ansible/roles/bind-authoritative/templates/bind/named.conf.local.j2

{{ ansible_header | comment(decoration='// ') }}

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

{%- set masters_ipv4 = bind.masters | json_query("servers[].interface[?vlan_id==`2`].ipv4[]") %}
{%- set masters_ipv6 = bind.masters | json_query("servers[].interface[?vlan_id==`2`].ipv6[][].ipv6") %}
{%- set slaves_ipv4 = bind.slaves | json_query("servers[].interface[?vlan_id==`2`].ipv4[]") %}
{%- set slaves_ipv6 = bind.slaves | json_query("servers[].interface[?vlan_id==`2`].ipv6[][].ipv6") %}
{%- set is_master = ansible_all_ipv4_addresses | intersect(masters_ipv4) %}

{% if is_master -%}
// Let's Encrypt Challenge DNS-01 key
key "certbot_challenge." {
	algorithm hmac-sha512;
	secret "{{ certbot_dns_secret }}";
};
{% endif %}

// Let's Encrypt Challenge DNS-01 zone
zone "_acme-challenge.crans.org" {
	{% if is_master -%}
	type master;
	allow-transfer {
		{% for ip in slaves_ipv4 -%}
		{{ ip }};
		{% endfor -%}
		{% for ip in slaves_ipv6 -%}
		{{ ip }};
	{% endfor -%}
	};
	notify yes;
	{% else -%}
	type slave;
	masters {
		{% for ip in masters_ipv4 -%}
		{{ ip }};
		{% endfor -%}
		{% for ip in masters_ipv6 -%}
		{{ ip }};
	{% endfor -%}
	};
	allow-transfer { "none"; };
	notify no;
	{% endif -%}
	file "bak.{{ zone }}";
	update-policy {
		grant certbot_challenge. name _acme-challenge.crans.org txt;
	};
};

// Crans zones
{% for zone in bind.zones %}
zone "{{ zone }}" {
	{% if is_master -%}
	type master;
	file "/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone";
	allow-transfer {
		{% for ip in slaves_ipv4 -%}
		{{ ip }};
		{% endfor -%}
		{% for ip in slaves_ipv6 -%}
		{{ ip }};
	{% endfor -%}
	};
	notify yes;
	{% else -%}
	type slave;
	file "bak.{{ zone }}";
	masters {
		{% for ip in masters_ipv4 -%}
		{{ ip }};
		{% endfor -%}
		{% for ip in masters_ipv6 -%}
		{{ ip }};
	{% endfor -%}
	};
	allow-transfer { "none"; };
	notify no;
{% endif -%}
};

{% endfor %}