{{ ansible_header | comment(decoration='// ') }}
{#
  BIND zone declarations rendered by Ansible.
  The same template serves both roles: `is_master` selects the master
  stanzas (zone source files, transfers to the slaves, NOTIFY, dynamic
  update for the ACME zone) or the slave stanzas (pull from the masters,
  no onward transfers, no NOTIFY).
  Variables read here: ansible_header, is_master, certbot_dns_secret,
  slaves_ipv4, slaves_ipv6, masters_ipv4, masters_ipv6, bind.zones.
#}

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

{#
  The TSIG key below is rendered on the master only, so the shared secret
  is never written to the slaves.
  NOTE(review): the rendered file contains the secret in clear text. The
  task that installs this template is not visible here; confirm that it
  sets an owner and mode that keep the file unreadable to other local
  users, and that certbot_dns_secret comes from an encrypted source.
#}
{% if is_master -%}
// Let's Encrypt Challenge DNS-01 key
key "certbot_challenge." {
    algorithm hmac-sha512;
    secret "{{ certbot_dns_secret }}";
};
{% endif %}

// Let's Encrypt Challenge DNS-01 zone
zone "_acme-challenge.crans.org" {
    {% if is_master -%}
    type master;
    {#
      Transfers are limited to the listed slave addresses. The list holds
      addresses only, so a transfer request is accepted on the strength of
      its source IP; no TSIG key is required for AXFR/IXFR here.
      NOTE(review): consider a dedicated transfer key if source addresses
      cannot be fully trusted on the path between master and slaves.
    #}
    allow-transfer {
        {% for ip in slaves_ipv4 -%}
        {{ ip }};
        {% endfor -%}
        {% for ip in slaves_ipv6 -%}
        {{ ip }};
        {% endfor -%}
    };
    notify yes;
    {#
      Least-privilege dynamic update: the certbot_challenge. key may only
      change TXT records, and only at the name _acme-challenge.crans.org.
      The `name` rule type matches that exact owner name, so labels below
      it are not covered by this grant.
    #}
    update-policy {
        grant certbot_challenge. name _acme-challenge.crans.org txt;
    };
    {% else -%}
    type slave;
    {#
      The slave pulls the zone from the listed master addresses; as on the
      master side, the peers are identified by address only.
    #}
    masters {
        {% for ip in masters_ipv4 -%}
        {{ ip }};
        {% endfor -%}
        {% for ip in masters_ipv6 -%}
        {{ ip }};
        {% endfor -%}
    };
    {# Slaves never serve zone transfers to anyone and send no NOTIFY. #}
    allow-transfer { "none"; };
    notify no;
    {% endif -%}
    {#
      This file statement sits outside the if/else, so the master and the
      slaves use the same relative file name. On the master it is the
      backing file of a dynamically updated zone despite the "bak." prefix.
      NOTE(review): the path is relative and resolves against the server's
      working directory, which is configured elsewhere; confirm that
      directory is writable by the BIND user on both roles.
    #}
    file "bak._acme-challenge.crans.org";
};

// Crans zones
{#
  One zone stanza per entry of bind.zones, in sorted order.
  No update-policy or allow-update is rendered for these zones, so this
  template grants no dynamic update on them.
  NOTE(review): the zone name is interpolated unescaped into the quoted
  zone name and into the file paths below. Presumably bind.zones is
  inventory-controlled; verify its values can never contain quotes,
  whitespace or path separators.
#}
{% for zone in bind.zones|sort %}
zone "{{ zone }}" {
    {% if is_master -%}
    type master;
    {# The master loads the zone from the file generated under re2o-services. #}
    file "/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone";
    {# Same address-only transfer list as the ACME zone: slaves, IPv4 then IPv6. #}
    allow-transfer {
        {% for ip in slaves_ipv4 -%}
        {{ ip }};
        {% endfor -%}
        {% for ip in slaves_ipv6 -%}
        {{ ip }};
        {% endfor -%}
    };
    notify yes;
    {% else -%}
    type slave;
    {# The slave keeps its transferred copy in a relative "bak." file. #}
    file "bak.{{ zone }}";
    masters {
        {% for ip in masters_ipv4 -%}
        {{ ip }};
        {% endfor -%}
        {% for ip in masters_ipv6 -%}
        {{ ip }};
        {% endfor -%}
    };
    {# Slaves refuse all zone transfers and send no NOTIFY. #}
    allow-transfer { "none"; };
    notify no;
    {% endif -%}
};
{% endfor %}