[bind] Add master configuration

network.yml

@@ -39,14 +39,12 @@
 # Deplay authoritative DNS server
 - hosts: sputnik.adm.crans.org
   vars:
+    certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
     bind:
       master: false
       master_ip: 10.231.136.118
-      dnssec: false
-      zones:
-        - crans.org
-        - crans.eu
-        - crans.fr
+      slaves: []  # TODO
+      zones: "{{ lookup('re2oapi', 'dnszones', api_hostname='intranet.crans.org') }}"
   roles:
     - bind-authoritative
 

roles/bind-authoritative/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Reload Bind9
+  systemd:
+    name: bind9
+    state: reloaded

roles/bind-authoritative/tasks/main.yml

@@ -11,15 +11,11 @@
   template:
     src: bind/{{ item }}.j2
     dest: /etc/bind/{{ item }}
-    mode: 0644
+    mode: 0640
     owner: root
     group: bind
   loop:
     - named.conf
     - named.conf.local
     - named.conf.options
-
-- name: Reload Bind9
-  systemd:
-    name: bind9
-    state: reloaded
+  notify: Reload Bind9

roles/bind-authoritative/templates/bind/named.conf.local.j2

@@ -4,15 +4,43 @@
 // organization
 //include "/etc/bind/zones.rfc1918";
 
-{% if not bind.master %}
+{% if bind.master %}
+// Let's Encrypt Challenge DNS-01
+key "certbot_challenge." {
+    algorithm hmac-sha512;
+    secret "{{ certbot_dns_secret }}";
+};
+{% endif %}
+
+// Crans zones
 {% for zone in bind.zones %}
 zone "{{ zone }}" {
+	{% if bind.master %}
+	type master;
+	file "/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone";
+	forwarders {
+		{% for slave in bind.slaves -%}
+		{{ slave }};
+		{% endfor -%}
+	};
+	allow-transfer {
+		{% for slave in bind.slaves -%}
+		{{ slave }};
+		{% endfor -%}
+	};
+	update-policy {
+		grant certbot_challenge. name _acme-challenge.{{ zone }} txt;
+	};
+	notify yes;
+	{% else %}
 	type slave;
-	masters { {{ bind.master_ip }}; };
 	file "bak.{{ zone }}";
+	masters {
+		{{ bind.master_ip }};
+	};
 	allow-transfer { "none"; };
 	notify no;
+	{% endif %}
 };
 
 {% endfor %}
-{% endif %}