Diffstat (limited to 'roles/nsd')
-rw-r--r--roles/nsd/defaults/main.yml2
-rw-r--r--roles/nsd/handlers/main.yml9
-rw-r--r--roles/nsd/tasks/generate_zone.yml50
-rw-r--r--roles/nsd/tasks/main.yml35
-rw-r--r--roles/nsd/templates/etc/nsd/nsd.conf.j224
-rw-r--r--roles/nsd/vars/main.yml15
6 files changed, 135 insertions, 0 deletions
diff --git a/roles/nsd/defaults/main.yml b/roles/nsd/defaults/main.yml
new file mode 100644
index 0000000..de4f06d
--- /dev/null
+++ b/roles/nsd/defaults/main.yml
@@ -0,0 +1,2 @@
+nsd_server_count: '{{ ansible_processor_vcpus }}'
+nsd_zones: []
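Review bot: `nsd_zones: []` is the role's main input, but nothing documents the shape of an entry, and the keys it uses are spread over three other files in this commit (`name`, `content` and `slave_nameservers` in the tasks and template; `ttl`, `ns`, `contact`, `refresh`, `retry`, `expire` and `minimum` in the SOA block). A comment above it listing those keys, marking `name` and `content` as required (both are used unconditionally) and the rest as optional with their defaults, would make the role usable without reading the tasks. `nsd_server_count` deserves a one-liner too, e.g. `# NSD worker processes; defaults to the host's vCPU count`.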
diff --git a/roles/nsd/handlers/main.yml b/roles/nsd/handlers/main.yml
new file mode 100644
index 0000000..34ae511
--- /dev/null
+++ b/roles/nsd/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart nsd
+ systemd:
+ name: nsd
+ state: restarted
+
+- name: reload nsd
+ systemd:
+ name: nsd
+ state: reloaded
diff --git a/roles/nsd/tasks/generate_zone.yml b/roles/nsd/tasks/generate_zone.yml
new file mode 100644
index 0000000..a78ee62
--- /dev/null
+++ b/roles/nsd/tasks/generate_zone.yml
@@ -0,0 +1,50 @@
+- name: stat current zone file
+ stat:
+ path: /etc/nsd/{{ zone.name }}.zone
+ register: current_zone_file
+
+- name: get current serial
+ command: dig @{{ zone.slave_nameservers | first | default('127.0.0.1') }} +short SOA {{ zone.name }}
+ register: zone_soa
+ changed_when: no
+
+- name: check if zone serial needs to be regenerated
+ block:
+ - name: create temporary zone file
+ copy:
+ content: |
+ {{ nsd_soa_block }}
+ {{ zone.content }}
+ dest: /tmp/.ansible-{{ zone.name }}.zone.tmp
+ vars:
+ serial: '{{ zone_soa.stdout.split()[2] | default(nsd_init_serial) }}'
+ changed_when: no
+
+ - name: stat temporary zone file
+ stat:
+ path: /tmp/.ansible-{{ zone.name }}.zone.tmp
+ register: temp_zone_file
+
+ - name: remove temporary zone file
+ file:
+ path: /tmp/.ansible-{{ zone.name }}.zone.tmp
+ state: absent
+ changed_when: no
+ when: current_zone_file.stat.exists
+
+- name: generate zone file
+ copy:
+ content: |
+ {{ nsd_soa_block }}
+ {{ zone.content }}
+ dest: /etc/nsd/{{ zone.name }}.zone
+ vars:
+ serial: >-
+ {{
+ nsd_init_serial if not zone_soa.stdout.split()[2]
+ else
+ (zone_soa.stdout.split()[2] | int) if ((not current_zone_file.stat.exists) or current_zone_file.stat.checksum == temp_zone_file.stat.checksum)
+ else
+ (zone_soa.stdout.split()[2] | int) + 1
+ }}
+ notify: reload nsd
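Review bot: `zone_soa.stdout.split()[2]` at L63 and L87 raises an index error whenever `dig` returns an empty or short answer (zone not yet present on the slave, NXDOMAIN), and the `default(...)` at L63 does not catch that, so the play fails instead of falling back to `nsd_init_serial`; a `failed_when: false` on the dig task plus one `set_fact` that derives the serial with an `rc` and length check removes the repeated, fragile expression (the `rc` check matters because, as far as I recall, dig prints its timeout message on stdout, which would otherwise be parsed as a serial). The dig target also applies `first` to `zone.slave_nameservers` without the `default([])` the template uses, which likely errors on a zone that has no such key. Separately, the scratch copy is written to a predictable name under world-writable `/tmp`; a path next to the zone file in `/etc/nsd`, or the `tempfile` module, avoids the shared-directory concern. With the derived fact an unanswered query on a changed existing file yields `nsd_init_serial + 1` rather than `nsd_init_serial`, a small behaviour change that seems acceptable.
```yaml
- name: get current serial
  command: dig @{{ zone.slave_nameservers | default([]) | first | default('127.0.0.1') }} +short SOA {{ zone.name }}
  register: zone_soa
  changed_when: false
  failed_when: false

- name: derive current serial from the SOA answer
  set_fact:
    # +short SOA prints "mname rname serial refresh retry expire minimum";
    # fall back to the initial serial on a failed query or an empty answer
    zone_current_serial: >-
      {{ (zone_soa.stdout.split()[2] | int)
         if (zone_soa.rc == 0 and (zone_soa.stdout.split() | length) > 2)
         else nsd_init_serial }}

# … unchanged: stat / temporary zone file block, with
#   serial: '{{ zone_current_serial }}' in its vars …

- name: generate zone file
  copy:
    content: |
      {{ nsd_soa_block }}
      {{ zone.content }}
    dest: /etc/nsd/{{ zone.name }}.zone
  vars:
    serial: >-
      {{ (zone_current_serial | int)
         if ((not current_zone_file.stat.exists)
             or current_zone_file.stat.checksum == temp_zone_file.stat.checksum)
         else (zone_current_serial | int) + 1 }}
  notify: reload nsd
```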
diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml
new file mode 100644
index 0000000..63ac3eb
--- /dev/null
+++ b/roles/nsd/tasks/main.yml
@@ -0,0 +1,35 @@
+- name: install packages
+ dnf:
+ name: nsd
+ state: present
+
+- name: generate nsd.conf
+ template:
+ src: etc/nsd/nsd.conf.j2
+ dest: /etc/nsd/nsd.conf
+ notify: restart nsd
+ tags: zoneupdate
+
+- include_tasks:
+ file: generate_zone.yml
+ apply:
+ tags: zoneupdate
+ loop: '{{ nsd_zones }}'
+ loop_control:
+ loop_var: zone
+ label: '{{ zone.name }}'
+ tags: zoneupdate
+
+- name: enable nsd
+ systemd:
+ name: nsd
+ state: started
+ enabled: yes
+
+- name: open firewall ports
+ firewalld:
+ service: dns
+ permanent: yes
+ immediate: yes
+ state: enabled
+ tags: firewalld
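Review bot: The `generate nsd.conf` task replaces `/etc/nsd/nsd.conf` and queues a restart without checking the rendered file, so a malformed `nsd_zones` entry takes the authoritative server down at the next handler run; NSD ships `nsd-checkconf`, so `validate: nsd-checkconf %s` on the template task rejects a broken render before it is installed. The file also spells booleans as `yes` (`enabled: yes`, `permanent: yes`, `immediate: yes`); `true` avoids the YAML 1.1 truthy ambiguity yamllint flags. The `include_tasks` task has no `name`, so the per-zone include appears anonymously in play output; `name: generate zone files` fixes that.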
diff --git a/roles/nsd/templates/etc/nsd/nsd.conf.j2 b/roles/nsd/templates/etc/nsd/nsd.conf.j2
new file mode 100644
index 0000000..6d205c4
--- /dev/null
+++ b/roles/nsd/templates/etc/nsd/nsd.conf.j2
@@ -0,0 +1,24 @@
+server:
+ ip-address: {{ ansible_default_ipv4.address }}
+ server-count: {{ nsd_server_count }}
+ database: ""
+ pidfile: ""
+ hide-version: yes
+ verbosity: 1
+ log-only-syslog: yes
+ minimal-responses: yes
+ refuse-any: yes
+
+{% for zone in nsd_zones %}
+zone:
+ name: {{ zone.name }}
+ zonefile: /etc/nsd/%s.zone
+{% for ns in zone.slave_nameservers | default([]) %}
+ notify: {{ ns }} NOKEY
+ provide-xfr: {{ ns }} NOKEY
+{% endfor %}
+{% endfor %}
+
+remote-control:
+ control-enable: yes
+ control-interface: /run/nsd/nsd.ctl
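Review bot: `notify: {{ ns }} NOKEY` and `provide-xfr: {{ ns }} NOKEY` grant zone transfers and accept notifies for each slave with no TSIG, so the transfer ACL rests on the source IP alone; a `key:` section with a per-slave key name in place of `NOKEY` is the usual hardening, and the role could take that name from the zone entry next to `slave_nameservers`. That trust model is not stated anywhere, so a comment above the loop, e.g. `{# one zone: block per nsd_zones entry; transfers to slaves are IP-ACL only (NOKEY) #}`, would at least document it for the next reader. The `remote-control` section on a Unix socket is fine for the `reload nsd` handler and keeps control local.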
diff --git a/roles/nsd/vars/main.yml b/roles/nsd/vars/main.yml
new file mode 100644
index 0000000..78b1ba6
--- /dev/null
+++ b/roles/nsd/vars/main.yml
@@ -0,0 +1,15 @@
+nsd_init_serial: 10000
+
+nsd_default_ttl: 10800
+
+nsd_soa_block: |
+ $TTL {{ zone.ttl | default(nsd_default_ttl) }}
+ $ORIGIN {{ zone.name }}.
+
+ @ IN SOA {{ zone.ns | default('ns1.' + zone.name) }}. {{ zone.contact | default('hostmaster.' + zone.name) }}. (
+ {{ serial }} ; serial
+ {{ zone.refresh | default('1d') }} ; refresh
+ {{ zone.retry | default('3m') }} ; retry
+ {{ zone.expire | default('1w') }} ; expire
+ {{ zone.minimum | default('3h') }} ; minimum
+ )
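Review bot: `nsd_init_serial` and `nsd_default_ttl` live in `vars/main.yml`, where role vars take precedence over inventory and host vars, so a deployment cannot override the initial serial or TTL without editing the role; moving those two keys to `defaults/main.yml` next to `nsd_zones` keeps them tunable while `nsd_soa_block` stays here. `nsd_soa_block` is a deferred template that only renders inside the zone tasks because it references `zone` and `serial`, which nothing in this file defines; a comment such as `# Rendered per zone from tasks/generate_zone.yml; expects 'zone' and 'serial' in scope and emits only $TTL/$ORIGIN/SOA, so zone.content must supply the NS records` would save the next reader a search.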