NSD: Allow to configure the name of the TSIG keys

Of course, I forgot that the name of TSIG keys is relevant, since it needs
to be the same on both the master and the slave...

While we're at it, allow keys to be defined separately and referred to by name
in the zone config, which avoids duplication.
Baptiste Jonglez 2016-03-26 19:14:59 +01:00
parent 0e6f8b9ad2
commit 34f12ba81c
4 changed files with 29 additions and 32 deletions


@ -18,6 +18,9 @@
- name: Create secondary zone directory
file: path={{ secondary_zones_dir }} state=directory owner=nsd group=nsd mode=0755
- name: Create keys directory
file: path={{ keys_config_dir }} state=directory owner=root group=root mode=0755
# Unfortunately, nsd doesn't allow to say "include all files in this directory".
# The following implements the inclusion logic: the main config file includes
@ -63,3 +66,20 @@
with_items: "{{ nsd_secondary_zones }}"
notify:
- restart nsd3
- name: Configure TSIG keys
template: src=tsigkey_config.j2 dest="{{ keys_config_dir }}/{{ item.tsig_keyname }}.conf" owner=root group=root mode=0644
notify:
- restart nsd3
with_items: "{{ nsd_tsig_keys }}"
- name: Add include lines for TSIG keys
lineinfile:
state: present
dest: "{{ zones_include_file }}"
regexp: "^include: {{ keys_config_dir }}/{{ item.tsig_keyname }}.conf"
line: "include: {{ keys_config_dir }}/{{ item.tsig_keyname }}.conf"
with_items: "{{ nsd_tsig_keys }}"
notify:
- restart nsd3
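Review bot: The rendered key file at `dest="{{ keys_config_dir }}/{{ item.tsig_keyname }}.conf"` holds a TSIG shared secret but is written with `mode=0644` inside a `mode=0755` directory, so any local account on the host can read it. Presumably nsd only needs the file readable by the user that parses the config, so `owner=root group=nsd mode=0640` on the template task (and `mode=0750` on the directory created at the top of the section) would keep it away from other users — confirm which user nsd reads its config as on this host. The same task should also carry `no_log: true`, since each loop item contains `tsig_secret` and Ansible's loop output otherwise includes the whole item. The task list continues outside the hunk.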


@ -1,23 +1,9 @@
# Primary zone definition for {{ item.zone_name }}
{% for slave in item.slaves|default([]) %}
{% if slave.tsig_secret is defined %}
key:
name: "{{ item.zone_name }}_{{ slave.ip }}"
algorithm: "{{ slave.tsig_algorithm }}"
secret: "{{ slave.tsig_secret }}"
{% endif %}
{% endfor %}
{%- macro tsigkey(slave) %}
{% if slave.tsig_secret is defined %}{{ item.zone_name }}_{{ slave.ip }}{% else %}NOKEY{% endif %}
{% endmacro -%}
zone:
name: "{{ item.zone_name }}"
zonefile: "{{ primary_zones_dir }}/{{ item.zone_filename }}"
{% for slave in item.slaves|default([]) %}
notify: {{ slave.ip }} "{{ tsigkey(slave) }}"
provide-xfr: {{ slave.ip }} "{{ tsigkey(slave) }}"
notify: {{ slave.ip }} "{{ slave.tsig_key|default('NOKEY') }}"
provide-xfr: {{ slave.ip }} "{{ slave.tsig_key|default('NOKEY') }}"
{% endfor %}
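Review bot: The new `notify`/`provide-xfr` lines take the key name from `slave.tsig_key`, while the tasks that generate the key files use `item.tsig_keyname` on the `nsd_tsig_keys` items, and the `default('NOKEY')` fallback means a slave entry written with the other spelling silently gets an unauthenticated transfer instead of an error. Consider one attribute name across both structures, and if no slave is meant to transfer without a key, drop the `default('NOKEY')` so the template fails on a missing name rather than opening the zone. The secondary template's `allow-notify`/`request-xfr` lines have the same shape. Nothing on the page checks that a referenced key name exists in `nsd_tsig_keys`; presumably nsd rejects the config at load time, but a precheck in the playbook would give a clearer error than a failed restart.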


@ -1,23 +1,9 @@
# Secondary zone definition for {{ item.zone_name }}
{% for master in item.masters|default([]) %}
{% if master.tsig_secret is defined %}
key:
name: "{{ item.zone_name }}_{{ master.ip }}"
algorithm: "{{ master.tsig_algorithm }}"
secret: "{{ master.tsig_secret }}"
{% endif %}
{% endfor %}
{%- macro tsigkey(master) %}
{% if master.tsig_secret is defined %}{{ item.zone_name }}_{{ master.ip }}{% else %}NOKEY{% endif %}
{% endmacro -%}
zone:
name: "{{ item.zone_name }}"
zonefile: "{{ secondary_zones_dir }}/{{ item.zone_name }}"
{% for master in item.masters|default([]) %}
allow-notify: {{ master.ip }} "{{ tsigkey(master) }}"
request-xfr: AXFR {{ master.ip }} "{{ tsigkey(master) }}"
allow-notify: {{ master.ip }} "{{ master.tsig_key|default('NOKEY') }}"
request-xfr: AXFR {{ master.ip }} "{{ master.tsig_key|default('NOKEY') }}"
{% endfor %}


@ -0,0 +1,5 @@
key:
name: "{{ item.tsig_keyname }}"
secret: "{{ item.tsig_secret }}"
algorithm: "{{ item.tsig_algorithm }}"
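Review bot: The new key template has no header comment, unlike the zone templates which open with `# Primary zone definition for …`; add `# TSIG key {{ item.tsig_keyname }} — contains a shared secret, generated by Ansible, do not edit` so a reader of the rendered file in `keys_config_dir` knows where the value comes from and that it is sensitive. The hunk header counts 5 added lines but only 4 are shown, so a trailing blank line is presumably not rendered here.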