
Merge branch 'drybjed-small-improvements'

drybjed committed Oct 6, 2019
2 parents 6c00541 + 30fd218 commit df4f6f07db6c9221bcb09eda371d322caf72fdc5
@@ -115,6 +115,11 @@ LDAP

.. __: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
- The role will configure the :command:`unbound` daemon to allow non-recursive
access to DNS queries when a host is managed by Ansible locally, with
assumption that it's an Ansible Controller host. This change unblocks use of
the :command:`dig +trace` and similar commands.

Changed
~~~~~~~
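Review bot: the entry should say that the relaxed access is scoped to the loopback ranges only (127.0.0.0/8 and ::1/128 in the defaults change in this commit) and that "non-recursive" queries are the ones used for cache snooping, so readers do not take "allow non-recursive access" as a network-facing change. Grammar: "with assumption that it's an Ansible Controller host" should read "with the assumption that it is an Ansible Controller host".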

@@ -177,6 +182,15 @@ General
precompiled binaries from remote resources. See the role documentation for
more details.

:ref:`debops.ldap` role
'''''''''''''''''''''''

- The role will reset the LDAP host attributes defined in the
:envvar:`ldap__device_attributes` variable on first configuration in case
that the host has been reinstalled and some of their values changed (for
example different IP addresses). This should avoid leaving the outdated
attributes in the host LDAP object.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''
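Review bot: the entry describes the reset in terms of "outdated attributes" but does not say how it is done; from the defaults change in this commit the mechanism is an "exact" state on the first run, which removes every attribute of the host object that is not listed in `ldap__device_attributes`, including any that an administrator added by hand. State that explicitly here so operators know what a reinstall will drop. Grammar: "some of their values" should be "some of its values".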

@@ -30,6 +30,14 @@
mode: '0644'
register: ifupdown__register_main_config

- name: Ensure that runtime directory exists
file:
path: '/run/network'
state: 'directory'
mode: '0755'
when: (ifupdown__register_divert is changed or
ifupdown__register_main_config is changed)

- name: Request entire network reconfiguration
copy:
content: 'init'
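Review bot: the `when` condition ties creating `/run/network` to a change in the divert or the main config, but whether the directory exists is independent of that (it lives on a tmpfs and is simply absent after a reboot until something creates it), so a host where neither file changed in this run would still be left without it. Since `file: state: 'directory'` is idempotent, consider dropping the condition and always ensuring the directory, or at least adding a comment explaining why it is only needed in the changed case.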
@@ -685,8 +685,11 @@ ldap__default_tasks:
dn: '{{ ldap__device_dn }}'
attributes: '{{ ldap__device_attributes }}'
state: '{{ "present"
if (ldap__device_enabled|bool)
else "ignore" }}'
if (ldap__fact_configured|bool and
ldap__device_enabled|bool)
else ("exact"
if (ldap__device_enabled|bool)
else "ignore") }}'

# ]]]
# .. envvar:: ldap__tasks [[[
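Review bot: the three-way nested conditional in `state` is hard to read and hides a semantic change: "present" keeps attributes the role does not manage, while "exact" (chosen when `ldap__fact_configured` is false) replaces the attribute set with `ldap__device_attributes`. Consider computing this once in a dedicated variable, for example `ldap__device_state`, with a comment spelling out the three cases, so the destructive first-run behaviour is visible next to the setting that controls it rather than buried in the task list.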
@@ -36,7 +36,27 @@ unbound__packages: []
# .. envvar:: unbound__default_server [[[
#
# The default Unbound 'server' configuration defined by the role.
unbound__default_server: []
unbound__default_server:

- name: 'localhost-allow_snoop'
option: 'access-control'
comment: |
By default unbound blocks non-recursive queries to prevent abuse; this
prevents commands like 'dig +trace' from working correctly. Since query
tracing is a useful debugging and diagnostic tool, non-recursive queries
will be allowed when the host is managed locally with assumption that
this is an administrator's machine.
value:

- name: '127.0.0.0/8'
args: 'allow_snoop'

- name: '::1/128'
args: 'allow_snoop'

state: '{{ "present"
if (unbound__fact_ansible_connection == "local")
else "ignore" }}'

# ]]]
# .. envvar:: unbound__server [[[
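Review bot: `unbound__fact_ansible_connection == "local"` is also true when a host runs its own playbooks (ansible-pull, or a playbook executed on the managed server itself), so `allow_snoop` would be enabled on hosts that are not an administrator's machine even though the comment states that assumption. Since the access stays limited to 127.0.0.0/8 and ::1/128 the exposure is cache snooping from local processes only, but an explicit boolean variable (e.g. `unbound__allow_snoop_enabled`) that defaults to the connection check would let operators disable it where the assumption does not hold. The comment text could also say "with the assumption that" instead of "with assumption that".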
@@ -1,5 +1,9 @@
---

- name: Create a fact that knows the Ansible connection type
set_fact:
unbound__fact_ansible_connection: '{{ ansible_connection }}'

- name: Create Unbound configuration directory
file:
path: '/etc/unbound/unbound.conf.d'
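Review bot: `unbound__fact_ansible_connection` is only defined once this task has run in the current play, yet it is referenced from the `state` expression in `unbound__default_server` in the defaults; any evaluation of that variable before this task (from another role or play that reads the role's defaults) fails with an undefined variable. Either guard the use site with a default, e.g. `(unbound__fact_ansible_connection | d("")) == "local"`, or add a comment above the task documenting that the defaults depend on it being set first.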
