From 38b4533838fe00577413ef89d4a4fdffe4ea62d8 Mon Sep 17 00:00:00 2001 From: Markus Pesch Date: Fri, 9 Jun 2023 09:46:02 +0200 Subject: [PATCH] feat: support rndc --- defaults/main.yml | 13 +++++++++++++ tasks/main.yml | 19 +++++++++++-------- templates/etc/named/named.conf.options.j2 | 19 ++++++++++++++++++- templates/etc/rndc.key.j2 | 7 +++++++ 4 files changed, 49 insertions(+), 9 deletions(-) create mode 100644 templates/etc/rndc.key.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 571405b..cacf56b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,6 +5,14 @@ bind9_acls: permissions: [] # - "111.222.111.222" +bind9_controls: [] +# - acls: +# - localhost +# inet: "127.0.0.1" +# port: "953" +# tsig_keys: +# - rndc + bind9_logging: categories: - name: "security" @@ -70,6 +78,11 @@ bind9_options: transfer_format: "many-answers" +bind9_rndc_key: + name: "" + algorithm: "" + secret: "" + bind9_statics: enabled: true channels: diff --git a/tasks/main.yml b/tasks/main.yml index 5c515d1..23bf025 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -41,14 +41,6 @@ state: absent with_items: "{{ files_to_delete.files }}" - -# - name: copy zone files -# ansible.builtin.include_tasks: copy_zone_files.yml -# with_items: -# - "{{ bind9_views }}" -# loop_control: -# loop_var: view - - name: Create DNS-Zone files ansible.builtin.include_tasks: template_zone_files.yml with_items: @@ -86,3 +78,14 @@ name: named state: started enabled: true + +- name: Create rndc.key + ansible.builtin.template: + src: etc/rndc.key.j2 + dest: /etc/rndc.key + owner: "{{ bind_unix_user }}" + group: "{{ bind_unix_group }}" + mode: "0600" + when: bind9_rndc_key.name | length > 0 and + bind9_rndc_key.algorithm | length > 0 and + bind9_rndc_key.secret | length > 0 diff --git a/templates/etc/named/named.conf.options.j2 b/templates/etc/named/named.conf.options.j2 index 52f22dd..6e0d5b9 100644 --- a/templates/etc/named/named.conf.options.j2 +++ b/templates/etc/named/named.conf.options.j2 
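Review bot: The commented `bind9_controls` example in defaults/main.yml does not say what its fields have to match: each `tsig_keys` entry is rendered verbatim into the `keys { }` clause of the controls statement, so it must name a `key` statement that named can see (in this role that is `bind9_rndc_key.name`), and each `acls` entry is rendered into `allow { }`, so it must be a built-in ACL name, a name from `bind9_acls`, or an address. A comment such as `# tsig_keys must match bind9_rndc_key.name (or another key statement named loads); acls entries are placed in allow { }` would spare users a startup failure of named. The example would also benefit from a line saying that `inet` should stay on a loopback address unless remote rndc access is genuinely required.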
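Review bot: `bind9_rndc_key` in defaults/main.yml holds a shared secret, but nothing documents its format or where it should come from. The three empty strings also act as the "feature off" switch, because the new rndc.key task in tasks/main.yml only runs when all three are non-empty, which is worth stating next to the defaults, together with the expected values: `algorithm` is one of BIND's HMAC algorithm names (e.g. `hmac-sha256`) and `secret` is the base64 string that `rndc-confgen` prints. Suggested comments: `# Leave all three empty to skip /etc/rndc.key; otherwise set all of them, e.g. from ansible-vault` above the mapping and `# base64-encoded HMAC key as printed by rndc-confgen` beside `secret`.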
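Review bot: The new `Create rndc.key` task in tasks/main.yml is placed after the task that starts named and carries no `notify`, so on an existing host a new or rotated key is written to `/etc/rndc.key` while the running named keeps using the old one until something else restarts it, and on a first run the service is started before the key file exists; moving the task ahead of the start task and notifying the role's named restart handler (whatever it is called in this role) fixes both. Since the rendered file contains the secret, the task should also set `no_log: true` (or at least `diff: false`) so that a `--diff` run does not print the key. The `when` expression would read more clearly as a YAML list of the three conditions, which Ansible combines with `and`.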
@@ -2,6 +2,23 @@ # {{ ansible_managed }} # +{% if bind9_controls is defined and bind9_controls | length > 0 %} +controls { +{% for control in bind9_controls %} + inet {{ control.inet }} port {{ control.port }} allow { +{% for acl in control.acls %} + {{ acl }}; +{% endfor %} + } keys { +{% for name in control.tsig_keys %} + "{{ name }}"; +{% endfor %} + }; + +{% endfor %} +}; +{% endif %} + options { # This specifies which hosts are allowed to ask ordinary DNS questions. @@ -246,4 +263,4 @@ statistics-channels { }; {% endfor %} }; -{% endif %} \ No newline at end of file +{% endif %} diff --git a/templates/etc/rndc.key.j2 b/templates/etc/rndc.key.j2 new file mode 100644 index 0000000..dcd6297 --- /dev/null +++ b/templates/etc/rndc.key.j2 @@ -0,0 +1,7 @@ +# +# {{ ansible_managed }} +# +key "{{ bind9_rndc_key.name }}" { + algorithm {{ bind9_rndc_key.algorithm }}; + secret "{{ bind9_rndc_key.secret }}"; +};
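Review bot: The `controls` block added to named.conf.options.j2 references key names in `keys { "{{ name }}"; }`, but nothing in this template includes `/etc/rndc.key`, where the role now defines the only key; unless the main named.conf already contains `include "/etc/rndc.key";`, named will reject the configuration because the key is unknown, and any `tsig_keys` entry other than `bind9_rndc_key.name` has no definition in any case. Note also that when `bind9_controls` is empty the template emits no `controls` statement at all, and named then falls back to its built-in default control channel on the loopback addresses rather than to none; if an empty list is meant to disable the control channel, an `{% else %}` branch emitting `controls { };` is needed. Whichever behaviour is intended should be written into the comment above the block.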