From 34f12ba81cbec3f970ef4a3ac9ef2b53fd1e4492 Mon Sep 17 00:00:00 2001
From: Baptiste Jonglez
Date: Sat, 26 Mar 2016 19:14:59 +0100
Subject: [PATCH] NSD: Allow to configure the name of the TSIG keys
Of course, I forgot that the name of TSIG keys is relevant, since it needs to be the same on both the master and the slave... While we're at it, allow to define keys separately and refer them by name in zone config, which avoids duplication.
---
 tasks/main.yml | 20 ++++++++++++++++++++
 templates/primary_zone_config.j2 | 18 ++----------------
 templates/secondary_zone_config.j2 | 18 ++----------------
 templates/tsigkey_config.j2 | 5 +++++
 4 files changed, 29 insertions(+), 32 deletions(-)
 create mode 100644 templates/tsigkey_config.j2
diff --git a/tasks/main.yml b/tasks/main.yml
index cc758c6..a70acc2 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -18,6 +18,9 @@ - name: Create secondary zone directory file: path={{ secondary_zones_dir }} state=directory owner=nsd group=nsd mode=0755 +- name: Create keys directory + file: path={{ keys_config_dir }} state=directory owner=root group=root mode=0755 + # Unfortunately, nsd doesn't allow to say "include all files in this directory". # The following implements the inclusion logic: the main config file includes
@@ -63,3 +66,20 @@
 with_items: "{{ nsd_secondary_zones }}"
 notify:
 - restart nsd3
+
+
+- name: Configure TSIG keys
+ template: src=tsigkey_config.j2 dest="{{ keys_config_dir }}/{{ item.tsig_keyname }}.conf" owner=root group=root mode=0644
+ notify:
+ - restart nsd3
+ with_items: "{{ nsd_tsig_keys }}"
+
+- name: Add include lines for TSIG keys
+ lineinfile:
+ state: present
+ dest: "{{ zones_include_file }}"
+ regexp: "^include: {{ keys_config_dir }}/{{ item.tsig_keyname }}.conf"
+ line: "include: {{ keys_config_dir }}/{{ item.tsig_keyname }}.conf"
+ with_items: "{{ nsd_tsig_keys }}"
+ notify:
+ - restart nsd3
diff --git a/templates/primary_zone_config.j2 b/templates/primary_zone_config.j2
index 09b47c2..5fef8f4 100644
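Review bot: The Configure TSIG keys task renders a file that holds the TSIG secret with `mode=0644`, so any local account can read every `{{ keys_config_dir }}/<keyname>.conf`, and the directory created in the first hunk (`owner=root group=root mode=0755`) does not restrict that either. Changing the template line to `template: src=tsigkey_config.j2 dest="{{ keys_config_dir }}/{{ item.tsig_keyname }}.conf" owner=root group=nsd mode=0640` keeps the files readable for the daemon account this role already uses for the zone directories while closing them to other users; the directory can follow with `group=nsd mode=0750`. Both new tasks iterate over `nsd_tsig_keys`, so each item, secret included, is echoed in the play output and in any saved log; `no_log: true` on both tasks prevents that. The lineinfile regexp interpolates `keys_config_dir` and `tsig_keyname` without escaping; `{{ item.tsig_keyname | regex_escape }}` is cheap insurance against a `.` or `+` in a key name matching the wrong line.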
--- a/templates/primary_zone_config.j2
+++ b/templates/primary_zone_config.j2
@@ -1,23 +1,9 @@ # Primary zone definition for {{ item.zone_name }} - -{% for slave in item.slaves|default([]) %} -{% if slave.tsig_secret is defined %} -key: - name: "{{ item.zone_name }}_{{ slave.ip }}" - algorithm: "{{ slave.tsig_algorithm }}" - secret: "{{ slave.tsig_secret }}" -{% endif %} -{% endfor %} - -{%- macro tsigkey(slave) %} -{% if slave.tsig_secret is defined %}{{ item.zone_name }}_{{ slave.ip }}{% else %}NOKEY{% endif %} -{% endmacro -%} - zone: name: "{{ item.zone_name }}" zonefile: "{{ primary_zones_dir }}/{{ item.zone_filename }}" {% for slave in item.slaves|default([]) %} - notify: {{ slave.ip }} "{{ tsigkey(slave) }}" - provide-xfr: {{ slave.ip }} "{{ tsigkey(slave) }}" + notify: {{ slave.ip }} "{{ slave.tsig_key|default('NOKEY') }}" + provide-xfr: {{ slave.ip }} "{{ slave.tsig_key|default('NOKEY') }}" {% endfor %}
diff --git a/templates/secondary_zone_config.j2 b/templates/secondary_zone_config.j2
index 22a652c..ffc1a86 100644
--- a/templates/secondary_zone_config.j2
+++ b/templates/secondary_zone_config.j2
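Review bot: A `slaves` entry that still carries the old `tsig_secret`/`tsig_algorithm` fields now renders `notify` and `provide-xfr` with `NOKEY`, because `slave.tsig_key|default('NOKEY')` never looks at those fields; an inventory that was not migrated to `tsig_key` silently drops transfer authentication instead of failing the play. An `assert` task in tasks/main.yml over the slave entries (for example with `with_subelements` and `that: "item.1.tsig_secret is not defined or item.1.tsig_key is defined"`) would make the migration explicit. The same fallback appears in `secondary_zone_config.j2` for `masters` and should get the same check. Nothing verifies that a `tsig_key` value names an entry of `nsd_tsig_keys`; a typo only surfaces when the restart handler runs, so the assert could cover that too.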
@@ -1,23 +1,9 @@ # Secondary zone definition for {{ item.zone_name }} - -{% for master in item.masters|default([]) %} -{% if master.tsig_secret is defined %} -key: - name: "{{ item.zone_name }}_{{ master.ip }}" - algorithm: "{{ master.tsig_algorithm }}" - secret: "{{ master.tsig_secret }}" -{% endif %} -{% endfor %} - -{%- macro tsigkey(master) %} -{% if master.tsig_secret is defined %}{{ item.zone_name }}_{{ master.ip }}{% else %}NOKEY{% endif %} -{% endmacro -%} - zone: name: "{{ item.zone_name }}" zonefile: "{{ secondary_zones_dir }}/{{ item.zone_name }}" {% for master in item.masters|default([]) %} - allow-notify: {{ master.ip }} "{{ tsigkey(master) }}" - request-xfr: AXFR {{ master.ip }} "{{ tsigkey(master) }}" + allow-notify: {{ master.ip }} "{{ master.tsig_key|default('NOKEY') }}" + request-xfr: AXFR {{ master.ip }} "{{ master.tsig_key|default('NOKEY') }}" {% endfor %}
diff --git a/templates/tsigkey_config.j2 b/templates/tsigkey_config.j2
new file mode 100644
index 0000000..2095238
--- /dev/null
+++ b/templates/tsigkey_config.j2
@@ -0,0 +1,5 @@
+key:
+ name: "{{ item.tsig_keyname }}"
+ secret: "{{ item.tsig_secret }}"
+ algorithm: "{{ item.tsig_algorithm }}"
+
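Review bot: The new tsigkey_config.j2 has no header comment, while `primary_zone_config.j2` and `secondary_zone_config.j2` both open with a `# ... zone definition for {{ item.zone_name }}` line; a first line `# TSIG key {{ item.tsig_keyname }} -- managed by Ansible, do not edit` keeps the generated key files consistent with their siblings and identifiable in `{{ keys_config_dir }}`. `algorithm` is rendered verbatim from `item.tsig_algorithm` with no default, so a missing or misspelled value is only reported when nsd3 is restarted by the handler; documenting the accepted values next to `nsd_tsig_keys` in the role defaults would help. The trailing empty line at the end of the new file is harmless to nsd but is one more line than the file needs.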