
clase 24/02/23

pulitux 2 years ago
parent
commit
1820ce64e7

+ 9 - 0
T2/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+remote_user: devops
+inventory: ./inventory
+
+[privilege_escalation]
+become: no
+become_method: sudo
+become_user: root
+
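Review bot: This ansible.cfg uses `:` as the key/value separator while dns-auto/ansible.cfg in the same commit uses `=`; configparser accepts both, but the two files should agree, and `=` is the form Ansible's own documentation uses and keeps an INI file from being mistaken for YAML at a glance. I would write `remote_user=devops`, `inventory=./inventory` and `become=False` here. The trailing empty added line at the end of the file can be dropped.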

+ 70 - 0
dns-auto/ansible-starter-files/configure_primary.yml.starter

@@ -0,0 +1,70 @@
+---
+- name: Configure primary nameserver
+  hosts:
+  remote_user: devops
+  become: yes
+
+  tasks:
+    - name: Install BIND9
+      yum:
+        name:
+        state:
+
+    - name: Copy primary config file
+      copy:
+        src:
+        dest:
+        owner:
+        group:
+        mode:
+      notify:
+        - reload_named
+
+    - name: Copy forward zone file to primary
+      copy:
+        src:
+        dest:
+        owner:
+        group:
+        mode:
+      notify:
+        - reload_named
+
+    - name: Copy reverse zone file to primary
+      copy:
+        src:
+        dest:
+        owner:
+        group:
+        mode:
+      notify:
+        - reload_named
+
+    - name: Copy backend config file (for zones)
+      copy:
+        src:
+        dest:
+        owner:
+        group:
+        mode:
+      notify:
+        - reload_named
+
+    - name: Allow dns service on firewall
+      firewalld:
+        service:
+        state:
+        immediate:
+        permanent:
+
+    - name: Ensure named is running and enabled
+      service:
+        name:
+        state:
+        enabled:
+
+  handlers:
+    - name: reload_named
+      service:
+        name:
+        state: reloaded

+ 9 - 0
dns-auto/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+inventory=./inventory
+remote_user=devops
+
+[privilege_escalation]
+become = False
+become_method = sudo
+become_user = root
+become_ask_pass = False
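Review bot: `become_ask_pass = False` together with `become_user = root` means every play that sets `become: yes` (all three dns-auto playbooks do) only works if `devops` has passwordless sudo on the managed hosts, and that prerequisite is not stated anywhere in the commit. A one-line comment above the `[privilege_escalation]` section would make it explicit, e.g. `# devops needs NOPASSWD sudo on managed hosts; otherwise run with --ask-become-pass`. Leaving `host_key_checking` at its default (enabled) is the right call and needs no change.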

+ 43 - 0
dns-auto/configure_caching.yml

@@ -0,0 +1,43 @@
+- name: install cache only nameserver
+  hosts: caching_dns
+  remote_user: devops
+  become: yes
+
+  vars:
+    interface: 0.0.0.0
+    interface_automatic: "yes"
+    access_control: 
+      - "172.25.250.0/24 allow"
+    domain_insecure: example.com
+    forward_zone_name: .
+    forward_zone_addr: "172.25.250.254"
+
+  tasks:
+    - name: install cache only nameserver
+      yum:
+        name: unbound
+        state: present
+
+    - name: create conf file in server
+      template:
+        src: unbound.conf.j2
+        dest: /etc/unbound/conf.d/unbound.conf
+
+    - name: allow dns on firewall
+      firewalld:
+        service: dns
+        state: enabled
+        permanent: yes
+        immediate: yes
+
+    - name: ensure unbound is running and enabled
+      service: 
+        name: unbound
+        state: started
+        enabled: yes
+
+  handlers:
+    - name: restart_unbound
+      service:
+        name: unbound
+        state: restarted
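Review bot: The template task that writes `dest: /etc/unbound/conf.d/unbound.conf` never notifies `restart_unbound`, so the handler declared at the bottom is dead and a changed configuration is not applied to an already-running unbound on later runs (the service task only ensures `started`). Add `notify:` followed by `  - restart_unbound` to that task; solution/configure_caching.yml.solution has the same gap. Minor style: `access_control: ` and `service: ` carry trailing whitespace, `permanent: yes`/`enabled: yes` would be `true` under yamllint's truthy rule, and the file lacks the `---` document start that the solution file has.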

+ 67 - 0
dns-auto/configure_primary.yml

@@ -0,0 +1,67 @@
+- name: configure primary nameserver
+  hosts: primary_dns
+  remote_user: devops
+  become: yes
+
+  tasks:
+    - name: install BIND9
+      yum:
+        name: bind
+        state: present
+
+    - name: copy primary config file
+      copy:
+        src: files/primary-named.conf
+        dest: /etc/named.conf
+        owner: root
+        group: named
+        mode: 0640
+      notify:
+        - reload_named
+
+    - name: copy forward zone file to primary
+      copy:
+        src: files/primary-backend.lab.example.com.zone
+        dest: /var/named/backend.lab.example.com.zone
+        owner: root
+        group: named
+        mode: 0640
+      notify:
+        - reload_named
+
+    - name: copy reverse zone to primary
+      copy:
+        src: files/primary-192.168.0.zone
+        dest: /var/named/192.168.0.zone
+        owner: root
+        group: named
+        mode: 0640
+
+    - name: copy backend config file
+      copy:
+        src: files/primary-named.backend.conf
+        dest: /etc/named.backend.conf
+        owner: root
+        group: named
+        mode: 0640
+      notify:
+        - reload_named
+
+    - name: allow dns on firewall
+      firewalld:
+        service: dns
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+    - name: ensure named is running and enabled
+      service:
+        name: named
+        state: started
+        enabled: yes
+
+  handlers:
+    - name: reload_named
+      service:
+        name: named
+        state: reloaded
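Review bot: The "copy reverse zone to primary" task is the only copy task without a `notify`, so an updated 192.168.0.zone is placed in /var/named but named is not reloaded unless another task happens to trigger the handler; the solution file notifies on that task as well. Add `notify:` followed by `  - reload_named` after its `mode: 0640`. Across this file, configure_secondary.yml and both solution playbooks, `mode: 0640` is an unquoted octal literal: PyYAML reads it as the integer 416, which Ansible accepts because of the leading zero, but ansible-lint's risky-octal rule asks for the quoted form `mode: "0640"` so that a YAML 1.2 parser cannot turn it into decimal 640. The file also lacks the `---` document start present in the solution.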

+ 49 - 0
dns-auto/configure_secondary.yml

@@ -0,0 +1,49 @@
+- name: configure secondary nameserver
+  hosts: secondary_dns
+  remote_user: devops
+  become: yes
+  
+  tasks:
+    - name: install BIND9
+      yum:
+        name: bind
+        state: present
+
+    - name: copy secondary config file
+      copy:
+        src: files/secondary-named.conf
+        dest: /etc/named.conf
+        owner: root
+        group: named
+        mode: 0640
+      notify:
+        - reload_named
+
+    - name: copy backend config file
+      copy:
+        src: files/secondary-named.backend.conf
+        dest: /etc/named.backend.conf
+        owner: root
+        group: named
+        mode: 0640
+      notify: 
+        - reload_named
+
+    - name: allow dns in firewall
+      firewalld:
+        service: dns
+        state: enabled
+        permanent: yes
+        immediate: yes
+
+    - name: ensure named running and enabled
+      service:
+        name: named
+        state: started
+        enabled: yes
+
+  handlers:
+    - name: reload_named
+      service:
+        name: named
+        state: reloaded
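Review bot: The `become: yes` line and the second `notify:` carry trailing whitespace, and the file lacks the `---` document start that solution/configure_secondary.yml.solution has; the task content otherwise matches the solution. The unquoted `mode: 0640` is the same point raised on configure_primary.yml and applies here too.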

+ 15 - 0
dns-auto/files/primary-192.168.0.zone

@@ -0,0 +1,15 @@
+$TTL 300
+@ IN SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
+                    2020041805    ;serial number
+                    1H            ;refresh secondary
+                    5M            ;retry refresh
+                    1W            ;expire zone
+                    1M )          ;cache time-to-live for negative answers
+
+; owner                   TTL   CL  type    RDATA
+                          600   IN  NS      serverb.backend.lab.example.com.
+
+10.0.168.192.IN-ADDR.ARPA.      IN  PTR     servera.backend.lab.example.com.
+11                              IN  PTR     serverb.backend.lab.example.com.
+12                              IN  PTR     serverc.backend.lab.example.com.
+13                              IN  PTR     serverd.backend.lab.example.com.
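Review bot: The first PTR owner is written absolute (`10.0.168.192.IN-ADDR.ARPA.`) while the next three are relative to the origin; both forms resolve to the same name given the `0.168.192.in-addr.arpa` zone declared in primary-named.backend.conf, but mixing them invites an off-by-one-label mistake when records are added. Writing `10` like the other three keeps the file uniform. The refresh/retry/expire units are upper-case here and lower-case in the forward zone file; BIND accepts either, but one convention across the two files reads better.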

+ 17 - 0
dns-auto/files/primary-backend.lab.example.com.zone

@@ -0,0 +1,17 @@
+$TTL 300
+@ IN  SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
+                        2020041806  ;serial number
+                        1H          ;refresh secondary
+                        5m          ;retry refresh
+                        1w          ;expire zone
+                        1m )        ;cache time-to-live for negative answers
+
+; owner                   TTL     CL  type    RDATA
+                          600     IN  NS      serverb
+;                                  IN  MX 10   serverb.backend.lab.example.com.
+;                                  IN  A       192.168.0.11
+
+servera                           IN  A       192.168.0.10
+serverb                           IN  A       192.168.0.11
+serverc                           IN  A       192.168.0.12
+serverd                           IN  A       192.168.0.13

+ 11 - 0
dns-auto/files/primary-named.backend.conf

@@ -0,0 +1,11 @@
+zone "backend.lab.example.com" IN {
+        type master;
+        file "backend.lab.example.com.zone";
+        forwarders {};
+};
+
+zone "0.168.192.in-addr.arpa" IN {
+        type master;
+        file "192.168.0.zone";
+        forwarders {};
+};

+ 35 - 0
dns-auto/files/primary-named.conf

@@ -0,0 +1,35 @@
+# /etc/named.conf (primary/secondary)
+#
+# For this exercise, primary and secondary name.conf files are identical but
+# have separate names in the project directory to avoid confusion when
+# configuring playblooks.
+#
+# Template file for BIND labs.
+
+options {
+        listen-on port 53 { any; };
+        directory "/var/named";
+        allow-transfer { 192.168.0.12; };
+        allow-query { localhost; 172.25.250.254; 192.168.0.0/24; };
+        recursion no;
+
+#Added the following
+        pid-file "/run/named/named.pid";
+        session-keyfile "/run/named/session.key";
+
+        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+        include "/etc/crypto-policies/back-ends/bind.config";
+
+};
+
+#Added the following
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+include "/etc/named.backend.conf";
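Review bot: `listen-on port 53 { any; };` binds every interface while `allow-query` and `allow-transfer` only admit localhost, 172.25.250.254 and 192.168.0.0/24; with `recursion no` this is a reasonably closed authoritative setup, but if the hosts also have a classroom-facing interface, listening only on the 192.168.0.x address would stop the query ACL from being the sole gate. `allow-transfer` is set in `options`, so it applies to every zone including those pulled in by `/etc/named.rfc1912.zones`, not only the backend zones; that is probably intended for the lab but deserves a comment next to it. The header comment has a typo, `playblooks` → `playbooks`, repeated in secondary-named.conf.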

+ 11 - 0
dns-auto/files/secondary-named.backend.conf

@@ -0,0 +1,11 @@
+zone "backend.lab.example.com" IN {
+        type slave;
+        file "slaves/backend.lab.example.com.zone";
+        masters { 192.168.0.11; };
+};
+
+zone "0.168.192.in-addr.arpa" IN {
+        type slave;
+        file "slaves/192.168.0.zone";
+        masters { 192.168.0.11; };
+};

+ 35 - 0
dns-auto/files/secondary-named.conf

@@ -0,0 +1,35 @@
+# /etc/named.conf (primary/secondary)
+#
+# For this exercise, primary and secondary name.conf files are identical but
+# have separate names in the project directory to avoid confusion when
+# configuring playblooks.
+#
+# Template file for BIND labs.
+
+options {
+        listen-on port 53 { any; };
+        directory "/var/named";
+        allow-transfer { 192.168.0.12; };
+        allow-query { localhost; 172.25.250.254; 192.168.0.0/24; };
+        recursion no;
+
+#Added the following
+        pid-file "/run/named/named.pid";
+        session-keyfile "/run/named/session.key";
+
+        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+        include "/etc/crypto-policies/back-ends/bind.config";
+
+};
+
+#Added the following
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+include "/etc/named.backend.conf";
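Review bot: Because this file is byte-identical to primary-named.conf, the secondary at 192.168.0.12 ends up with `allow-transfer { 192.168.0.12; };`, i.e. it permits zone transfers only to itself; that is harmless for the lab, but on a real secondary the ACL should be `allow-transfer { none; };` unless a further downstream secondary exists. If the two files are kept identical on purpose, a one-line comment at the `allow-transfer` line saying that the address is the secondary's own and the setting is inert here would save the next reader the double-take.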

+ 11 - 0
dns-auto/inventory

@@ -0,0 +1,11 @@
+[control_node]
+workstation.lab.example.com
+
+[caching_dns]
+servera.lab.example.com
+
+[primary_dns]
+serverb.lab.example.com
+
+[secondary_dns]
+serverc.lab.example.com

+ 3 - 0
dns-auto/playbook.yml

@@ -0,0 +1,3 @@
+ - import_playbook: configure_primary.yml
+ - import_playbook: configure_secondary.yml
+ - import_playbook: configure_caching.yml
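Review bot: All three `- import_playbook:` lines are indented by a single space and the file has no `---` document start, unlike solution/playbook.yml.solution. The indentation is consistent so the YAML parses, but yamllint would flag it; starting the list at column 0 with `---` above matches the solution and the other playbooks.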

+ 44 - 0
dns-auto/solution/configure_caching.yml.solution

@@ -0,0 +1,44 @@
+---
+- name: Install cache only nameserver
+  hosts: caching_dns
+  remote_user: devops
+  become: yes
+
+  vars:
+    interface: 0.0.0.0
+    interface_automatic: "yes"
+    access_control:
+      - "172.25.250.0/24 allow"
+    domain_insecure: example.com
+    forward_zone_name: .
+    forward_zone_addr: "172.25.250.254"
+
+  tasks:
+    - name: Install cache only nameserver
+      yum:
+        name: unbound
+        state: present
+
+    - name: Create configuration file on caching server host
+      template:
+        src: unbound.conf.j2
+        dest: /etc/unbound/conf.d/unbound.conf
+
+    - name: Allow dns service on firewall
+      firewalld:
+        service: dns
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+    - name: Ensure unbound is running and enabled
+      service:
+        name: unbound
+        state: started
+        enabled: yes
+
+  handlers:
+    - name: restart_unbound
+      service:
+        name: unbound
+        state: restarted

+ 70 - 0
dns-auto/solution/configure_primary.yml.solution

@@ -0,0 +1,70 @@
+---
+- name: Configure primary nameserver
+  hosts: primary_dns
+  remote_user: devops
+  become: yes
+
+  tasks:
+    - name: Install BIND9
+      yum:
+        name: bind
+        state: present
+
+    - name: Copy primary config file
+      copy:
+        src: files/primary-named.conf
+        dest: /etc/named.conf
+        owner: root
+        group: named
+        mode: 0640
+      notify:
+        - reload_named
+
+    - name: Copy forward zone file to primary
+      copy:
+        src: files/primary-backend.lab.example.com.zone
+        dest: /var/named/backend.lab.example.com.zone
+        owner: root
+        group: named
+        mode: 0640
+      notify:
+        - reload_named
+
+    - name: Copy reverse zone file to primary
+      copy:
+        src: files/primary-192.168.0.zone
+        dest: /var/named/192.168.0.zone
+        owner: root
+        group: named
+        mode: 0640
+      notify:
+        - reload_named
+
+    - name: Copy backend config file (for zones)
+      copy:
+        src: files/primary-named.backend.conf
+        dest: /etc/named.backend.conf
+        owner: root
+        group: named
+        mode: 0640
+      notify:
+        - reload_named
+
+    - name: Allow dns service on firewall
+      firewalld:
+        service: dns
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+    - name: Ensure named is running and enabled
+      service:
+        name: named
+        state: started
+        enabled: yes
+
+  handlers:
+    - name: reload_named
+      service:
+        name: named
+        state: reloaded

+ 50 - 0
dns-auto/solution/configure_secondary.yml.solution

@@ -0,0 +1,50 @@
+---
+- name: Configure secondary nameserver
+  hosts: secondary_dns
+  remote_user: devops
+  become: yes
+
+  tasks:
+    - name: Install BIND9
+      yum:
+        name: bind
+        state: present
+
+    - name: Copy secondary config file
+      copy:
+        src: files/secondary-named.conf
+        dest: /etc/named.conf
+        owner: root
+        group: named
+        mode: 0640
+      notify:
+        - reload_named
+
+    - name: Copy backend config file (for zones)
+      copy:
+        src: files/secondary-named.backend.conf
+        dest: /etc/named.backend.conf
+        owner: root
+        group: named
+        mode: 0640
+      notify:
+        - reload_named
+
+    - name: Allow dns service on firewall
+      firewalld:
+        service: dns
+        state: enabled
+        immediate: yes
+        permanent: yes
+
+    - name: Ensure named is running and enabled
+      service:
+        name: named
+        state: started
+        enabled: yes
+
+  handlers:
+    - name: reload_named
+      service:
+        name: named
+        state: reloaded

+ 4 - 0
dns-auto/solution/playbook.yml.solution

@@ -0,0 +1,4 @@
+---
+- import_playbook: configure_primary.yml
+- import_playbook: configure_secondary.yml
+- import_playbook: configure_caching.yml

+ 11 - 0
dns-auto/templates/unbound.conf.j2

@@ -0,0 +1,11 @@
+server:
+        interface: {{ interface }}
+        interface-automatic: {{ interface_automatic }}
+{% for acl in access_control %}
+        access-control: {{ acl }}
+{% endfor %}
+        domain-insecure: "{{ domain_insecure }}"
+
+forward-zone:
+        name: "{{ forward_zone_name }}"
+        forward-addr: {{ forward_zone_addr }}
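Review bot: The template emits each `access_control` entry verbatim as `access-control: {{ acl }}`, and nothing documents that the variable must hold "<prefix> <action>" strings such as `172.25.250.0/24 allow`, nor that an empty list produces no `access-control:` line at all and so leaves unbound's built-in default, which refuses non-local clients. A Jinja comment header (`{# ... #}`, not rendered) listing the expected variables — interface, interface_automatic, access_control, domain_insecure, forward_zone_name, forward_zone_addr — and the entry format would make the template self-explanatory. Quoting is also mixed: `domain-insecure` and `name` are quoted while `interface` and `forward-addr` are not; unbound accepts both, but one style is easier to review.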

+ 9 - 0
ping/ping2.yml

@@ -0,0 +1,9 @@
+- name: ping
+  ping:
+  register: retorno
+  ignore_errors: true
+
+- name: recursivo
+  include_tasks: ping.yml
+  when: retorno.failed
+
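Review bot: `ignore_errors: true` does not keep a host in the play when the connection attempt fails — Ansible reports that as unreachable, not failed — so the `when: retorno.failed` branch is presumably never reached for the case this retry loop is meant for; `ignore_unreachable: true` (Ansible 2.7+) is the knob that covers it, and the condition would then need to consider `retorno.unreachable` as well. The recursion also has no bound: every failure re-includes the task file again until the run is killed. The include names ping.yml although this file is ping2.yml and playbook.yml now includes ping2.yml; if self-recursion was intended it should be `include_tasks: ping2.yml`, but ping.yml is not in this commit so I cannot tell.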

+ 1 - 1
ping/playbook.yml

@@ -4,7 +4,7 @@
   vars:
     - ping_address: 192.168.1.32
   tasks:
-    - include_tasks: ping.yml
+    - include_tasks: ping2.yml
     - name:
       debug:
         msg: "Address {{ ping_address }} responding ping from {{ inventory_hostname }}"
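Review bot: The only changed line swaps the included file, but the new-side context around it has two points worth a follow-up: `vars:` is given as a list of one-key mappings (`- ping_address: 192.168.1.32`), a legacy form newer Ansible versions warn about, which should be a plain mapping `vars:` / `  ping_address: 192.168.1.32`; and the debug task has an empty `- name:`, which shows up as a blank task title in the run output. The play header is above the hunk.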