From 69c17d7e12303fe3576c725980d06802f654dcd7 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 3 Sep 2020 17:58:53 +0000
Subject: [PATCH] nsd: Initial version of role (WIP)

---
 roles/nsd/handlers/main.yml | 5 ++++
 roles/nsd/tasks/main.yml | 49 +++++++++++++++++++++++++++++++++
 roles/nsd/templates/nsd.conf.j2 | 28 +++++++++++++++++++
 3 files changed, 82 insertions(+)
 create mode 100644 roles/nsd/handlers/main.yml
 create mode 100644 roles/nsd/tasks/main.yml
 create mode 100644 roles/nsd/templates/nsd.conf.j2

diff --git a/roles/nsd/handlers/main.yml b/roles/nsd/handlers/main.yml
new file mode 100644
index 0000000..f862d51
--- /dev/null
+++ b/roles/nsd/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart nsd
+ service:
+ name: nsd
+ state: restarted
diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml
new file mode 100644
index 0000000..132102b
--- /dev/null
+++ b/roles/nsd/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+- name: copy server certificate
+ copy:
+ dest: "{{ tls_private }}/{{ nsd_server }}.key"
+ src: "{{ item }}"
+ mode: 0600
+ owner: root
+ group: "{{ ansible_wheel }}"
+ with_first_found:
+ - "/srv/letsencrypt/live/{{ nsd_server }}/privkey.pem"
+ - "/srv/ca/private/{{ nsd_server }}.key"
+ - "/srv/ca/private/{{ inventory_hostname }}.key"
+
+- name: copy server key
+ copy:
+ dest: "{{ tls_certs }}/{{ nsd_server }}.crt"
+ src: "{{ item }}"
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+ with_first_found:
+ - "/srv/letsencrypt/live/{{ site }}/fullchain.pem"
+ - "/srv/ca/certs/{{ site }}.crt"
+ - "/srv/ca/certs/{{ inventory_hostname }}.crt"
+
+- name: create nsd config
+ template:
+ src: nsd.conf.j2
+ dest: /var/nsd/etc/nsd.conf
+ mode: 0640
+ owner: root
+ group: _nsd
+ notify: restart nsd
+
+- name: copy zone files
+ copy:
+ dest: "/var/nsd/zones/master/{{ item|replace('/', '-') }}"
+ src: "/srv/dns/{{ item|replace('/', '-') }}"
+ mode: 0640
+ owner: root
+ group: _nsd
+ notify: restart nsd
+ with_items: "{{ nsd_zones }}"
+
+- name: enable nsd
+ service:
+ name: nsd
+ state: started
+ enabled: true
diff --git a/roles/nsd/templates/nsd.conf.j2 b/roles/nsd/templates/nsd.conf.j2
new file mode 100644
index 0000000..869996f
--- /dev/null
+++ b/roles/nsd/templates/nsd.conf.j2
@@ -0,0 +1,28 @@
+
+server:
+ chroot: "/var/nsd"
+ database: ""
+ hide-version: yes
+ logfile: "/var/log/nsd.log"
+ server-count: {{ ansible_processor_count }}
+ verbosity: 2
+
+ interface: ::0@53
+ interface: 0.0.0.0@53
+ interface: ::0@853
+ interface: 0.0.0.0@853
+
+ tls-service-key: {{ tls_private }}/{{ nsd_server }}.key
+ tls-service-pem: {{ tls_certs }}/{{ nsd_server }}.crt
+
+remote-control:
+ control-enable: yes
+ control-interface: "/var/nsd/run/control.sock"
+{% for zone in nsd_zones %}
+
+zone:
+ name: "{{ zone }}"
+ zonefile: "/zones/master/{{ zone|replace('/', '-') }}"
+ notify: 144.202.29.243 NOKEY
+ provide-xfr: 144.202.29.243 NOKEY
+{% endfor %}
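Review bot: The first two copy tasks have their names swapped: the task named `copy server certificate` installs the private key (`privkey.pem` into `{{ nsd_server }}.key`) and `copy server key` installs the certificate, so rename them to `copy server key` and `copy server certificate` respectively. The certificate lookup keys on `{{ site }}` in its `with_first_found` list while the key lookup keys on `{{ nsd_server }}`; when those two variables differ nsd ends up with a certificate that does not match its private key, so both lists should use `{{ nsd_server }}`. Neither of these tasks carries `notify: restart nsd`, so a renewed key or certificate is copied into place but the running daemon keeps serving the old pair until something else restarts it. As a style point, the octal modes are safer quoted (`mode: "0600"`, `mode: "0644"`, `mode: "0640"`) so the YAML loader does not reinterpret the leading zero.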
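Review bot: The secondary address `144.202.29.243` is hard-coded in the `notify:` and `provide-xfr:` lines of every generated zone stanza, and both use `NOKEY`, so zone transfers are gated on source address alone; taking the address from a role variable (a constructed example: `notify: {{ nsd_secondary }} NOKEY` and `provide-xfr: {{ nsd_secondary }} NOKEY`, with the variable declared in the role defaults) keeps the role reusable, and a TSIG key in place of `NOKEY` would authenticate the transfer rather than just the peer address. `server-count` is fed from `ansible_processor_count`, which on some platforms reports physical processors rather than logical CPUs; `ansible_processor_vcpus` is probably closer to what is intended, worth confirming on the target. The leading blank line before `server:` can be dropped.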