install-dns.yml
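---
# Installs BIND9 on the local machine and configures it as a forwarding
# DNS server.
#
# This playbook uses information gathered from the current network
# configuration to determine what the forwarding DNS server addresses
# should be. Check the contents of /etc/resolv.conf to see if those
# addresses are correct. An address that points back at this host
# (e.g. 127.0.0.1) would make BIND forward queries to itself.
- name: Install BIND9 and configure DNS forwarding
  hosts: localhost
  connection: local
  become: true
  vars:
    upstream_dns:
      primary: "{{ ansible_dns.nameservers[0] }}"
      # A host with only one configured nameserver has no second entry;
      # fall back to an empty string, which is dropped from the
      # forwarders line below.
      secondary: "{{ ansible_dns.nameservers[1] | default('') }}"
    # Non-empty forwarder addresses joined the way named.conf expects
    # them inside the braces ("a; b").
    upstream_dns_forwarders: >-
      {{ [upstream_dns.primary, upstream_dns.secondary]
         | select | join('; ') }}
    # Address-match list written into allow-query. 'any' is the original
    # behaviour. Use 'localhost; localnets' (BIND built-in ACLs) to limit
    # queries to this host and its directly attached networks.
    dns_allow_query: any
  tasks:
    # Fail early with a readable message instead of an undefined-variable
    # error when no nameserver was gathered.
    - name: Checking that an upstream nameserver was detected
      assert:
        that:
          - (ansible_dns | default({})).nameservers | default([]) | length > 0
        msg: No nameservers found in gathered facts; cannot set forwarders.

    # One apt transaction for both packages. 'latest' upgrades packages
    # that are already installed each time the playbook runs.
    - name: Installing BIND9 and dnsutils
      apt:
        name:
          - bind9
          - dnsutils
        state: latest

    # failed_when replaces Ansible's default return-code check, so the
    # return code is tested explicitly alongside the output check.
    - name: Verifying valid starting configuration
      command:
        cmd: named-checkconf
      register: named_checkconf
      changed_when: false
      failed_when: >-
        named_checkconf.rc != 0
        or named_checkconf.stdout_lines | length > 0

    # The regexp matches any forwarders line written by an earlier run, so
    # changed upstream addresses replace that line instead of adding a
    # second one. lineinfile appends the line ending itself, so 'line'
    # carries no trailing newline.
    - name: Configuring forwarders
      lineinfile:
        path: /etc/bind/named.conf.options
        insertafter: "\t// };"
        regexp: "^\tforwarders "
        line: "\tforwarders { {{ upstream_dns_forwarders }}; };"

    # Allowing queries from anywhere simplifies things and on a home
    # network, the Raspberry Pi DNS server should not be accessible from
    # the internet.
    # NOTE(review): with no separate allow-recursion setting, 'any' can
    # also open recursion to every client that can reach port 53. If the
    # port is ever exposed (port forward, DMZ host, unfiltered IPv6) the
    # server becomes an open resolver, which is commonly abused for DNS
    # amplification. Keep port 53 firewalled to the LAN or narrow
    # dns_allow_query.
    - name: Allowing queries from hosts other than just localhost
      lineinfile:
        path: /etc/bind/named.conf.options
        insertbefore: "};"
        regexp: "^\tallow-query "
        line: "\tallow-query { {{ dns_allow_query }}; };"

    # Errors like "got insecure response; parent indicates it should be
    # secure" will start showing up if dnssec-validation is left set to
    # auto. You can troubleshoot them or accept that for a home network,
    # DNS security can probably be a little lax.
    # NOTE(review): with validation off, BIND does not check signatures,
    # so a forged answer from a forwarder or from anyone on the path is
    # passed on to clients. The error is often caused by forwarders that
    # do not return DNSSEC records; using forwarders that do, and leaving
    # validation on 'auto', avoids the trade-off.
    - name: Disabling DNSSEC
      replace:
        path: /etc/bind/named.conf.options
        regexp: "dnssec-validation auto;"
        replace: "dnssec-validation no;"

    - name: Verifying final configuration
      command:
        cmd: named-checkconf
      register: named_checkconf
      changed_when: false
      failed_when: >-
        named_checkconf.rc != 0
        or named_checkconf.stdout_lines | length > 0

    - name: Reloading BIND9 config
      systemd:
        name: bind9
        enabled: true
        state: reloaded

    # nslookup can echo the queried name in its failure output as well,
    # so the return code is checked in addition to the text match.
    - name: Testing DNS lookup for raspberrypi.org
      command:
        cmd: nslookup raspberrypi.org 127.0.0.1
      register: nslookup
      changed_when: false
      failed_when: >-
        nslookup.rc != 0
        or nslookup.stdout is not search("raspberrypi.org")

    - name: Reporting new DNS server addresses
      debug:
        msg: "You may now use {{ ansible_default_ipv4.address }} as a DNS server."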