crans/crans_bcfg2
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[bind] Rationalisation de la séparation dns autoritaire, dns récursif, named.conf.local est maintenant généré par python

Browse source 
Ignore-this: 8d1cd1381242a85d0180a72a814e1c62

darcs-hash:20130125023918-3a55a-00fe31a1714219c64b3d78370e2af3eaa27d2470.gz
This commit is contained in:
Valentin Samir 2013-01-25 03:39:18 +01:00
parent 3bd36c0878
commit fbbfc0bf78
11 changed files with 161 additions and 142 deletions
Download patch file Download diff file Expand all files Collapse all files

9
Bundler/bind.xml
View file

@ -1,20 +1,27 @@
<Bundle name="bind"> <Bundle name="bind">
<Python name="/etc/bind/rndc.key"/> <Python name="/etc/bind/rndc.key"/>
<Python name="/etc/bind/named.conf"/> <Python name="/etc/bind/named.conf"/>
<Path name="/etc/bind/named.conf.local"/> <Python name="/etc/bind/named.conf.local"/>
<Python name="/etc/bind/named.conf.options"/> <Python name="/etc/bind/named.conf.options"/>
<Group name="dns-primary"> <Group name="dns-primary">
<Path name="/etc/bind/named.conf.notify"/> <Path name="/etc/bind/named.conf.notify"/>
</Group> </Group>
<Group name="dns-secondary"> <Group name="dns-secondary">
<Path name="/etc/bind/generated/zones_crans"/> <Path name="/etc/bind/generated/zones_crans"/>
<Action name="bind-permission"/>
</Group> </Group>
<Group name="dns-secondary-no-forward"> <Group name="dns-secondary-no-forward">
<Path name="/etc/bind/generated/zones_crans"/> <Path name="/etc/bind/generated/zones_crans"/>
<Action name="bind-permission"/>
</Group> </Group>
<Group name="vlan-radin"> <Group name="vlan-radin">
<Path name="/etc/bind/db.fake"/> <Path name="/etc/bind/db.fake"/>
</Group> </Group>
<Group name="vlan-accueil">
<Path name="/etc/bind/db.fake"/>
<Path name="/etc/bind/generated/zones_crans"/>
<Action name="bind-permission"/>
</Group>
<Package name="bind9"/> <Package name="bind9"/>
<Service name="bind9"/> <Service name="bind9"/>
<Package name="dnssec-tools"/> <Package name="dnssec-tools"/>

3
Cfg/etc/bind/named.conf.local/info.xml
View file

@ -1,3 +0,0 @@
<FileInfo>
<Info owner='root' group='bind' perms='0644'/>
</FileInfo>

36
Cfg/etc/bind/named.conf.local/named.conf.local
View file

@ -1,36 +0,0 @@
// Fichier gere par BCfg2 (plugin Cfg)
//
// A ne modifier que sur vert
include "/etc/bind/zones.rfc1918";
// zones crans
include "/etc/bind/generated/zones_crans";
// anti SPAM
// Rajout pour generer le forward vers ariane pour la zone rbl-plus.mail-abuse.org --Nico 21/04/02
zone "rbl-plus.mail-abuse.org" {
type forward;
forward only;
forwarders { 138.231.176.4 ; };
};
// la tele
zone "tv.crans.org" {
type slave;
file "/etc/bind/generated/db.tv.crans.org";
masters { 138.231.136.243; };
};
zone "239.in-addr.arpa" {
type slave;
file "/etc/bind/generated/db.239.in-addr.arpa";
masters { 138.231.136.243; };
};
// bricoles de config en plus
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };
};

19
Cfg/etc/bind/named.conf.local/named.conf.local.G99_dns-tv
View file

@ -1,19 +0,0 @@
// Fichier gere par BCfg2 (plugin Cfg)
//
// A ne modifier que sur vert
// La zone TV
zone "tv.crans.org" {
type master;
file "/etc/bind/generated/db.tv.crans.org";
};
zone "239.in-addr.arpa" {
type master;
file "/etc/bind/generated/db.239.in-addr.arpa";
};
// reduce log verbosity on issues outside our control
logging {
category lame-servers { null; };
};

61
Cfg/etc/bind/named.conf.local/named.conf.local.G99_vlan-radin
View file

@ -1,61 +0,0 @@
// Fichier gere par BCfg2 (plugin Cfg)
//
// A ne modifier que sur vert
view "accueilview" {
match-clients { "accueil"; };
// zones crans
include "/etc/bind/generated/zones_crans";
// Zones RFC 1918
include "/etc/bind/zones.rfc1918";
recursion no;
zone "." {
type master;
file "/etc/bind/db.fake";
};
};
view "others" {
match-clients { any; };
// Zones RFC 1918
include "/etc/bind/zones.rfc1918";
// zones crans
include "/etc/bind/generated/zones_crans";
recursion yes;
// anti SPAM
// Rajout pour generer le forward vers ariane pour la zone rbl-plus.mail-abuse.org --Nico 21/04/02
zone "rbl-plus.mail-abuse.org" {
type forward;
forward only;
forwarders { 138.231.176.4; };
};
// la tele
zone "tv.crans.org" {
type slave;
file "/etc/bind/generated/db.tv.crans.org";
masters { 138.231.136.243; };
};
zone "239.in-addr.arpa" {
type slave;
file "/etc/bind/generated/db.239.in-addr.arpa";
masters { 138.231.136.243; };
};
};
// bricoles de config en plus
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };
};

1
Cfg/etc/bind/named.conf.notify/named.conf.notify
View file

@ -7,4 +7,5 @@
10.231.136.8; // ovh 10.231.136.8; // ovh
10.231.136.98; // charybde 10.231.136.98; // charybde
10.231.136.14; // titanic 10.231.136.14; // titanic
138.231.176.4; // ariane
}; };

27
Metadata/groups.xml
View file

@ -19,8 +19,8 @@
<Group name="charybde" <Group name="charybde"
profile="true"> profile="true">
<Group name="crans-squeeze"/> <Group name="crans-squeeze"/>
<Group name="dns-secondary"/>
<Group name="dnssec-validation"/> <Group name="dnssec-validation"/>
<Group name="dns-recursif"/>
<Group name="main-ftp-server"/> <Group name="main-ftp-server"/>
<!-- <Group name="ups-monitor"/> --> <!-- <Group name="ups-monitor"/> -->
<Group name="debian-mirror"/> <Group name="debian-mirror"/>
@ -37,17 +37,18 @@
<Group name="sable" <Group name="sable"
profile="true"> profile="true">
<Group name="crans-squeeze"/> <Group name="crans-squeeze"/>
<!--
<Group name="main-proxy-server"/> <Group name="main-proxy-server"/>
<Group name="radius-server"/> <Group name="ups-monitor"/>
<Group name="db-replicat"/>
<Group name="dns-primary"/>
<Group name="dnssec-validation"/>
<!-- <Group name="ups-monitor"/> -->
<Group name="vlan-radin"/> <Group name="vlan-radin"/>
<Group name="vlan-accueil" /> <Group name="vlan-accueil" />
<Group name="vlan-isolement"/> <Group name="vlan-isolement"/>
<Group name="firmware-bnx2"/>
<Group name="vlan-ens"/> <Group name="vlan-ens"/>
-->
<Group name="radius-server"/>
<Group name="db-replicat"/>
<Group name="dns-primary"/>
<Group name="firmware-bnx2"/>
</Group> </Group>
<Group name="gordon" <Group name="gordon"
@ -55,6 +56,8 @@
<Group name="crans-squeeze"/> <Group name="crans-squeeze"/>
<Group name="router-wifi"/> <Group name="router-wifi"/>
<Group name="freeradius"/> <Group name="freeradius"/>
<Group name="dnssec-validation"/>
<Group name="dns-recursif"/>
<Group name="secondary-ntp-server"/> <Group name="secondary-ntp-server"/>
</Group> </Group>
@ -171,6 +174,7 @@
<Group name="crans-squeeze"/> <Group name="crans-squeeze"/>
<Group name="mail-mx-secondary"/> <Group name="mail-mx-secondary"/>
<Group name="dns-secondary-no-forward"/> <Group name="dns-secondary-no-forward"/>
<Group name="dns-recursif"/>
<Group name="connection-rescue"/> <Group name="connection-rescue"/>
<Group name="failover-proxy-server"/> <Group name="failover-proxy-server"/>
<Group name="vlan-ens"/> <Group name="vlan-ens"/>
@ -368,12 +372,12 @@
profile="true"> profile="true">
<Group name="crans-squeeze"/> <Group name="crans-squeeze"/>
<Group name="domu"/> <Group name="domu"/>
<Group name="dns-recursif"/>
<Group name="dnssec-validation"/>
<Group name="vlan-radin"/> <Group name="vlan-radin"/>
<Group name="vlan-accueil" /> <Group name="vlan-accueil" />
<Group name="vlan-isolement"/> <Group name="vlan-isolement"/>
<Group name="vlan-ens"/> <Group name="vlan-ens"/>
<Group name="dns-secondary"/>
<Group name="dnssec-validation"/>
<Group name="nginx" comment="Proxy web et pages déco"/> <Group name="nginx" comment="Proxy web et pages déco"/>
</Group> </Group>
@ -653,6 +657,11 @@
<Group name="dns-server"/> <Group name="dns-server"/>
</Group> </Group>
<Group name="dns-recursif"
comment="un serveur DNS récursif de l'association">
<Group name="dns-server"/>
</Group>
<Group name="dns-secondary-no-forward" <Group name="dns-secondary-no-forward"
comment="un serveur DNS secondaire sans forward de l'association" comment="un serveur DNS secondaire sans forward de l'association"

100
Python/etc/bind/named.conf.local Normal file
View file

@ -0,0 +1,100 @@
# -*- mode: python; encoding: utf-8 -*-
info["owner"] = "root"
info["group"] = "bind"
info["perms"] = 0644
comment_start = "//"
header("Conf locale de Bind9")
if has("vlan-accueil"):
@view "accueilview" {
@ match-clients { "accueil"; };
@
@ // zones crans
@ include "/etc/bind/generated/zones_crans";
@
@ // Zones RFC 1918
@ include "/etc/bind/zones.rfc1918";
@
@ recursion no;
@
@ zone "." {
@ type master;
@ file "/etc/bind/db.fake";
@ };
@};
@view "others" {
@ match-clients { any; };
@ recursion yes;
if has("dns-secondary-no-forward") or has("dns-secondary") or has("dns-primary"):
@include "/etc/bind/zones.rfc1918";
@// zones crans
@include "/etc/bind/generated/zones_crans";
@// la tele
@zone "tv.crans.org" {
@ type slave;
@ file "/etc/bind/generated/db.tv.crans.org";
@ masters { 138.231.136.243; };
@};
@zone "239.in-addr.arpa" {
@ type slave;
@ file "/etc/bind/generated/db.239.in-addr.arpa";
@ masters { 138.231.136.243; };
@};
elif has("dns-tv"):
@// La zone TV
@zone "tv.crans.org" {
@ type master;
@ file "/etc/bind/generated/db.tv.crans.org";
@};
@zone "239.in-addr.arpa" {
@ type master;
@ file "/etc/bind/generated/db.239.in-addr.arpa";
@};
@// reduce log verbosity on issues outside our control
@logging {
@ category lame-servers { null; };
@};
elif has("dns-recursif"):
@zone "239.in-addr.arpa" {
@ type forward;
@ forward only;
@ forwarders { 138.231.136.243; 138.231.136.9; };
@};
@zone "136.231.10.in-addr.arpa" {
@ type forward;
@ forward only;
@ forwarders { 138.231.136.9; 138.231.136.14; };
@};
@// anti SPAM
@// Rajout pour generer le forward vers ariane pour la zone rbl-plus.mail-abuse.org --Nico 21/04/02
@zone "rbl-plus.mail-abuse.org" {
@ type forward;
@ forward only;
@ forwarders { 138.231.176.4 ; };
@};
@
if has("vlan-accueil"):
@};
@// bricoles de config en plus
@include "/etc/bind/rndc.key";
@
@controls {
@ inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };
@};

38
Python/etc/bind/named.conf.options
View file

@ -11,7 +11,10 @@ header("Options de Bind9")
comment("Listes d'accès") comment("Listes d'accès")
if has("vlan-radin"): if has("vlan-radin"):
@acl "radins" { 10.42.0.0/16; }; @acl "radins" { 10.42.0.0/16; };
if has("vlan-accueil"):
@acl "accueil" { 10.51.0.0/16; }; @acl "accueil" { 10.51.0.0/16; };
if has("vlan-ens"):
@acl "appartement" { 10.2.9.0/24; };
@acl "crans" { @acl "crans" {
@ 138.231.136.0/21; @ 138.231.136.0/21;
@ 138.231.144.0/21; @ 138.231.144.0/21;
@ -26,21 +29,36 @@ if has("vlan-radin"):
@options { @options {
@ directory "/var/cache/bind"; @ directory "/var/cache/bind";
@ recursive-clients 5000;
@ @
if has("dns-primary"): if has("dns-primary"):
@ include "/etc/bind/named.conf.notify"; @ include "/etc/bind/named.conf.notify";
@
@ allow-transfer { if has("dns-recursif"):
@ 127.0.0.1; zones=["127.0.0.1", "crans", "cransadm"]
@ 138.231.136.0/21; // fixes if has("vlan-ens"):
@ 82.225.39.54; // freebox zones.append("appartement")
@ 138.231.148.0/22; // wifi if has("vlan-radin"):
@ 10.231.136.0/24; // adm zones.append("radins")
@ 138.231.176.4; // ariane zones.append("accueil")
@ }; print " allow-query-cache { %s; };" % ';'.join(zones)
print " allow-recursion { %s; };" % ';'.join(zones)
@ recursive-clients 5000;
else:
@ allow-query-cache { };
@ allow-recursion { };
if has("dns-primary") or has("dns-tv"):
@ allow-transfer {
@ 127.0.0.1;
@ 138.231.136.0/21; // fixes
@ 82.225.39.54; // freebox
@ 138.231.148.0/22; // wifi
@ 10.231.136.0/24; // adm
@ 138.231.176.4; // ariane
@ };
@ allow-query { any; };
@ auth-nxdomain no; # conform to RFC1035 @ auth-nxdomain no; # conform to RFC1035
@ @
@ listen-on { any; }; @ listen-on { any; };

6
Python/etc/network/interfaces
View file

@ -29,7 +29,7 @@ iface %(interface)s inet static
netmask 255.255.248.0 netmask 255.255.248.0
broadcast 138.231.143.255 broadcast 138.231.143.255
gateway 138.231.136.4 gateway 138.231.136.4
dns-nameservers 138.231.136.98 138.231.136.9 dns-nameservers 138.231.136.98 138.231.136.247
dns-search crans.org""" % { 'interface': interface, 'ip': pubip() } dns-search crans.org""" % { 'interface': interface, 'ip': pubip() }
if not has('vlan-wifi'): if not has('vlan-wifi'):
print """ post-up ip r add 138.231.144.0/21 dev %(interface)s via 138.231.136.247 src %(ip)s""" % { 'interface': interface, 'ip': pubip() } print """ post-up ip r add 138.231.144.0/21 dev %(interface)s via 138.231.136.247 src %(ip)s""" % { 'interface': interface, 'ip': pubip() }
@ -47,7 +47,7 @@ iface %(interface)s inet static
network 138.231.144.0 network 138.231.144.0
netmask 255.255.248.0 netmask 255.255.248.0
broadcast 138.231.148.255 broadcast 138.231.148.255
dns-nameservers 138.231.148.1 dns-nameservers 138.231.136.98 138.231.136.247
dns-search wifi.crans.org""" % { 'interface': interface, 'ip': wifiip() } dns-search wifi.crans.org""" % { 'interface': interface, 'ip': wifiip() }
for line in additionnals: for line in additionnals:
@ -62,7 +62,7 @@ iface %(interface)s inet static
netmask 255.255.255.0 netmask 255.255.255.0
broadcast 10.231.136.255 broadcast 10.231.136.255
mtu 1496 mtu 1496
dns-nameservers 10.231.136.98 10.231.136.9 dns-nameservers 10.231.136.98 10.231.136.247
dns-search adm.crans.org""" % { 'interface': interface, 'ip': admip() } dns-search adm.crans.org""" % { 'interface': interface, 'ip': admip() }
for line in additionnals: for line in additionnals:

3
Rules/bind.xml
View file

@ -1,4 +1,7 @@
<!-- Règles pour bind //--> <!-- Règles pour bind //-->
<Rules priority="1"> <Rules priority="1">
<Service type="deb" name="bind9" status="on"/> <Service type="deb" name="bind9" status="on"/>
<Action name="bind-permission" timing="post"
when="modified" status="check"
command="mkdir -p /etc/bind/generated; mkdir -p /etc/bind/signed; chmod 775 /etc/bind/generated /etc/bind/signed"/>
</Rules> </Rules>