From 5aaf0e8968de6e478c1cb5afa9b917dc941cbc06 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <adellam@isti.cnr.it>
Date: Tue, 15 May 2018 16:12:29 +0200
Subject: [PATCH] powerdns: manage the configuration for both the master and
 the slave.

---
 powerdns-authoritative/defaults/main.yml      |  32 +
 powerdns-authoritative/handlers/main.yml      |   4 +
 powerdns-authoritative/tasks/main.yml         |   8 +
 powerdns-authoritative/templates/pdns.conf    | 641 ++++++++++++++++++
 .../templates/pdns.local.conf                 |   4 +
 5 files changed, 689 insertions(+)
 create mode 100644 powerdns-authoritative/handlers/main.yml
 create mode 100644 powerdns-authoritative/templates/pdns.conf
 create mode 100644 powerdns-authoritative/templates/pdns.local.conf

diff --git a/powerdns-authoritative/defaults/main.yml b/powerdns-authoritative/defaults/main.yml
index 4b20cee..1f72f48 100644
--- a/powerdns-authoritative/defaults/main.yml
+++ b/powerdns-authoritative/defaults/main.yml
@@ -16,7 +16,39 @@ powerdns_auth_pkgs:
   - pdns-backend-pipe 
 
 powerdns_auth_use_db_backend: True
+powerdns_auth_backend_name: gpgsql
 powerdns_auth_db_backend: pgsql
 powerdns_auth_db_pkgs:
   - 'pdns-backend-{{ powerdns_auth_db_backend }}'
 
+powerdns_auth_backend_data:
+  - { key: 'gpgsql-port', value: 5432 }
+  - { key: 'gpgsql-dbname', value: '' }
+  - { key: 'dpgsql-user', value: '' }
+  - { key: 'gpgsql-password', value: '' }
+  - { key: 'gpgsql-dnssec', value: '' }
+  - { key: 'gpgsql-extra-connection-parameters', value: '' }
+  
+# pdns_zone_transfer_ip:
+# - '0/0'
+# pdns_allow_dnsupdate_from:
+# - '0/0'
+# pdns_allow_notify_from:
+# - '0/0'
+# pdns_allow_unsigned_notify: 'yes'
+# pdns_allow_unsigned_supermaster: 'yes'
+# pdns_also_notify_from:
+# - '0/0'
+# powerdns_auth_enable_api: 'no'
+# powerdns_auth_api_key: 'use a vault file'
+# powerdns_auth_api_readonly: 'no'
+# powerdns_dnsupdate: 'no'
+# powerdns_local_ipv4: '0.0.0.0'
+# powerdns_local_ipv4_fail: 'yes'
+# powerdns_local_port: 53
+# powerdns_auth_master: 'no'
+# powerdns_reuseport: 'yes'
+# powerdns_auth_slave: 'no'
+# powerdns_auth_webserver: 'no'
+# powerdns_auth_web_address: '127.0.0.1'
+# powerdns_auth_web_allowfrom: '127.0.0.1,::1'
diff --git a/powerdns-authoritative/handlers/main.yml b/powerdns-authoritative/handlers/main.yml
new file mode 100644
index 0000000..008b072
--- /dev/null
+++ b/powerdns-authoritative/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Restart powerdns
+  service: name=pdns state=restarted
+
diff --git a/powerdns-authoritative/tasks/main.yml b/powerdns-authoritative/tasks/main.yml
index f588871..44b437d 100644
--- a/powerdns-authoritative/tasks/main.yml
+++ b/powerdns-authoritative/tasks/main.yml
@@ -15,6 +15,14 @@
     with_items: '{{ powerdns_auth_db_pkgs }}'
     when: powerdns_auth_use_db_backend
 
+  - name: Install the powerdns main configuration file
+    template: src=pdns.conf dest=/etc/powerdns/pdns.conf owner=root group=root mode=0600
+    notify: Restart powerdns
+
+  - name: Install the powerdns local configuration file
+    template: src=pdns.conf dest=/etc/powerdns/pdns.d/pdns.local.conf owner=root group=root mode=0600
+    notify: Restart powerdns
+    
   - name: Ensure that powerdns is running and enabled
     service: name=pdns state=started enabled=yes
 
diff --git a/powerdns-authoritative/templates/pdns.conf b/powerdns-authoritative/templates/pdns.conf
new file mode 100644
index 0000000..73172ad
--- /dev/null
+++ b/powerdns-authoritative/templates/pdns.conf
@@ -0,0 +1,641 @@
+# Autogenerated configuration file template
+#################################
+# 8bit-dns	Allow 8bit dns queries
+#
+# 8bit-dns=no
+
+#################################
+# allow-axfr-ips	Allow zonetransfers only to these subnets
+#
+{% if pdns_zone_transfer_ip is defined %}
+allow-axfr-ips=127.0.0.0/8,::1,{%for ip in pdns_zone_transfer_ip %}{{ ip }}{%if not loop.last %},{% endif %}{% endfor %}
+{% endif %}
+
+#################################
+# allow-dnsupdate-from	A global setting to allow DNS updates from these IP ranges.
+#
+# allow-dnsupdate-from=127.0.0.0/8,::1
+{% if pdns_allow_dnsupdate_from is defined %}
+allow-dnsupdate-from=127.0.0.0/8,::1,{%for ip in pdns_allow_dnsupdate_from %}{{ ip }}{%if not loop.last %},{% endif %}{% endfor %}
+{% endif %}
+
+#################################
+# allow-notify-from	Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.
+#
+# allow-notify-from=0.0.0.0/0,::/0
+{% if pdns_allow_notify_from is defined %}
+allow-notify-from=0.0.0.0/0,::/0,{%for ip in pdns_allow_notify_from %}{{ ip }}{%if not loop.last %},{% endif %}{% endfor %}
+{% endif %}
+
+#################################
+# allow-unsigned-notify	Allow unsigned notifications for TSIG secured domains
+#
+#allow-unsigned-notify=yes
+allow-unsigned-notify={{ pdns_allow_unsigned_notify | default('yes') }}
+
+#################################
+# allow-unsigned-supermaster	Allow supermasters to create zones without TSIG signed NOTIFY
+#
+# allow-unsigned-supermaster=yes
+allow-unsigned-supermaster={{ pdns_allow_unsigned_supermaster | default('yes') }}
+
+#################################
+# also-notify	When notifying a domain, also notify these nameservers
+#
+# also-notify=
+{% if pdns_also_notify_from is defined %}
+also-notify={%for ip in pdns_also_notify_from %}{{ ip }}{%if not loop.last %},{% endif %}{% endfor %}
+{% endif %}
+
+#################################
+# any-to-tcp	Answer ANY queries with tc=1, shunting to TCP
+#
+# any-to-tcp=yes
+
+#################################
+# api	Enable/disable the REST API (including HTTP listener)
+#
+# api=no
+api={{ powerdns_auth_enable_api | default('no') }}
+
+#################################
+# api-key	Static pre-shared authentication key for access to the REST API
+#
+# api-key=
+api-key={{ powerdns_auth_api_key | default(omit) }}
+
+#################################
+# api-logfile	Location of the server logfile (used by the REST API)
+#
+# api-logfile=/var/log/pdns.log
+
+#################################
+# api-readonly	Disallow data modification through the REST API when set
+#
+api-readonly={{ powerdns_auth_api_readonly | default('no') }}
+
+#################################
+# axfr-lower-serial	Also AXFR a zone from a master with a lower serial
+#
+# axfr-lower-serial=no
+
+#################################
+# cache-ttl	Seconds to store packets in the PacketCache
+#
+# cache-ttl=20
+
+#################################
+# carbon-interval	Number of seconds between carbon (graphite) updates
+#
+# carbon-interval=30
+
+#################################
+# carbon-ourname	If set, overrides our reported hostname for carbon stats
+#
+# carbon-ourname=
+
+#################################
+# carbon-server	If set, send metrics in carbon (graphite) format to this server IP address
+#
+# carbon-server=
+
+#################################
+# chroot	If set, chroot to this directory for more security
+#
+# chroot=
+
+#################################
+# config-dir	Location of configuration directory (pdns.conf)
+#
+# config-dir=/etc/powerdns
+
+#################################
+# config-name	Name of this virtual configuration - will rename the binary image
+#
+# config-name=
+
+#################################
+# control-console	Debugging switch - don't use
+#
+# control-console=no
+
+#################################
+# daemon	Operate as a daemon
+#
+# daemon=no
+
+#################################
+# default-ksk-algorithm	Default KSK algorithm
+#
+# default-ksk-algorithm=ecdsa256
+
+#################################
+# default-ksk-size	Default KSK size (0 means default)
+#
+# default-ksk-size=0
+
+#################################
+# default-soa-edit	Default SOA-EDIT value
+#
+# default-soa-edit=
+
+#################################
+# default-soa-edit-signed	Default SOA-EDIT value for signed zones
+#
+# default-soa-edit-signed=
+
+#################################
+# default-soa-mail	mail address to insert in the SOA record if none set in the backend
+#
+# default-soa-mail=
+
+#################################
+# default-soa-name	name to insert in the SOA record if none set in the backend
+#
+# default-soa-name=a.misconfigured.powerdns.server
+
+#################################
+# default-ttl	Seconds a result is valid if not set otherwise
+#
+# default-ttl=3600
+
+#################################
+# default-zsk-algorithm	Default ZSK algorithm
+#
+# default-zsk-algorithm=
+
+#################################
+# default-zsk-size	Default ZSK size (0 means default)
+#
+# default-zsk-size=0
+
+#################################
+# direct-dnskey	Fetch DNSKEY RRs from backend during DNSKEY synthesis
+#
+# direct-dnskey=no
+
+#################################
+# disable-axfr	Disable zonetransfers but do allow TCP queries
+#
+# disable-axfr=no
+
+#################################
+# disable-axfr-rectify	Disable the rectify step during an outgoing AXFR. Only required for regression testing.
+#
+# disable-axfr-rectify=no
+
+#################################
+# disable-syslog	Disable logging to syslog, useful when running inside a supervisor that logs stdout
+#
+# disable-syslog=no
+
+#################################
+# disable-tcp	Do not listen to TCP queries
+#
+# disable-tcp=no
+
+#################################
+# distributor-threads	Default number of Distributor (backend) threads to start
+#
+# distributor-threads=3
+
+#################################
+# dname-processing	If we should support DNAME records
+#
+# dname-processing=no
+
+#################################
+# dnssec-key-cache-ttl	Seconds to cache DNSSEC keys from the database
+#
+# dnssec-key-cache-ttl=30
+
+#################################
+# dnsupdate	Enable/Disable DNS update (RFC2136) support. Default is no.
+#
+dnsupdate={{ powerdns_dnsupdate | default('no') }}
+
+#################################
+# do-ipv6-additional-processing	Do AAAA additional processing
+#
+# do-ipv6-additional-processing=yes
+
+#################################
+# domain-metadata-cache-ttl	Seconds to cache domain metadata from the database
+#
+# domain-metadata-cache-ttl=60
+
+#################################
+# edns-subnet-processing	If we should act on EDNS Subnet options
+#
+# edns-subnet-processing=no
+
+#################################
+# entropy-source	If set, read entropy from this file
+#
+# entropy-source=/dev/urandom
+
+#################################
+# expand-alias	Expand ALIAS records
+#
+# expand-alias=no
+
+#################################
+# forward-dnsupdate	A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.
+#
+# forward-dnsupdate=yes
+
+#################################
+# forward-notify	IP addresses to forward received notifications to regardless of master or slave settings
+#
+# forward-notify=
+
+#################################
+# guardian	Run within a guardian process
+#
+# guardian=no
+
+#################################
+# include-dir	Include *.conf files from this directory
+#
+# include-dir=
+include-dir=/etc/powerdns/pdns.d
+
+#################################
+# launch	Which backends to launch and order to query them in
+#
+# launch=
+{% if powerdns_auth_use_db_backend %}
+launch={{ powerdns_auth_backend_name }}
+{% endif %}
+
+#################################
+# load-modules	Load this module - supply absolute or relative path
+#
+# load-modules=
+
+#################################
+# local-address	Local IP addresses to which we bind
+#
+local-address={{ powerdns_local_ipv4 | default('0.0.0.0') }}
+
+#################################
+# local-address-nonexist-fail	Fail to start if one or more of the local-address's do not exist on this server
+#
+local-address-nonexist-fail={{ powerdns_local_ipv4_fail | default('yes') }}
+
+#################################
+# local-ipv6	Local IP address to which we bind
+#
+# local-ipv6=::
+
+#################################
+# local-ipv6-nonexist-fail	Fail to start if one or more of the local-ipv6 addresses do not exist on this server
+#
+# local-ipv6-nonexist-fail=yes
+
+#################################
+# local-port	The port on which we listen
+#
+local-port={{ powerdns_local_port | default('53') }}
+
+#################################
+# log-dns-details	If PDNS should log DNS non-erroneous details
+#
+# log-dns-details=no
+
+#################################
+# log-dns-queries	If PDNS should log all incoming DNS queries
+#
+# log-dns-queries=no
+
+#################################
+# log-timestamp	Print timestamps in log lines
+#
+# log-timestamp=yes
+
+#################################
+# logging-facility	Log under a specific facility
+#
+# logging-facility=
+
+#################################
+# loglevel	Amount of logging. Higher is more. Do not set below 3
+#
+# loglevel=4
+
+#################################
+# lua-axfr-script	Script to be used to edit incoming AXFRs
+#
+# lua-axfr-script=
+
+#################################
+# lua-dnsupdate-policy-script	Lua script with DNS update policy handler
+#
+# lua-dnsupdate-policy-script=
+
+#################################
+# lua-prequery-script	Lua script with prequery handler (DO NOT USE)
+#
+# lua-prequery-script=
+
+#################################
+# master	Act as a master
+#
+master={{ powerdns_auth_master | default('no') }}
+
+#################################
+# max-cache-entries	Maximum number of entries in the query cache
+#
+# max-cache-entries=1000000
+
+#################################
+# max-ent-entries	Maximum number of empty non-terminals in a zone
+#
+# max-ent-entries=100000
+
+#################################
+# max-nsec3-iterations	Limit the number of NSEC3 hash iterations
+#
+# max-nsec3-iterations=500
+
+#################################
+# max-packet-cache-entries	Maximum number of entries in the packet cache
+#
+# max-packet-cache-entries=1000000
+
+#################################
+# max-queue-length	Maximum queuelength before considering situation lost
+#
+# max-queue-length=5000
+
+#################################
+# max-signature-cache-entries	Maximum number of signatures cache entries
+#
+# max-signature-cache-entries=
+
+#################################
+# max-tcp-connection-duration	Maximum time in seconds that a TCP DNS connection is allowed to stay open.
+#
+# max-tcp-connection-duration=0
+
+#################################
+# max-tcp-connections	Maximum number of TCP connections
+#
+# max-tcp-connections=20
+
+#################################
+# max-tcp-connections-per-client	Maximum number of simultaneous TCP connections per client
+#
+# max-tcp-connections-per-client=0
+
+#################################
+# max-tcp-transactions-per-conn	Maximum number of subsequent queries per TCP connection
+#
+# max-tcp-transactions-per-conn=0
+
+#################################
+# module-dir	Default directory for modules
+#
+
+
+#################################
+# negquery-cache-ttl	Seconds to store negative query results in the QueryCache
+#
+# negquery-cache-ttl=60
+
+#################################
+# no-shuffle	Set this to prevent random shuffling of answers - for regression testing
+#
+# no-shuffle=off
+
+#################################
+# non-local-bind	Enable binding to non-local addresses by using FREEBIND / BINDANY socket options
+#
+# non-local-bind=no
+
+#################################
+# only-notify	Only send AXFR NOTIFY to these IP addresses or netmasks
+#
+# only-notify=0.0.0.0/0,::/0
+
+#################################
+# out-of-zone-additional-processing	Do out of zone additional processing
+#
+# out-of-zone-additional-processing=yes
+
+#################################
+# outgoing-axfr-expand-alias	Expand ALIAS records during outgoing AXFR
+#
+# outgoing-axfr-expand-alias=no
+
+#################################
+# overload-queue-length	Maximum queuelength moving to packetcache only
+#
+# overload-queue-length=0
+
+#################################
+# prevent-self-notification	Don't send notifications to what we think is ourself
+#
+# prevent-self-notification=yes
+
+#################################
+# query-cache-ttl	Seconds to store query results in the QueryCache
+#
+# query-cache-ttl=20
+
+#################################
+# query-local-address	Source IP address for sending queries
+#
+# query-local-address=0.0.0.0
+
+#################################
+# query-local-address6	Source IPv6 address for sending queries
+#
+# query-local-address6=::
+
+#################################
+# query-logging	Hint backends that queries should be logged
+#
+# query-logging=no
+
+#################################
+# queue-limit	Maximum number of milliseconds to queue a query
+#
+# queue-limit=1500
+
+#################################
+# receiver-threads	Default number of receiver threads to start
+#
+# receiver-threads=1
+
+#################################
+# resolver	Use this resolver for ALIAS and the internal stub resolver
+#
+# resolver=no
+
+#################################
+# retrieval-threads	Number of AXFR-retrieval threads for slave operation
+#
+# retrieval-threads=2
+
+#################################
+# reuseport	Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket
+#
+reuseport={{ powerdns_reuseport | default('yes' ) }}
+
+#################################
+# security-poll-suffix	Domain name from which to query security update notifications
+#
+# security-poll-suffix=secpoll.powerdns.com.
+
+#################################
+# server-id	Returned when queried for 'id.server' TXT or NSID, defaults to hostname - disabled or custom
+#
+# server-id=
+
+#################################
+# setgid	If set, change group id to this gid for more security
+#
+setgid=pdns
+
+#################################
+# setuid	If set, change user id to this uid for more security
+#
+setuid=pdns
+
+#################################
+# signing-threads	Default number of signer threads to start
+#
+# signing-threads=3
+
+#################################
+# slave	Act as a slave
+#
+slave={{ powerdns_auth_slave | default('no') }}
+
+#################################
+# slave-cycle-interval	Schedule slave freshness checks once every .. seconds
+#
+# slave-cycle-interval=60
+
+#################################
+# slave-renotify	If we should send out notifications for slaved updates
+#
+# slave-renotify=no
+
+#################################
+# soa-expire-default	Default SOA expire
+#
+# soa-expire-default=604800
+
+#################################
+# soa-minimum-ttl	Default SOA minimum ttl
+#
+# soa-minimum-ttl=3600
+
+#################################
+# soa-refresh-default	Default SOA refresh
+#
+# soa-refresh-default=10800
+
+#################################
+# soa-retry-default	Default SOA retry
+#
+# soa-retry-default=3600
+
+#################################
+# socket-dir	Where the controlsocket will live, /var/run when unset and not chrooted
+#
+# socket-dir=
+
+#################################
+# tcp-control-address	If set, PowerDNS can be controlled over TCP on this address
+#
+# tcp-control-address=
+
+#################################
+# tcp-control-port	If set, PowerDNS can be controlled over TCP on this address
+#
+# tcp-control-port=53000
+
+#################################
+# tcp-control-range	If set, remote control of PowerDNS is possible over these networks only
+#
+# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
+
+#################################
+# tcp-control-secret	If set, PowerDNS can be controlled over TCP after passing this secret
+#
+# tcp-control-secret=
+
+#################################
+# tcp-fast-open	Enable TCP Fast Open support on the listening sockets, using the supplied numerical value as the queue size
+#
+# tcp-fast-open=0
+
+#################################
+# tcp-idle-timeout	Maximum time in seconds that a TCP DNS connection is allowed to stay open while being idle
+#
+# tcp-idle-timeout=5
+
+#################################
+# traceback-handler	Enable the traceback handler (Linux only)
+#
+# traceback-handler=yes
+
+#################################
+# trusted-notification-proxy	IP address of incoming notification proxy
+#
+# trusted-notification-proxy=
+
+#################################
+# udp-truncation-threshold	Maximum UDP response size before we truncate
+#
+# udp-truncation-threshold=1680
+
+#################################
+# version-string	PowerDNS version in packets - full, anonymous, powerdns or custom
+#
+# version-string=full
+
+#################################
+# webserver	Start a webserver for monitoring (api=yes also enables the HTTP listener)
+#
+webserver={{ powerdns_auth_webserver | default('no') }}
+
+#################################
+# webserver-address	IP Address of webserver/API to listen on
+#
+webserver-address={{ powerdns_auth_web_address | default('127.0.0.1') }} 
+
+#################################
+# webserver-allow-from	Webserver/API access is only allowed from these subnets
+#
+webserver-allow-from={{ powerdns_auth_web_allowfrom | default('127.0.0.1,::1') }}
+
+#################################
+# webserver-password	Password required for accessing the webserver
+#
+# webserver-password=
+
+#################################
+# webserver-port	Port of webserver/API to listen on
+#
+# webserver-port=8081
+
+#################################
+# webserver-print-arguments	If the webserver should print arguments
+#
+# webserver-print-arguments=no
+
+#################################
+# write-pid	Write a PID file
+#
+# write-pid=yes
+
+#################################
+# xfr-max-received-mbytes	Maximum number of megabytes received from an incoming XFR
+#
+# xfr-max-received-mbytes=100
+
+
diff --git a/powerdns-authoritative/templates/pdns.local.conf b/powerdns-authoritative/templates/pdns.local.conf
new file mode 100644
index 0000000..ad12394
--- /dev/null
+++ b/powerdns-authoritative/templates/pdns.local.conf
@@ -0,0 +1,4 @@
+{% if powerdns_auth_use_db_backend %}
+{% for bk_data in powerdns_auth_backend_data %}
+{{ bk_data.key }}={{ bk_data.value }}
+{% endif %}