debops.pdns default variables

APT packages

pdns__base_packages

List of default packages to install for PowerDNS Authoritative Server support.

pdns__base_packages: '{{ [ "pdns-server" ]
                         + ([ "pdns-backend-pgsql" ]
                            if "gpgsql" in pdns__backends
                            else []) }}'
pdns__packages

List of additional packages to install with PowerDNS Authoritative Server.

pdns__packages: []

Basic settings

pdns__allow

List of addresses/subnets that can access the pdns service.

pdns__allow: [ '0.0.0.0/0', '::/0' ]
pdns__local_address

Local IPv4 and IPv6 addresses to bind to.

pdns__local_address: [ '0.0.0.0', '::' ]
pdns__local_port

Local port (TCP and UDP) to bind to.

pdns__local_port: '53'
pdns__primary

Whether to enable primary operation. Enabling this will instruct pdns to send (optionally TSIG-signed) notifications of changes to secondaries, which can then initiate zone transfers. Notifications are only sent for domains with type MASTER in your backend. See also https://doc.powerdns.com/authoritative/modes-of-operation.html#primary-operation

pdns__primary: False
pdns__secondary

Whether to enable secondary operation. Enabling this will instruct pdns to periodically check for zone changes at the primary nameservers, and update the local zones accordingly. These checks happen every 'refresh' seconds (as specified by the SOA record) and are only performed for domains with type SLAVE in your backend. See also https://doc.powerdns.com/authoritative/modes-of-operation.html#secondary-operation

pdns__secondary: False
pdns__autosecondary

Whether to enable autosecondary support. Enabling this will instruct pdns to automatically provision domains that it receives notifications for, if the notifications come from an IP address listed in the 'supermasters' table in your backend database. pdns will then act as a secondary for those domains. See also https://doc.powerdns.com/authoritative/modes-of-operation.html#autoprimary-operation

pdns__autosecondary: False
pdns__resolver

Recursive DNS server to use for ALIAS lookups and the internal stub resolver. Only one address can be given. A port may be specified after a colon; with IPv6, the address must in that case be enclosed in square brackets.

pdns__resolver: '{{ ansible_local.resolvconf.nameservers[0]
                    |d(ansible_dns.nameservers[0]) }}'
pdns__backends

The backends to enable. These can be used for storing DNS records and metadata and will be added to the 'launch' setting. Each backend can be configured separately. See https://doc.powerdns.com/authoritative/backends/index.html

pdns__backends: [ 'gpgsql' ]

Built-in webserver and HTTP API

pdns__api

Enable/Disable the built-in webserver and HTTP API. For details, see: https://doc.powerdns.com/authoritative/http-api/index.html#enabling-the-api

pdns__api: '{{ True
               if "debops_service_pdns_nginx" in group_names
               else False }}'
pdns__api_key

Static pre-shared authentication key for access to the HTTP API.

pdns__api_key: '{{ lookup("password", secret + "/pdns/" + ansible_fqdn
                          + "/api_key chars=ascii_letters,digits length=22")
                   if pdns__api
                   else "" }}'
pdns__metrics

Enable/Disable the built-in webserver and metrics endpoint. For details, see: https://doc.powerdns.com/authoritative/http-api/index.html#metrics-endpoint

pdns__metrics: '{{ pdns__api }}'
pdns__http_port

TCP port which the built-in webserver will bind to. This is different from the default port 8081 because that port is already assigned in the Debian /etc/services file for the tproxy "Transparent Proxy" service.

pdns__http_port: '16836'
pdns__nginx_fqdn

The fully qualified domain name used to set up the NGINX webserver for proxying requests to the pdns built-in webserver and HTTP API.

pdns__nginx_fqdn: 'powerdns.{{ ansible_domain }}'
pdns__nginx_allow

List of IP addresses and/or subnets that NGINX allows access to the pdns webserver and HTTP API. An empty list denies all. Note: this does not influence the pdns built-in webserver ACL. For that, see the 'webserver-allow-from' setting.

pdns__nginx_allow: []

Dynamic DNS Update (RFC 2136)

pdns has support for updating zone contents using the DNS UPDATE mechanism specified in RFC 2136.

pdns__dnsupdate

Whether to enable DNS UPDATE processing. Not all backends support this. See https://doc.powerdns.com/authoritative/dnsupdate.html

pdns__dnsupdate: True
pdns__allow_dnsupdate_from

List of IP ranges that are allowed to perform DNS updates on all domains without any authentication. An empty list denies all. Note that this setting can be applied on a per-domain basis using the ALLOW-DNSUPDATE-FROM domain metadata. You are encouraged to specify fine-grained DNS UPDATE access controls using the ALLOW-DNSUPDATE-FROM and optionally TSIG-ALLOW-DNSUPDATE domain metadata. See https://doc.powerdns.com/authoritative/dnsupdate.html#per-zone-settings

pdns__allow_dnsupdate_from: []

PostgreSQL database configuration

The PostgreSQL database will only be configured if pdns__backends contains 'gpgsql'. Upstream documentation on this backend is available here: https://doc.powerdns.com/authoritative/backends/generic-postgresql.html

pdns__postgresql_delegate_to

The host that Ansible should configure the PostgreSQL database on.

pdns__postgresql_delegate_to: '{{ ansible_local.postgresql.delegate_to
                                  |d(ansible_fqdn) }}'
pdns__postgresql_server

The host that should be configured in pdns as the PostgreSQL server.

pdns__postgresql_server: '{{ ansible_local.postgresql.server|d("localhost") }}'
pdns__postgresql_port

The TCP port of the PostgreSQL server.

pdns__postgresql_port: '{{ ansible_local.postgresql.port|d("5432") }}'
pdns__postgresql_database

The PostgreSQL database name.

pdns__postgresql_database: 'pdns'
pdns__postgresql_role

The role used to authenticate to the PostgreSQL database.

pdns__postgresql_role: 'pdns'
pdns__postgresql_password

The password used to authenticate to the PostgreSQL database.

pdns__postgresql_password: '{{ lookup("password", secret + "/postgresql/"
                                      + pdns__postgresql_delegate_to + "/"
                                      + pdns__postgresql_port + "/credentials/"
                                      + pdns__postgresql_role
                                      + "/password chars=ascii_letters,digits "
                                      + "length=22")
                               if "gpgsql" in pdns__backends
                               else "" }}'
pdns__postgresql_schema

Filesystem path to the initial PostgreSQL database schema.

pdns__postgresql_schema: '/usr/share/pdns-backend-pgsql/schema/schema.pgsql.sql'
pdns__postgresql_dnssec

Whether to enable DNSSEC processing for the PostgreSQL backend. Note that you still need to enable DNSSEC on a per-domain basis. See https://doc.powerdns.com/authoritative/dnssec/index.html

pdns__postgresql_dnssec: True

pdns.conf templating

pdns__original_configuration

The original /etc/powerdns/pdns.conf configuration as supplied by the 'pdns-server' Debian package.

pdns__original_configuration:

  - name: 'include-dir'
    comment: 'Directory to scan for additional config files.'
    value: '/etc/powerdns/pdns.d'

  - name: 'launch'
    comment: 'Which backends to launch and order to query them in.'
    value: ''

  - name: 'security-poll-suffix'
    comment: 'Zone name from which to query security update notifications.'
    value: ''

  - name: 'setgid'
    comment: |-
      Run as an unprivileged group instead of root. Explicitly configuring this
      is no longer necessary since pdns 4.3.0.
    value: 'pdns'
    state: '{{ "present"
               if ansible_local.pdns.version is version("4.3.0", "<")
               else "absent" }}'

  - name: 'setuid'
    comment: |-
      Run as an unprivileged user instead of root. Explicitly configuring this
      is no longer necessary since pdns 4.3.0.
    value: 'pdns'
    state: '{{ "present"
               if ansible_local.pdns.version is version("4.3.0", "<")
               else "absent" }}'
pdns__default_configuration

The default /etc/powerdns/pdns.conf configuration provided by this role.

pdns__default_configuration:

  - name: 'local-address'
    comment: |-
      Local IP addresses to which we bind. Accepts IPv6 addresses since pdns
      4.3.0.
    value: '{{ (pdns__local_address
                if ansible_local.pdns.version is version("4.3.0", ">=")
                else (pdns__local_address | ipv4)) | join (",") }}'

  - name: 'local-ipv6'
    comment: |-
      Local IPv6 addresses to which we bind. Will be deprecated in pdns 4.3.0
      and removed in pdns 4.5.0.
    value: '{{ pdns__local_address | ipv6 | join(",") }}'
    state: '{{ "present"
               if ansible_local.pdns.version is version("4.3.0", "<")
               else "absent" }}'

  - name: 'local-port'
    comment: 'Local TCP and UDP port to bind to.'
    value: '{{ pdns__local_port }}'

  - name: 'resolver'
    comment: |-
      Recursive DNS server to use for ALIAS lookups and the internal stub
      resolver. Only one address can be given.
    value: '{{ pdns__resolver }}'

  - name: '{{ "primary"
              if ansible_local.pdns.version is version("4.5.0", ">=")
              else "master" }}'
    comment: |-
      Turn on primary operation. Note: the name of this setting was changed
      with the release of pdns 4.5.0.
    value: True
    state: '{{ "present" if pdns__primary else "absent" }}'

  - name: '{{ "secondary"
              if ansible_local.pdns.version is version("4.5.0", ">=")
              else "slave" }}'
    comment: |-
      Turn on secondary operation. Note: the name of this setting was changed
      with the release of pdns 4.5.0.
    value: True
    state: '{{ "present" if pdns__secondary else "absent" }}'

  - name: '{{ "autosecondary"
              if ansible_local.pdns.version is version("4.5.0", ">=")
              else "superslave"
                   if ansible_local.pdns.version is version("4.2.0", ">=")
                   else "supermaster" }}'
    comment: |-
      Turn on autosecondary operation. Note: the name of this setting was
      changed with the release of pdns 4.2.0, and once more with the release of
      pdns 4.5.0.
    value: True
    state: '{{ "present" if pdns__autosecondary else "absent" }}'

  - name: 'api'
    comment: 'Enable/Disable the built-in webserver and HTTP API.'
    value: True
    state: '{{ "present" if pdns__api else "absent" }}'

  - name: 'api-key'
    comment: 'Static pre-shared authentication key for access to the REST API.'
    value: '{{ pdns__api_key }}'
    state: '{{ "present" if pdns__api else "absent" }}'

  - name: 'dnsupdate'
    comment: 'Enable/Disable DNS update (RFC2136) support.'
    value: True
    state: '{{ "present" if pdns__dnsupdate else "absent" }}'

  - name: 'allow-dnsupdate-from'
    comment: 'Allow DNS updates from these IP ranges.'
    value: '{{ pdns__allow_dnsupdate_from | join(",") }}'
    state: '{{ "present" if pdns__dnsupdate else "absent" }}'

  - name: 'launch'
    comment: 'Which backends to launch and order to query them in.'
    value: '{{ pdns__backends | join(",") }}'

  - name: 'gpgsql-host'
    comment: 'The PostgreSQL backend host.'
    value: '{{ pdns__postgresql_server }}'
    state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'

  - name: 'gpgsql-port'
    comment: 'The PostgreSQL backend port.'
    value: '{{ pdns__postgresql_port }}'
    state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'

  - name: 'gpgsql-dbname'
    comment: 'The PostgreSQL backend database name.'
    value: '{{ pdns__postgresql_database }}'
    state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'

  - name: 'gpgsql-user'
    comment: 'The username to authenticate to the PostgreSQL backend with.'
    value: '{{ pdns__postgresql_role }}'
    state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'

  - name: 'gpgsql-password'
    comment: 'The password to authenticate to the PostgreSQL backend with.'
    value: '{{ pdns__postgresql_password }}'
    state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'

  - name: 'gpgsql-dnssec'
    comment: 'Whether to enable DNSSEC processing for the PostgreSQL backend.'
    value: '{{ pdns__postgresql_dnssec }}'
    state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'

  - name: 'webserver'
    comment: 'Enable/Disable the built-in webserver and metrics endpoint.'
    value: True
    state: '{{ "present" if pdns__metrics else "absent" }}'

  - name: 'webserver-port'
    comment: 'The TCP port the built-in webserver will listen on.'
    value: '{{ pdns__http_port }}'
    state: '{{ "present" if pdns__api or pdns__metrics else "absent" }}'
pdns__configuration

Additional /etc/powerdns/pdns.conf configuration that should be present on all hosts in the Ansible inventory.

pdns__configuration: []
pdns__group_configuration

Additional /etc/powerdns/pdns.conf configuration that should be present on all hosts in the Ansible inventory group.

pdns__group_configuration: []
pdns__host_configuration

Additional /etc/powerdns/pdns.conf configuration that should be present on specific hosts in the Ansible inventory.

pdns__host_configuration: []
pdns__combined_configuration

The combined pdns configuration variables that will be used to template the /etc/powerdns/pdns.conf file.

pdns__combined_configuration: '{{ pdns__original_configuration
                                  + pdns__default_configuration
                                  + pdns__configuration
                                  + pdns__group_configuration
                                  + pdns__host_configuration }}'

Configuration for other Ansible roles

pdns__etc_services__dependent_list

Configuration for the debops.etc_services role.

pdns__etc_services__dependent_list:

  - name: 'powerdns-http'
    port: '{{ pdns__http_port }}'
    protocols: [ 'tcp' ]
    comment: 'Added by debops.pdns Ansible role.'
pdns__ferm__dependent_rules

Configuration for the debops.ferm role.

pdns__ferm__dependent_rules:

  - name: 'pdns'
    by_role: 'debops.pdns'
    type: 'accept'
    protocol: [ 'tcp', 'udp' ]
    dport: [ '{{ pdns__local_port }}' ]
    saddr: '{{ pdns__allow }}'
pdns__nginx__dependent_servers

Configuration for the debops.nginx role.

pdns__nginx__dependent_servers:

  - name: '{{ pdns__nginx_fqdn }}'
    filename: 'debops.pdns'
    allow: '{{ pdns__nginx_allow }}'
    type: 'proxy'
    proxy_pass: 'http://127.0.0.1:{{ pdns__http_port }}'
    webroot_create: False
pdns__postgresql__dependent_roles

Configuration for the debops.postgresql role.

pdns__postgresql__dependent_roles:

  - role: '{{ pdns__postgresql_role }}'
    port: '{{ pdns__postgresql_port }}'
    password: '{{ pdns__postgresql_password }}'