diff --git a/tasks/main.yml b/tasks/main.yml
index cc758c6..a70acc2 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -18,6 +18,9 @@
 - name: Create secondary zone directory
 file: path={{ secondary_zones_dir }} state=directory owner=nsd group=nsd mode=0755
+- name: Create keys directory
+ file: path={{ keys_config_dir }} state=directory owner=root group=root mode=0755
+
 # Unfortunately, nsd doesn't allow to say "include all files in this directory".
 # The following implements the inclusion logic: the main config file includes
@@ -63,3 +66,20 @@
 with_items: "{{ nsd_secondary_zones }}"
 notify:
 - restart nsd3
+
+
+- name: Configure TSIG keys
+ template: src=tsigkey_config.j2 dest="{{ keys_config_dir }}/{{ item.tsig_keyname }}.conf" owner=root group=root mode=0644
+ notify:
+ - restart nsd3
+ with_items: "{{ nsd_tsig_keys }}"
+
+- name: Add include lines for TSIG keys
+ lineinfile:
+ state: present
+ dest: "{{ zones_include_file }}"
+ regexp: "^include: {{ keys_config_dir }}/{{ item.tsig_keyname }}.conf"
+ line: "include: {{ keys_config_dir }}/{{ item.tsig_keyname }}.conf"
+ with_items: "{{ nsd_tsig_keys }}"
+ notify:
+ - restart nsd3
diff --git a/templates/primary_zone_config.j2 b/templates/primary_zone_config.j2
index 09b47c2..5fef8f4 100644
--- a/templates/primary_zone_config.j2
+++ b/templates/primary_zone_config.j2
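Review bot: The keys directory is created `owner=root group=root mode=0755`, and together with the `mode=0644` key files written by the Configure TSIG keys task in the next hunk this leaves every TSIG secret readable by any local account on the server. The zone directories in the surrounding context are owned by `nsd`, so the daemon's unprivileged user would only need read access here if nsd3 re-reads its config after dropping privileges — confirm against the nsd3 startup and reload sequence before choosing the group. I would tighten the directory to `file: path={{ keys_config_dir }} state=directory owner=root group=nsd mode=0750` and the key files in the following hunk to `owner=root group=nsd mode=0640`, so root writes them and only the nsd group can read them.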
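Review bot: The Configure TSIG keys task loops over `nsd_tsig_keys` without `no_log: true`, so each `item`, including `tsig_secret`, is printed in the task result and lands in playbook output and any log sink; add `no_log: true` to that task and to the include-lines task, whose item is the same dictionary even though it only uses `tsig_keyname`. Separately, both tasks only ever add: a key removed from `nsd_tsig_keys` keeps its `.conf` file and its `include:` line, so revoking a key in the inventory does not revoke it on the server, and a `state: absent` counterpart or a sweep of stray files under `keys_config_dir` is needed. Because `lineinfile` appends at end of file, the key includes land after the zone includes that the earlier tasks write; if nsd3 resolves key names at parse time the keys must be included first, so an `insertbefore` anchor may be required — confirm against nsd3's config parser.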
@@ -1,23 +1,9 @@
 # Primary zone definition for {{ item.zone_name }}
-
-{% for slave in item.slaves|default([]) %}
-{% if slave.tsig_secret is defined %}
-key:
- name: "{{ item.zone_name }}_{{ slave.ip }}"
- algorithm: "{{ slave.tsig_algorithm }}"
- secret: "{{ slave.tsig_secret }}"
-{% endif %}
-{% endfor %}
-
-{%- macro tsigkey(slave) %}
-{% if slave.tsig_secret is defined %}{{ item.zone_name }}_{{ slave.ip }}{% else %}NOKEY{% endif %}
-{% endmacro -%}
-
 zone:
 name: "{{ item.zone_name }}"
 zonefile: "{{ primary_zones_dir }}/{{ item.zone_filename }}"
 {% for slave in item.slaves|default([]) %}
- notify: {{ slave.ip }} "{{ tsigkey(slave) }}"
- provide-xfr: {{ slave.ip }} "{{ tsigkey(slave) }}"
+ notify: {{ slave.ip }} "{{ slave.tsig_key|default('NOKEY') }}"
+ provide-xfr: {{ slave.ip }} "{{ slave.tsig_key|default('NOKEY') }}"
 {% endfor %}
diff --git a/templates/secondary_zone_config.j2 b/templates/secondary_zone_config.j2
index 22a652c..ffc1a86 100644
--- a/templates/secondary_zone_config.j2
+++ b/templates/secondary_zone_config.j2
@@ -1,23 +1,9 @@
 # Secondary zone definition for {{ item.zone_name }}
-
-{% for master in item.masters|default([]) %}
-{% if master.tsig_secret is defined %}
-key:
- name: "{{ item.zone_name }}_{{ master.ip }}"
- algorithm: "{{ master.tsig_algorithm }}"
- secret: "{{ master.tsig_secret }}"
-{% endif %}
-{% endfor %}
-
-{%- macro tsigkey(master) %}
-{% if master.tsig_secret is defined %}{{ item.zone_name }}_{{ master.ip }}{% else %}NOKEY{% endif %}
-{% endmacro -%}
-
 zone:
 name: "{{ item.zone_name }}"
 zonefile: "{{ secondary_zones_dir }}/{{ item.zone_name }}"
 {% for master in item.masters|default([]) %}
- allow-notify: {{ master.ip }} "{{ tsigkey(master) }}"
- request-xfr: AXFR {{ master.ip }} "{{ tsigkey(master) }}"
+ allow-notify: {{ master.ip }} "{{ master.tsig_key|default('NOKEY') }}"
+ request-xfr: AXFR {{ master.ip }} "{{ master.tsig_key|default('NOKEY') }}"
 {% endfor %}
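Review bot: The fallback `slave.tsig_key|default('NOKEY')` turns any inventory entry that still carries the per-slave `tsig_secret` this hunk deletes into an unauthenticated `notify`/`provide-xfr` entry instead of an error, so upgrading the role silently downgrades previously TSIG-protected transfers; the same applies to `master.tsig_key` in secondary_zone_config.j2 in the following hunk. The template cannot fail on its own, so I would add an `assert` task in tasks/main.yml before the zone templates with `that: "{{ item.slaves | default([]) | selectattr('tsig_secret', 'defined') | list | length == 0 }}"` (and the `masters` equivalent) and a message pointing at the new `nsd_tsig_keys` variable. A `tsig_key` naming a key absent from `nsd_tsig_keys` is likewise only caught by nsd at config load, presumably as a failed restart; a short comment above the `{% for slave ... %}` loop, `{# tsig_key must match a tsig_keyname in nsd_tsig_keys; omit it for unauthenticated transfers #}`, would at least document the contract.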
diff --git a/templates/tsigkey_config.j2 b/templates/tsigkey_config.j2
new file mode 100644
index 0000000..2095238
--- /dev/null
+++ b/templates/tsigkey_config.j2
@@ -0,0 +1,5 @@
+key:
+ name: "{{ item.tsig_keyname }}"
+ secret: "{{ item.tsig_secret }}"
+ algorithm: "{{ item.tsig_algorithm }}"
+
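Review bot: The new template has no header saying what it is or which variables it expects, so an operator finding a file under keys_config_dir has nothing tying it back to the role. Prepend a comment such as `# TSIG key "{{ item.tsig_keyname }}" -- managed by Ansible from nsd_tsig_keys, do not edit by hand`, matching the header the two zone templates already carry. The secret and algorithm are interpolated inside double quotes without escaping, so a value containing `"` would break the nsd config; that is acceptable for operator-controlled variables but the three required fields (`tsig_keyname`, `tsig_secret`, `tsig_algorithm`) and that constraint should be documented where `nsd_tsig_keys` is described.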