it will immediately try to + # contact the Master and initiate a zone transfer. For obvious + # reasons the Slave cannot to zone queries until this zone transfer + # is complete. If the Master is not available or the Slave fails to + # contact the Master, ffor whatever reason, the zone may be left with + # no effective Authoritative Name Servers. + file "/etc/named/{{ zone.file }}"; + + # master servers + # https://bind9.readthedocs.io/en/latest/manpages.html?highlight=masters#masters +{% if zone.masters is defined and zone.masters | length > 0 %} + masters { +{% for master in zone.masters %} + {{ master.ip }} key {{ master.tsigkey}}; +{% endfor %} + }; +{% else %} + # masters {}; +{% endif %} + + # notify behavior is applicable to both master zones (with + # 'type master;') and slave zones (with 'type slave;') and if + # set to 'yes' (the default) then, when a zone is loaded or + # changed, for example, after a zone transfer, NOTIFY messages + # are sent to the name servers defined in the NS records for + # the zone (except itself and the 'Primary Master' name server + # defined in the SOA record) and to any IPs listed in any + # also-notify statement. + # + # If set to 'no' NOTIFY messages are not sent. + # If set to 'explicit' NOTIFY is only sent to those IP(s) listed + # in an also-notify statement. + # + # NOTE: + # - This statement may be specified in zone, view clauses or in a + # global options clause. + notify yes; + + # Zones configured for dynamic DNS may use this option to set the + # update method to be used for the zone serial number in the SOA + # record. + # + # With the default setting of serial-update-method increment;, the + # SOA serial number is incremented by one each time the zone is + # updated. + # + # When set to serial-update-method unixtime;, the SOA serial number + # is set to the number of seconds since the Unix epoch, unless the + # serial number is already greater than or equal to that value, in + # which case it is simply incremented by one. + # + # When set to serial-update-method date;, the new SOA serial number + # is the current date in the form “YYYYMMDD”, followed by two + # zeroes, unless the existing serial number is already greater than + # or equal to that value, in which case it is incremented by one. +{% if zone.serial_update_method is defined %} + serial-update-method {{ zone.serial_update_method }}; +{% else %} + # serial-update-method [date | increment | unixtime ]; +{% endif %} + + type {{ zone.type }}; + + }; +{% endfor %} + +}; +{% endfor %} \ No newline at end of file diff --git a/vars/Archlinux.yml b/vars/Archlinux.yml new file mode 100644 index 0000000..ff852df --- /dev/null +++ b/vars/Archlinux.yml @@ -0,0 +1,13 @@ +--- + +bind_main_config: /etc/named.conf +bind_config_directory: /etc/named +bind_log_directory: /var/log/named + +bind_package_names: +- bind + +bind_service_name: named + +bind_unix_user: named +bind_unix_group: named diff --git a/vars/Debian.yml b/vars/Debian.yml new file mode 100644 index 0000000..1dcb90d --- /dev/null +++ b/vars/Debian.yml @@ -0,0 +1,13 @@ +--- + +bind_main_config: /etc/named.conf +bind_config_directory: /etc/named +bind_log_directory: /var/log/named + +bind_package_names: +- bind9 + +bind_service_name: named + +bind_unix_user: bind +bind_unix_group: bind \ No newline at end of file diff --git a/vars/RedHat.yml b/vars/RedHat.yml new file mode 100644 index 0000000..ba63b3d --- /dev/null +++ b/vars/RedHat.yml @@ -0,0 +1,14 @@ +--- + +bind_main_config: /etc/named.conf +bind_config_directory: /etc/named +bind_log_directory: /var/log/named + +bind_package_names: +- bind +- bind-utils # for dig and tsig-keygen and so on + +bind_service_name: named + +bind_unix_user: named +bind_unix_group: named \ No newline at end of file