---
interfaces:
  adm: eth1
  srv: eth0

loc_bind:
  options:
    secondaries: "{{ query('ldap', 'ip', 'sputnik', 'adm') }}"
    key_directory: "/var/cache/bind/keys"
  default:
    format: 'generated/%s.db'
    type: primary
    notify: 'yes'
    dnssec: true
  zones:
    '_acme-challenge.crans.org':
      update_policy:
        - 'grant certbot_challenge. name _acme-challenge.crans.org. txt'
      format: 'bak.%s'
    '_acme-challenge.adm.crans.org':
      update_policy:
        - 'grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt'
      format: 'bak.%s'
  rfc2136_keys:
    'certbot_challenge.':
      algorithm: hmac-sha512
      secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
    'certbot_adm_challenge.':
      algorithm: hmac-sha512
      secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}"