NSD: Allow to configure the name of the TSIG keys
Of course, I forgot that the name of a TSIG key is relevant, since it needs to be the same on both the master and the slave... While we're at it, allow keys to be defined separately and referred to by name in the zone config, which avoids duplicating the secret across zones.
This commit is contained in:
parent
0e6f8b9ad2
commit
34f12ba81c
@ -18,6 +18,9 @@
|
||||
- name: Create secondary zone directory
|
||||
file: path={{ secondary_zones_dir }} state=directory owner=nsd group=nsd mode=0755
|
||||
|
||||
- name: Create keys directory
|
||||
file: path={{ keys_config_dir }} state=directory owner=root group=root mode=0755
|
||||
|
||||
|
||||
# Unfortunately, nsd doesn't allow to say "include all files in this directory".
|
||||
# The following implements the inclusion logic: the main config file includes
|
||||
@ -63,3 +66,20 @@
|
||||
with_items: "{{ nsd_secondary_zones }}"
|
||||
notify:
|
||||
- restart nsd3
|
||||
|
||||
|
||||
- name: Configure TSIG keys
|
||||
template: src=tsigkey_config.j2 dest="{{ keys_config_dir }}/{{ item.tsig_keyname }}.conf" owner=root group=root mode=0644
|
||||
notify:
|
||||
- restart nsd3
|
||||
with_items: "{{ nsd_tsig_keys }}"
|
||||
|
||||
- name: Add include lines for TSIG keys
|
||||
lineinfile:
|
||||
state: present
|
||||
dest: "{{ zones_include_file }}"
|
||||
regexp: "^include: {{ keys_config_dir }}/{{ item.tsig_keyname }}.conf"
|
||||
line: "include: {{ keys_config_dir }}/{{ item.tsig_keyname }}.conf"
|
||||
with_items: "{{ nsd_tsig_keys }}"
|
||||
notify:
|
||||
- restart nsd3
|
||||
|
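Review bot: The key files written by the 'Configure TSIG keys' task are world-readable (`mode=0644` inside a `0755` directory), so every local account on the host can read the TSIG secrets; `owner=root group=nsd mode=0640` keeps them readable by the daemon while closing that, or `0600` if nsd3 reads its config before dropping privileges (verify against the init script). The same task iterates `nsd_tsig_keys` without `no_log: true`, so each item, secret included, is printed in the play output and ends up in whatever collects Ansible logs; add `no_log: true` to that task if the Ansible version in use supports it. `item.tsig_keyname` also goes straight into the `dest` path and the include line, so a name containing `/` or `..` would land the file outside `keys_config_dir`; the values are operator-supplied, but a check on the name format is cheap. Nothing removes a key file or its include line when an entry is dropped from `nsd_tsig_keys`, so a revoked secret stays valid on disk until cleaned up by hand; worth a note in the role docs if that is not handled elsewhere.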
@ -1,23 +1,9 @@
|
||||
# Primary zone definition for {{ item.zone_name }}
|
||||
|
||||
{% for slave in item.slaves|default([]) %}
|
||||
{% if slave.tsig_secret is defined %}
|
||||
key:
|
||||
name: "{{ item.zone_name }}_{{ slave.ip }}"
|
||||
algorithm: "{{ slave.tsig_algorithm }}"
|
||||
secret: "{{ slave.tsig_secret }}"
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
{%- macro tsigkey(slave) %}
|
||||
{% if slave.tsig_secret is defined %}{{ item.zone_name }}_{{ slave.ip }}{% else %}NOKEY{% endif %}
|
||||
{% endmacro -%}
|
||||
|
||||
zone:
|
||||
name: "{{ item.zone_name }}"
|
||||
zonefile: "{{ primary_zones_dir }}/{{ item.zone_filename }}"
|
||||
{% for slave in item.slaves|default([]) %}
|
||||
notify: {{ slave.ip }} "{{ tsigkey(slave) }}"
|
||||
provide-xfr: {{ slave.ip }} "{{ tsigkey(slave) }}"
|
||||
notify: {{ slave.ip }} "{{ slave.tsig_key|default('NOKEY') }}"
|
||||
provide-xfr: {{ slave.ip }} "{{ slave.tsig_key|default('NOKEY') }}"
|
||||
{% endfor %}
|
||||
|
||||
|
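Review bot: The `default('NOKEY')` on the new `notify`/`provide-xfr` lines turns a missing or misspelled `tsig_key` on a slave entry into an unauthenticated zone transfer to that IP with no error at render time, and the attribute names are now easy to mix up (`tsig_key` here, `tsig_keyname` in `nsd_tsig_keys`). Requiring the key explicitly, e.g. `provide-xfr: {{ slave.ip }} "{{ slave.tsig_key | mandatory }}"` (if the filter is available in the Ansible in use) and having operators write `tsig_key: NOKEY` when they really mean it, makes the unauthenticated case a deliberate choice rather than a typo. Nothing checks that the referenced name is actually declared in `nsd_tsig_keys`; presumably nsd refuses to start on an unknown key name, which at least fails loudly, but a comment above the loop such as `{# keys referenced here must be declared in nsd_tsig_keys; NOKEY disables TSIG for that slave #}` would spare the next operator a restart failure.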
@ -1,23 +1,9 @@
|
||||
# Secondary zone definition for {{ item.zone_name }}
|
||||
|
||||
{% for master in item.masters|default([]) %}
|
||||
{% if master.tsig_secret is defined %}
|
||||
key:
|
||||
name: "{{ item.zone_name }}_{{ master.ip }}"
|
||||
algorithm: "{{ master.tsig_algorithm }}"
|
||||
secret: "{{ master.tsig_secret }}"
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
{%- macro tsigkey(master) %}
|
||||
{% if master.tsig_secret is defined %}{{ item.zone_name }}_{{ master.ip }}{% else %}NOKEY{% endif %}
|
||||
{% endmacro -%}
|
||||
|
||||
zone:
|
||||
name: "{{ item.zone_name }}"
|
||||
zonefile: "{{ secondary_zones_dir }}/{{ item.zone_name }}"
|
||||
{% for master in item.masters|default([]) %}
|
||||
allow-notify: {{ master.ip }} "{{ tsigkey(master) }}"
|
||||
request-xfr: AXFR {{ master.ip }} "{{ tsigkey(master) }}"
|
||||
allow-notify: {{ master.ip }} "{{ master.tsig_key|default('NOKEY') }}"
|
||||
request-xfr: AXFR {{ master.ip }} "{{ master.tsig_key|default('NOKEY') }}"
|
||||
{% endfor %}
|
||||
|
||||
|
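Review bot: The `default('NOKEY')` on the new `allow-notify`/`request-xfr` lines makes a missing `tsig_key` on a master entry silently degrade to IP-only authentication: `allow-notify` then trusts a UDP source address, which is forgeable, and `request-xfr` accepts zone content with no integrity check beyond the TCP peer address. As on the primary template, making the key mandatory (`{{ master.tsig_key | mandatory }}`, with an explicit `tsig_key: NOKEY` for the deliberate case) turns a typo into a render error instead of a weaker zone. Since the removed macro means per-master `tsig_secret`/`tsig_algorithm` attributes are no longer read, a one-line comment above the loop stating that keys are now declared in `nsd_tsig_keys` and referenced by `tsig_key` would stop old inventories from being silently ignored.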
5
templates/tsigkey_config.j2
Normal file
5
templates/tsigkey_config.j2
Normal file
@ -0,0 +1,5 @@
|
||||
key:
|
||||
name: "{{ item.tsig_keyname }}"
|
||||
secret: "{{ item.tsig_secret }}"
|
||||
algorithm: "{{ item.tsig_algorithm }}"
|
||||
|
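Review bot: The rendered file carries a shared secret in clear but nothing in it tells a reader on the host that it is sensitive or which role manages it; a header above `key:` such as `# TSIG key "{{ item.tsig_keyname }}" -- managed by Ansible, contains a shared secret, keep the file mode restrictive` would carry that through. Nothing here validates `tsig_algorithm` against the names nsd accepts or `tsig_secret` as base64; presumably a bad value only surfaces when the handler restarts nsd, so a comment naming the expected values (`hmac-sha256` preferred; HMAC-MD5 is no longer recommended for TSIG, see RFC 8945) is worth adding next to the `algorithm:` line.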