- name: Install packages
  # PowerDNS authoritative server, from the OS package repository.
  package:
    state: present
    name:
      - powerdns

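- name: Install service configuration
  # One rc.conf.d fragment per service so it can be enabled/started by rc(8).
  copy:
    src: "files/{{ item }}_rc.conf"
    dest: "/etc/rc.conf.d/{{ item }}"
    # Quoted: an unquoted 0644 is read as a YAML 1.1 octal integer (420) and
    # only works because Ansible special-cases it; the string form is unambiguous.
    mode: "0644"
    owner: root
    group: wheel
  loop:
    - pdns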

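- name: Create directories
  # Data directory and zone-file directory, owned by the service account so
  # the SQLite database and zone files created later are readable by it.
  file:
    name: "{{ item }}"
    state: directory
    # Quoted so the mode is not silently reinterpreted as an octal integer.
    mode: "0755"
    owner: pdns
    group: pdns
  loop:
    - /var/lib/powerdns
    - /var/lib/powerdns/zones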

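- name: Copy server configuration
  # Main server config plus the BIND-style zone list that zone2sql reads below.
  # NOTE(review): if pdns.conf carries credentials (an API key or a backend
  # password), 0644 leaves it world-readable; 0640 with group pdns would still
  # let the service read it — confirm what the file contains before tightening.
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ item.dest }}"
    # Quoted so the mode is not silently reinterpreted as an octal integer.
    mode: "0644"
    owner: root
    group: wheel
  loop:
    - src: pdns.conf
      dest: /usr/local/etc/pdns/
    - src: bind.conf
      dest: /usr/local/etc/pdns/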

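- name: Copy zone files
  # Zone data the service account owns; it is imported into SQLite once below.
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ item.dest }}"
    # Quoted so the mode is not silently reinterpreted as an octal integer.
    mode: "0644"
    owner: pdns
    group: pdns
  loop:
    - src: master.db
      dest: /var/lib/powerdns/zones/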

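- name: Initialize DB (create schema)
  # Create the SQLite backend database from the packaged schema. `creates`
  # makes this a one-shot and is what drives `initdb.changed` in the tasks
  # that import the zones.
  command: "sqlite3 -init /usr/local/share/doc/powerdns/schema.sqlite3.sql /var/lib/powerdns/pdns.sqlite3"
  args:
    creates: "/var/lib/powerdns/pdns.sqlite3"
  # Run as the service account through Ansible's privilege escalation rather
  # than by embedding `sudo -u pdns` in the command string.
  become: true
  become_user: pdns
  register: initdb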

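- name: Initialize DB (convert zones to SQL)
  # Convert the zone files listed in bind.conf into SQL; the statements are
  # captured in `initsql.stdout` and loaded by the next task. Only runs on the
  # play that created the database.
  # NOTE(review): `zone2sql` appears twice on the command line; the second
  # occurrence looks like a stray positional argument — confirm against the
  # installed zone2sql before relying on this path.
  command: "zone2sql zone2sql --gsqlite=yes --named-conf=/usr/local/etc/pdns/bind.conf --transactions=yes"
  when: initdb.changed
  # Service-account execution via become instead of an inline `sudo -u pdns`.
  become: true
  become_user: pdns
  register: initsql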

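- name: Initialize DB (load zones)
  # Feed the SQL produced by zone2sql into the freshly created database.
  # Guarded by the same condition as the conversion task, so `initsql.stdout`
  # is only referenced when that task actually ran.
  command: "sqlite3 /var/lib/powerdns/pdns.sqlite3"
  args:
    stdin: "{{ initsql.stdout }}"
  when: initdb.changed
  # Service-account execution via become instead of an inline `sudo -u pdns`.
  become: true
  become_user: pdns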

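- name: Check TSIG keys
  # Read-only probe; its output drives the `when` guards of the key-generation
  # tasks. The listing includes the key secrets alongside the names (verify for
  # the installed version), so keep it out of the log and verbose output.
  command: pdnsutil list-tsig-keys
  register: tsigkeys
  changed_when: false
  check_mode: false
  no_log: true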

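- name: Generate key for Secure AXFR replication
  # Substring check: any key whose name contains "secureaxfr" satisfies it.
  command: pdnsutil generate-tsig-key secureaxfr hmac-sha512
  when: '"secureaxfr" not in tsigkeys.stdout'
  # generate-tsig-key echoes the new secret; never let it reach the log.
  no_log: true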

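- name: Check allowed TSIG keys for AXFR
  # Read-only probe of the zone's TSIG-ALLOW-AXFR metadata; consumed by the
  # two add-meta tasks that register AXFR keys.
  command: pdnsutil get-meta fizz.buzz TSIG-ALLOW-AXFR
  register: tsigaxfr
  changed_when: false
  check_mode: false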

- name: Allow AXFR from the secureaxfr tsig key
  # Only add the metadata entry when the probe above did not report it.
  when: '"secureaxfr" not in tsigaxfr.stdout'
  command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-AXFR secureaxfr

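- name: Generate key for kubernetes external dns
  # Substring check against the earlier list-tsig-keys probe.
  command: pdnsutil generate-tsig-key externaldns hmac-sha512
  when: '"externaldns" not in tsigkeys.stdout'
  # generate-tsig-key echoes the new secret; never let it reach the log.
  no_log: true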

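- name: Check allowed TSIG keys for TSIG-ALLOW-DNSUPDATE
  # Read-only probe of which TSIG keys may sign dynamic updates for the zone.
  command: pdnsutil get-meta fizz.buzz TSIG-ALLOW-DNSUPDATE
  register: tsigallowupdate
  changed_when: false
  check_mode: false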

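# Task name corrected: this registers externaldns for TSIG-ALLOW-DNSUPDATE,
# not an AXFR permission for secureaxfr.
- name: Allow DNS updates signed with the externaldns tsig key
  command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-DNSUPDATE externaldns
  when: '"externaldns" not in tsigallowupdate.stdout'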

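- name: Check ALLOW-DNSUPDATE-FROM
  # Read-only probe of the source networks allowed to send dynamic updates.
  command: pdnsutil get-meta fizz.buzz ALLOW-DNSUPDATE-FROM
  register: allowdnsupdatefrom
  changed_when: false
  check_mode: false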

- name: Allow IP addresses
  # Restrict dynamic updates to the one source network; add it only if the
  # probe above did not already list it.
  when: '"10.215.1.0/24" not in allowdnsupdatefrom.stdout'
  command: pdnsutil add-meta fizz.buzz ALLOW-DNSUPDATE-FROM 10.215.1.0/24

- name: Allow AXFR from the externaldns tsig key
  # Second consumer of the TSIG-ALLOW-AXFR probe (`tsigaxfr`).
  when: '"externaldns" not in tsigaxfr.stdout'
  command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-AXFR externaldns

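- name: Check AXFR-MASTER-TSIG
  # Read-only probe of the key used to sign outgoing NOTIFY/AXFR traffic.
  command: pdnsutil get-meta fizz.buzz AXFR-MASTER-TSIG
  register: signnotify
  changed_when: false
  check_mode: false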

- name: Sign the notifications
  # set-meta replaces the value, so this is safe to run whenever the probe
  # did not show the secureaxfr key.
  when: '"secureaxfr" not in signnotify.stdout'
  command: pdnsutil set-meta fizz.buzz AXFR-MASTER-TSIG secureaxfr

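- name: Check NOTIFY-DNSUPDATE
  # Read-only probe of whether the server notifies secondaries after a
  # dynamic update.
  command: pdnsutil get-meta fizz.buzz NOTIFY-DNSUPDATE
  register: notifydnsupdate
  changed_when: false
  check_mode: false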

- name: Send out notifications on dns update
  # NOTE(review): the guard is a bare substring test for "1" against the whole
  # get-meta output — any "1" in the output (e.g. in the zone name) would skip
  # this task; confirm the exact output format of the installed pdnsutil.
  when: '"1" not in notifydnsupdate.stdout'
  command: pdnsutil set-meta fizz.buzz NOTIFY-DNSUPDATE 1

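- name: Check zone kind
  # Read-only probe; show-zone output is inspected for the zone kind below.
  command: pdnsutil show-zone fizz.buzz
  register: showzone
  changed_when: false
  check_mode: false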

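- name: Set to Master to enable pushing updates
  # show-zone reports the kind as "Master" on older pdnsutil releases and as
  # "Primary" on newer ones (the kind name this task sets) — confirm against
  # the installed version. Checking only "Master" would re-run set-kind on
  # every play against a newer server; both spellings are accepted here.
  command: pdnsutil set-kind fizz.buzz primary
  when:
    - '"Master" not in showzone.stdout'
    - '"Primary" not in showzone.stdout'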