Adding DNS role

roles/dns/molecule/default/converge.yml

@@ -0,0 +1,8 @@
+---
+- name: Converge
+  hosts: localhost
+  gather_facts: false
+  vars_files:
+    - ../../../molecule/shared/vars.yml
+  roles:
+    - role: dns

roles/dns/molecule/default/molecule.yml

@@ -0,0 +1,21 @@
+---
+dependency:
+  name: galaxy
+  options:
+    requirements-file: requirements.yml
+driver:
+  name: default
+platforms:
+  - name: localhost
+    groups:
+      - sovereign
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: "${MOLECULE_PROJECT_DIRECTORY}/.."
+  inventory:
+    host_vars:
+      localhost:
+        ansible_connection: local
+verifier:
+  name: ansible

roles/dns/molecule/default/verify.yml

@@ -0,0 +1,194 @@
+---
+- name: Verify dns role
+  hosts: localhost
+  gather_facts: false
+  vars:
+    dns_data_dir: /tmp/sovereign_test/dns
+
+  tasks:
+    - name: Check dns data directory exists
+      ansible.builtin.stat:
+        path: /tmp/sovereign_test/dns
+      register: data_dir_stat
+
+    - name: Assert dns data directory is present
+      ansible.builtin.assert:
+        that: data_dir_stat.stat.isdir
+        fail_msg: "Data directory /tmp/sovereign_test/dns was not created"
+
+    - name: Check dns config directory exists
+      ansible.builtin.stat:
+        path: /tmp/sovereign_test/dns/config
+      register: config_dir_stat
+
+    - name: Assert dns config directory is present
+      ansible.builtin.assert:
+        that: config_dir_stat.stat.isdir
+        fail_msg: "Directory /tmp/sovereign_test/dns/config was not created"
+
+    - name: Check dns zones directory exists
+      ansible.builtin.stat:
+        path: /tmp/sovereign_test/dns/zones
+      register: zones_dir_stat
+
+    - name: Assert dns zones directory is present
+      ansible.builtin.assert:
+        that: zones_dir_stat.stat.isdir
+        fail_msg: "Directory /tmp/sovereign_test/dns/zones was not created"
+
+    - name: Check dns cache directory exists
+      ansible.builtin.stat:
+        path: /tmp/sovereign_test/dns/cache
+      register: cache_dir_stat
+
+    - name: Assert dns cache directory is present
+      ansible.builtin.assert:
+        that: cache_dir_stat.stat.isdir
+        fail_msg: "Directory /tmp/sovereign_test/dns/cache was not created"
+
+    - name: Check named.conf exists
+      ansible.builtin.stat:
+        path: /tmp/sovereign_test/dns/config/named.conf
+      register: named_conf_stat
+
+    - name: Assert named.conf was rendered
+      ansible.builtin.assert:
+        that: named_conf_stat.stat.exists
+        fail_msg: "named.conf was not rendered"
+
+    - name: Read named.conf
+      ansible.builtin.slurp:
+        src: /tmp/sovereign_test/dns/config/named.conf
+      register: named_conf_raw
+
+    - name: Set named.conf content fact
+      ansible.builtin.set_fact:
+        named_conf: "{{ named_conf_raw.content | b64decode }}"
+
+    - name: Assert zone declaration for base domain in named.conf
+      ansible.builtin.assert:
+        that: "'zone \"test.example.com\"' in named_conf"
+        fail_msg: "Expected zone declaration for test.example.com not found in named.conf"
+
+    - name: Assert recursion disabled in named.conf
+      ansible.builtin.assert:
+        that: "'recursion no' in named_conf"
+        fail_msg: "Expected 'recursion no' not found in named.conf"
+
+    - name: Check zone file exists
+      ansible.builtin.stat:
+        path: /tmp/sovereign_test/dns/zones/test.example.com.zone
+      register: zone_stat
+
+    - name: Assert zone file was rendered
+      ansible.builtin.assert:
+        that: zone_stat.stat.exists
+        fail_msg: "Zone file test.example.com.zone was not rendered"
+
+    - name: Read zone file
+      ansible.builtin.slurp:
+        src: /tmp/sovereign_test/dns/zones/test.example.com.zone
+      register: zone_raw
+
+    - name: Set zone content fact
+      ansible.builtin.set_fact:
+        zone: "{{ zone_raw.content | b64decode }}"
+
+    - name: Assert SOA record in zone
+      ansible.builtin.assert:
+        that: "'SOA' in zone"
+        fail_msg: "SOA record not found in zone file"
+
+    - name: Assert NS record in zone
+      ansible.builtin.assert:
+        that: "'IN      NS' in zone"
+        fail_msg: "NS record not found in zone file"
+
+    - name: Assert server IP in zone for ns1 A record
+      ansible.builtin.assert:
+        that: "'192.0.2.1' in zone"
+        fail_msg: "Expected dns_server_ip 192.0.2.1 not found in zone file"
+
+    - name: Assert mail A record in zone
+      ansible.builtin.assert:
+        that: "'mail            IN      A' in zone"
+        fail_msg: "mail A record not found in zone file"
+
+    - name: Assert MX record in zone
+      ansible.builtin.assert:
+        that: "'IN      MX' in zone"
+        fail_msg: "MX record not found in zone file"
+
+    - name: Assert SPF TXT record in zone
+      ansible.builtin.assert:
+        that: "'v=spf1 mx ~all' in zone"
+        fail_msg: "SPF record not found in zone file"
+
+    - name: Assert DMARC TXT record in zone
+      ansible.builtin.assert:
+        that: "'v=DMARC1' in zone"
+        fail_msg: "DMARC record not found in zone file"
+
+    - name: Assert DMARC policy in zone
+      ansible.builtin.assert:
+        that: "'p=quarantine' in zone"
+        fail_msg: "Expected DMARC policy 'quarantine' not found in zone file"
+
+    - name: Assert DMARC rua address in zone
+      ansible.builtin.assert:
+        that: "'mailto:dmarc-reports@test.example.com' in zone"
+        fail_msg: "Expected DMARC rua address not found in zone file"
+
+    - name: Assert auth A record in zone
+      ansible.builtin.assert:
+        that: "'auth            IN      A' in zone"
+        fail_msg: "auth A record not found in zone file"
+
+    - name: Assert git A record in zone
+      ansible.builtin.assert:
+        that: "'git             IN      A' in zone"
+        fail_msg: "git A record not found in zone file"
+
+    - name: Check docker-compose.yml exists
+      ansible.builtin.stat:
+        path: /tmp/sovereign_test/dns/docker-compose.yml
+      register: compose_stat
+
+    - name: Assert docker-compose.yml was rendered
+      ansible.builtin.assert:
+        that: compose_stat.stat.exists
+        fail_msg: "docker-compose.yml was not rendered for dns"
+
+    - name: Read docker-compose.yml
+      ansible.builtin.slurp:
+        src: /tmp/sovereign_test/dns/docker-compose.yml
+      register: compose_raw
+
+    - name: Set compose content fact
+      ansible.builtin.set_fact:
+        compose: "{{ compose_raw.content | b64decode }}"
+
+    - name: Assert bind9 image in compose
+      ansible.builtin.assert:
+        that: "'ubuntu/bind9:9.18-22.04_beta' in compose"
+        fail_msg: "Expected bind9 image not found in docker-compose.yml"
+
+    - name: Assert port 53 TCP in compose
+      ansible.builtin.assert:
+        that: "'53:53/tcp' in compose"
+        fail_msg: "Expected port 53/tcp mapping not found in docker-compose.yml"
+
+    - name: Assert port 53 UDP in compose
+      ansible.builtin.assert:
+        that: "'53:53/udp' in compose"
+        fail_msg: "Expected port 53/udp mapping not found in docker-compose.yml"
+
+    - name: Assert GELF logging address in compose
+      ansible.builtin.assert:
+        that: "'udp://127.0.0.1:12201' in compose"
+        fail_msg: "Expected GELF address udp://127.0.0.1:12201 not found in docker-compose.yml"
+
+    - name: Assert sovereign network is external in compose
+      ansible.builtin.assert:
+        that: "'external: true' in compose"
+        fail_msg: "Expected 'external: true' not found in docker-compose.yml"