Add support for on-secondary signing

galaxy.yml

@@ -7,7 +7,7 @@ namespace: s3lph
 name: nameserver
 
 # The version of the collection. Must be compatible with semantic versioning
-version: "0.3.4"
+version: "0.3.5"
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md
@@ -15,7 +15,7 @@ readme: README.md
 # A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)
 # @nicks:irc/im.site#channel'
 authors:
-- s3lph <account-gitlab-ideynizv@kernelpanic.lol>
+- s3lph <1375407-s3lph@users.noreply.gitlab.com>
 
 
 ### OPTIONAL but strongly recommended

roles/knot/templates/etc/knot/knot.conf.j2

@@ -100,7 +100,7 @@ submission:
 
 policy:
 {% for zone in zones %}
-{% if inventory_hostname in zone.masters %}
+{% if inventory_hostname in zone.masters or (inventory_hostname in zone.replicas and zone.sign_on_secondary | default(false)) %}
 
   - id: dnssec-{{ zone.name }}
     algorithm: {{ zone.algorithm | default(knot_dnssec_policy_algorithm) }}
@@ -161,6 +161,10 @@ zone:
 {% for master in zone.masters %}
     master: remote-{{ master }}
 {% endfor %}
+{% if zone.sign_on_secondary | default(false) %}
+    dnssec-signing: {{ knot_zone_dnssec_signing }}
+    dnssec-policy: dnssec-{{ zone.name }}
+{% endif %}
 {% endif %}
 {% endfor %}