fix: rename files to .yaml

Reviewed-on: #13

.ansible-lint

@@ -1,3 +1,4 @@
 ---
 
-skip_list: []
+exclude_paths:
+- .gitea/

.drone.yml

@@ -1,94 +0,0 @@
----
-kind: pipeline
-type: kubernetes
-name: linter
-
-platform:
-  os: linux
-
-steps:
-- name: markdown lint
-  commands:
-  - markdownlint *.md
-  image: docker.io/volkerraschek/markdownlint:0.31.1
-  resources:
-    limits:
-      cpu: 50
-      memory: 50M
-
-- name: email-notification
-  environment:
-    PLUGIN_HOST:
-      from_secret: smtp_host
-    PLUGIN_USERNAME:
-      from_secret: smtp_username
-    PLUGIN_PASSWORD:
-      from_secret: smtp_password
-    PLUGIN_FROM:
-      from_secret: smtp_mail_address
-  image: docker.io/drillster/drone-email:latest
-  resources:
-    limits:
-      cpu: 50
-      memory: 25M
-  when:
-    status:
-    - changed
-    - failure
-
-trigger:
-  event:
-    exclude:
-    - tag
-
----
-kind: pipeline
-type: kubernetes
-name: sync
-
-platform:
-  os: linux
-  arch: amd64
-
-steps:
-- name: github
-  image: docker.io/appleboy/drone-git-push:latest
-  resources:
-    limits:
-      cpu: 50
-      memory: 25M
-  settings:
-    branch: master
-    remote: ssh://git@github.com/volker-raschek/bind9-role.git
-    force: true
-    ssh_key:
-      from_secret: ssh_key
-
-- name: email-notification
-  environment:
-    PLUGIN_HOST:
-      from_secret: smtp_host
-    PLUGIN_USERNAME:
-      from_secret: smtp_username
-    PLUGIN_PASSWORD:
-      from_secret: smtp_password
-    PLUGIN_FROM:
-      from_secret: smtp_mail_address
-  image: docker.io/drillster/drone-email:latest
-  resources:
-    limits:
-      cpu: 50
-      memory: 25M
-  when:
-    status:
-    - changed
-    - failure
-
-trigger:
-  branch:
-  - master
-  event:
-  - cron
-  - push
-  repo:
-  - volker.raschek/bind9-role

.gitea/workflows/ansible-linters.yaml

@@ -0,0 +1,20 @@
+name: Ansible Linter
+
+on:
+  pull_request:
+    types: [ "opened", "reopened", "synchronize" ]
+  push:
+    branches: [ '**' ]
+    tags-ignore: [ '**' ]
+
+jobs:
+  ansible-lint:
+    runs-on:
+    - ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5.0.1
+    - name: Run ansible-lint
+      uses: ansible/ansible-lint@v25.11.0
+      with:
+        args: "--config-file .ansible-lint"
+        setup_python: "true"

.gitea/workflows/markdown-linters.yaml

@@ -0,0 +1,18 @@
+name: Lint Markdown files
+
+on:
+  pull_request:
+    types: [ "opened", "reopened", "synchronize" ]
+  push:
+    branches: [ '**' ]
+    tags-ignore: [ '**' ]
+
+jobs:
+  markdown-lint:
+    runs-on:
+    - ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5.0.1
+    - uses: DavidAnson/markdownlint-cli2-action@v21.0.0
+      with:
+        globs: '**/*.md'

.gitignore

@@ -0,0 +1 @@
+.ansible

.markdownlint.yaml

@@ -45,19 +45,17 @@ MD012:
 # MD013/line-length - Line length
 MD013:
   # Number of characters
-  line_length: 80
+  line_length: 120
   # Number of characters for headings
-  heading_line_length: 80
+  heading_line_length: 120
   # Number of characters for code blocks
-  code_block_line_length: 80
+  code_block_line_length: 120
   # Include code blocks
   code_blocks: false
   # Include tables
   tables: false
   # Include headings
   headings: true
-  # Include headings
-  headers: true
   # Strict length checking
   strict: false
   # Stern length checking
@@ -70,11 +68,6 @@ MD022:
   # Blank lines below heading
   lines_below: 1
 
-# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
-MD024:
-  # Only check sibling headings
-  allow_different_nesting: true
-
 # MD025/single-title/single-h1 - Multiple top-level headings in the same document
 MD025:
   # Heading level
@@ -141,4 +134,4 @@ MD046:
 # MD048/code-fence-style - Code fence style
 MD048:
   # Code fence syle
-  style: "backtick"
+  style: "backtick"

.yamllint.yaml

@@ -0,0 +1,17 @@
+#
+# Documentation:
+# https://yamllint.readthedocs.io/en/stable/
+#
+
+rules:
+  brackets:
+    forbid: false
+    min-spaces-inside: 0
+    max-spaces-inside: 2
+    min-spaces-inside-empty: 0
+    max-spaces-inside-empty: 0
+  indentation:
+    spaces: 2
+    indent-sequences: false
+  line-length:
+    max: 360

README.md

@@ -1,14 +1,13 @@
 # bind9-role
 
-[![Build Status](https://drone.cryptic.systems/api/badges/volker.raschek/bind9-role/status.svg)](https://drone.cryptic.systems/volker.raschek/bind9-role)
-[![Ansible Role](https://img.shields.io/ansible/role/d/58170)](https://galaxy.ansible.com/volker_raschek/bind9_role)
+[![Ansible Role](https://img.shields.io/ansible/role/d/58170)](https://galaxy.ansible.com/volker_raschek/bind9)
 
 With following role can be bind installed and configured.
 
 ## Installation
 
 ```bash
-ansible-galaxy install volker_raschek.bind9_role
+ansible-galaxy install volker_raschek.bind9
 ```
 
 ## Supported distributions

defaults/main.yml

@@ -1,10 +1,18 @@
 ---
 
 bind9_acls:
-- name: internalnets
+- name: "internalnets"
   permissions: []
   # - "111.222.111.222"
 
+bind9_controls: []
+# - acls:
+#   - localhost
+#   inet: "127.0.0.1"
+#   port: "953"
+#   tsig_keys:
+#   - rndc
+
 bind9_logging:
   categories:
   - name: "security"
@@ -33,17 +41,27 @@ bind9_options:
   allow_update_forwarding: []
   auth_nxdomain: false
   blackhole: []
-  dnssec_validations: true
+  dnssec_accept_expired: false
+  dnssec_validation: "auto"
   forwarders:
-  - "8.8.8.8"               # Google IPv4
-  - "8.8.4.4"               # Google IPv4
-  - "2001:4860:4860::8888"  # Google IPv6
-  - "2001:4860:4860::8844"  # Google IPv6
-  - "208.67.222.222"        # OpenDNS IPv4
-  - "208.67.220.220"        # OpenDNS IPv4
-  - "2620:0:ccc::2"         # OpenDNS IPv6
-  - "2620:0:ccd::2"         # OpenDNS IPv6
+  - ip: "8.8.8.8"               # Google IPv4
+    port: "53"
+  - ip: "8.8.4.4"               # Google IPv4
+    port: "53"
+  - ip: "2001:4860:4860::8888"  # Google IPv6
+    port: "53"
+  - ip: "2001:4860:4860::8844"  # Google IPv6
+    port: "53"
+  - ip: "208.67.222.222"        # OpenDNS IPv4
+    port: "53"
+  - ip: "208.67.220.220"        # OpenDNS IPv4
+    port: "53"
+  - ip: "2620:0:ccc::2"         # OpenDNS IPv6
+    port: "53"
+  - ip: "2620:0:ccd::2"         # OpenDNS IPv6
+    port: "53"
   interface_interval: 0
+  key_directory: "/var/named/dnssec-keys"
   listen_on_ipv4:
   - "127.0.0.1"
   listen_on_ipv6:
@@ -52,42 +70,99 @@ bind9_options:
   minimal_responses: "no"
   notify: "yes"
   recursion: "yes"
+  update_policies: []
+  # - action: grant
+  #   identity: keyname
+  #   ruletype: name
+  #   name: _acme-challenge.example.com.
+  #   types:
+  #   - TXT
+
   transfer_format: "many-answers"
 
+bind9_rndc_key:
+  name: ""
+  algorithm: ""
+  secret: ""
+
+bind9_dnssec_keys: []
+# - origin: "hellenthal.cryptic.systems"
+#   key_signing_key:
+#     private:
+#       filename: "{{ bind9_options.key_directory }}/example.com.private"
+#       content: "private key"
+#     public:
+#       filename: "{{ bind9_options.key_directory }}/example.com.private"
+#       content: "public key"
+#   zone_signing_key:
+#     private:
+#       filename: "{{ bind9_options.key_directory }}/example.com.private"
+#       content: "private key"
+#     public:
+#       filename: "{{ bind9_options.key_directory }}/example.com.private"
+#       content: "public key"
+
+bind9_statics:
+  enabled: true
+  channels:
+  - inet: "127.0.0.1"
+    port: "8053"
+    acls:
+    - "localhost"
+
+
 bind9_tsigkeys: []
 # - name: "name"
 #   algorithm: "algorithm"
 #   secret: "secret"
 
 bind9_views: []
-# - name: external
+# - name: "external"
 #   match_clients:
 #   - "!internalnets"
 #   - "any"
 #   zones:
-#   - allow_notify: []
-#     allow_query:
-#     - "any"
-#     allow_query_on: []
-#     allow_update: []
-#     allow_update_forwarding: []
-#     allow_transfer: []
+#   - config:
+#       allow_notify: []
+#       allow_query:
+#       - "any"
+#       allow_query_on: []
+#       allow_update: []
+#       allow_update_forwarding: []
+#       allow_transfer: []
+#       file: zones/external/db.local.example
+#       origin: "example.local."
+#       type: master
+#       notify: true
 #     file: zones/external/db.local.example
-#     origin: "example.local."
-#     type: master
-# - name: internal
+# - name: "internal"
 #   match_clients:
 #   - "!192.168.178.1"
 #   - "internalnets"
 #   - "127.0.0.0/8"
 #   zones:
-#   - allow_notify: []
-#     allow_query:
-#     - "any"
-#     allow_query_on: []
-#     allow_update: []
-#     allow_update_forwarding: []
-#     allow_transfer: []
+#   - config:
+#       allow_notify: []
+#       allow_query:
+#       - "any"
+#       allow_query_on: []
+#       allow_update: []
+#       allow_update_forwarding: []
+#       allow_transfer: []
+#       file: zones/internal/db.local.example
+#       origin: "example.local."
+#       type: master
 #     file: zones/internal/db.local.example
-#     origin: "example.local."
-#     type: master
+#   - config:
+#       allow_notify: []
+#       allow_query: []
+#       allow_query_on: []
+#       allow_update: []
+#       allow_update_forwarding: []
+#       allow_transfer: []
+#       forward: only
+#       forwarders:
+#       - 192.168.175.1
+#       origin: "gitlab-runner.external.local"
+#       type: forward
+#     file: "gitlab-runner.external.local"

handlers/main.yml

@@ -1,7 +1,7 @@
 ---
 
-- name: restart named
-  systemd:
+- name: Restart named
+  ansible.builtin.systemd:
     name: "{{ bind_service_name }}"
     state: restarted
     daemon_reload: true

meta/main.yml

@@ -1,23 +1,26 @@
+dependencies: []
 galaxy_info:
   author: Markus Pesch
-  description: Role to install and configure bind9 on different distributions
   company: Cryptic Systems
-  license: MIT
-  min_ansible_version: 2.1
-  platforms:
-  - name: Archlinux
-    versions:
-    - all
-  - name: Ubuntu
-    versions:
-    - 20.04
-  - name: RockyLinux
-    versions:
-    - 8.5
-
+  description: Role to install and configure bind9 on different distributions
   galaxy_tags:
   - named
   - bind
   - dyndns
-
-dependencies: []
+  license: MIT
+  min_ansible_version: "2.9"
+  namespace: volker-raschek
+  platforms:
+  - name: ArchLinux
+    versions:
+    - all
+  - name: EL
+    versions:
+    - all
+  - name: Fedora
+    versions:
+    - all
+  - name: Ubuntu
+    versions:
+    - all
+  role_name: bind9

renovate.json

@@ -1,17 +1,9 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "assignees": [ "volker.raschek" ],
-  "automergeStrategy": "merge-commit",
-  "automergeType": "pr",
-  "labels": [ "renovate" ],
-  "packageRules": [
-    {
-      "addLabels": [ "renovate/droneci", "renovate/automerge" ],
-      "automerge": true,
-      "matchManagers": "droneci",
-      "matchUpdateTypes": [ "minor", "patch"]
-    }
-  ],
-  "rebaseLabel": "renovate/rebase",
-  "rebaseWhen": "behind-base-branch"
-}
+  "extends": [
+    "local>volker.raschek/renovate-config:default#master",
+    "local>volker.raschek/renovate-config:container#master",
+    "local>volker.raschek/renovate-config:actions#master",
+    "local>volker.raschek/renovate-config:regexp#master"
+  ]
+}

tasks/create_dnssec_files.yaml

@@ -0,0 +1,25 @@
+---
+
+- name: "Create private DNSSEC: {{ bind9_dnssec_key.origin }}"
+  ansible.builtin.copy:
+    dest: "{{ item.private.filename }}"
+    content: "{{ item.private.content }}"
+    owner: "{{ bind_unix_user }}"
+    group: "{{ bind_unix_group }}"
+    mode: "0600"
+  no_log: true
+  with_items:
+  - "{{ bind9_dnssec_key.key_signing_key }}"
+  - "{{ bind9_dnssec_key.zone_signing_key }}"
+
+- name: "Create public DNSSEC: {{ bind9_dnssec_key.origin }}"
+  ansible.builtin.copy:
+    dest: "{{ item.public.filename }}"
+    content: "{{ item.public.content }}"
+    owner: "{{ bind_unix_user }}"
+    group: "{{ bind_unix_group }}"
+    mode: "0644"
+  no_log: true
+  with_items:
+  - "{{ bind9_dnssec_key.key_signing_key }}"
+  - "{{ bind9_dnssec_key.zone_signing_key }}"

tasks/main.yaml

@@ -0,0 +1,132 @@
+---
+
+- name: Include OS-specific variables
+  ansible.builtin.include_vars: "{{ ansible_facts['os_family'] }}.yaml"
+
+- name: Install bind and dependencies
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ bind_package_names }}"
+
+- name: Create logging directory
+  ansible.builtin.file:
+    path: "{{ bind_log_directory }}"
+    owner: "{{ bind_unix_user }}"
+    group: "{{ bind_unix_group }}"
+    mode: "0755"
+    state: directory
+    recurse: true
+
+- name: Create config directory
+  ansible.builtin.file:
+    path: "{{ bind_config_directory }}"
+    owner: "{{ bind_unix_user }}"
+    group: "{{ bind_unix_group }}"
+    mode: "0755"
+    state: directory
+    recurse: true
+
+- name: Remove existing journal files
+  block:
+  - name: Find existing journal files
+    ansible.builtin.find:
+      path: "{{ bind_config_directory }}"
+      recurse: true
+      patterns: "*.jnl"
+    register: files_to_delete
+  - name: Delete existing journal files
+    ansible.builtin.file:
+      path: "{{ item.path }}"
+      state: absent
+    with_items: "{{ files_to_delete.files }}"
+
+- name: Remove existing signed zone files
+  block:
+  - name: Find existing signed zone files
+    ansible.builtin.find:
+      path: "{{ bind_config_directory }}"
+      recurse: true
+      patterns: "*.signed"
+    register: files_to_delete
+  - name: Delete existing signed zone files
+    ansible.builtin.file:
+      path: "{{ item.path }}"
+      state: absent
+    with_items: "{{ files_to_delete.files }}"
+
+- name: Remove existing DNSSEC key directory
+  block:
+  - name: Check if DNSSEC key directory exists
+    ansible.builtin.stat:
+      path: "{{ bind9_options.key_directory }}"
+    register: _stat_bind9_options_key_directory
+  - name: Remove DNSSEC key directory
+    ansible.builtin.file:
+      path: "{{ bind9_options.key_directory }}"
+      state: "absent"
+    when: _stat_bind9_options_key_directory.stat.exists
+
+- name: Create DNSSEC key directory
+  ansible.builtin.file:
+    path: "{{ bind9_options.key_directory }}"
+    owner: "{{ bind_unix_user }}"
+    group: "{{ bind_unix_group }}"
+    mode: "0700"
+    state: directory
+
+- name: Create DNSSEC files
+  ansible.builtin.include_tasks: create_dnssec_files.yaml
+  with_items: "{{ bind9_dnssec_keys }}"
+  no_log: true
+  loop_control:
+    loop_var: bind9_dnssec_key
+
+- name: Create DNS-Zone files
+  ansible.builtin.include_tasks: template_zone_files.yaml
+  with_items:
+  - "{{ bind9_views }}"
+  loop_control:
+    loop_var: view
+
+- name: Create main configuration file
+  ansible.builtin.template:
+    src: "etc/named.conf.j2"
+    dest: "{{ bind_main_config }}"
+    owner: "{{ bind_unix_user }}"
+    group: "{{ bind_unix_group }}"
+    mode: "0644"
+  notify: Restart named
+
+- name: Create excluded configuration files
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "{{ item | replace('etc/named', bind_config_directory) }}"
+    owner: "{{ bind_unix_user }}"
+    group: "{{ bind_unix_group }}"
+    mode: "0644"
+  with_items:
+  - etc/named.conf
+  - etc/named/named.conf.acl
+  - etc/named/named.conf.logging
+  - etc/named/named.conf.options
+  - etc/named/named.conf.tsigkeys
+  - etc/named/named.conf.views
+  notify: Restart named
+
+- name: Start and enabled named
+  ansible.builtin.systemd:
+    name: named
+    state: started
+    enabled: true
+
+- name: Create rndc.key
+  ansible.builtin.template:
+    src: etc/rndc.key.j2
+    dest: /etc/rndc.key
+    owner: "{{ bind_unix_user }}"
+    group: "{{ bind_unix_group }}"
+    mode: "0600"
+  when: bind9_rndc_key.name | length > 0 and
+        bind9_rndc_key.algorithm | length > 0 and
+        bind9_rndc_key.secret | length > 0

tasks/main.yml

@@ -1,70 +0,0 @@
----
-
-- name: include special distribution-dependent variables
-  include_vars: "{{ ansible_os_family }}.yml"
-
-- name: install bind and dependencies
-  package:
-    name: "{{ item }}"
-    state: present
-  with_items: "{{ bind_package_names }}"
-
-- name: create logging directory
-  file:
-    path: "{{ bind_log_directory }}"
-    owner: "{{ bind_unix_user }}"
-    group: "{{ bind_unix_group }}"
-    mode: 0755
-    state: directory
-    recurse: yes
-
-- name: remove existing journal files
-  block:
-  - name: find existing journal files
-    find:
-      path: "{{ bind_config_directory }}"
-      recurse: yes
-      patterns: "*.jnl"
-    register: files_to_delete
-  - name: delete existing journal files
-    file:
-      path: "{{ item.path }}"
-      state: absent
-    with_items: "{{ files_to_delete.files }}"
-
-
-#  - name: copy zone files
-#   include_tasks: copy_zone_files.yml
-#   with_items:
-#   - "{{ bind9_views }}"
-#   loop_control:
-#     loop_var: view
-
-- name: template zone files
-  include_tasks: template_zone_files.yml
-  with_items:
-  - "{{ bind9_views }}"
-  loop_control:
-    loop_var: view
-
-- name: set up global bind config
-  template:
-    src: "{{ item }}.j2"
-    dest: "/etc/{{ item }}"
-    owner: "{{ bind_unix_user }}"
-    group: "{{ bind_unix_group }}"
-    mode: 0644
-  with_items:
-  - named.conf
-  - named/named.conf.acl
-  - named/named.conf.logging
-  - named/named.conf.options
-  - named/named.conf.tsigkeys
-  - named/named.conf.views
-  notify: restart named
-
-- name: start and enabled named
-  systemd:
-    name: named
-    state: started
-    enabled: yes

tasks/sign_zone_file.yaml

@@ -0,0 +1,28 @@
+---
+
+- name: "Sign DNS Zone {{ zone.config.origin }}"
+  vars:
+    dnssec_cmd:
+    - dnssec-signzone
+    - -N
+    - INCREMENT
+    - -S
+    - -K
+    - "{{ bind9_options.key_directory }}"
+  block:
+  - name: "Extend dnssec command of ORIGIN"
+    ansible.builtin.set_fact:
+      _dnssec_cmd: "{{ dnssec_cmd + ['-o', zone.config.origin] }}"
+  - name: "Extend dnssec command of zone file"
+    ansible.builtin.set_fact:
+      _dnssec_cmd: "{{ _dnssec_cmd + [bind_config_directory + '/' + zone.file] }}"
+  - name: "Sign zone {{ zone.config.origin }}"
+    ansible.builtin.command:
+      argv: "{{ _dnssec_cmd }}"
+      creates: "{{ bind_config_directory + '/' + zone.file }}.signed"
+  - name: Adapt signed zone file permissions
+    ansible.builtin.file:
+      path: "{{ bind_config_directory + '/' + zone.file }}.signed"
+      owner: "{{ bind_unix_user }}"
+      group: "{{ bind_unix_group }}"
+      mode: "0644"

tasks/template_zone_files.yaml

@@ -0,0 +1,48 @@
+---
+
+- name: "Create config directory of DNS zones"
+  ansible.builtin.file:
+    path: "{{ bind_config_directory }}/{{ zone.file | dirname }}"
+    owner: "{{ bind_unix_user }}"
+    group: "{{ bind_unix_group }}"
+    mode: "0755"
+    state: directory
+  with_items:
+  - "{{ view.zones }}"
+  loop_control:
+    loop_var: zone
+  when: zone.file is defined and
+        zone.file | length > 0
+
+- name: "Template view {{ view.name }}"
+  ansible.builtin.template:
+    src: "{{ inventory_hostname }}/etc/named/{{ zone.file }}.j2"
+    dest: "{{ bind_config_directory + '/' + zone.file }}"
+    owner: "{{ bind_unix_user }}"
+    group: "{{ bind_unix_group }}"
+    mode: "0644"
+  with_items:
+  - "{{ view.zones }}"
+  loop_control:
+    loop_var: zone
+  when: zone.config.type == 'master'
+  notify: Restart named
+
+- name: Check if last character in zone files is a newline
+  ansible.builtin.include_tasks: verify_zone_file.yaml
+  with_items:
+  - "{{ view.zones }}"
+  loop_control:
+    loop_var: zone
+  when: zone.config.type == 'master'
+
+- name: Sign Zones
+  ansible.builtin.include_tasks: sign_zone_file.yaml
+  with_items:
+  - "{{ view.zones }}"
+  loop_control:
+    loop_var: zone
+  when: zone.config.type == 'master' and
+        bind9_dnssec_keys | selectattr('origin', 'in', zone.config.origin) | map(attribute='zone_signing_key') | length > 0 and
+        (bind9_dnssec_keys | selectattr('origin', 'in', zone.config.origin) | map(attribute='zone_signing_key'))[0].private | length > 0 and
+        (bind9_dnssec_keys | selectattr('origin', 'in', zone.config.origin) | map(attribute='zone_signing_key'))[0].public  | length > 0

tasks/template_zone_files.yml

@@ -1,27 +0,0 @@
----
-
-- name: create directory for zone {{ zone.file | dirname }}
-  file:
-    path: "{{ bind_config_directory }}/{{ zone.file | dirname }}"
-    owner: "{{ bind_unix_user }}"
-    group: "{{ bind_unix_group }}"
-    mode: 0755
-    state: directory
-  with_items:
-  - "{{ view.zones }}"
-  loop_control:
-    loop_var: zone
-
-- name: "template view {{ view.name }}"
-  template:
-    src: "{{ inventory_hostname }}/etc/named/{{ zone.file }}.j2"
-    dest: "{{ bind_config_directory }}/{{ zone.file }}"
-    owner: "{{ bind_unix_user }}"
-    group: "{{ bind_unix_group }}"
-    mode: 0644
-  with_items:
-  - "{{ view.zones }}"
-  loop_control:
-    loop_var: zone
-  when: zone.type == 'master'
-  notify: restart named

tasks/verify_zone_file.yaml

@@ -0,0 +1,13 @@
+---
+
+- name: "Read the last character of DNS zone: {{ zone.config.origin }}"
+  ansible.builtin.command:
+    cmd: "tail --bytes 1 {{ bind_config_directory + '/' + zone.file }}"
+  register: _bind9_zone_last_character
+  changed_when: _bind9_zone_last_character.rc == 0
+  failed_when: _bind9_zone_last_character.rc > 0
+
+- name: "Fail when the last character of DNS zone file is not a newline: {{ bind_config_directory + '/' + zone.file }}"
+  ansible.builtin.fail:
+    msg: "Last character of DNS zone file is not a newline: {{ bind_config_directory + '/' + zone.file }}"
+  when: _bind9_zone_last_character.stdout != ''

templates/etc/named.conf.j2

@@ -0,0 +1,14 @@
+#
+# {{ ansible_managed }}
+#
+
+# zone "." IN {
+#   type hint;
+#   file "named.ca";
+# };
+
+include "{{ bind_config_directory }}/named.conf.acl";
+include "{{ bind_config_directory }}/named.conf.logging";
+include "{{ bind_config_directory }}/named.conf.options";
+include "{{ bind_config_directory }}/named.conf.tsigkeys";
+include "{{ bind_config_directory }}/named.conf.views";

templates/etc/named/named.conf.options.j2

@@ -2,6 +2,23 @@
 # {{ ansible_managed }}
 #
 
+{% if bind9_controls is defined and bind9_controls | length > 0 %}
+controls {
+{% for control in bind9_controls %}
+  inet {{ control.inet }} port {{ control.port }} allow {
+{% for acl in control.acls %}
+    {{ acl }};
+{% endfor %}
+  } keys {
+{% for name in control.tsig_keys %}
+    "{{ name }}";
+{% endfor %}
+  };
+
+{% endfor %}
+};
+{% endif %}
+
 options {
 
   # This specifies which hosts are allowed to ask ordinary DNS questions.
@@ -167,16 +184,35 @@ options {
   # allow-update-forwarding {};
 {% endif %}
 
-  directory "/etc/named";
+  directory "{{ bind_config_directory }}";
 
-  dnssec-validation {{ bind9_options.dnssec_validation | default('no') }};
+  # This accepts expired signatures when verifying DNSSEC signatures. The default is no. Setting this option to yes
+  # leaves named vulnerable to replay attacks.
+  dnssec-accept-expired {{ "yes" if bind9_options.dnssec_accept_expired else "no" }};
 
-  # dump-file "/var/bind/named.dump";
+  # Enables DNSSEC validation in named.
+  #
+  # auto: If set to auto, DNSSEC validation is enabled and a default trust anchor for the DNS root zone is used. This
+  # trust anchor is provided as part of BIND and is kept up-to-date
+  #
+  # yes: If set to yes, DNSSEC validation is enabled, but a trust anchor must be manually configured using a
+  # trust-anchors statement (or the managed-keys or trusted-keys statements, both deprecated). If trust-anchors is not
+  # configured, it is a configuration error. If trust-anchors does not include a valid root key, then validation does
+  # not take place for names which are not covered by any of the configured trust anchors.
+  #
+  # no: If set to no, DNSSEC validation is disabled.
+  #
+  # https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-dnssec-validation
+  dnssec-validation {{ bind9_options.dnssec_validation | default('auto') }};
 
 {% if bind9_options.forwarders is defined and bind9_options.forwarders | length > 0 %}
   forwarders {
 {% for forwarder in bind9_options.forwarders %}
-    {{ forwarder }};
+{% if forwarder.port is defined and forwarder.port | length > 0 %}
+    {{ forwarder.ip }} port {{ forwarder.port }};
+{% else %}
+    {{ forwarder.ip }};
+{% endif %}
 {% endfor %}
   };
 {% else %}
@@ -210,6 +246,13 @@ options {
   };
 {% endif %}
 
+  # Indicates the directory where public and private DNSSEC key files are found.
+  #
+  # This is the directory where the public and private DNSSEC key files should be found when performing a dynamic update
+  # of secure zones, if different than the current working directory.
+  # https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-key-directory
+  key-directory "{{ bind9_options.key_directory }}";
+
   # managed-keys-directory "/var/named/dynamic";
   # memstatistics-file "/var/bind/named.memstats";
   minimal-responses {{ bind9_options.minimal_responses }};
@@ -230,4 +273,16 @@ options {
   version none;
 
   zone-statistics yes;
-};
+};
+
+{% if bind9_statics.enabled is defined and bind9_statics.enabled is true %}
+statistics-channels {
+{% for channel in bind9_statics.channels %}
+  inet {{ channel.inet }} port {{ channel.port }} allow {
+{% for acl in channel.acls %}
+    {{ acl }};
+{% endfor %}
+  };
+{% endfor %}
+};
+{% endif %}

templates/etc/named/named.conf.views.j2

@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: True
 #
 # {{ ansible_managed }}
 #
@@ -12,7 +13,7 @@ view "{{ view.name }}" {
   };
 
 {% for zone in view.zones %}
-  zone "{{ zone.origin }}" {
+  zone "{{ zone.config.origin }}" {
 
     # Hosts which are allowed to issue queries to the server. If not specified all
     # hosts are allowed to make queries (defaults to allow-query {any;};
@@ -20,9 +21,9 @@ view "{{ view.name }}" {
     # NOTE:
     # - The statements may be used in a zone, view or a global options
     #   clause.
-{% if zone.allow_query is defined and zone.allow_query | length > 0 %}
+{% if zone.config.allow_query is defined and zone.config.allow_query | length > 0 %}
     allow-query {
-{% for entry in zone.allow_query %}
+{% for entry in zone.config.allow_query %}
       {{ entry }};
 {% endfor %}
     };
@@ -39,9 +40,9 @@ view "{{ view.name }}" {
     # NOTE:
     # - The statements may be used in a zone, view or a global options
     #   clause.
-{% if zone.allow_query_on is defined and zone.allow_query_on | length > 0 %}
+{% if zone.config.allow_query_on is defined and zone.config.allow_query_on | length > 0 %}
     allow-query {
-{% for entry in zone.allow_query_on %}
+{% for entry in zone.config.allow_query_on %}
       {{ entry }};
 {% endfor %}
     };
@@ -62,9 +63,9 @@ view "{{ view.name }}" {
     #
     # NOTE:
     # - This statement may be used in a zone, view or global options clause.
-{% if zone.allow_transfer is defined and zone.allow_transfer | length > 0 %}
+{% if zone.config.allow_transfer is defined and zone.config.allow_transfer | length > 0 %}
     allow-transfer {
-{% for entry in zone.allow_transfer %}
+{% for entry in zone.config.allow_transfer %}
       key {{ entry }};
 {% endfor %}
     };
@@ -85,9 +86,9 @@ view "{{ view.name }}" {
     #
     # NOTE:
     # - This statement may be used in a zone, view or an options clause.
-{% if zone.allow_update is defined and zone.allow_update | length > 0 %}
+{% if zone.config.allow_update is defined and zone.config.allow_update | length > 0 %}
     allow-update {
-{% for entry in zone.allow_update %}
+{% for entry in zone.config.allow_update %}
       key {{ entry }};
 {% endfor %}
     };
@@ -101,9 +102,9 @@ view "{{ view.name }}" {
     #
     # NOTE:
     # - This statement may be used in zone, view or an options clause.
-{% if zone.allow_update_forwarding is defined and zone.allow_update_forwarding | length > 0 %}
+{% if zone.config.allow_update_forwarding is defined and zone.config.allow_update_forwarding | length > 0 %}
     allow-update-forwarding {
-{% for entry in zone.allow_update_forwarding %}
+{% for entry in zone.config.allow_update_forwarding %}
       {{ entry }};
 {% endfor %}
     };
@@ -127,13 +128,45 @@ view "{{ view.name }}" {
     #   is complete. If the Master is not available or the Slave fails to
     #   contact the Master, ffor whatever reason, the zone may be left with
     #   no effective Authoritative Name Servers.
-    file "/etc/named/{{ zone.file }}";
+{% if zone.file is defined and zone.file | length > 0 and not zone.file.startswith('/') %}
+    file "{{ bind_config_directory }}/{{ zone.config.file }}";
+{% elif zone.file is defined and zone.file | length > 0 and zone.file.startswith('/')%}
+    file "{{ zone.config.file }}";
+{% else %}
+    # file "{{ bind_config_directory }}/...";
+{% endif %}
+
+    # This option is only meaningful if the forwarders list is not empty. A
+    # value of first is the default and causes the server to query the
+    # forwarders first; if that does not answer the question, the server then
+    # looks for the answer itself. If only is specified, the server only queries
+    # the forwarders.
+{% if zone.config.forward is defined and zone.config.forward | length > 0 %}
+    forward {{ zone.config.forward }};
+{% else %}
+    # forward first;
+{% endif %}
+
+    # This specifies a list of IP addresses to which queries are forwarded. The
+    # default is the empty list (no forwarding). Each address in the list can be
+    # associated with an optional port number and/or DSCP value, and a default
+    # port number and DSCP value can be set for the entire list.
+    # https://bind9.readthedocs.io/en/latest/reference.html#forwarding
+{% if zone.config.forwarders is defined and zone.config.forwarders | length > 0 %}
+    forwarders {
+{% for forwarder in zone.config.forwarders %}
+      {{ forwarder }};
+{% endfor %}
+    };
+{% else %}
+    # forwarders {};
+{% endif %}
 
     # master servers
     # https://bind9.readthedocs.io/en/latest/manpages.html?highlight=masters#masters
-{% if zone.masters is defined and zone.masters | length > 0 %}
+{% if zone.config.masters is defined and zone.config.masters | length > 0 %}
     masters {
-{% for master in zone.masters %}
+{% for master in zone.config.masters %}
       {{ master.ip }} key {{ master.tsigkey}};
 {% endfor %}
     };
@@ -157,7 +190,14 @@ view "{{ view.name }}" {
     # NOTE:
     # - This statement may be specified in zone, view clauses or in a
     #   global options clause.
+{% if zone.config.notify is defined and zone.config.notify %}
     notify yes;
+{% elif zone.config.notify is defined and not zone.config.notify %}
+    notify no;
+{% else %}
+    # notify yes | no;
+{% endif %}
+
 
     # Zones configured for dynamic DNS may use this option to set the
     # update method to be used for the zone serial number in the SOA
@@ -176,15 +216,32 @@ view "{{ view.name }}" {
     # is the current date in the form “YYYYMMDD”, followed by two
     # zeroes, unless the existing serial number is already greater than
     # or equal to that value, in which case it is incremented by one.
-{% if zone.serial_update_method is defined %}
-    serial-update-method {{ zone.serial_update_method }};
+{% if zone.config.serial_update_method is defined %}
+    serial-update-method {{ zone.config.serial_update_method }};
 {% else %}
     # serial-update-method [date | increment | unixtime ];
 {% endif %}
 
-    type {{ zone.type }};
+    type {{ zone.config.type }};
+
+    # The update-policy clause allows more fine-grained control over which
+    # updates are allowed. It specifies a set of rules, in which each rule
+    # either grants or denies permission for one or more names in the zone to be
+    # updated by one or more identities. Identity is determined by the key that
+    # signed the update request, using either TSIG or SIG(0).
+    # https://bind9.readthedocs.io/en/v9_16_5/reference.html#dynamic-update-policies
+{% if zone.config.update_policies is defined and zone.config.update_policies | length > 0 %}
+    update-policy {
+{% for update_policy in zone.config.update_policies %}
+      {{ update_policy.action }} {{ update_policy.identity }} {{ update_policy.ruletype }} {{ update_policy.name | default('') }} {{ update_policy.types | default('') | join(' ') }};
+{% endfor %}
+    };
+{% else %}
+    # update-policy {};
+{% endif %}
 
   };
+
 {% endfor %}
 
 };

templates/etc/rndc.key.j2

@@ -0,0 +1,7 @@
+#
+# {{ ansible_managed }}
+#
+key "{{ bind9_rndc_key.name }}" {
+  algorithm {{ bind9_rndc_key.algorithm }};
+  secret "{{ bind9_rndc_key.secret }}";
+};

templates/named.conf.j2

@@ -1,12 +0,0 @@
-# zone "." IN {
-#   type hint;
-#   file "named.ca";
-# };
-
-include "/etc/named/named.conf.acl";
-include "/etc/named/named.conf.logging";
-include "/etc/named/named.conf.options";
-include "/etc/named/named.conf.tsigkeys";
-include "/etc/named/named.conf.views";
-# include "/etc/named.rfc1912.zones";
-# include "/etc/named.root.key";

vars/Debian.yml

@@ -1,8 +1,8 @@
 ---
 
-bind_main_config: /etc/named.conf
-bind_config_directory: /etc/named
-bind_log_directory: /var/log/named
+bind_main_config: /etc/bind/named.conf
+bind_config_directory: /etc/bind
+bind_log_directory: /var/log/bind
 
 bind_package_names:
 - bind9
@@ -10,4 +10,4 @@ bind_package_names:
 bind_service_name: named
 
 bind_unix_user: bind
-bind_unix_group: bind
+bind_unix_group: bind

vars/RedHat.yml

@@ -11,4 +11,4 @@ bind_package_names:
 bind_service_name: named
 
 bind_unix_user: named
-bind_unix_group: named
+bind_unix_group: named