# Note - Each section beginning with 'bind:' below shows a different way you may configure
# pillars for bind. In your own pillar, combine whichever subsections you need under ONE
# 'bind:' key: a YAML loader does not merge duplicate top-level keys (it either keeps only
# the last 'bind:' block or rejects the file), so the sections below cannot be copied as-is.
### Overrides for the defaults specified by ###
### map.jinja                                ###
bind:
  lookup:
    pkgs:
      - bind                          # Package(s) to install
    service: named                    # Name of the service to manage
    zones_source_dir: bind/zonedata   # Take zone files from `salt://bind/zonedata`
                                      # instead of the default `salt://zones`
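### General config options ###
bind:
  config:
    tmpl: salt://bind/files/debian/named.conf  # Template we'd like to use (may not be
                                               # implemented; check the formula's states)
    user: root                                 # File & directory owner
    group: named                               # File & directory group
    mode: 640                                  # File & directory mode. Keep it without a
                                               # leading zero: a value like 0640 is read as
                                               # octal by one YAML pass and decimal by the
                                               # next once rendered into a state. named.conf
                                               # must stay unreadable to "other" -- it can
                                               # carry TSIG secrets and ACLs.
    options:
      # Who may use this server as a recursive resolver. '{ any; }' here turns the
      # host into an open resolver (DDoS-amplification and cache-poisoning target);
      # restrict it to trusted networks or an ACL you define under configured_acls.
      allow-recursion: '{ localhost; localnets; }'
      # RedHat defaults, needed to generate the default config file. They bind to
      # loopback only and answer only localhost -- widen listen-on/allow-query
      # deliberately if other hosts are meant to query this server.
      listen-on: 'port 53 { 127.0.0.1; }'
      listen-on-v6: 'port 53 { ::1; }'
      allow-query: '{ localhost; }'
      recursion: 'yes'
      dnssec-enable: 'yes'        # NOTE(review): obsolete in recent BIND releases, which
                                  # control validation with dnssec-validation alone --
                                  # drop it if your named rejects the option
      dnssec-validation: 'yes'    # Validate DNSSEC signatures on answers
      # End RedHat defaults
    protocol: 4              # Force BIND to serve only one IP protocol (ipv4: 4, ipv6: 6).
                             # Omitting this reverts to BIND's default of both.
    # Debian and FreeBSD based systems
    default_zones: true      # If true, the default-zones configuration is enabled.
                             # Defaults to false.
    includes:                # Include additional configuration file(s) in named.conf.
      - /some/additional/named.conf  # Manage every included file with the same
                                     # ownership and mode as named.conf itself.
    # End Debian based systems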
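### Keys, Zones, ACLs and Views ###
bind:
  keys:
    "core_dhcp":                       # The name for our key
      # TSIG secret (base64, e.g. from `tsig-keygen`). This value is a placeholder:
      # never commit a real key in plain pillar -- use an encrypted pillar source
      # (gpg renderer, sdb, ...). If the formula lets you choose the algorithm,
      # prefer hmac-sha256 over the historical hmac-md5 default of TSIG tooling.
      secret: "YourSecretKey"
  configured_zones:
    sub.domain.com:                    # First domain zone
      type: master                     # We're the master of this zone
      notify: false                    # Don't notify any NS RRs of changes to the zone
      also-notify:                     # Do notify these addresses (ineffective here, as
        - 192.0.2.10                   # notify is off). RFC 5737 documentation addresses;
        - 192.0.2.11                   # put your real secondaries here.
    1.168.192.in-addr.arpa:            # Reverse lookup for local IPs
      type: master                     # As above
      notify: false                    # As above
      allow-transfer:                  # Only these hosts may AXFR/IXFR the zone. Never use
        - 192.0.2.10                   # `any` here -- a transfer enumerates every host in
        - 192.0.2.11                   # the zone. Pair the list with a TSIG key if you can.
    dynamic.domain.com:                # Our ddns zone
      type: master                     # As above
      allow-update: "key core_dhcp"    # Who we allow updates from (refers to the key above).
                                       # Match on a key, not on source addresses: UDP
                                       # updates are trivially spoofable.
      notify: true                     # Notify NS RRs of changes
    sub.anotherdomain.com:             # Another domain zone
      type: forward                    # This time it's a forwarding zone
      forwarders:                      # Where we need to forward requests to
        - 10.9.8.7
        - 10.9.8.5
    sub.forwardonlydomain.com:         # Forwarding only domain
      type: forward                    # As above
      forward: only                    # We don't want the server to do any resolving itself
      forwarders:                      # As above (but with different IPs)
        - 10.9.8.8
        - 10.9.8.9
  configured_views:
    myview1:                           # First (and only) view
      match_clients:                   # Address-match list for the view: ACL names
        - client1                      # (define them under configured_acls) or addresses
        - client2
      configured_zones:                # Zones that our view is applicable to
        my.zone:                       # We've defined a new zone in here
          type: master
          notify: false
          # Update policy: grant the key the narrowest scope that works -- a single
          # name as here, rather than zonesub/subdomain wildcards.
          update_policy:
            - "grant core_dhcp name dns_entry_allowed_to_update. ANY"
  configured_acls:                     # And now for some ACLs
    my_net:                            # Our ACL's name
      - 127.0.0.0/8                    # And the applicable IP addresses
      - 10.20.0.0/16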
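### Define zone records in pillar ###
bind:
  available_zones:
    example.com:
      file: example.com.txt
      soa:                                # Declare the SOA RR for the zone
        ns: rat.example.com               # Required. Primary nameserver (MNAME); it must be
                                          # one of the NS hosts below and needs an A RR
        contact: hostmaster.example.com   # Required. RNAME; the first '.' stands for '@'
        serial: 2017041001                # Required. Bump it on every change, or
                                          # secondaries never pull the new zone
        class: IN                         # Optional. Default: IN
        refresh: 8600                     # Optional. Default: 12h
        retry: 900                        # Optional. Default: 15m
        expiry: 86000                     # Optional. Default: 2w. This example value is under
                                          # one day; RFC 1912 suggests 2-4 weeks so secondaries
                                          # keep serving through a primary outage
        nxdomain: 500                     # Optional. Default: 1m (negative-caching TTL)
        ttl: 8600                         # Optional. Not set by default
      records:                            # Records for the zone, grouped by type
        A:
          mx1:                            # An RR with multiple values can
            - 1.2.3.228                   # be written as an array
            - 1.2.3.229
          cat: 2.3.4.188
          rat: 1.2.3.231
          live: 1.2.3.236
        NS:
          '@':
            - rat
            - cat
        CNAME:
          ftp: cat.example.com.
          www: cat.example.com.
          mail: mx1.example.com.
          smtp: mx1.example.com.
        TXT:                              # Complex records can be expressed as strings
          '@':
            - '"some_value"'
            - '"v=spf1 mx a ip4:1.2.3.4 ~all"'
          # The rua mailbox must exist and be willing to receive aggregate reports
          _dmarc: '"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; fo=1:d:s; adkim=r; aspf=r; pct=100; ri=86400"'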
### Externally defined Zones ###
bind:
  available_zones:
    sub.domain.org:
      file: db.sub.domain.org   # DB file holding this zone's data
      masters:                  # Primaries this zone is transferred from
        - 192.168.0.1