refactor: Rename leaf config to site config

feat: Add argument specs and atomic validation

tasks/main.yml

@@ -18,18 +18,67 @@
     mode: 0750
   when: bind9_backup_config is defined and bind9_backup_config
 
-- name: Template named.conf.generator
-  ansible.builtin.template:
-    src: named.conf.generator.j2
-    dest: "{{ bind9_cfgdir }}/{{ item.name }}"
-    owner: root
-    group: bind
-    mode: 0640
-    backup: "{{ item.backup | default('false') | bool }}"
-  # validate: 'named-checkconf -z -j %s'
-  loop: "{{ bind9_config }}"
-  loop_control:
-    label: "{{ item.name }}"
+- name: Deploy and Validate Configuration
+  block:
+    - name: Create backup of current config
+      ansible.builtin.copy:
+        src: "{{ bind9_cfgdir }}/{{ item.name }}"
+        dest: "{{ bind9_cfgdir }}/{{ item.name }}.bak"
+        remote_src: true
+        owner: root
+        group: bind
+        mode: 0640
+      failed_when: false # It's okay if the file doesn't exist yet
+      # We do this for every file in the loop
+      loop: "{{ bind9_config }}"
+      loop_control:
+        label: "{{ item.name }}"
+
+    - name: Template named.conf.generator
+      ansible.builtin.template:
+        src: named.conf.generator.j2
+        dest: "{{ bind9_cfgdir }}/{{ item.name }}"
+        owner: root
+        group: bind
+        mode: 0640
+      loop: "{{ bind9_config }}"
+      loop_control:
+        label: "{{ item.name }}"
+      register: _template_result
+
+    - name: Validate configuration using named-checkconf
+      ansible.builtin.command:
+        cmd: "named-checkconf -z {{ bind9_cfgdir }}/named.conf"
+      changed_when: false
+
+  rescue:
+    - name: Restore configuration from backup
+      ansible.builtin.copy:
+        src: "{{ bind9_cfgdir }}/{{ item.name }}.bak"
+        dest: "{{ bind9_cfgdir }}/{{ item.name }}"
+        remote_src: true
+        owner: root
+        group: bind
+        mode: 0640
+      loop: "{{ bind9_config }}"
+      loop_control:
+        label: "{{ item.name }}"
+      failed_when: false # Best effort restore
+
+    - name: Fail due to invalid configuration
+      ansible.builtin.fail:
+        msg: "Configuration validation failed. Changes have been reverted. Check the logs for named-checkconf errors."
+
+  always:
+    - name: Remove backup files
+      ansible.builtin.file:
+        path: "{{ bind9_cfgdir }}/{{ item.name }}.bak"
+        state: absent
+      loop: "{{ bind9_config }}"
+      loop_control:
+        label: "{{ item.name }}"
+      when: bind9_backup_config | bool is false # Keep if backup is forced, otherwise cleanup temporary atomic backup
+  
   tags:
     - bind9
     - template