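---
# Deploy TLS material, configuration and zone data for NSD, then make sure
# the service is enabled and running.

# The task names were swapped in the original: this task installs the
# private key (*.key), the next one installs the certificate (*.crt).
- name: Copy server private key
  ansible.builtin.copy:
    dest: "{{ tls_private }}/{{ nsd_server }}.key"
    src: "{{ item }}"
    # Quoted so the mode is always read as an octal string, never as an
    # integer by a YAML 1.2 parser. Only root may read the key.
    mode: "0600"
    owner: root
    group: "{{ ansible_wheel }}"
  # Keep private key material out of --diff output and anything that
  # records it (CI logs, callback plugins).
  diff: false
  # The first path that exists on the controller is used.
  with_first_found:
    - "/srv/letsencrypt/live/{{ nsd_server }}/privkey.pem"
    - "/srv/ca/private/{{ nsd_server }}.key"
    - "/srv/ca/private/{{ inventory_hostname }}.key"
  tags: certificates
  notify: Restart nsd

- name: Copy server certificate
  ansible.builtin.copy:
    dest: "{{ tls_certs }}/{{ nsd_server }}.crt"
    src: "{{ item }}"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  # NOTE(review): the key and the certificate are each resolved by their own
  # first-found lookup, and the second fallback here is keyed on `site` while
  # the key task uses `nsd_server`. Confirm both lookups always land on a
  # matching key/certificate pair; a mismatch would only show up when nsd
  # is restarted.
  with_first_found:
    - "/srv/letsencrypt/live/{{ nsd_server }}/fullchain.pem"
    - "/srv/ca/certs/hosts/{{ site }}.crt"
    - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
  tags: certificates
  notify: Restart nsd

- name: Create config
  ansible.builtin.template:
    src: nsd.conf.j2
    dest: /var/nsd/etc/nsd.conf
    # Writable by root only, readable by the _nsd group, hidden from others.
    mode: "0640"
    owner: root
    group: _nsd
  notify: Restart nsd

- name: Copy zone files
  ansible.builtin.copy:
    # '/' in a zone name is replaced with '-' on both sides, so the resulting
    # file name contains no path separator and stays inside the zone
    # directory.
    dest: "/var/nsd/zones/master/{{ item | replace('/', '-') }}"
    src: "/srv/dns/{{ item | replace('/', '-') }}"
    mode: "0640"
    owner: root
    group: _nsd
  tags: dns
  notify: Restart nsd
  with_items: "{{ nsd_zones }}"

- name: Enable service
  ansible.builtin.service:
    name: nsd
    state: started
    enabled: true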