debops.pdns default variables

APT packages

pdns__base_packages

List of default packages to install for PowerDNS Authoritative Server support.
The PostgreSQL backend package is added only when 'gpgsql' is listed in
pdns__backends.

    pdns__base_packages: '{{ ["pdns-server"]
                             + (["pdns-backend-pgsql"]
                                if "gpgsql" in pdns__backends
                                else []) }}'

pdns__packages

List of additional packages to install with PowerDNS Authoritative Server.

    pdns__packages: []
Basic settings

pdns__allow

List of addresses/subnets that can access the pdns service. The list becomes
the source-address filter of the firewall rule defined in
pdns__ferm__dependent_rules. The default admits queries from anywhere, which
is what an authoritative server normally needs; narrow it for a server that
only serves internal zones.

    pdns__allow: [ '0.0.0.0/0', '::/0' ]

pdns__local_address

Local IPv4 and IPv6 addresses to bind to.

    pdns__local_address: [ '0.0.0.0', '::' ]

pdns__local_port

Local port (TCP and UDP) to bind to.

    pdns__local_port: '53'

pdns__primary

Whether to enable primary operation. Enabling this will instruct pdns to send (optionally TSIG-signed) notifications of changes to secondaries, which can then initiate zone transfers. Notifications are only sent for domains with type MASTER in your backend. See also https://doc.powerdns.com/authoritative/modes-of-operation.html#primary-operation

    pdns__primary: False

pdns__secondary

Whether to enable secondary operation. Enabling this will instruct pdns to periodically check for zone changes at the primary nameservers and update the local zones accordingly. These checks happen every 'refresh' seconds (as specified by the SOA record) and are only performed for domains with type SLAVE in your backend. See also https://doc.powerdns.com/authoritative/modes-of-operation.html#secondary-operation

    pdns__secondary: False

pdns__autosecondary

Whether to enable autosecondary support. Enabling this will instruct pdns to automatically provision domains that it receives notifications for, if the notifications come from an IP address listed in the 'supermasters' table in your backend database. pdns will then act as a secondary for those domains. Every address in that table can therefore create zones on this server, so keep the table limited to primaries you control. See also https://doc.powerdns.com/authoritative/modes-of-operation.html#autoprimary-operation

    pdns__autosecondary: False

pdns__resolver

Recursive DNS server to use for ALIAS lookups and the internal stub resolver. Only one address can be given. A port may be specified after a colon; an IPv6 address must then be enclosed in square brackets.

    pdns__resolver: '{{ ansible_local.resolvconf.nameservers[0]
                        | d(ansible_dns.nameservers[0]) }}'

pdns__backends

The backends to enable. These can be used for storing DNS records and metadata and will be added to the 'launch' setting. Each backend can be configured separately. See https://doc.powerdns.com/authoritative/backends/index.html

    pdns__backends: [ 'gpgsql' ]
Built-in webserver and HTTP API

pdns__api

Enable/Disable the built-in webserver and HTTP API. By default the API is only enabled on hosts that are also in the 'debops_service_pdns_nginx' inventory group, i.e. where NGINX is set up in front of it. For details, see: https://doc.powerdns.com/authoritative/http-api/index.html#enabling-the-api

    pdns__api: '{{ True
                   if "debops_service_pdns_nginx" in group_names
                   else False }}'

pdns__api_key

Static pre-shared authentication key for access to the HTTP API. It is generated once by the Ansible 'password' lookup (22 characters, letters and digits) and kept in plaintext in the DebOps secret directory; protect that directory, since anyone holding the key can change zone data through the API.

    pdns__api_key: '{{ lookup("password", secret + "/pdns/" + ansible_fqdn
                              + "/api_key chars=ascii_letters,digits length=22")
                       if pdns__api
                       else "" }}'

pdns__metrics

Enable/Disable the built-in webserver and metrics endpoint. For details, see: https://doc.powerdns.com/authoritative/http-api/index.html#metrics-endpoint

    pdns__metrics: '{{ pdns__api }}'

pdns__http_port

TCP port which the built-in webserver will bind to. The role uses 16836 instead of the PowerDNS default 8081 because Debian's /etc/services file already assigns 8081 to the tproxy ("Transparent Proxy") service.

    pdns__http_port: '16836'

pdns__nginx_fqdn

The fully qualified domain name used to set up the NGINX webserver for proxying requests to the pdns built-in webserver and HTTP API.

    pdns__nginx_fqdn: 'powerdns.{{ ansible_domain }}'

pdns__nginx_allow

List of IP addresses and/or subnets that NGINX allows access to the pdns webserver and HTTP API. An empty list denies all. This does not influence the pdns built-in webserver ACL ('webserver-allow-from' setting). Because NGINX proxies to 127.0.0.1 (see pdns__nginx__dependent_servers), the built-in ACL only ever sees the loopback address, so this list is the effective network restriction for API clients coming through NGINX. The API key is still required for every request.

    pdns__nginx_allow: []
Dynamic DNS Update (RFC 2136)

pdns has support for updating zone contents using the DNS UPDATE mechanism specified in RFC 2136.

pdns__dnsupdate

Whether to enable DNS UPDATE processing. Not all backends support this. See https://doc.powerdns.com/authoritative/dnsupdate.html

    pdns__dnsupdate: True

pdns__allow_dnsupdate_from

List of IP ranges that are allowed to perform DNS updates on all domains without any authentication. An empty list denies all, so with the defaults DNS UPDATE processing is enabled but no client may use it until access is granted per zone. The setting can be applied on a per-domain basis using the ALLOW-DNSUPDATE-FROM domain metadata, which grants access to that zone even while the global list stays empty. You are encouraged to leave this list empty and to specify fine-grained DNS UPDATE access controls using the ALLOW-DNSUPDATE-FROM and optionally TSIG-ALLOW-DNSUPDATE domain metadata; with the latter, updates must additionally be signed with one of the named TSIG keys. See https://doc.powerdns.com/authoritative/dnsupdate.html#per-zone-settings

    pdns__allow_dnsupdate_from: []
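The per-zone setup recommended above, written as an Ansible play. This is an added example and not part of the debops.pdns role: it runs pdnsutil on the pdns host to create a TSIG key and to set the ALLOW-DNSUPDATE-FROM, TSIG-ALLOW-DNSUPDATE and SOA-EDIT-DNSUPDATE metadata for one zone, while pdns__allow_dnsupdate_from stays empty. The zone 'example.com', the key name 'ddns-example', the subnet 192.0.2.0/24 and the inventory group 'debops_service_pdns' are placeholders, and the play assumes pdns 4.x with pdnsutil installed by the 'pdns-server' package.

```yaml
# Added example (not part of the debops.pdns role): restrict RFC 2136 updates
# for a single zone to one subnet and require TSIG-signed requests.
# Placeholders: ddns_zone, ddns_tsig_key, ddns_update_from, the host group.
- name: Restrict RFC 2136 updates for one zone to a TSIG key and a subnet
  hosts: [ 'debops_service_pdns' ]
  become: True

  vars:
    ddns_zone: 'example.com'
    ddns_tsig_key: 'ddns-example'
    ddns_update_from: [ '192.0.2.0/24' ]

  tasks:

    - name: List the TSIG keys known to the backend
      ansible.builtin.command: 'pdnsutil list-tsig-keys'
      register: pdns_tsig_keys
      changed_when: False
      check_mode: False

    - name: Generate the TSIG key when it does not exist yet
      # A substring match on the key name is sufficient for this example;
      # pdnsutil prints one key per line, name first.
      ansible.builtin.command: 'pdnsutil generate-tsig-key {{ ddns_tsig_key }} hmac-sha256'
      when: ddns_tsig_key not in pdns_tsig_keys.stdout

    - name: Allow updates for the zone only from the given subnet
      # Per-zone metadata grants access even though the global
      # allow-dnsupdate-from list (pdns__allow_dnsupdate_from) is empty.
      ansible.builtin.command: >
        pdnsutil set-meta {{ ddns_zone }} ALLOW-DNSUPDATE-FROM
        {{ ddns_update_from | join(" ") }}

    - name: Require every update to be signed with the TSIG key
      # With both metadata kinds set, the source address and the signature
      # must match; unsigned updates from the subnet are refused.
      ansible.builtin.command: >
        pdnsutil set-meta {{ ddns_zone }} TSIG-ALLOW-DNSUPDATE {{ ddns_tsig_key }}

    - name: Bump the SOA serial automatically after each accepted update
      ansible.builtin.command: >
        pdnsutil set-meta {{ ddns_zone }} SOA-EDIT-DNSUPDATE INCREASE

    - name: Show the resulting zone metadata for verification
      ansible.builtin.command: 'pdnsutil get-meta {{ ddns_zone }}'
      register: pdns_zone_meta
      changed_when: False

    - name: Print the zone metadata
      ansible.builtin.debug:
        var: pdns_zone_meta.stdout_lines
```

The 'set-meta' tasks replace the metadata value on every run, so they are safe to repeat but always report "changed"; add a 'changed_when' condition based on a preceding 'get-meta' if idempotent reporting matters. The generated key secret is printed by 'pdnsutil generate-tsig-key' and stored in the backend; hand it to the client that will send updates (for example via a keyfile for nsupdate) rather than passing it on a command line.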
PostgreSQL database configuration

The PostgreSQL database will only be configured if pdns__backends
contains 'gpgsql'. Upstream documentation on this backend is available here:
https://doc.powerdns.com/authoritative/backends/generic-postgresql.html

pdns__postgresql_delegate_to

The host that Ansible should configure the PostgreSQL database on.

    pdns__postgresql_delegate_to: '{{ ansible_local.postgresql.delegate_to
                                      | d(ansible_fqdn) }}'

pdns__postgresql_server

The host that should be configured in pdns as the PostgreSQL server.

    pdns__postgresql_server: '{{ ansible_local.postgresql.server | d("localhost") }}'

pdns__postgresql_port

The TCP port of the PostgreSQL server.

    pdns__postgresql_port: '{{ ansible_local.postgresql.port | d("5432") }}'

pdns__postgresql_database

The PostgreSQL database name.

    pdns__postgresql_database: 'pdns'

pdns__postgresql_role

The role used to authenticate to the PostgreSQL database.

    pdns__postgresql_role: 'pdns'

pdns__postgresql_password

The password used to authenticate to the PostgreSQL database. It is generated once by the Ansible 'password' lookup and kept in plaintext in the DebOps secret directory, under a path keyed by the PostgreSQL host, port and role, so that the debops.postgresql role can create the role with the same credential.

    pdns__postgresql_password: '{{ lookup("password", secret + "/postgresql/"
                                          + pdns__postgresql_delegate_to + "/"
                                          + pdns__postgresql_port + "/credentials/"
                                          + pdns__postgresql_role
                                          + "/password chars=ascii_letters,digits "
                                          + "length=22")
                                   if "gpgsql" in pdns__backends
                                   else "" }}'

pdns__postgresql_schema

Filesystem path to the initial PostgreSQL database schema.

    pdns__postgresql_schema: '/usr/share/pdns-backend-pgsql/schema/schema.pgsql.sql'

pdns__postgresql_dnssec

Whether to enable DNSSEC processing for the PostgreSQL backend. Note that you still need to enable DNSSEC on a per-domain basis. See https://doc.powerdns.com/authoritative/dnssec/index.html

    pdns__postgresql_dnssec: True
pdns.conf templating

pdns__original_configuration

The original /etc/powerdns/pdns.conf configuration as supplied by the
'pdns-server' Debian package.

    pdns__original_configuration:

      - name: 'include-dir'
        comment: 'Directory to scan for additional config files.'
        value: '/etc/powerdns/pdns.d'

      - name: 'launch'
        comment: 'Which backends to launch and order to query them in.'
        value: ''

      - name: 'security-poll-suffix'
        comment: 'Zone name from which to query security update notifications.'
        value: ''

      - name: 'setgid'
        comment: |-
          Run as an unprivileged group instead of root. Explicitly configuring this
          is no longer necessary since pdns 4.3.0.
        value: 'pdns'
        state: '{{ "present"
                   if ansible_local.pdns.version is version("4.3.0", "<")
                   else "absent" }}'

      - name: 'setuid'
        comment: |-
          Run as an unprivileged user instead of root. Explicitly configuring this
          is no longer necessary since pdns 4.3.0.
        value: 'pdns'
        state: '{{ "present"
                   if ansible_local.pdns.version is version("4.3.0", "<")
                   else "absent" }}'
pdns__default_configuration

The default /etc/powerdns/pdns.conf configuration provided by this role.
Setting names that were renamed between pdns releases are selected from the
version reported by the 'pdns' Ansible local fact.

    pdns__default_configuration:

      - name: 'local-address'
        comment: |-
          Local IP addresses to which we bind. Accepts IPv6 addresses since pdns
          4.3.0.
        value: '{{ (pdns__local_address if ansible_local.pdns.version is version("4.3.0", ">=")
                    else (pdns__local_address | ansible.utils.ipv4)) | join(",") }}'

      - name: 'local-ipv6'
        comment: |-
          Local IPv6 addresses to which we bind. Deprecated since pdns 4.3.0
          and removed in pdns 4.5.0.
        value: '{{ pdns__local_address | ansible.utils.ipv6 | join(",") }}'
        state: '{{ "present"
                   if ansible_local.pdns.version is version("4.3.0", "<")
                   else "absent" }}'

      - name: 'local-port'
        comment: 'Local TCP and UDP port to bind to.'
        value: '{{ pdns__local_port }}'

      - name: 'resolver'
        comment: |-
          Recursive DNS server to use for ALIAS lookups and the internal stub
          resolver. Only one address can be given.
        value: '{{ pdns__resolver }}'

      - name: '{{ "primary"
                  if ansible_local.pdns.version is version("4.5.0", ">=")
                  else "master" }}'
        comment: |-
          Turn on primary operation. Note: the name of this setting was changed
          with the release of pdns 4.5.0.
        value: True
        state: '{{ "present" if pdns__primary else "absent" }}'

      - name: '{{ "secondary"
                  if ansible_local.pdns.version is version("4.5.0", ">=")
                  else "slave" }}'
        comment: |-
          Turn on secondary operation. Note: the name of this setting was changed
          with the release of pdns 4.5.0.
        value: True
        state: '{{ "present" if pdns__secondary else "absent" }}'

      - name: '{{ "autosecondary"
                  if ansible_local.pdns.version is version("4.5.0", ">=")
                  else "superslave"
                  if ansible_local.pdns.version is version("4.2.0", ">=")
                  else "supermaster" }}'
        comment: |-
          Turn on autosecondary operation. Note: the name of this setting was
          changed with the release of pdns 4.2.0, and once more with the release of
          pdns 4.5.0.
        value: True
        state: '{{ "present" if pdns__autosecondary else "absent" }}'

      - name: 'api'
        comment: 'Enable/Disable the built-in webserver and HTTP API.'
        value: True
        state: '{{ "present" if pdns__api else "absent" }}'

      - name: 'api-key'
        comment: 'Static pre-shared authentication key for access to the REST API.'
        value: '{{ pdns__api_key }}'
        state: '{{ "present" if pdns__api else "absent" }}'

      - name: 'dnsupdate'
        comment: 'Enable/Disable DNS update (RFC2136) support.'
        value: True
        state: '{{ "present" if pdns__dnsupdate else "absent" }}'

      - name: 'allow-dnsupdate-from'
        comment: 'Allow DNS updates from these IP ranges.'
        value: '{{ pdns__allow_dnsupdate_from | join(",") }}'
        state: '{{ "present" if pdns__dnsupdate else "absent" }}'

      - name: 'launch'
        comment: 'Which backends to launch and order to query them in.'
        value: '{{ pdns__backends | join(",") }}'

      - name: 'gpgsql-host'
        comment: 'The PostgreSQL backend host.'
        value: '{{ pdns__postgresql_server }}'
        state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'

      - name: 'gpgsql-port'
        comment: 'The PostgreSQL backend port.'
        value: '{{ pdns__postgresql_port }}'
        state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'

      - name: 'gpgsql-dbname'
        comment: 'The PostgreSQL backend database name.'
        value: '{{ pdns__postgresql_database }}'
        state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'

      - name: 'gpgsql-user'
        comment: 'The username to authenticate to the PostgreSQL backend with.'
        value: '{{ pdns__postgresql_role }}'
        state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'

      - name: 'gpgsql-password'
        comment: 'The password to authenticate to the PostgreSQL backend with.'
        value: '{{ pdns__postgresql_password }}'
        state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'

      - name: 'gpgsql-dnssec'
        comment: 'Whether to enable DNSSEC processing for the PostgreSQL backend.'
        value: '{{ pdns__postgresql_dnssec }}'
        state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'

      - name: 'webserver'
        comment: 'Enable/Disable the built-in webserver and metrics endpoint.'
        value: True
        state: '{{ "present" if pdns__metrics else "absent" }}'

      - name: 'webserver-port'
        comment: 'The TCP port the built-in webserver will listen on.'
        value: '{{ pdns__http_port }}'
        state: '{{ "present" if pdns__api or pdns__metrics else "absent" }}'
pdns__configuration

Additional /etc/powerdns/pdns.conf configuration that should be present
on all hosts in the Ansible inventory.

    pdns__configuration: []

pdns__group_configuration

Additional /etc/powerdns/pdns.conf configuration that should be present
on hosts in a specific Ansible inventory group.

    pdns__group_configuration: []

pdns__host_configuration

Additional /etc/powerdns/pdns.conf configuration that should be present
on specific hosts in the Ansible inventory.

    pdns__host_configuration: []

pdns__combined_configuration

The combined pdns configuration variables that will be used to template the
/etc/powerdns/pdns.conf file. The lists are concatenated in the order shown,
so host-specific entries come last.

    pdns__combined_configuration: '{{ pdns__original_configuration
                                      + pdns__default_configuration
                                      + pdns__configuration
                                      + pdns__group_configuration
                                      + pdns__host_configuration }}'
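An inventory fragment that uses the variables above to harden a primary server, added here as an example and not part of the debops.pdns role. It enables primary operation, keeps RFC 2136 switched off, limits API access through NGINX to an admin network, and adds two PowerDNS settings that have no dedicated role variable ('allow-axfr-ips' and 'only-notify', documented at https://doc.powerdns.com/authoritative/settings.html) through pdns__host_configuration in the entry format used by pdns__default_configuration. The addresses 192.0.2.10 and 198.51.100.10 (secondaries) and 10.20.0.0/24 (admin network) are placeholders.

```yaml
# Added example (not part of the debops.pdns role): host_vars for a primary
# nameserver. Placeholder addresses: 192.0.2.10 and 198.51.100.10 are the
# secondaries, 10.20.0.0/24 is the admin network.
pdns__primary: True

# No RFC 2136 on this host at all: the 'dnsupdate' and 'allow-dnsupdate-from'
# settings are then left out of pdns.conf entirely.
pdns__dnsupdate: False

# NGINX rejects everyone except the admin network before the request reaches
# the built-in webserver on 127.0.0.1; the API key is still required on top.
pdns__nginx_allow: [ '10.20.0.0/24' ]

# PowerDNS settings without a role variable go into the configuration lists.
pdns__host_configuration:

  - name: 'allow-axfr-ips'
    comment: 'Only the secondaries may pull zones via AXFR.'
    value: '192.0.2.10,198.51.100.10'

  - name: 'only-notify'
    comment: 'Send NOTIFY messages to the secondaries only.'
    value: '192.0.2.10,198.51.100.10'
```

Both PowerDNS settings take comma-separated address or netmask lists, which is why the values are written as a single string rather than a YAML list. Queries on port 53 stay open to everyone through pdns__allow, as expected of an authoritative server; only zone transfers, notifications and the API are restricted.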
Configuration for other Ansible roles

pdns__etc_services__dependent_list

Configuration for the debops.etc_services role.

    pdns__etc_services__dependent_list:

      - name: 'powerdns-http'
        port: '{{ pdns__http_port }}'
        protocols: [ 'tcp' ]
        comment: 'Added by debops.pdns Ansible role.'

pdns__ferm__dependent_rules

Configuration for the debops.ferm role.

    pdns__ferm__dependent_rules:

      - name: 'pdns'
        by_role: 'debops.pdns'
        type: 'accept'
        protocol: [ 'tcp', 'udp' ]
        dport: [ '{{ pdns__local_port }}' ]
        saddr: '{{ pdns__allow }}'

pdns__nginx__dependent_servers

Configuration for the debops.nginx role.

    pdns__nginx__dependent_servers:

      - name: '{{ pdns__nginx_fqdn }}'
        filename: 'debops.pdns'
        allow: '{{ pdns__nginx_allow }}'
        type: 'proxy'
        proxy_pass: 'http://127.0.0.1:{{ pdns__http_port }}'
        webroot_create: False

pdns__postgresql__dependent_roles

Configuration for the debops.postgresql role.

    pdns__postgresql__dependent_roles:

      - role: '{{ pdns__postgresql_role }}'
        port: '{{ pdns__postgresql_port }}'
        password: '{{ pdns__postgresql_password }}'