


5e4711d87c
feat(zones): skip on slave servers
Introduce 'nsd:opmode' pillar option, allowing the zone file management
to be skipped on slave DNS servers.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-19 21:36:35 +01:00
5023b5e0a3
fix(checkconf): only check main config
Included configurations in nsd.conf.d tend to depend on each other. For
example, when referencing a TSIG key from 80-generated-keys in
90-generated-zones, running nsd-checkconf on these individual files
would cause an error.
It is sufficient and better to just check the main nsd.conf file, as it
combines all included configurations in the check.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-18 16:12:58 +01:00
9bbffa5f1f
feat(keys): allow pillar based management
Introduce managed TSIG keys configuration using pillar data.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-18 16:09:24 +01:00
307ed12b2b
feat(zones): allow custom options and files
- allow additional configuration options in zone blocks
- allow installation of zone files from other Salt file roots

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-18 16:06:35 +01:00
de523dd8df
feat(config): pillar based config template
Allow management of general configuration using pillar data.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-17 21:42:29 +01:00
32 changed files with 199 additions and 57 deletions


@ -4,6 +4,7 @@
{#- Get the `tplroot` from `tpldir` #} {#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %} {%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_package_install = tplroot ~ '.package.install' %} {%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/macros.jinja" import config_file with context %}
{%- from tplroot ~ "/map.jinja" import mapdata as nsd with context %} {%- from tplroot ~ "/map.jinja" import mapdata as nsd with context %}
{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %} {%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
@ -28,3 +29,12 @@ nsd-config-file-file-managed:
- context: - context:
nsd: {{ nsd | json }} nsd: {{ nsd | json }}
- check_cmd: nsd-checkconf - check_cmd: nsd-checkconf
{%- set config_data = nsd.get('config_data', {}) %}
{%- if config_data | length > 0 %}
{{ config_file('10-salt', 'pillar-configuration') }}
{%- endif %}
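Review bot: The `{%- if config_data | length > 0 %}` guard only manages the `10-salt` include while the pillar section is present; if `config_data` is later removed from pillar, the previously generated include stays on disk and is still picked up by the include glob, so the server keeps options the operator believes were withdrawn. An `{%- else %}` branch with a `file.absent` on the same path, carrying a `watch_in` on the service, would keep the rendered configuration in step with pillar; the `keys` guard in keys.sls has the same gap. The include path is presumably derived inside the `config_file` macro, so the absent state would need the same `config_include_dir` logic.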


@ -6,3 +6,4 @@ include:
- .config_files - .config_files
- .file - .file
- .zones - .zones
- .keys

14
nsd/config/keys.sls Normal file

@ -0,0 +1,14 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import mapdata as nsd with context %}
{%- from tplroot ~ "/macros.jinja" import config_file with context %}
{%- set keys = nsd.get('keys', {}) %}
{%- if keys | length > 0 %}
{{ config_file('80-generated-keys', 'generated-keys') }}
{%- endif %}
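Review bot: The `config_file('80-generated-keys', 'generated-keys')` call writes TSIG secrets through the shared `config_file` macro, and nothing in this file or in the visible part of the macro turns off diff output, so a new or changed secret would appear in the state return, the minion log and the master job cache. Unless the macro already does so, give it a way to pass `show_changes: False` and a restrictive `mode` for this call; the macro lives in macros.jinja and only part of its body is visible on this page.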


@ -10,11 +10,14 @@
{%- from tplroot ~ "/macros.jinja" import zonefile_name with context %} {%- from tplroot ~ "/macros.jinja" import zonefile_name with context %}
{%- set zones = nsd.get('zones', {}) %} {%- set zones = nsd.get('zones', {}) %}
{%- set opmode = nsd.get('opmode', 'master') %}
{%- if zones | length > 0 %} {%- if zones | length > 0 %}
{{ config_file('90-generated-zones', 'generated-zones') }} {{ config_file('90-generated-zones', 'generated-zones') }}
{%- if opmode == 'master' %}
nsd-config-zones-file-directory: nsd-config-zones-file-directory:
file.directory: file.directory:
- name: {{ nsd.zones_dir }} - name: {{ nsd.zones_dir }}
@ -28,10 +31,14 @@ nsd-config-zones-file-directory:
"{{ identifier }}": "{{ identifier }}":
file.managed: file.managed:
- name: "{{ nsd.zones_dir }}/{{ zonefile_name(name, config) }}" - name: "{{ nsd.zones_dir }}/{{ zonefile_name(name, config) }}"
{%- if 'zone_source' in config %}
- source: {{ config['zone_source'] }}
{%- else %}
- source: {{ files_switch([template, template+'.jinja'], - source: {{ files_switch([template, template+'.jinja'],
lookup=identifier lookup=identifier
) )
}} }}
{%- endif %}
- mode: 644 - mode: 644
- user: root - user: root
- group: {{ nsd.rootgroup }} - group: {{ nsd.rootgroup }}
@ -49,3 +56,4 @@ nsd-config-zones-file-directory:
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- endif %}
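Review bot: The new `{%- if opmode == 'master' %}` guard skips zone-file installation for any value other than the literal `master`, so a typo such as `mastre` silently installs no zone files, while the pillar example documents the switch as "set to 'slave'". Either match the documented contract with `{%- if opmode != 'slave' %}` or fail loudly on an unknown value, e.g. `{%- if opmode not in ['master', 'slave'] %}{{ raise('nsd:opmode must be master or slave') }}{%- endif %}`. In the same section, `- source: {{ config['zone_source'] }}` interpolates the pillar value unquoted, unlike the quoted `- name:` line above it; `- source: "{{ config['zone_source'] }}"` avoids YAML parse surprises. Since `zone_source` accepts whatever Salt source URL the pillar carries, it should only be driven by trusted pillar, which is worth a comment on that line.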


@ -0,0 +1,11 @@
########################################################################
# File managed by Salt at <{{ source }}>.
# Your changes will be overwritten.
########################################################################
{%- for name, config in nsd.get('keys').items() %}
key:
name: "{{ name }}"
algorithm: "{{ config['algorithm'] }}"
secret: "{{ config['secret'] }}"
{%- endfor %}


@ -1,4 +1,5 @@
{%- from "nsd/macros.jinja" import zonefile_name with context -%} {%- from "nsd/macros.jinja" import zonefile_name with context -%}
{%- set extraopts = ['allow-notify', 'request-xfr', 'outgoing-interface'] -%}
######################################################################## ########################################################################
# File managed by Salt at <{{ source }}>. # File managed by Salt at <{{ source }}>.
# Your changes will be overwritten. # Your changes will be overwritten.
@ -8,4 +9,9 @@
zone: zone:
name: "{{ name }}" name: "{{ name }}"
zonefile: "{{ nsd.zones_dir }}/{{ zonefile_name(name, config) }}" zonefile: "{{ nsd.zones_dir }}/{{ zonefile_name(name, config) }}"
{%- for option in extraopts %}
{%- if option in config %}
{{ option }}: {{ config[option] }}
{%- endif %}
{%- endfor %}
{%- endfor %} {%- endfor %}
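Review bot: `{{ option }}: {{ config[option] }}` emits the pillar value verbatim, so a list (for example several `request-xfr` masters, which NSD takes as repeated lines) renders as a Python list literal rather than one line per entry, whereas the new config_data template in the same commit expands lists into repeated options. Applying the same string/iterable branching here keeps the two templates consistent and lets multi-master zones be expressed in pillar; the enclosing `{%- for name, config in ... %}` loop starts above this hunk.
```jinja
{%- for option in extraopts %}
{%- if option in config %}
{%- if config[option] is string or config[option] is number %}
  {{ option }}: {{ config[option] }}
{%- elif config[option] is iterable %}
{%- for item in config[option] %}
  {{ option }}: {{ item }}
{%- endfor %}
{%- endif %}
{%- endif %}
{%- endfor %}
```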


@ -0,0 +1,12 @@
{%- for category, config in nsd.get('config_data').items() %}
{{ category }}:
{%- for option, value in config.items() %}
{%- if value is string or value is number %}
{{ option }}: {{ value }}
{%- elif value is iterable %}
{%- for item in value %}
{{ option }}: {{ item }}
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- endfor %}
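Review bot: The `{%- if value is string or value is number %}` branch also matches booleans, so an unquoted `yes`/`no` in pillar arrives as a Python bool and is rendered as `True`/`False`, which is not an NSD option value; the pillar example quotes 'yes', presumably for that reason, but the template should not depend on it. Adding a boolean branch first, `{%- if value is sameas true or value is sameas false %}` followed by `{{ option }}: {{ 'yes' if value else 'no' }}`, makes the quoting unnecessary. The `{%- elif value is iterable %}` branch would also iterate a mapping's keys; an explicit `value is mapping` check that raises or skips would surface such a pillar mistake instead of writing key names as option values.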


@ -25,7 +25,6 @@
- file: nsd-config-file-file-managed - file: nsd-config-file-file-managed
- context: - context:
nsd: {{ nsd | json }} nsd: {{ nsd | json }}
- check_cmd: nsd-checkconf
- watch_in: - watch_in:
- service: nsd-service-running-service-running - service: nsd-service-running-service-running
{%- endmacro %} {%- endmacro %}
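Review bot: With `check_cmd` dropped from the macro, an include written by `config_file` is no longer validated at all unless nsd.conf itself changes in the same run, because the remaining `check_cmd: nsd-checkconf` in file.sls is, as far as I can tell, only executed when that file's contents differ. A bad value in `config_data` or `keys` is then written out and first surfaces when the watched service fails to restart. A `cmd.run` of `nsd-checkconf` with `onchanges` on the include's file.managed, ordered before the service restart via `require_in`, would restore validation of the combined configuration without checking includes in isolation; the macro body starts above this hunk.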


@ -17,18 +17,51 @@ nsd:
# config_include_glob: *.conf # config_include_glob: *.conf
# Configuration is separated into several files which have their own templates # Configuration is separated into several files which have their own templates
config_files: # config_files:
10-server: local-nsd-for-unbound # 10-server: local-nsd-for-unbound
# 90-generated-zones is reserved for zones generated by this formula # # 90-generated-zones is reserved for zones generated by this formula
# # 10-salt is reserved for general configuration generated by this formula
# If this section is present in your Pillar data,
# nsd.conf.d/80-generated-keys will be created and managed
keys:
examplekey:
algorithm: hmac-sha512
secret: encryptme
# If this section is present in your Pillar data, # If this section is present in your Pillar data,
# nsd.conf.d/90-generated-zones will be created and managed. # nsd.conf.d/90-generated-zones will be created and managed.
zones: zones:
example.test: example.test:
multi-master-check: 'no' # Just for testing purpuses
multi-master-check: no
"168.192.in-addr.arpa": {} "168.192.in-addr.arpa": {}
# NSD's include-pattern directive may be a better way to share configuration # NSD's include-pattern directive may be a better way to share configuration
# across zones than using YAML anchors. # across zones than using YAML anchors.
#
# You can load the zone file from a custom source and specify additional configuration options:
# example.com:
# zone_source: salt://zones/example.com.zone
# request-xfr: 192.168.0.1
# If this section is present in your Pillar data,
# nsd.conf.d/10-salt.conf will be created and managed
config_data:
server:
hide-version: 'yes'
ip-address: 127.0.0.1
# to use an option multiple times, make it a list:
# ip-address:
# - 127.0.0.1
# - 192.168.0.1
verbosity: 2
port: 53530
remote-control:
control-enable: 'yes'
control-interface: /run/nsd.sock
# If this option is defined and set to 'slave', no DNS zone files will be installed
# opmode: slave
tofs: tofs:
# The files_switch key serves as a selector for alternative # The files_switch key serves as a selector for alternative


@ -22,38 +22,38 @@ control 'nsd.service.running' do
end end
describe command('nslookup -port=53530 ns1.example.test 127.0.0.1') do describe command('nslookup -port=53530 ns1.example.test 127.0.0.1') do
its('stdout') { should match '192.168.0.1' } its('stdout') { should match "192.168.0.1" }
end end
describe command('nslookup -port=53530 ns2.example.test 127.0.0.1') do describe command('nslookup -port=53530 ns2.example.test 127.0.0.1') do
its('stdout') { should match '192.168.0.2' } its('stdout') { should match "192.168.0.2" }
end end
describe command('nslookup -port=53530 example.test 127.0.0.1') do describe command('nslookup -port=53530 example.test 127.0.0.1') do
its('stdout') { should match '192.168.0.10' } its('stdout') { should match "192.168.0.10" }
end end
describe command('nslookup -port=53530 www.example.test 127.0.0.1') do describe command('nslookup -port=53530 www.example.test 127.0.0.1') do
its('stdout') { should match '192.168.0.10' } its('stdout') { should match "192.168.0.10" }
end end
describe command('nslookup -port=53530 mail.example.test 127.0.0.1') do describe command('nslookup -port=53530 mail.example.test 127.0.0.1') do
its('stdout') { should match '192.168.0.11' } its('stdout') { should match "192.168.0.11" }
end end
describe command('nslookup -port=53530 192.168.0.1 127.0.0.1') do describe command('nslookup -port=53530 192.168.0.1 127.0.0.1') do
its('stdout') { should match 'ns1.example.test' } its('stdout') { should match "ns1.example.test" }
end end
describe command('nslookup -port=53530 192.168.0.2 127.0.0.1') do describe command('nslookup -port=53530 192.168.0.2 127.0.0.1') do
its('stdout') { should match 'ns2.example.test' } its('stdout') { should match "ns2.example.test" }
end end
describe command('nslookup -port=53530 192.168.0.10 127.0.0.1') do describe command('nslookup -port=53530 192.168.0.10 127.0.0.1') do
its('stdout') { should match 'example.test' } its('stdout') { should match "example.test" }
end end
describe command('nslookup -port=53530 192.168.0.11 127.0.0.1') do describe command('nslookup -port=53530 192.168.0.11 127.0.0.1') do
its('stdout') { should match 'mail.example.test' } its('stdout') { should match "mail.example.test" }
end end
end end


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -7,8 +7,15 @@ values:
added_in_pillar: pillar_value added_in_pillar: pillar_value
arch: amd64 arch: amd64
config: /etc/nsd/nsd.conf config: /etc/nsd/nsd.conf
config_files: config_data:
10-server: local-nsd-for-unbound remote-control:
control-enable: 'yes'
control-interface: /run/nsd.sock
server:
hide-version: 'yes'
ip-address: 127.0.0.1
port: 53530
verbosity: 2
config_include_dir: "/etc/nsd/nsd.conf.d" config_include_dir: "/etc/nsd/nsd.conf.d"
config_include_glob: "*.conf" config_include_glob: "*.conf"
lookup: lookup:
@ -47,3 +54,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -7,8 +7,15 @@ values:
added_in_pillar: pillar_value added_in_pillar: pillar_value
arch: amd64 arch: amd64
config: /etc/nsd/nsd.conf config: /etc/nsd/nsd.conf
config_files: config_data:
10-server: local-nsd-for-unbound remote-control:
control-enable: 'yes'
control-interface: /run/nsd.sock
server:
hide-version: 'yes'
ip-address: 127.0.0.1
port: 53530
verbosity: 2
config_include_dir: "/etc/nsd/nsd.conf.d" config_include_dir: "/etc/nsd/nsd.conf.d"
config_include_glob: "*.conf" config_include_glob: "*.conf"
lookup: lookup:
@ -47,3 +54,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -7,8 +7,15 @@ values:
added_in_pillar: pillar_value added_in_pillar: pillar_value
arch: amd64 arch: amd64
config: /etc/nsd/nsd.conf config: /etc/nsd/nsd.conf
config_files: config_data:
10-server: local-nsd-for-unbound remote-control:
control-enable: 'yes'
control-interface: /run/nsd.sock
server:
hide-version: 'yes'
ip-address: 127.0.0.1
port: 53530
verbosity: 2
config_include_dir: "/etc/nsd/nsd.conf.d" config_include_dir: "/etc/nsd/nsd.conf.d"
config_include_glob: "*.conf" config_include_glob: "*.conf"
lookup: lookup:
@ -47,3 +54,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -7,8 +7,15 @@ values:
added_in_pillar: pillar_value added_in_pillar: pillar_value
arch: amd64 arch: amd64
config: /etc/nsd/nsd.conf config: /etc/nsd/nsd.conf
config_files: config_data:
10-server: local-nsd-for-unbound remote-control:
control-enable: 'yes'
control-interface: /run/nsd.sock
server:
hide-version: 'yes'
ip-address: 127.0.0.1
port: 53530
verbosity: 2
config_include_dir: "/etc/nsd/nsd.conf.d" config_include_dir: "/etc/nsd/nsd.conf.d"
config_include_glob: "*.conf" config_include_glob: "*.conf"
lookup: lookup:
@ -47,3 +54,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"


@ -47,3 +47,4 @@ values:
example.test: example.test:
multi-master-check: false multi-master-check: false
zones_dir: "/etc/nsd/zones" zones_dir: "/etc/nsd/zones"