feat: support rndc

defaults/main.yml

@@ -5,6 +5,14 @@ bind9_acls:
   permissions: []
   # - "111.222.111.222"
 
+bind9_controls: []
+# - acls:
+#   - localhost
+#   inet: "127.0.0.1"
+#   port: "953"
+#   tsig_keys:
+#   - rndc
+
 bind9_logging:
   categories:
   - name: "security"
@@ -70,6 +78,11 @@ bind9_options:
 
   transfer_format: "many-answers"
 
+bind9_rndc_key:
+  name: ""
+  algorithm: ""
+  secret: ""
+
 bind9_statics:
   enabled: true
   channels:

tasks/main.yml

@@ -41,14 +41,6 @@
       state: absent
     with_items: "{{ files_to_delete.files }}"
 
-
-#  - name: copy zone files
-#   ansible.builtin.include_tasks: copy_zone_files.yml
-#   with_items:
-#   - "{{ bind9_views }}"
-#   loop_control:
-#     loop_var: view
-
 - name: Create DNS-Zone files
   ansible.builtin.include_tasks: template_zone_files.yml
   with_items:
@@ -86,3 +78,14 @@
     name: named
     state: started
     enabled: true
+
+- name: Create rndc.key
+  ansible.builtin.template:
+    src: etc/rndc.key.j2
+    dest: /etc/rndc.key
+    owner: "{{ bind_unix_user }}"
+    group: "{{ bind_unix_group }}"
+    mode: "0600"
+  when: bind9_rndc_key.name | length > 0 and
+        bind9_rndc_key.algorithm | length > 0 and
+        bind9_rndc_key.secret | length > 0

templates/etc/named/named.conf.options.j2

@@ -2,6 +2,23 @@
 # {{ ansible_managed }}
 #
 
+{% if bind9_controls is defined and bind9_controls | length > 0 %}
+controls {
+{% for control in bind9_controls %}
+  inet {{ control.inet }} port {{ control.port }} allow {
+{% for acl in control.acls %}
+    {{ acl }};
+{% endfor %}
+  } keys {
+{% for name in control.tsig_keys %}
+    "{{ name }}";
+{% endfor %}
+  };
+
+{% endfor %}
+};
+{% endif %}
+
 options {
 
   # This specifies which hosts are allowed to ask ordinary DNS questions.

templates/etc/rndc.key.j2

@@ -0,0 +1,7 @@
+#
+# {{ ansible_managed }}
+#
+key "{{ bind9_rndc_key.name }}" {
+  algorithm {{ bind9_rndc_key.algorithm }};
+  secret "{{ bind9_rndc_key.secret }}";
+};