- name: Install packages
  package:
    name:
      - bind9
      - git
      - rsync
    state: present
- name: Ensure base zone directory exists
  file:
    path: /var/lib/bind/zones
    state: directory
- name: Clone zone repos
  git:
    repo: "{{ item.url }}"
    refspec: "{{ item.refspec | default(omit) }}"
    version: "{{ item.version | default(omit) }}"
    dest: "/opt/source/{{ item.name }}"
  loop: "{{ dns_repos }}"
- name: Set base rsync options
  set_fact:
    _rsync_options:
      - "--chmod=u+rwX,g+rX,o+rX"
      - "--chown=bind:bind"
- name: Synchronize zone repos to zone directories
  delegate_to: "{{ inventory_hostname }}"
  synchronize:
    src: "/opt/source/{{ item.source }}"
    dest: "/var/lib/bind/zones/{{ item.name }}"
    rsync_opts: '{{ _rsync_options + ["--ignore-existing"] if item.unmanaged|default(False) else _rsync_options }}'
  loop: "{{ dns_zones }}"
  notify: Reload named
- name: Install tsig key
  no_log: true
  template:
    src: templates/bind.key.j2
    dest: "/etc/bind/tsig.key"
    owner: root
    group: bind
    mode: 0440
  vars:
    key: "{{ tsig_key }}"
    name: tsig
- name: Ensure base dnssec key directory exists
  file:
    path: /etc/bind/keys
    state: directory
# The key directories must exist for every zone, regardless of whether
# there are any keys in them.
- name: Ensure zone dnssec key directories exist
  loop: "{{ dns_zones }}"
  file:
    path: "/etc/bind/keys/{{ item.name }}"
    state: directory
    owner: root
    group: bind
    mode: 0750
- name: Install dnssec public keys
  loop: "{{ dnssec_keys | dict2items }}"
  copy:
    dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.key"
    content: "{{ item.value.public }}"
    owner: root
    group: bind
    mode: 0440
- name: Install dnssec private keys
  no_log: true
  loop: "{{ dnssec_keys | dict2items }}"
  copy:
    dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.private"
    content: "{{ item.value.private }}"
    owner: root
    group: bind
    mode: 0440
- name: Install bind config
  template:
    src: templates/named.conf.j2
    dest: /etc/bind/named.conf
    owner: root
    group: bind
    mode: 0444
  notify: Reload named
- name: Enable named
  service:
    name: bind9
    enabled: true