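{{ ansible_managed | comment }}
# Knot DNS configuration rendered from the Ansible inventory.
# See knot.conf(5) or refer to the server documentation.
#
# Layout: every Jinja tag sits at column 0 so that, with Ansible's default
# trim_blocks setting, no indentation leaks into the rendered file; config
# items are indented two spaces as in the knot.conf(5) examples.  Multi-valued
# items (listen, address, acl, notify, master, parent) are written as repeated
# keys, the same convention throughout the file.
#
# Identifier convention, shared by the zone entries at the bottom:
#   remote-<host>       remote entry for inventory host <host>
#   acl-xfr-<host>      replica <host> may transfer zones from this server
#   acl-notify-<host>   master <host> may send NOTIFY to this server
#   acl-update-<host>   updater <host> may send DDNS updates (TSIG required)
#   submission-<zone>   DS submission parameters for <zone>
#   dnssec-<zone>       signing policy for <zone>

server:
  rundir: "{{ knot_server_rundir }}"
  user: "{{ knot_server_user }}:{{ knot_server_group }}"
  identity: "{{ knot_server_identity }}"
  nsid: "{{ knot_server_nsid }}"
{% for addr in knot_server_listen %}
  listen: "{{ addr }}"
{% endfor %}

log:
{% for target in knot_log_targets %}
  - target: "{{ target.target }}"
    any: "{{ target.level }}"
{% endfor %}

#
# ALL KNOWN REMOTES, TSIG KEYS AND ACLs
#
# Every host named as a replica, master, updater or parent of any zone must be
# an inventory host: hostvars[remote] is dereferenced below, so a peer missing
# from the inventory fails the render instead of being silently dropped.
#

# TSIG keys of every peer that may talk to this server (replicas, masters,
# updaters).  This server's own key is included as soon as it is a master or
# replica of any zone, which the `key:` references in the remote section rely
# on.  The secret is written into this file, so the rendered file's mode and
# ownership must keep it readable only by the Knot user.
key:
{% for remote in ( (zones | map(attribute='replicas'))
                 + (zones | map(attribute='masters'))
                 + (zones | map(attribute='updaters') | select('defined')) ) | flatten | unique %}
{% if 'knot_tsig_key' in hostvars[remote] %}
  - id: {{ hostvars[remote].knot_tsig_key.name }}
    algorithm: {{ hostvars[remote].knot_tsig_key.algorithm }}
    secret: "{{ hostvars[remote].knot_tsig_key.secret }}"
{% endif %}
{% endfor %}

# Peers this server initiates traffic to: replicas (NOTIFY), masters (zone
# transfer requests) and parents (DS submission checks).  Outgoing messages are
# signed with this server's own key only when the peer has a key as well, so
# TSIG is always used mutually, never one-sided.
remote:
{% for remote in ( (zones | map(attribute='replicas'))
                 + (zones | map(attribute='masters'))
                 + (zones | map(attribute='parents') | select('defined')) ) | flatten | unique %}
  - id: remote-{{ remote }}
{% if knot_tsig_key is defined and 'knot_tsig_key' in hostvars[remote] %}
    key: {{ knot_tsig_key.name }}
{% endif %}
{% for address in hostvars[remote].knot_dns_addresses %}
    address: "{{ address }}"
{% endfor %}
{% endfor %}

# Inbound access control.  ACL `address` items take an address or subnet
# without a port, so any `@port` suffix carried in knot_dns_addresses is
# stripped from every ACL entry (the transfer ACL used to keep it, the notify
# ACL did not).  When the peer has a TSIG key the ACL requires both a matching
# source address and a valid signature; a peer without a key is admitted by
# source address alone.
acl:
{% for remote in zones | map(attribute='replicas') | flatten | unique %}
  - id: acl-xfr-{{ remote }}
    action: transfer
{% if 'knot_tsig_key' in hostvars[remote] %}
    key: {{ hostvars[remote].knot_tsig_key.name }}
{% endif %}
{% for address in hostvars[remote].knot_dns_addresses %}
    address: "{{ address.split('@')[0] }}"
{% endfor %}
{% endfor %}
{% for remote in zones | map(attribute='masters') | flatten | unique %}
  - id: acl-notify-{{ remote }}
    action: notify
{% if 'knot_tsig_key' in hostvars[remote] %}
    key: {{ hostvars[remote].knot_tsig_key.name }}
{% endif %}
{% for address in hostvars[remote].knot_dns_addresses %}
    address: "{{ address.split('@')[0] }}"
{% endfor %}
{% endfor %}
# DDNS updates are accepted on TSIG only: an updater without a knot_tsig_key
# fails the render rather than producing an unauthenticated update ACL.
{% for remote in zones | map(attribute='updaters') | select('defined') | flatten | unique %}
  - id: acl-update-{{ remote }}
    action: update
    key: {{ hostvars[remote].knot_tsig_key.name }}
{% endfor %}

#
# DNSSEC
#
# This server signs a zone when it masters it, or when it is a replica of the
# zone and sign_on_secondary is set for that zone.
#

submission:
{% for zone in zones %}
{% set signs_zone = inventory_hostname in zone.masters
                    or (inventory_hostname in zone.replicas and zone.sign_on_secondary | default(false)) %}
{% if signs_zone %}
  - id: submission-{{ zone.name }}
    check-interval: {{ knot_dnssec_submission_check_interval }}
    timeout: {{ knot_dnssec_submission_timeout }}
{% for parent in zone.parents | default([]) %}
    parent: remote-{{ parent }}
{% endfor %}
{% endif %}
{% endfor %}

# Per-zone values fall back to the knot_dnssec_policy_* role defaults.
policy:
{% for zone in zones %}
{% set signs_zone = inventory_hostname in zone.masters
                    or (inventory_hostname in zone.replicas and zone.sign_on_secondary | default(false)) %}
{% if signs_zone %}
  - id: dnssec-{{ zone.name }}
    algorithm: {{ zone.algorithm | default(knot_dnssec_policy_algorithm) }}
    nsec3: {{ knot_dnssec_policy_nsec3 }}
    ksk-size: {{ zone.ksk_size | default(knot_dnssec_policy_ksk_size) }}
    zsk-size: {{ zone.zsk_size | default(knot_dnssec_policy_zsk_size) }}
    zsk-lifetime: {{ zone.zsk_lifetime | default(knot_dnssec_policy_zsk_lifetime) }}
    ksk-lifetime: {{ zone.ksk_lifetime | default(knot_dnssec_policy_ksk_lifetime) }}
    ksk-submission: submission-{{ zone.name }}
    ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
    propagation-delay: {{ zone.propagation_delay | default(knot_dnssec_policy_propagation_delay) }}
    cds-cdnskey-publish: {{ zone.cds_cdnskey_publish | default(knot_dnssec_policy_cds_publish) }}
{% endif %}
{% endfor %}

#
# ZONES
#
# One zone section holds both roles, so the rendered file has a single `zone`
# key and stays valid for strict YAML consumers as well; master entries come
# first, replica entries after.
#
zone:
# -- master zones --
{% for zone in zones if inventory_hostname in zone.masters %}
  - domain: {{ zone.name }}
    storage: {{ knot_zone_master_storage_path }}
    semantic-checks: {{ knot_zone_semantic_checks }}
    serial-policy: unixtime
    # The zone file is read as a difference against the journal and never
    # flushed back (zonefile-sync -1); see knot.conf(5) for the interplay of
    # zonefile-load, zonefile-sync and journal-content.
    zonefile-load: difference
    zonefile-sync: -1
    journal-content: changes
    dnssec-signing: {{ knot_zone_dnssec_signing }}
    dnssec-policy: dnssec-{{ zone.name }}
{% for replica in zone.replicas %}
    acl: acl-xfr-{{ replica }}
{% endfor %}
{% for updater in zone.updaters | default([]) %}
    acl: acl-update-{{ updater }}
{% endfor %}
{% for replica in zone.replicas %}
    notify: remote-{{ replica }}
{% endfor %}
{% endfor %}
# -- replica zones --
{% for zone in zones if inventory_hostname in zone.replicas %}
  - domain: {{ zone.name }}
    storage: {{ knot_zone_replica_storage_path }}
    serial-policy: unixtime
{% for master in zone.masters %}
    acl: acl-notify-{{ master }}
{% endfor %}
{% for master in zone.masters %}
    master: remote-{{ master }}
{% endfor %}
{% if zone.sign_on_secondary | default(false) %}
    dnssec-signing: {{ knot_zone_dnssec_signing }}
    dnssec-policy: dnssec-{{ zone.name }}
{% endif %}
{% endfor %}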