From 424e0df45e24f222b475a6a257e210a19d50ca1c Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sat, 25 Apr 2020 20:22:26 +0200
Subject: [PATCH] [bind] Add master configuration
---
 network.yml | 8 ++---
 roles/bind-authoritative/handlers/main.yml | 5 +++
 roles/bind-authoritative/tasks/main.yml | 8 ++---
 .../templates/bind/named.conf.local.j2 | 34 +++++++++++++++++--
 4 files changed, 41 insertions(+), 14 deletions(-)
 create mode 100644 roles/bind-authoritative/handlers/main.yml
diff --git a/network.yml b/network.yml
index 5a28e7d0..f3f8c589 100755
--- a/network.yml
+++ b/network.yml
@@ -39,14 +39,12 @@
 # Deplay authoritative DNS server
 - hosts: sputnik.adm.crans.org
 vars:
+ certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
 bind:
 master: false
 master_ip: 10.231.136.118
- dnssec: false
- zones:
- - crans.org
- - crans.eu
- - crans.fr
+ slaves: [] # TODO
+ zones: "{{ lookup('re2oapi', 'dnszones', api_hostname='intranet.crans.org') }}"
 roles:
 - bind-authoritative
diff --git a/roles/bind-authoritative/handlers/main.yml b/roles/bind-authoritative/handlers/main.yml
new file mode 100644
index 00000000..0f5025c5
--- /dev/null
+++ b/roles/bind-authoritative/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload Bind9
+ systemd:
+ name: bind9
+ state: reloaded
diff --git a/roles/bind-authoritative/tasks/main.yml b/roles/bind-authoritative/tasks/main.yml
index 407e533e..47d16b22 100644
--- a/roles/bind-authoritative/tasks/main.yml
+++ b/roles/bind-authoritative/tasks/main.yml
@@ -11,15 +11,11 @@
 template:
 src: bind/{{ item }}.j2
 dest: /etc/bind/{{ item }}
- mode: 0644
+ mode: 0640
 owner: root
 group: bind
 loop:
 - named.conf
 - named.conf.local
 - named.conf.options
- - name: Reload Bind9
- systemd:
- name: bind9
- state: reloaded
+ notify: Reload Bind9
diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2
index 09653cd1..0f7603c1 100644
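Review bot: `certbot_dns_secret` is added to the vars of `sputnik.adm.crans.org`, whose `bind.master` stays `false`, while the template in this commit renders the key statement only under `{% if bind.master %}`, so the vault secret is decrypted and pushed into the vars of a host that never uses it. Defining it in the master host's vars or host_vars instead keeps the TSIG secret off hosts and task output that do not need it. `slaves: [] # TODO` is harmless for a slave, but if the same vars are later reused for a master an empty list renders an empty `allow-transfer { };`, which denies every transfer, so it needs filling before any master play is added.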
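Review bot: `mode: 0640` is an unquoted leading-zero scalar; Ansible reads it as octal, but yamllint flags it and a later edit to `640` would silently become decimal, so write it as a string, `mode: "0640"`. Tightening the mode is warranted now that named.conf.local carries the certbot TSIG secret (template hunk of this commit), but a run with `--diff` would still print the rendered secret in the task output; consider `no_log: true` on this task, or keep the key statement in a separate file templated with its own task. The task's `name:` line is above the hunk.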
--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@@ -4,15 +4,43 @@
 // organization
 //include "/etc/bind/zones.rfc1918";
-{% if not bind.master %}
+{% if bind.master %}
+// Let's Encrypt Challenge DNS-01
+key "certbot_challenge." {
+ algorithm hmac-sha512;
+ secret "{{ certbot_dns_secret }}";
+};
+{% endif %}
+
+// Crans zones
 {% for zone in bind.zones %}
 zone "{{ zone }}" {
+ {% if bind.master %}
+ type master;
+ file "/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone";
+ forwarders {
+ {% for slave in bind.slaves -%}
+ {{ slave }};
+ {% endfor -%}
+ };
+ allow-transfer {
+ {% for slave in bind.slaves -%}
+ {{ slave }};
+ {% endfor -%}
+ };
+ update-policy {
+ grant certbot_challenge. name _acme-challenge.{{ zone }} txt;
+ };
+ notify yes;
+ {% else %}
 type slave;
- masters { {{ bind.master_ip }}; };
 file "bak.{{ zone }}";
+ masters {
+ {{ bind.master_ip }};
+ };
 allow-transfer { "none"; };
 notify no;
+ {% endif %}
 };
 {% endfor %}
-{% endif %}
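Review bot: The `forwarders { … }` block in the `{% if bind.master %}` branch looks like it was meant to be `also-notify`: in a zone statement `forwarders` changes how names under the zone are resolved and says nothing about which hosts receive NOTIFY, while the neighbouring `allow-transfer` over `bind.slaves` and `notify yes` make notification the evident intent. Either rename it, `also-notify {` with the same loop body, or drop it, since `notify yes` already notifies the zone's NS records. A second point in the same branch: the master zone is both an externally generated file (`/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone`) and a dynamically updated one via `update-policy`; once named applies a certbot update it keeps a journal next to that file and can refuse to load a regenerated copy whose serial no longer matches, and the generated directory must be writable by named for the journal at all, so the regeneration step needs `rndc freeze`/`thaw` around the write or the `_acme-challenge` names should live in a delegated sub-zone. The slave branch is only reformatted and behaves as before.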