NSD: Allow to configure the name of the TSIG keys

Of course, I forgot that the name of TSIG keys is relevant, since it needs
to be the same on both the master and the slave...

While we're at it, allow to define keys separately and refer them by name
in zone config, which avoids duplication.

tasks/main.yml

@@ -18,6 +18,9 @@
 - name: Create secondary zone directory
   file: path={{ secondary_zones_dir }} state=directory owner=nsd group=nsd mode=0755
 
+- name: Create keys directory
+  file: path={{ keys_config_dir }} state=directory owner=root group=root mode=0755
+
 
 # Unfortunately, nsd doesn't allow to say "include all files in this directory".
 # The following implements the inclusion logic: the main config file includes
@@ -63,3 +66,20 @@
   with_items: "{{ nsd_secondary_zones }}"
   notify:
     - restart nsd3
+
+
+- name: Configure TSIG keys
+  template: src=tsigkey_config.j2 dest="{{ keys_config_dir }}/{{ item.tsig_keyname }}.conf" owner=root group=root mode=0644
+  notify:
+    - restart nsd3
+  with_items: "{{ nsd_tsig_keys }}"
+
+- name: Add include lines for TSIG keys
+  lineinfile:
+    state: present
+    dest: "{{ zones_include_file }}"
+    regexp: "^include: {{ keys_config_dir }}/{{ item.tsig_keyname }}.conf"
+    line: "include: {{ keys_config_dir }}/{{ item.tsig_keyname }}.conf"
+  with_items: "{{ nsd_tsig_keys }}"
+  notify:
+    - restart nsd3

templates/primary_zone_config.j2

@@ -1,23 +1,9 @@
 # Primary zone definition for {{ item.zone_name }}
-
-{% for slave in item.slaves|default([]) %}
-{% if slave.tsig_secret is defined %}
-key:
-    name: "{{ item.zone_name }}_{{ slave.ip }}"
-    algorithm: "{{ slave.tsig_algorithm }}"
-    secret: "{{ slave.tsig_secret }}"
-{% endif %}
-{% endfor %}
-
-{%- macro tsigkey(slave) %}
-{% if slave.tsig_secret is defined %}{{ item.zone_name }}_{{ slave.ip }}{% else %}NOKEY{% endif %}
-{% endmacro -%}
-
 zone:
   name: "{{ item.zone_name }}"
   zonefile: "{{ primary_zones_dir }}/{{ item.zone_filename }}"
 {% for slave in item.slaves|default([]) %}
-  notify: {{ slave.ip }} "{{ tsigkey(slave) }}"
-  provide-xfr: {{ slave.ip }} "{{ tsigkey(slave) }}"
+  notify: {{ slave.ip }} "{{ slave.tsig_key|default('NOKEY') }}"
+  provide-xfr: {{ slave.ip }} "{{ slave.tsig_key|default('NOKEY') }}"
 {% endfor %}
 

templates/secondary_zone_config.j2

@@ -1,23 +1,9 @@
 # Secondary zone definition for {{ item.zone_name }}
-
-{% for master in item.masters|default([]) %}
-{% if master.tsig_secret is defined %}
-key:
-    name: "{{ item.zone_name }}_{{ master.ip }}"
-    algorithm: "{{ master.tsig_algorithm }}"
-    secret: "{{ master.tsig_secret }}"
-{% endif %}
-{% endfor %}
-
-{%- macro tsigkey(master) %}
-{% if master.tsig_secret is defined %}{{ item.zone_name }}_{{ master.ip }}{% else %}NOKEY{% endif %}
-{% endmacro -%}
-
 zone:
   name: "{{ item.zone_name }}"
   zonefile: "{{ secondary_zones_dir }}/{{ item.zone_name }}"
 {% for master in item.masters|default([]) %}
-  allow-notify: {{ master.ip }} "{{ tsigkey(master) }}"
-  request-xfr: AXFR {{ master.ip }} "{{ tsigkey(master) }}"
+  allow-notify: {{ master.ip }} "{{ master.tsig_key|default('NOKEY') }}"
+  request-xfr: AXFR {{ master.ip }} "{{ master.tsig_key|default('NOKEY') }}"
 {% endfor %}
 

templates/tsigkey_config.j2

@@ -0,0 +1,5 @@
+key:
+    name: "{{ item.tsig_keyname }}"
+    secret: "{{ item.tsig_secret }}"
+    algorithm: "{{ item.tsig_algorithm }}"
+