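---
# Host variables: interface naming plus the local BIND settings (loc_bind).
# The block layout was restored from a single collapsed line, which does not
# parse as YAML.
# NOTE(review): nesting is reconstructed from key order. Confirm it against
# the bind role's templates, in particular whether key_directory sits
# directly under loc_bind (as written here) or under loc_bind.options.
interfaces:
  adm: eth1
  srv: eth0

loc_bind:
  options:
    # Union of the 'adm' addresses that LDAP returns for sputnik and en7.
    # NOTE(review): presumably rendered into the zone-transfer / notify
    # settings. Keep this list limited to the real secondaries, since any
    # host listed here may be allowed to pull full zone contents.
    secondaries: "{{ query('ldap', 'ip', 'sputnik', 'adm') | union(query('ldap', 'ip', 'en7', 'adm')) }}"
  # NOTE(review): with dnssec enabled below, this directory presumably holds
  # the signing keys. Verify it is owned by and readable only by the account
  # that runs named.
  key_directory: /var/cache/bind/keys
  # Settings shared by every zone unless a zone overrides them.
  default:
    # %s is a placeholder in the zone file name (presumably the zone name).
    format: generated/%s.db
    type: primary
    # Quoted on purpose: a bare yes is read as a boolean by YAML 1.1 loaders.
    notify: "yes"
    dnssec: true
  zones:
    # ACME DNS-01 challenge zones. Each update_policy grants one TSIG key the
    # right to change TXT records at exactly one name and nothing else, so a
    # leaked certbot key cannot alter other records or zones.
    _acme-challenge.crans.org:
      update_policy:
        - grant certbot_challenge. name _acme-challenge.crans.org. txt
      # Overrides default.format for this zone.
      format: bak.%s
    _acme-challenge.adm.crans.org:
      update_policy:
        - grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt
      # Overrides default.format for this zone.
      format: bak.%s
  # TSIG keys for RFC 2136 dynamic updates. The key names (trailing dot
  # included) must match the identities named in update_policy above.
  # Secrets are looked up in the vault at render time. Keep them as lookups
  # and never commit literal key material to this file.
  rfc2136_keys:
    certbot_challenge.:
      algorithm: hmac-sha512
      secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
    certbot_adm_challenge.:
      algorithm: hmac-sha512
      secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}"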