ansible-bind9-role/tasks/main.yml

---
# tasks file for bind9
- name: Install bind9
  ansible.builtin.apt:
    name: "{{ bind9_packages }}"
    state: present
    cache_valid_time: 3600
  tags:
    - bind9
    - packages

- name: Ensure backup directory exists
  ansible.builtin.file:
    path: "{{ bind9_backup_dir }}"
    state: directory
    owner: root
    group: root
    mode: 0750
  when: bind9_backup_config is defined and bind9_backup_config | bool

- name: Deploy and Validate Configuration
  block:
    - name: Create backup of current config
      ansible.builtin.copy:
        src: "{{ bind9_cfgdir }}/{{ item.name }}"
        dest: "{{ bind9_cfgdir }}/{{ item.name }}.bak"
        remote_src: true
        owner: root
        group: bind
        mode: 0640
      failed_when: false # It's okay if the file doesn't exist yet
      # We do this for every file in the loop
      loop: "{{ bind9_config }}"
      loop_control:
        label: "{{ item.name }}"

    - name: Template named.conf.generator
      ansible.builtin.template:
        src: named.conf.generator.j2
        dest: "{{ bind9_cfgdir }}/{{ item.name }}"
        owner: root
        group: bind
        mode: 0640
      loop: "{{ bind9_config }}"
      loop_control:
        label: "{{ item.name }}"
      register: _template_result

    - name: Validate configuration using named-checkconf
      ansible.builtin.command:
        cmd: "named-checkconf -z {{ bind9_cfgdir }}/named.conf"
      changed_when: false

  rescue:
    - name: Restore configuration from backup
      ansible.builtin.copy:
        src: "{{ bind9_cfgdir }}/{{ item.name }}.bak"
        dest: "{{ bind9_cfgdir }}/{{ item.name }}"
        remote_src: true
        owner: root
        group: bind
        mode: 0640
      loop: "{{ bind9_config }}"
      loop_control:
        label: "{{ item.name }}"
      failed_when: false # Best effort restore

    - name: Fail due to invalid configuration
      ansible.builtin.fail:
        msg: "Configuration validation failed. Changes have been reverted. Check the logs for named-checkconf errors."

  always:
    - name: Remove backup files
      ansible.builtin.file:
        path: "{{ bind9_cfgdir }}/{{ item.name }}.bak"
        state: absent
      loop: "{{ bind9_config }}"
      loop_control:
        label: "{{ item.name }}"
      when: bind9_backup_config | bool is false # Keep if backup is forced, otherwise cleanup temporary atomic backup
  
  tags:
    - bind9
    - template
  notify:
    - Backup bind config
    - Restart bind

- name: Ensure the named service is started
  ansible.builtin.service:
    name: named
    state: started
    enabled: true

- name: Print the bind9_config
  ansible.builtin.debug:
    var: bind9_config
  when: bind9_debug_config | bool