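---
# NOTE: bind had to be disabled and the fizz.buzz zone created manually with the
# sqlite backend, otherwise the metadata updates below would have no effect.
#
# Tasks: install PowerDNS, drop in rc.conf/pdns configuration and the zone file,
# initialise the sqlite backend once, then create TSIG keys and the per-zone
# metadata that allows AXFR (secureaxfr) and DNS UPDATE (externaldns).

- name: Install packages
  package:
    name:
      - powerdns
    state: present

- name: Install service configuration
  copy:
    src: "files/{{ item }}_rc.conf"
    dest: "/etc/rc.conf.d/{{ item }}"
    # Quoted on purpose: an unquoted 0644 is parsed as octal 420 by YAML 1.1 loaders.
    mode: "0644"
    owner: root
    group: wheel
  loop:
    - pdns

- name: Create directories
  file:
    path: "{{ item }}"
    state: directory
    mode: "0755"
    owner: pdns
    group: pdns
  loop:
    - /var/lib/powerdns
    - /var/lib/powerdns/zones/

- name: Copy PowerDNS configuration
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0644"
    owner: root
    group: wheel
  loop:
    - src: pdns.conf
      dest: /usr/local/etc/pdns/
    - src: bind.conf
      dest: /usr/local/etc/pdns/

- name: Initialize DB
  # Run as the pdns service account (instead of wrapping the command in sudo) so the
  # database file is created with the right owner. sqlite3 -init loads the schema
  # script and then reads stdin, which Ansible leaves closed, so it exits right away.
  # Only runs when the database file does not exist yet.
  command: "sqlite3 -init /usr/local/share/doc/powerdns/schema.sqlite3.sql /var/lib/powerdns/pdns.sqlite3"
  args:
    creates: /var/lib/powerdns/pdns.sqlite3
  become: true
  become_user: pdns

- name: Copy zone files
  copy:
    src: "files/{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0644"
    owner: pdns
    group: pdns
  loop:
    - src: master.db
      dest: /var/lib/powerdns/zones/

- name: Check TSIG keys
  command: pdnsutil list-tsig-keys
  register: tsigkeys
  changed_when: false
  check_mode: false
  # list-tsig-keys prints the key secrets next to the key names; keep the
  # registered output out of the Ansible log.
  no_log: true

- name: Generate key for Secure AXFR replication
  command: pdnsutil generate-tsig-key secureaxfr hmac-sha512
  when: '"secureaxfr" not in tsigkeys.stdout'
  # generate-tsig-key echoes the new secret to stdout.
  no_log: true

- name: Check allowed TSIG keys for AXFR
  command: pdnsutil get-meta fizz.buzz TSIG-ALLOW-AXFR
  register: tsigaxfr
  changed_when: false
  check_mode: false

- name: Allow AXFR from the secureaxfr tsig key
  command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-AXFR secureaxfr
  when: '"secureaxfr" not in tsigaxfr.stdout'

- name: Generate key for kubernetes external dns
  command: pdnsutil generate-tsig-key externaldns hmac-sha512
  when: '"externaldns" not in tsigkeys.stdout'
  # generate-tsig-key echoes the new secret to stdout.
  no_log: true

- name: Check allowed TSIG keys for TSIG-ALLOW-DNSUPDATE
  command: pdnsutil get-meta fizz.buzz TSIG-ALLOW-DNSUPDATE
  register: tsigallowupdate
  changed_when: false
  check_mode: false

# The original task was mislabelled as an AXFR rule; it grants DNS UPDATE rights.
- name: Allow DNS UPDATE from the externaldns tsig key
  command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-DNSUPDATE externaldns
  when: '"externaldns" not in tsigallowupdate.stdout'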