Closed 0xMattijs closed 1 year ago
Dear @0xMattijs, thanks for your contribution!
After a first look I have two comments:
`/etc/bind/keys` to not break backwards-compatibility. Since you make it configurable anyway, I think that should be fine.
(`ansible-playbook ... -e 'bind9_generate_ddns_key=true'`) and document that behaviour in README.md? What do you think about that approach?

Hi @doobry-systemli. Totally makes sense. I have processed your suggestions in the PR:
- `bind9_generate_ddns_key`
- `/etc/bind/zones`
- `files/bind/zones` within the playbook (the location where the role expects them when provided by the user)
Problem
This Ansible role writes zone files to a hard-coded `/etc/bind/zones` directory, which causes problems on systems with mandatory access control such as AppArmor. The AppArmor profile does not allow the BIND process to create the necessary journal files and update the zone files under `/etc/bind/zones`.

Solution
Parameterize the zone directory and default to `/var/lib/bind/zones`, for which write access is allowed by the AppArmor profile.

PR
This PR parameterises the location for storing the zone files. It also includes code to generate DDNS keys using `tsig-keygen` if a configured `update_keyfile` does not exist already. Since `tsig-keygen` generates a full `key` configuration section, the `named.conf.options.j2` template has been adjusted accordingly.
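As an added illustration of the approach described in the PR text (example tasks written for this page, not code from this PR or from the role), the following Ansible tasks parameterise the zone directory with a default of `/var/lib/bind/zones`, copy user-provided zone files from `files/bind/zones` without overwriting zones that BIND may have changed through dynamic updates, and generate a TSIG key with `tsig-keygen` only when the configured keyfile is absent. The variable names `bind9_zone_dir`, `bind9_generate_ddns_key`, `bind9_ddns_key_name` and `bind9_ddns_keyfile` are assumptions and need not match the role's actual variables.

```yaml
# Added example, not the role's own tasks. Variable names are assumptions.
- name: Ensure the zone directory exists (AppArmor permits BIND writes under /var/lib/bind)
  ansible.builtin.file:
    path: "{{ bind9_zone_dir | default('/var/lib/bind/zones') }}"
    state: directory
    owner: root
    group: bind
    mode: "0775"

# Zone files supplied by the user live in files/bind/zones of the playbook.
# force: false keeps Ansible from clobbering a zone that BIND has since
# rewritten via dynamic updates (which would also desynchronise the .jnl file).
- name: Deploy user-provided zone files without overwriting dynamically updated zones
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "{{ bind9_zone_dir | default('/var/lib/bind/zones') }}/{{ item | basename }}"
    owner: root
    group: bind
    mode: "0644"
    force: false
  with_fileglob: "bind/zones/*"   # resolved relative to the files/ directory

# tsig-keygen prints a complete `key "<name>" { algorithm ...; secret "..."; };`
# statement; `creates:` makes the task idempotent, no_log keeps the secret out of logs.
- name: Generate a TSIG key for dynamic updates only if the keyfile is absent
  ansible.builtin.command:
    cmd: "tsig-keygen -a hmac-sha256 {{ bind9_ddns_key_name }}"
    creates: "{{ bind9_ddns_keyfile }}"
  register: bind9_tsig_keygen
  when: bind9_generate_ddns_key | bool
  no_log: true

- name: Write the generated key statement to the keyfile
  ansible.builtin.copy:
    content: "{{ bind9_tsig_keygen.stdout }}\n"
    dest: "{{ bind9_ddns_keyfile }}"
    owner: root
    group: bind
    mode: "0640"   # readable by the bind group only; it holds the shared secret
  when:
    - bind9_generate_ddns_key | bool
    - bind9_tsig_keygen is changed
  no_log: true

# Because the keyfile already contains the full key statement, the
# named.conf.options.j2 template only needs to pull it in, e.g.:
#   include "{{ bind9_ddns_keyfile }}";
- name: Render named.conf.options
  ansible.builtin.template:
    src: named.conf.options.j2
    dest: /etc/bind/named.conf.options
    owner: root
    group: bind
    mode: "0644"
```

The `creates:` guard on the `tsig-keygen` task is what gives the opt-in key generation (`-e 'bind9_generate_ddns_key=true'`) idempotent behaviour: rerunning the playbook never rotates an existing key, so clients holding the old secret keep working, and the keyfile mode keeps the secret from being world-readable on the server.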