From 547928426b058d433db1b689ea972433ec7488ee Mon Sep 17 00:00:00 2001
From: mathieui <mathieui@mathieui.net>
Date: Mon, 4 Jan 2021 22:34:08 +0100
Subject: [PATCH] Add my changes

---
 README.md           | 13 ++++++-
 handlers/main.yml   |  5 ++-
 tasks/main.yml      | 86 ++++++++++++++++++++++++++++++++++++++-------
 templates/config.j2 |  7 ++++
 4 files changed, 96 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 6d091ad..21331d2 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,15 @@
-# Ansible role for NSD
+# This is a modified version of "Ansible role for NSD"
+
+Original source: https://github.com/zorun/ansible-role-nsd/
+
+I have made several changes to fit my usecase (essentially remote control and dnssec specificities, as well as some cosmetic changes).
+
+Changes: added two new dictionaries:
+
+* **nsd_remote_control** for remote controllong options in the config file
+* **nsd_zone_subdirs** to transfer whole subdirectories (I expect each one to contain a source.sh script which signs dnssec, installed as a cron)
+
+----
 
 This Ansible role installs and configure NSD, an authoritative DNS server.
 It also allows to publish DNS zones into NSD.
diff --git a/handlers/main.yml b/handlers/main.yml
index b74d069..871a73e 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -12,7 +12,10 @@
   command: "{{ nsd_control_program }} reload"
 
 - name: restart nsd
-  service: name={{ nsd_service_name }} state=restarted
+  systemd:
+    name: "{{ nsd_service_name }}"
+    enabled: yes
+    state: restarted
 
 - name: notify slaves
   command: "{{ nsd_control_program }} notify"
diff --git a/tasks/main.yml b/tasks/main.yml
index 2ed22a7..69cf2d3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,33 +1,93 @@
 ---
 
-- name: Install nsd
-  apt: pkg={{ nsd_pkg_name }} state=present
-
+- name: Ensure resolved stays down
+  systemd:
+    enabled: false
+    state: stopped
+    masked: yes
+    name: systemd-resolved
 
 - name: Create primary zone directory
-  file: path="{{ nsd_primary_zones_dir }}" state=directory owner=root group=root mode=0755
+  file:
+    path: "{{ nsd_primary_zones_dir }}"
+    state: directory
+    owner: nsd
+    group: nsd
+    mode: 0711
+
+- name: Create control dir
+  file:
+    path: /etc/nsd/control
+    state: directory
+    owner: nsd
+    group: nsd
+    mode: 0700
+
+- name: Create subdirectories
+  file:
+    path: "{{ nsd_primary_zones_dir }}/{{ item }}"
+    state: directory
+    owner: nsd
+    group: nsd
+    mode: 0700
+  when: nsd_zone_subdirs is defined
+  loop: "{{ nsd_zone_subdirs }}"
 
 - name: Create secondary zone directory
-  file: path="{{ nsd_secondary_zones_dir }}" state=directory owner=nsd group=nsd mode=0755
-
+  file:
+    path: "{{ nsd_secondary_zones_dir }}"
+    state: directory
+    owner: nsd
+    group: nsd
+    mode: 0755
 
 - name: Configure nsd zones
-  template: src=zones_config.j2 dest="{{ nsd_zones_config_file }}" owner=root group=root mode=0644 validate='nsd-checkconf %s'
-  notify:
-    - rebuild nsd database
-    - reload nsd database
-    - restart nsd
+  template:
+    src: zones_config.j2
+    dest: "{{ nsd_zones_config_file }}"
+    owner: nsd
+    group: nsd
+    mode: 0600
+    validate: 'nsd-checkconf %s'
 
 - name: Create base nsd configuration file
-  template: src=config.j2 dest="{{ nsd_config_dir }}/nsd.conf" owner=root group=root mode=0644 validate='nsd-checkconf %s'
+  template:
+    src: config.j2
+    dest: "{{ nsd_config_dir }}/nsd.conf"
+    owner: nsd
+    group: nsd
+    mode: 0644
+    validate: 'nsd-checkconf %s'
   notify:
     - restart nsd
 
+- name: Copy content of subdirs
+  copy:
+    src: '{{ playbook_dir }}/files/nsd/{{ item }}'
+    dest: "{{ nsd_primary_zones_dir }}"
+    owner: nsd
+    group: nsd
+    mode: 0600
+    directory_mode: 0711
+  when: nsd_zone_subdirs is defined
+  loop: "{{ nsd_zone_subdirs }}"
 
 - name: Copy content of primary zones
-  copy: src="files/nsd/{{ item.zone_filename }}" dest="{{ nsd_primary_zones_dir }}/{{ item.zone_filename }}" owner=root group=root mode=0644
+  copy:
+    src: "{{ playbook_dir }}/files/nsd/{{ item.zone_filename }}"
+    dest: "{{ nsd_primary_zones_dir }}/{{ item.zone_filename }}"
+    owner: root
+    group: root
+    mode: 0644
   with_items: "{{ nsd_primary_zones }}"
   notify:
     - rebuild nsd database
     - reload nsd database
     - notify slaves
+
+- name: Add dnssec renewal crons
+  cron:
+    special_time: monthly
+    user: nsd
+    job: "bash {{ nsd_primary_zones_dir }}/{{ item }}/source.sh"
+  loop: "{{ nsd_zone_subdirs }}"
diff --git a/templates/config.j2 b/templates/config.j2
index e549ff2..296ae41 100644
--- a/templates/config.j2
+++ b/templates/config.j2
@@ -20,6 +20,13 @@ server:
 {%- endfor %}
 {% endif %}
 
+{% if nsd_remote_control is defined %}
+remote-control:
+{% for key, value in nsd_remote_control.items() -%}
+{{ expand_list(key, value) }}
+{%- endfor %}
+{% endif %}
+
 {% if nsd_local_server_config is defined %}
   # Local configuration
 {% for key, value in nsd_local_server_config.items() -%}