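{{ ansible_managed | comment }}
{#
  Knot DNS configuration (knot.conf) rendered by Ansible.

  Each optional section (key, remote, submission, policy, acl, mod-queryacl,
  zone) is emitted only when the corresponding knotd__* variable is non-empty,
  so the rendered file contains just what the inventory configures. Field
  names inside the knotd__* mappings are used as-is; an item that is read
  without `is defined` / `default()` is required by this template.
#}

server:
  rundir: "{{ knotd__run_dir }}"
  user: {{ knotd__user }}:{{ knotd__group }}
{% for listen in knotd__listen %}
  listen: {{ listen.address }}@{{ listen.port | default(knotd__port) }}
{% endfor %}
{# Empty strings disable the CHAOS-class version.bind / id.server answers,
   so the server does not disclose its software version or identity. #}
  version: ""
  identity: ""

log:
  - target: syslog
    any: info

database:
  storage: "{{ knotd__database_dir }}"

{% if knotd__keys %}
{# TSIG keys. The secret is written into this file in the clear, so the
   rendered file's ownership and mode (managed outside this template) must
   keep it readable only by the Knot service user. The secret is quoted so a
   base64 value is always read as a literal string. #}
key:
{% for id, key in knotd__keys.items() %}
  - id: {{ id }}
    algorithm: {{ key.algorithm }}
    secret: "{{ key.secret }}"
{% endfor %}
{% endif %}

{% if knotd__remotes %}
{# Remote servers (primaries / notify targets); `key` is optional. #}
remote:
{% for id, remote in knotd__remotes.items() %}
  - id: {{ id }}
    address: {{ remote.address }}
{% if remote.key is defined %}
    key: {{ remote.key }}
{% endif %}
{% endfor %}
{% endif %}

{% if knotd__submissions %}
{# KSK submission checks: `parent` names the remote(s) queried for the DS. #}
submission:
{% for id, submission in knotd__submissions.items() %}
  - id: {{ id }}
    parent: {{ submission.parent }}
{% endfor %}
{% endif %}

{% if knotd__policies %}
{# DNSSEC signing policies. `reproducible-signing` is only meaningful for the
   ECDSA algorithms, so it is emitted for those alone; the remaining boolean
   options fall back to the role-wide knotd__* defaults. #}
policy:
{% for id, policy in knotd__policies.items() %}
  - id: {{ id }}
    algorithm: {{ policy.algorithm }}
{% if policy.algorithm.startswith("ECDSA") %}
    reproducible-signing: {{ policy.reproducible_signing
                             | default(knotd__reproducible_signing)
                             | ternary("on", "off") }}
{% endif %}
    ksk-lifetime: {{ policy.ksk_lifetime }}
    zsk-lifetime: {{ policy.zsk_lifetime }}
    nsec3: {{ policy.nsec3
              | default(knotd__nsec3)
              | ternary("on", "off") }}
{% if policy.ds_push is defined %}
    ds-push: {{ policy.ds_push }}
{% endif %}
    cds-cdnskey-publish: {{ policy.cds_cdnskey_publish
                            | default(knotd__cds_cdnskey_publish) }}
{% if policy.ksk_submission is defined %}
    ksk-submission: {{ policy.ksk_submission }}
{% endif %}
{% endfor %}
{% endif %}

{% if knotd__acl %}
{# Access control. An entry that sets only `address` authorizes by source IP
   alone; set `key` as well to require a TSIG signature. For action `update`
   the update-owner* items restrict which owner names a dynamic update may
   touch, and update_types / update_owner_name are required fields. #}
acl:
{% for id, acl in knotd__acl.items() %}
  - id: {{ id }}
{% if acl.addresses is defined %}
    address: [ {{ acl.addresses | join(", ") }} ]
{% endif %}
    action: {{ acl.action }}
{% if acl.action == "update" %}
    update-type: [ {{ acl.update_types | join(", ") }} ]
    update-owner: {{ acl.update_owner
                     | default(knotd__acl_update_owner) }}
    update-owner-match: {{ acl.update_owner_match
                           | default(knotd__acl_update_owner_match) }}
    update-owner-name: [ {{ acl.update_owner_name | join(", ") }} ]
{% endif %}
{% if acl.key is defined %}
    key: {{ acl.key }}
{% endif %}
{% endfor %}
{% endif %}

{% if knotd__queryacl %}
{# Query ACL module instances, referenced from zones as mod-queryacl/<id>. #}
mod-queryacl:
{% for id, acl in knotd__queryacl.items() %}
  - id: {{ id }}
    address: [ {{ acl.addresses | join(", ") }} ]
{% endfor %}
{% endif %}

template:
  - id: default
    storage: "{{ knotd__zones_dir }}"
    file: "%s.zone"
    zonefile-sync: -1
{# `journal-content: all` is the mode needed by the `zonefile-load:
   difference-no-serial` used for primary zones below. The key was previously
   listed twice (`changes`, then `all`), which left the effective value to the
   parser's duplicate-key handling; only the intended value is kept. #}
    journal-content: all
    serial-policy: {{ knotd__serial_policy }}

{% if knotd__zones %}
{# Zones with `master` are secondaries fed by transfers only; all others are
   primaries loaded from their zone file. A primary with a dnssec_policy is
   signed by this server; other zones get Knot's own dnssec-validation of the
   zone content according to the zone or role-wide setting. A zone can be
   left out of the rendered file with `enabled: false`. #}
zone:
{% for domain, zone in knotd__zones.items() %}
{% if zone.enabled | default(true) %}
  - domain: {{ domain }}
{% if zone.notify is defined %}
    notify: [ {{ zone.notify | join(", ") }} ]
{% endif %}
{% if zone.acl is defined %}
    acl: [ {{ zone.acl | join(", ") }} ]
{% endif %}
{% if zone.queryacl is defined %}
    module: mod-queryacl/{{ zone.queryacl }}
{% endif %}
{% if zone.master is defined %}
    master: {{ zone.master }}
    zonefile-load: none
{% else %}
    zonefile-load: difference-no-serial
    semantic-checks: {{ knotd__semantic_checks
                        | ternary("on", "off") }}
{% endif %}
{% if zone.dnssec_policy is defined %}
    dnssec-policy: {{ zone.dnssec_policy }}
    dnssec-signing: on
{% else %}
    dnssec-validation: {{ zone.dnssec_validation
                          | default(knotd__dnssec_validation)
                          | ternary("on", "off") }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}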