# This file is ansible managed

{% macro bool(value) %}
{{   'yes' if value | bool else 'no' -}}
{% endmacro %}

#
# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
#
# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
#
# See LICENSE for the license.
#

# This is a comment.
# Sample configuration file
# include: "file" # include that file's text over here.

# options for the nsd server
server:
    # Number of NSD servers to fork.  Put the number of CPUs to use here.
    server-count: {{ nsd_server_count }}

    # uncomment to specify specific interfaces to bind (default are the
    # wildcard interfaces 0.0.0.0 and ::0).
    # For servers with multiple IP addresses, list them one by one,
    # or the source address of replies could be wrong.
    # Use ip-transparent to be able to list addresses that turn on later.
    {% for ip in nsd_ip_listen %}
    	ip-address: {{ ip }}
    {% endfor %}
    # ip-address: 1.2.3.4@5678
    # ip-address: 12fe::8ef0

    # Allow binding to non local addresses. Default no.
    ip-transparent: {{ bool(nsd_ip_transparent) }}

    # enable debug mode, does not fork daemon process into the background.
    # debug-mode: no

    # listen on IPv4 connections
    do-ip4: {{ bool(nsd_do_ip4) }}

    # listen on IPv6 connections
    do-ip6: {{ bool(nsd_do_ip6) }}

    # port to answer queries on. default is 53.
    port: {{ nsd_port }}

    # Verbosity level.
    # verbosity: 0

    # After binding socket, drop user privileges.
    # can be a username, id or id.gid.
    # username: nsd

    # Run NSD in a chroot-jail.
    # make sure to have pidfile and database reachable from there.
    # by default, no chroot-jail is used.
    # chroot: "/etc/nsd"

    # The directory for zonefile: files.  The daemon chdirs here.
    # zonesdir: "/etc/nsd"

    # the list of dynamically added zones.
    # zonelistfile: "/var/lib/nsd/zone.list"

    # the database to use
    # if set to "" then no disk-database is used, less memory usage.
    # database: "/var/lib/nsd/nsd.db"

    # log messages to file. Default to stderr and syslog (with
    # facility LOG_DAEMON).  stderr disappears when daemon goes to bg.
    # logfile: "/var/log/nsd.log"

    # File to store pid for nsd in.
    # pidfile: "/run/nsd/nsd.pid"

    # The file where secondary zone refresh and expire timeouts are kept.
    # If you delete this file, all secondary zones are forced to be
    # 'refreshing' (as if nsd got a notify).  Set to "" to disable.
    # xfrdfile: "/var/lib/nsd/xfrd.state"

    # The directory where zone transfers are stored, in a subdir of it.
    # xfrdir: "/tmp"

    # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
    hide-version: {{ bool(nsd_hide_version) }}

    # version string the server responds with for chaos queries.
    # default is 'NSD x.y.z' with the server's version number.
    # version: "NSD"

    # identify the server (CH TXT ID.SERVER entry).
    identity: "{{ nsd_identity }}"

    # NSID identity (hex string, or "ascii_somestring"). default disabled.
    # nsid: "aabbccdd"

    # Maximum number of concurrent TCP connections per server.
    # tcp-count: 100

    # Maximum number of queries served on a single TCP connection.
    # By default 0, which means no maximum.
    # tcp-query-count: 0

    # Override the default (120 seconds) TCP timeout.
    # tcp-timeout: 120

    # Preferred EDNS buffer size for IPv4.
    # ipv4-edns-size: 4096

    # Preferred EDNS buffer size for IPv6.
    # ipv6-edns-size: 4096

    # statistics are produced every number of seconds. Prints to log.
    # Default is 0, meaning no statistics are produced.
    # statistics: 3600

    # Number of seconds between reloads triggered by xfrd.
    # xfrd-reload-timeout: 1

    # log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
    # log-time-ascii: yes

    # round robin rotation of records in the answer.
    # round-robin: no

    # check mtime of all zone files on start and sighup
    # zonefiles-check: yes

    # write changed zonefiles to disk, every N seconds.
    # default is 0(disabled) or 3600(if database is "").
    # zonefiles-write: 3600

    # RRLconfig
    # Response Rate Limiting, size of the hashtable. Default 1000000.
    # rrl-size: 1000000

    # Response Rate Limiting, maximum QPS allowed (from one query source).
    # If set to 0, ratelimiting is disabled. Also set
    # rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
    # Default is on.
    # rrl-ratelimit: 200

    # Response Rate Limiting, number of packets to discard before
    # sending a SLIP response (a truncated one, allowing an honest
    # resolver to retry with TCP). Default is 2 (one half of the
    # queries will receive a SLIP response, 0 disables SLIP (all
    # packets are discarded), 1 means every request will get a
    # SLIP response.  When the ratelimit is hit the traffic is
    # divided by the rrl-slip value.
    # rrl-slip: 2

    # Response Rate Limiting, IPv4 prefix length. Addresses are
    # grouped by netblock.
    # rrl-ipv4-prefix-length: 24

    # Response Rate Limiting, IPv6 prefix length. Addresses are
    # grouped by netblock.
    # rrl-ipv6-prefix-length: 64

    # Response Rate Limiting, maximum QPS allowed (from one query source)
    # for whitelisted types. Default is on.
    # rrl-whitelist-ratelimit: 2000
    # RRLend

# Remote control config section.
remote-control:
    # Enable remote control with nsd-control(8) here.
    # set up the keys and certificates with nsd-control-setup.
    control-enable: {{ bool(nsd_remote_control_enable) }}

    # what interfaces are listened to for control, default is on localhost.
{% for control_interface in nsd_remote_control_interfaces %}
    control-interface: {{ control_interface }}
{% endfor %}

    # port number for remote control operations (uses TLS over TCP).
    control-port: {{ nsd_remote_control_port }}

    # nsd server key file for remote control.
    server-key-file: "/etc/nsd/nsd_server.key"

    # nsd server certificate file for remote control.
    server-cert-file: "/etc/nsd/nsd_server.pem"

    # nsd-control key file.
    control-key-file: "/etc/nsd/nsd_control.key"

    # nsd-control certificate file.
    control-cert-file: "/etc/nsd/nsd_control.pem"

{% for zone in zones %}
{% if zone.secret is defined %}
key:
    name: "{{ zone.name }}-key"
    algorithm: {{ zone.algorithm|default('hmac-sha256') }}
    secret: "{{ zone.secret }}"

{% endif %}
{% endfor %}
{% for zone in zones %}
zone:
    name: "{{ zone.name }}"
    {% if zone.dnssec is defined and zone.dnssec is sameas false %}
    zonefile: "zones/{{ zone.name }}.zone"
    {% else %}
    zonefile: "zones/{{ zone.name }}.zone.signed"
    {% endif %}

    
{% if zone.slaves is defined %}
{% for slave in zone.slaves %}
{% if zone.secret is defined %}
    {% if slave.nokey is defined %} 
    notify: {{ slave.ip }} NOKEY
    provide-xfr: {{ slave.ip }} NOKEY
    {% else %}
    notify: {{ slave.ip }} {{ zone.name }}-key
    provide-xfr: {{ slave.ip }} {{ zone.name }}-key
    {% endif %}
{% else %}
    notify: {{ slave.ip }} NOKEY
    provide-xfr: {{ slave.ip }} NOKEY
{% endif %}
{% endfor %}
{% endif %}
{% if zone.masters is defined %}

{% for master in zone.masters %}
{% if zone.secret is defined %}
    allow-notify: {{ master }} {{ zone.name }}-key
    request-xfr: AXFR {{ master }}@53 {{ zone.name }}-key
{% else %}
    allow-notify: {{ master }} NOKEY
    request-xfr: AXFR {{ master }}@53 NOKEY
{% endif %}
{% endfor %}
{% endif %}

{% endfor %}