---
# Example playbook demonstrating nsupdate_zone module usage.
#
# One play, run on localhost, that drives the valid.nsupdate_zone.nsupdate_zone
# module twice: once for a single zone with a per-zone dns_server, once for
# several zones sharing a play-wide dns_server. The remaining tasks only print
# the registered results.
- name: Manage DNS zones with nsupdate_zone
  hosts: localhost
  gather_facts: false
  vars:
    # TSIG authentication
    dns_key_name: "nsupdate"
    # NOTE(review): example value only. In real use source the TSIG secret from
    # Ansible Vault or a secret/env lookup rather than committing it in plaintext.
    dns_key_secret: "+bFQtBCta7j2vWkjPkAFtgA=="

    # Example zone records
    # Each entry is a mapping of record / type / value (scalar or list) with
    # optional ttl and state; the module's exact schema is not shown here.
    example_com_records:
      # Zone apex records
      - record: 'example.com.'
        type: A
        value: 192.168.1.1
        ttl: 3600
      - record: 'example.com.'
        type: MX
        value:
          - "10 mail1.example.com."
          - "20 mail2.example.com."
      - record: 'example.com.'
        type: TXT
        value:
          - "v=spf1 mx a include:_spf.google.com ~all"
          - "google-site-verification=abc123"
      # Subdomains
      # A list value yields one record per address (round-robin A set).
      - record: www
        type: A
        value:
          - 192.168.1.10
          - 192.168.1.11
        ttl: 300
      - record: blog
        type: CNAME
        value: www.example.com.
      - record: mail1
        type: A
        value: 192.168.1.20
      - record: mail2
        type: A
        value: 192.168.1.21
      # Wildcard
      # '*' must stay quoted: a bare * is a YAML alias sigil, not a string.
      - record: '*'
        type: A
        value: 192.168.1.100
      # Remove old record
      # state: absent deletes the record instead of ensuring it exists.
      - record: old-server
        type: A
        value: 192.168.1.99
        state: absent

  tasks:
    - name: Manage example.com zone
      valid.nsupdate_zone.nsupdate_zone:
        key_name: "{{ dns_key_name }}"
        key_secret: "{{ dns_key_secret }}"
        # Transport used for the update messages.
        protocol: tcp
        # SOA and DNSSEC records are ignored by default
        # Extra regexes (single-quoted so the backslash stays literal) for
        # record names to leave untouched, e.g. ACME DNS-01 challenge names.
        ignore_record_patterns:
          - '^_acme-challenge\..*'
          - '^_dnsauth\..*'
        zones:
          - name: example.com
            # Per-zone server; the second task shows the play-wide alternative.
            dns_server: ns1.example.com
            records: "{{ example_com_records }}"
      register: result

    # Prints the entire registered result. NOTE(review): if the module does not
    # declare key_secret as no_log in its argument spec, result.invocation may
    # echo the TSIG secret into the run log — confirm before using in CI.
    - name: Display results
      ansible.builtin.debug:
        var: result

    # Per-zone summary; assumes each result entry carries zone, changed and a
    # changes mapping with adds/deletes/updates (module output, not shown here).
    - name: Show changes made
      ansible.builtin.debug:
        msg: |
          Zone: {{ item.zone }}
          Changed: {{ item.changed }}
          Adds: {{ item.changes.adds }}
          Deletes: {{ item.changes.deletes }}
          Updates: {{ item.changes.updates }}
      loop: "{{ result.results }}"
      # Skip when the module returned no per-zone results list.
      when: result.results is defined

    # Example: Manage multiple zones with global dns_server
    - name: Manage multiple zones with shared server
      valid.nsupdate_zone.nsupdate_zone:
        key_name: "{{ dns_key_name }}"
        key_secret: "{{ dns_key_secret }}"
        dns_server: ns1.example.com  # Global server for all zones
        zones:
          - name: example.com
            records:
              - record: 'example.com.'
                type: A
                value: 192.168.1.1
          - name: example.org
            records:
              - record: 'example.org.'
                type: A
                value: 192.168.2.1
          - name: example.net
            records:
              - record: 'example.net.'
                type: A
                value: 192.168.3.1
      register: multi_zone_result

    # Counts zones processed and how many of them reported changed: true.
    - name: Show multi-zone results
      ansible.builtin.debug:
        msg: >-
          Processed {{ multi_zone_result.results | length }} zones,
          {{ multi_zone_result.results | selectattr('changed', 'equalto', true) | list | length }} changed