Merge commit 'aa5b74dcfe874efe4ec914bbd862d2d19d3f9f86'

# Conflicts:
#	tasks/main.yml

defaults/main.yml

@@ -1,8 +1,13 @@
 ---
 # defaults file for roles/powerdns-recursor
-powerdns_version: 49
-deb_powerdns_version: =4.9.*
-repo_uri: http://repo.powerdns.com/debian
+powerdns_version: "{{ powerdns_recursor.version | default(49) }}"
+deb_version: "{{ powerdns_recursor.deb_version | default('=4.9.*') }}"
+repo_uri: "{{ powerdns_recursor.repo_uri | default('http://repo.powerdns.com/debian') }}"
 repo_components: "{{ ansible_distribution_release }}-rec-{{ powerdns_version }} main"
 repo_signed_key: "rec-{{ powerdns_version }}-pub.asc"
-repo_state: "{{ powerdns_recursor__state }}"
+repo_state: "{{ powerdns_recursor.repo_state | default('present') }}"
+forward_lst: "{{ powerdns_recursor.forward_lst | default ([]) }}"
+#  domain: auth_server_ip
+nta_lst: "{{ powerdns_recursor.nta_lst | default([]) }}"
+allow_lst: "{{ powerdns_recursor.allow_lst | default (['127.0.0.0/8', '10.0.0.0/8']) }}"
+root_cached: "{{ powerdns_recursor.root_cached | default('file') }}"

tasks/main.yml

@@ -3,16 +3,23 @@
 - name: "add powerdns-recursor repository"
   become: true
   block:
-    - name: "powerdns repo apt key"
+    - name: Check if powerdns repo apt key exists
+      stat:
+        path: "/etc/apt/trusted.gpg.d/{{ repo_signed_key }}"
+      register: key_stat
+      ignore_errors: yes
+    
+    - name: Download powerdns repo apt key if needed
       become: true
       get_url: 
         url: https://repo.powerdns.com/FD380FBB-pub.asc
         dest: "/etc/apt/trusted.gpg.d/{{ repo_signed_key }}"
+      when: key_stat.stat.exists == False or key_stat.stat.checksum != 'sha256:checksum_of_the_source_key'
     
     - name: "powerdns-recursor {{ powerdns_version }} repo"
       become: true
       apt_repository:
-        repo: deb [signed-by=/etc/apt/trusted.gpg.d/{{ repo_signed_key }} arch=amd64] {{ repo_uri }} {{ repo_components }}
+        repo: deb [arch=amd64] {{ repo_uri }} {{ repo_components }}
         state: "{{ repo_state }}"
         update_cache: yes
         filename: powerdns-rec-{{ powerdns_version }}
@@ -20,7 +27,7 @@
 - name: "install powerdns-recursor {{ powerdns_version }}"
   become: true
   apt:
-    name: "pdns-recursor{{ deb_powerdns_version }}"
+    name: "pdns-recursor{{ deb_version }}"
     autoremove: true
     update_cache: true
 
@@ -31,12 +38,13 @@
       get_url:
         url: https://www.internic.net/domain/root.zone
         dest: /etc/powerdns/root.zone
+      when: root_cached == 'file'
 
     - name: "template powerdns-recursor configs"
       become: true
       template:
-        src: "templates{{ cfile }}.j2"
-        dest: "{{ cfile }}"
+        src: "templates{{ file }}.j2"
+        dest: "{{ file }}"
         owner: root
         group: root
         mode: 0644
@@ -47,6 +55,6 @@
         - /etc/powerdns/recursor.d/forward.lst
         - /etc/powerdns/recursor.d/dns-script.lua
       loop_control:
-        loop_var: cfile
+        loop_var: file
   notify:
     - Restart powerdns-recursor

templates/etc/powerdns/recursor.d/allow.lst.j2

@@ -1,6 +1,8 @@
 #
 # WARNING: auto-generated by Ansible powerdns-recursor role.
 #
-127.0.0.0/8
-100.64.0.0/10
-169.254.0.0/16
+{% if allow_lst is defined and allow_lst | length > 0 %}
+{% for allowed_addr in allow_lst %}
+{{ allowed_addr }}
+{% endfor %}
+{% endif %}

templates/etc/powerdns/recursor.d/dns-script.lua.j2

@@ -2,7 +2,9 @@
 -- WARNING: auto-generated by Ansible powerdns-recursor role.
 --
 self = newDS()
-self:add{'{{ ansible_hostname }}', '{{ ansible_hostname }}.mm', '{{ ansible_fqdn }}'}
+self:add{'{{ ansible_hostname }}', '{{ ansible_fqdn }}'{%- for fqdn in powerdns_recursor__self_add | default([]) %}
+{% if loop.first %}, {% endif %}'{{ fqdn }}'{% if not loop.last %}, {% endif %}
+{%- endfor %}}
 
 function string.starts(String,Start)
    return string.sub(String,1,string.len(Start))==Start

templates/etc/powerdns/recursor.d/forward.lst.j2

@@ -1,5 +1,8 @@
 #
 # WARNING: auto-generated by Ansible powerdns-recursor role.
 #
-mm=172.31.122.10
-miranda-media.net=172.31.122.10
+{% if forward_lst is defined and forward_lst | length > 0 %}
+{% for zone, auth_server in forward_lst.items() %}
+{{ zone }}={{ auth_server }}
+{% endfor %}
+{% endif %}

templates/etc/powerdns/recursor.lua.j2

@@ -6,7 +6,13 @@
 -- Note: If you provide your own Lua configuration file, consider
 -- running rootkeys.lua too.
 dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
--- zoneToCache(".", "url", "https://www.internic.net/domain/root.zone", { refreshPeriod = 0 })
+{% if root_cached == 'file' %}
 zoneToCache(".", "file", "/etc/powerdns/root.zone", { refreshPeriod = 0 })
-addNTA('mm', "private MM domain")
-addNTA('miranda-media.net', "fix DNSSEC issue for MM domain")
+{% else %}
+zoneToCache(".", "url", "https://www.internic.net/domain/root.zone", { refreshPeriod = 0 })
+{% endif %}
+{% if nta_lst is defined and nta_lst | length > 0 %}
+{% for zone, description in nta_lst.items() %}
+addNTA("{{ zone }}", "{{ description }}")
+{% endfor %}
+{% endif %}