authorMitchell Riedstra <mitch@riedstra.dev>2025-12-16 23:02:49 -0500
committerMitchell Riedstra <mitch@riedstra.dev>2025-12-16 23:02:49 -0500
commita468044c0337d1a2ac0dab2ce3efc4ad766f81a3 (patch)
treeca7d1523a6b43e14dc4fb6d2cd15966774faa237
parent256ed8e7653b1963e1cc2b6d30aa636e9766d07b (diff)
downloadnsd-a468044c0337d1a2ac0dab2ce3efc4ad766f81a3.tar.gz
nsd-a468044c0337d1a2ac0dab2ce3efc4ad766f81a3.tar.xz
Rework the NSD role to support more operating systems with minimal effort and duplication
-rw-r--r--defaults/main.yml1
-rw-r--r--handlers/main.yml8
-rw-r--r--tasks/alpine.yml24
-rw-r--r--tasks/linux.yml36
-rw-r--r--tasks/main.yml93
-rw-r--r--tasks/openbsd.yml22
-rw-r--r--templates/nsd.conf26
-rw-r--r--templates/nsd/nsd.conf35
-rw-r--r--templates/nsd/run.j27
-rw-r--r--templates/openbsd_nsd.conf70
-rw-r--r--templates/run.j24
-rw-r--r--vars/main.yml14
-rw-r--r--vars/openbsd.yml5
13 files changed, 153 insertions, 192 deletions
diff --git a/defaults/main.yml b/defaults/main.yml
index 0549ac8..f1a6e26 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,5 +1,6 @@
---
+# nsd_bindaddr: <ipaddr>[@<port>]
# nsd_keys:
# - name: key_one
# algorithm: hmac-md5
diff --git a/handlers/main.yml b/handlers/main.yml
index 6838ab5..f73f8db 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,14 +1,14 @@
-- name: Restart NSD [ Linux ]
+- name: 'sv: Restart NSD'
runit:
name: nsd
state: restarted
listen:
- Restart NSD
- when: ansible_facts['system'].lower() == "linux"
-- name: Restart NSD [ OpenBSD ]
+ when: use_runit
+- name: Restart NSD
service:
name: nsd
state: restarted
listen:
- Restart NSD
- when: ansible_facts['system'].lower() == "openbsd"
+ when: 'not use_runit'
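Review bot: The two handler conditions are quoted inconsistently — `when: use_runit` is bare while the sibling is `when: 'not use_runit'`; neither needs quoting, so `when: not use_runit` keeps the pair uniform (the same mixed style appears on the `Enable NSD` task in tasks/main.yml). The first handler relies on the `runit` module, which ships in the community.general collection rather than ansible-core, so hosts where `use_runit` is true will fail at handler time if that collection is absent; a `collections:` entry in meta or a README requirement would make the dependency explicit.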
diff --git a/tasks/alpine.yml b/tasks/alpine.yml
deleted file mode 100644
index 7b73870..0000000
--- a/tasks/alpine.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-- name: Install Runit service directory
- file:
- state: directory
- path: /etc/sv/nsd
- mode: '0755'
-- name: Install Runit service command
- template:
- src: run.j2
- dest: /etc/sv/nsd/run
- mode: '755'
-- name: Install supervise symlink
- file:
- state: link
- force: yes
- src: /run/supervise.nsd
- dest: /etc/sv/nsd/supervise
- follow: false
-- name: Enable NSD service
- file:
- state: link
- force: yes
- src: /etc/sv/nsd
- dest: /var/service/nsd
- follow: false
diff --git a/tasks/linux.yml b/tasks/linux.yml
deleted file mode 100644
index 346c088..0000000
--- a/tasks/linux.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-- name: 'Install NSD [Void]'
- xbps:
- state: present
- name: nsd
- when: ansible_facts['distribution'].lower() == "void"
-- name: 'Install NSD [Alpine]'
- apk:
- state: present
- name: nsd
- when: ansible_facts['distribution'].lower() == "alpine"
-- name: Install nsd.conf
- template:
- src: nsd.conf
- dest: /etc/nsd/nsd.conf
-- name: Install zone files
- template:
- src: 'zones/{{item}}'
- dest: '/etc/nsd/{{item}}.zone'
- validate: 'nsd-checkzone {{item}} %s'
- owner: root
- group: nsd
- mode: 0640
- loop: "{{nsd_zones}}"
- notify:
- - Restart NSD
-- name: Include Alpine Linux Speicifc Tasks
- include_tasks: alpine.yml
- when: ansible_facts['distribution'].lower() == "alpine"
-- name: Enable NSD
- file:
- src: /etc/sv/nsd
- dest: /var/service/nsd
- owner: root
- group: root
- state: link
diff --git a/tasks/main.yml b/tasks/main.yml
index ebb9733..158eb6f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,7 +1,88 @@
---
-- name: Include Linux tasks
- include_tasks: linux.yml
- when: ansible_facts['system'].lower() == "linux"
-- name: Include OpenBSD Tasks
- include_tasks: openbsd.yml
- when: ansible_facts['system'].lower() == "openbsd"
+- name: 'Include OpenBSD vars'
+ include_vars: 'openbsd.yml'
+ when: is_openbsd
+- name: 'Check for runit'
+ set_fact:
+ use_runit: true
+ when: is_alpine or is_voidlinux or is_deb
+- name: 'VoidLinux: Install NSD'
+ xbps:
+ state: present
+ name: nsd
+ when: is_voidlinux
+- name: 'Alpine: Install NSD'
+ apk:
+ state: present
+ name: nsd
+ when: is_alpine
+- name: 'RHEL: Install epel'
+ yum:
+ state: present
+ name: epel-release
+ when: is_rhel
+- name: 'RHEL: Install NSD'
+ yum:
+ state: present
+ name: nsd
+ when: is_rhel
+- name: 'debian: Install NSD'
+ apt:
+ state: present
+ name: nsd
+ when: is_deb
+- name: Install nsd.conf
+ template:
+ src: nsd/nsd.conf
+ dest: '{{nsd_conf}}'
+- name: Ensure zone dir exists
+ file:
+ path: '{{zone_dir}}'
+ owner: '{{zone_owner}}'
+ group: '{{zone_group}}'
+ state: directory
+- name: Install zone files
+ template:
+ src: 'zones/{{item}}'
+ dest: '{{zone_dir}}/{{item}}.zone'
+ validate: 'nsd-checkzone {{item}} %s'
+ owner: '{{zone_owner}}'
+ group: '{{zone_group}}'
+ mode: 0640
+ loop: "{{nsd_zones}}"
+ notify:
+ - Restart NSD
+- name: 'runit: create service directory'
+ file:
+ state: directory
+ path: /etc/sv/nsd
+ mode: '0755'
+ when: use_runit
+- name: 'runit: Install service command'
+ template:
+ src: nsd/run.j2
+ dest: /etc/sv/nsd/run
+ mode: '755'
+ when: use_runit
+- name: 'runit: Install supervise symlink'
+ file:
+ state: link
+ force: yes
+ src: /run/supervise.nsd
+ dest: /etc/sv/nsd/supervise
+ follow: false
+ when: use_runit
+- name: 'runit: Enable NSD'
+ file:
+ src: /etc/sv/nsd
+ dest: /var/service/nsd
+ owner: root
+ group: root
+ state: link
+ when: use_runit
+- name: Enable NSD
+ service:
+ name: nsd
+ state: started
+ enabled: true
+ when: 'not use_runit'
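Review bot: The `Install nsd.conf` task writes the rendered config — which embeds the TSIG `key.secret` values — with no `owner`, `group` or `mode`, so the file is created with the remote umask default (normally world-readable), and unlike the deleted `tasks/openbsd.yml` task it has no `notify`, so a changed config no longer triggers `Restart NSD`. Pinning ownership to the same `zone_owner`/`zone_group` used for zone files with a group-readable mode, and notifying the handler, closes both gaps. Separately, `Check for runit` sets `use_runit` for `is_deb` hosts while the new template comments on systemd-resolved on Ubuntu; if those hosts run systemd, the `/etc/sv/nsd` and `/var/service/nsd` tasks will not produce a running service and the `Enable NSD` service task is skipped for them — worth confirming which init the Debian-family targets actually use.
```yaml
# … unchanged: vars include, use_runit fact, per-OS package installs …
- name: Install nsd.conf
  template:
    src: nsd/nsd.conf
    dest: '{{nsd_conf}}'
    owner: '{{zone_owner}}'
    group: '{{zone_group}}'
    mode: '0640'
  notify:
    - Restart NSD
# … unchanged: zone dir, zone files, runit and service tasks …
```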
diff --git a/tasks/openbsd.yml b/tasks/openbsd.yml
deleted file mode 100644
index 0d3e613..0000000
--- a/tasks/openbsd.yml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-- name: 'Install nsd.conf'
- template:
- src: openbsd_nsd.conf
- dest: /var/nsd/etc/nsd.conf
- notify:
- - Restart NSD
-- name: Install zone files
- template:
- src: 'zones/{{item}}'
- dest: '/var/nsd/zones/master/{{item}}.zone'
- validate: 'nsd-checkzone {{item}} %s'
- owner: root
- group: wheel
- mode: 0644
- loop: "{{nsd_zones}}"
- notify:
- - Restart NSD
-- name: Enable nsd
- service:
- name: nsd
- enabled: yes
diff --git a/templates/nsd.conf b/templates/nsd.conf
deleted file mode 100644
index 246e308..0000000
--- a/templates/nsd.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# Managed by Ansible
-server:
- server-count: 1 # use this number of cpu cores
- database: "/var/db/nsd/nsd.db"
- zonelistfile: "/var/db/nsd/zone.list"
- username: nsd
- logfile: "/var/log/nsd.log"
- pidfile: "/var/run/nsd.pid"
- xfrdfile: "/var/db/nsd/xfrd.state"
-
-{% if nsd_keys is defined %}
-{% for key in nsd_keys %}
-key:
- name: {{key.name}}
- algorithm: {{key.algorithm}}
- secret: "{{key.secret}}"
-{% endfor %}
-{% endif %}
-
-
-{% for zone in nsd_zones %}
-zone:
- name: {{zone}}
- zonefile: /etc/nsd/%s.zone
-
-{% endfor %}
diff --git a/templates/nsd/nsd.conf b/templates/nsd/nsd.conf
new file mode 100644
index 0000000..43f2f12
--- /dev/null
+++ b/templates/nsd/nsd.conf
@@ -0,0 +1,35 @@
+server:
+ #server-count: 1 # use this number of cpu cores
+ {% if nsd_bindaddr is defined %}ip-address: {{nsd_bindaddr}}
+ {% elif is_deb %}
+
+ # Workaround for systemd-resolved nonsense on Ubuntu servers
+ ip-address: {{ansible_facts['all_ipv4_addresses'][0]}}
+ {% endif %}
+
+ hide-version: yes
+ verbosity: 1
+ database: "" # disable database
+
+ remote-control:
+ control-enable: yes
+ control-interface: /var/run/nsd.sock
+
+{% if nsd_keys is defined %}
+{% for key in nsd_keys %}
+key:
+ name: {{key.name}}
+ algorithm: {{key.algorithm}}
+ secret: "{{key.secret}}"
+{% endfor %}
+{% endif %}
+
+
+{% for zone in nsd_zones %}
+zone:
+ name: {{zone}}
+ {% if is_openbsd %}zonefile: master/%s.zone
+ {% else %}zonefile: {{zone_dir}}/%s.zone
+{% endif %}
+
+{% endfor %}
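Review bot: The `is_deb` branch binds nsd to `ansible_facts['all_ipv4_addresses'][0]`, the first element of a list whose order is not defined, so the listener can land on an arbitrary interface (including a container or VPN address) and the template fails outright on a host with no IPv4 address. `ansible_facts['default_ipv4']['address']` is at least deterministic, and an explicit `nsd_bindaddr` in inventory — which the new `defaults/main.yml` comment already documents — is the safer route for an authoritative server. Unlike the two templates this commit deletes, the file carries no `# Managed by Ansible` header; restoring it tells operators the file is overwritten on the next run.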
diff --git a/templates/nsd/run.j2 b/templates/nsd/run.j2
new file mode 100644
index 0000000..02f4587
--- /dev/null
+++ b/templates/nsd/run.j2
@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+if ! [ -d /var/log/nsd ]; then
+ mkdir /var/log/nsd
+fi
+nsd -d 2>&1 | svlogd -tt /var/log/nsd
+
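Review bot: Without `exec`, runit supervises the `/bin/sh` that runs the pipeline rather than nsd itself, so the `sv restart` issued by the `Restart NSD` handler signals the shell and can leave the old `nsd` holding the port while the replacement fails to bind; the deleted `templates/run.j2` had `exec nsd -d` and did not have this problem. The runit idiom is to keep `run` as `exec nsd -d 2>&1` and put logging in a separate `log/run` script containing `exec svlogd -tt /var/log/nsd`, which runit connects to the service's stdout and supervises independently. That also moves the `mkdir /var/log/nsd` out of the run script into an Ansible `file` task where an owner and mode can be set.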
diff --git a/templates/openbsd_nsd.conf b/templates/openbsd_nsd.conf
deleted file mode 100644
index 70e3541..0000000
--- a/templates/openbsd_nsd.conf
+++ /dev/null
@@ -1,70 +0,0 @@
-# Manged by Ansible
-
-server:
- hide-version: yes
- verbosity: 1
- database: "" # disable database
-
-## bind to a specific address/port
-# ip-address: 192.0.2.53
-# ip-address: 192.0.2.53@5678
-# ip-address: 2001:db8::53
-
-## make packets as small as possible, on by default
-# minimal-responses: yes
-
-## respond with truncation for ANY queries over UDP and allow ANY over TCP,
-## on by default
-# refuse-any: yes
-
-remote-control:
- control-enable: yes
- control-interface: /var/run/nsd.sock
-
-## tsig key example
-#key:
-# name: "tsig1.example.com."
-# algorithm: hmac-sha256
-# secret: "bWVrbWl0YXNkaWdvYXQ="
-
-## master zone example
-#zone:
-# name: "example.com"
-# zonefile: "master/example.com"
-# notify: 192.0.2.1 NOKEY
-# provide-xfr: 192.0.2.1 NOKEY
-
-## slave zone example
-#zone:
-# name: "example.net"
-# zonefile: "slave/example.net"
-# allow-notify: 192.0.2.2 tsig1.example.com.
-# request-xfr: 192.0.2.2 tsig1.example.com.
-
-## dynamically configured zones, used with "nsd-control addzone/delzone".
-## filenames are constructed using the pattern: %s - zone name.
-## %1 - first character of zone name, %2 second, ## %3 third.
-## %z - topleveldomain label of zone, %y, %x next labels in name.
-#pattern:
-# name: "master"
-# zonefile: "master/%s.zone"
-# notify: 192.0.2.1 NOKEY
-# provide-xfr: 192.0.2.1 NOKEY
-
-
-{% if nsd_keys is defined %}
-{% for key in nsd_keys %}
-key:
- name: {{key.name}}
- algorithm: {{key.algorithm}}
- secret: "{{key.secret}}"
-{% endfor %}
-{% endif %}
-
-
-{% for zone in nsd_zones %}
-zone:
- name: {{zone}}
- zonefile: master/%s.zone
-
-{% endfor %}
diff --git a/templates/run.j2 b/templates/run.j2
deleted file mode 100644
index 7173f62..0000000
--- a/templates/run.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-# install -d -m 0755 -o nsd -g nsd /run/nsd
-exec nsd -d 2>/dev/null
-
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..8e4dbe5
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,14 @@
+---
+is_alpine: '{{ansible_facts["system"].lower() == "linux" and ansible_facts["distribution"].lower() == "alpine"}}'
+is_voidlinux: '{{ansible_facts["system"].lower() == "linux" and ansible_facts["distribution"].lower() == "void"}}'
+is_rhel: '{{ansible_facts["system"].lower() == "linux" and ansible_facts["os_family"].lower() == "redhat"}}'
+is_deb: '{{ansible_facts["system"].lower() == "linux" and ansible_facts["os_family"].lower() == "debian"}}'
+is_openbsd: '{{ansible_facts["system"].lower() == "openbsd"}}'
+
+
+# Overridden in other vars based on OS
+use_runit: false
+nsd_conf: /etc/nsd/nsd.conf
+zone_dir: /etc/nsd/zones
+zone_owner: root
+zone_group: nsd
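Review bot: Everything in `vars/main.yml` has role-vars precedence, which outranks inventory, group_vars and play vars, so `nsd_conf`, `zone_dir`, `zone_owner` and `zone_group` cannot be tuned per host from inventory — only `include_vars`, `set_fact` and extra-vars win over them, which is why the OpenBSD override and the `use_runit` fact still work. If those paths are meant to be operator-adjustable, they belong in `defaults/main.yml`, with only the `is_*` detection facts staying here. The comment `# Overridden in other vars based on OS` could name the mechanism: `# Per-OS overrides live in vars/<os>.yml and are loaded with include_vars from tasks/main.yml`.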
diff --git a/vars/openbsd.yml b/vars/openbsd.yml
new file mode 100644
index 0000000..dd1a03e
--- /dev/null
+++ b/vars/openbsd.yml
@@ -0,0 +1,5 @@
+---
+nsd_conf: /var/nsd/etc/nsd.conf
+zone_dir: /var/nsd/zones/master
+zone_group: _nsd
+use_runit: false