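{{ ansible_header | comment(decoration='// ') }}
{#
  BIND zone declarations, rendered once per host from the `bind` variable.

  Variables read by this template:
    ansible_header      - banner text, emitted as // comments
    bind.master         - true on the primary server, false on a secondary
    bind.zones          - list of zone names to declare
    bind.slaves         - addresses of the secondaries (used on the primary only)
    bind.master_ip      - address of the primary (used on secondaries only)
    certbot_dns_secret  - TSIG secret for the DNS-01 key (used on the primary only)

  NOTE(review): on the primary the rendered file holds the TSIG secret in
  clear text. The task that deploys this template is not visible here; confirm
  that it restricts the file mode so only root and the BIND service account can
  read it, and that certbot_dns_secret comes from an encrypted variable store.
#}

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

{% if bind.master %}
// Let's Encrypt Challenge DNS-01
// TSIG key that authenticates dynamic updates; anyone holding this secret can
// rewrite the _acme-challenge TXT records granted below.
key "certbot_challenge." {
  algorithm hmac-sha512;
  secret "{{ certbot_dns_secret }}";
};
{% endif %}

// Crans zones
{% for zone in bind.zones %}
zone "{{ zone }}" {
{% if bind.master %}
  type master;
  file "/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone";
  {# NOTE(review): this path looks like a file generated outside BIND, while
     update-policy below enables dynamic updates on the same zone. Confirm the
     generator and BIND's journal for dynamic updates do not overwrite each other. #}
  {# NOTE(review): the secondaries are listed as forwarders of the primary zone;
     confirm this is intended. #}
  forwarders {
    {% for slave in bind.slaves -%}
    {{ slave }};
    {% endfor -%}
  };
  // Zone transfers are allowed to the secondaries only, matched by source
  // address. NOTE(review): no TSIG key is required for transfers here.
  allow-transfer {
    {% for slave in bind.slaves -%}
    {{ slave }};
    {% endfor -%}
  };
  // Least privilege: the certbot key may only change the TXT record set at
  // exactly _acme-challenge.{{ zone }}, nothing else in the zone.
  update-policy {
    grant certbot_challenge. name _acme-challenge.{{ zone }} txt;
  };
  notify yes;
{% else %}
  type slave;
  file "bak.{{ zone }}";
  masters {
    {{ bind.master_ip }};
  };
  // A secondary never serves zone transfers and sends no NOTIFY.
  allow-transfer {
    "none";
  };
  notify no;
{% endif %}
};
{% endfor %}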