DNS: Rework/unfack DNS server configuration.

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>

dns-server/auth/init.sls

@@ -1,97 +0,0 @@
-#
-# Authoritive FFHO DNS Server configuration (dns01/dns02 anycast)
-#
-
-{% set roles = salt['pillar.get']('nodes:' ~ grains['id'] ~ ':roles', []) %}
-
-include:
-  - dns-server
-
-# Bind options
-/etc/bind/named.conf.options:
-  file.managed:
-{% if 'dns-recursor' in roles %}
-    - source: salt://dns-server/auth/named.conf.options.recursor
-{% else %}
-    - source: salt://dns-server/auth/named.conf.options
-{% endif %}
-    - template: jinja
-    - require:
-      - pkg: bind9
-    - watch_in:
-      - cmd: rndc-reload
-
-
-# Configure authoritive zones in local config
-/etc/bind/named.conf.local:
-  file.managed:
-    - source: salt://dns-server/auth/named.conf.local
-    - require:
-      - pkg: bind9
-    - watch_in:
-      - cmd: rndc-reload
-
-
-# Create zones directory
-/etc/bind/zones/:
-  file.directory:
-    - makedirs: true
-    - user: root
-    - group: root
-    - mode: 755
-    - require:
-      - pkg: bind9
-
-# Create directory for static zone files
-/etc/bind/zones/static:
-  file.directory:
-    - makedirs: true
-    - user: root
-    - group: root
-    - mode: 755
-    - require:
-      - pkg: bind9
-      - file: /etc/bind/zones/
-
-# Copy zonefiles
-/etc/bind/zones/static/_tree:
-  file.recurse:
-    - name: /etc/bind/zones/static
-    - source: salt://dns-server/auth/zones
-    - file_mode: 644
-    - dir_mode: 755
-    - user: root
-    - group: root
-    - watch_in:
-      - cmd: rndc-reload
-
-
-# Create directory for generated zone files
-/etc/bind/zones/generated:
-  file.directory:
-    - makedirs: true
-    - user: root
-    - group: root
-    - mode: 755
-    - require:
-      - pkg: bind9
-      - file: /etc/bind/zones/
-
-{% set nodes_config = salt['pillar.get'] ('nodes', {}) %}
-{% set sites_config = salt['pillar.get'] ('sites', {}) %}
-{% set zones = salt['ffho_net.generate_DNS_entries'] (nodes_config, sites_config) %}
-{% for zone, entries in zones.items () %}
-/etc/bind/zones/generated/{{ zone }}.zone:
-  file.managed:
-    - source: salt://dns-server/auth/zone.gen.tmpl
-    - template: jinja
-    - context:
-      zone: {{ zone }}
-      nodes_config: {{ nodes_config }}
-      sites_config: {{ sites_config }}
-    - require:
-      - file: /etc/bind/zones/generated
-    - watch_in:
-      - cmd: rndc-reload
-{% endfor %}
-

dns-server/init.sls

@@ -1,7 +1,9 @@
 #
-# Bind name server
+# FFHO DNS Server configuration (authoritive / recursive)
 #
 
+{% set roles = salt['pillar.get']('nodes:' ~ grains['id'] ~ ':roles', []) %}
+
 bind9:
   pkg.installed:
     - name: bind9
@@ -9,9 +11,74 @@ bind9:
     - enable: True
     - reload: True
 
-
 # Reload command
 rndc-reload:
   cmd.wait:
     - watch: []
     - name: /usr/sbin/rndc reload
+
+
+# Bind options
+/etc/bind/named.conf.options:
+  file.managed:
+{% if 'dns-recursor' in roles %}
+    - source: salt://dns-server/named.conf.options.recursor
+{% else %}
+    - source: salt://dns-server/named.conf.options
+{% endif %}
+    - template: jinja
+    - require:
+      - pkg: bind9
+    - watch_in:
+      - cmd: rndc-reload
+
+
+# Configure authoritive zones in local config
+/etc/bind/named.conf.local:
+  file.managed:
+    - source: salt://dns-server/named.conf.local
+    - require:
+      - pkg: bind9
+    - watch_in:
+      - cmd: rndc-reload
+
+
+# Create zones directory
+/etc/bind/zones/:
+  file.directory:
+    - makedirs: true
+    - user: root
+    - group: root
+    - mode: 755
+    - require:
+      - pkg: bind9
+
+
+# Copy static zone files
+/etc/bind/zones/static:
+  file.recurse:
+    - source: salt://dns-server/zones/static/
+    - file_mode: 644
+    - dir_mode: 755
+    - user: root
+    - group: root
+    - clean: True
+    - require:
+      - file: /etc/bind/zones/
+    - watch_in:
+      - cmd: rndc-reload
+
+
+# Copy generated zone files
+/etc/bind/zones/generated:
+  file.recurse:
+    - source: salt://dns-server/zones/generated/
+    - file_mode: 644
+    - dir_mode: 755
+    - user: root
+    - group: root
+    - clean: True
+    - require:
+      - file: /etc/bind/zones/
+    - watch_in:
+      - cmd: rndc-reload

dns-server/auth/named.conf.local → dns-server/named.conf.local

@@ -7,19 +7,16 @@ acl slaves {
 	31.172.8.66;
 	2a01:a700:4621:866::10;
 
-	// dns.gnuzifer.de
-	78.46.242.18;
-	2a01:4f8:190:6500::12:1;
-
 	// ns.youngage.eu
 	5.9.142.19;
 	2a01:4f8:190:2105::53;
 };
 
 acl ffho-ops {
-	10.123.249.0/27;
+	10.123.249.0/24;
 };
 
+
 //
 // Public forward zones
 //
@@ -38,7 +35,7 @@ zone "hochstift.freifunk.net" {
 
 zone "ffho.net" {
 	type master;
-	file "/etc/bind/zones/static/ffho.net.zone";
+	file "/etc/bind/zones/generated/ffho.net.zone";
 	allow-transfer { slaves; localhost; ffho-ops; };
 };
 
@@ -68,7 +65,7 @@ zone "0.0.0.1.0.0.0.0.5.4.0.2.0.a.2.ip6.arpa" {
 // 2a03:2260:2342::/48
 zone "2.4.3.2.0.6.2.2.3.0.a.2.ip6.arpa" {
 	type master;
-	file "/etc/bind/zones/static/2a03:2260:2342::_48.ip6.arpa.zone";
+	file "/etc/bind/zones/generated/2a03:2260:2342::_48.ip6.arpa.zone";
 	allow-transfer { slaves; localhost; ffho-ops; };
 };
 
@@ -80,20 +77,13 @@ zone "2.4.3.2.0.6.2.2.3.0.a.2.ip6.arpa" {
 // 10.132.0.0/16 reverse
 zone "132.10.in-addr.arpa" {
 	type master;
-	file "/etc/bind/zones/static/132.10.in-addr.arpa.db";
+	file "/etc/bind/zones/generated/132.10.in-addr.arpa.zone";
 	allow-transfer { localhost; ffho-ops; };
 };
 
 // Management reverse
 zone "30.172.in-addr.arpa" {
 	type master;
-	file "/etc/bind/zones/static/30.172.in-addr.arpa.zone";
-	allow-transfer { localhost; ffho-ops; };
-};
-
-// Legacy fdca:ffee:ff12::/48 reverse
-zone "2.1.f.f.e.e.f.f.a.c.d.f.ip6.arpa" {
-	type master;
-	file "/etc/bind/zones/static//fdca:ffce:ff12::_48.db";
+	file "/etc/bind/zones/generated/30.172.in-addr.arpa.zone";
 	allow-transfer { localhost; ffho-ops; };
 };

dns-server/auth/named.conf.options.recursor → dns-server/named.conf.options.recursor

@@ -41,8 +41,6 @@ options {
 {%- endfor %}
 	};
 
-{%- if grains['id'] != 'dns01.in.ffho.net' %}
 	// Disable notifies on non-master DNS
 	notify no;
-{%- endif %}
 };

dns-server/auth/ZONES → dns-server/zones/README.md

@@ -1,3 +1,5 @@
+## These are not the droids you are locking for!
+
 The zones/ directory is part of the internal salt git as the contents of the
 zones should not be public :-)