---
# Sample zone definition consumed by the nsupdate_zone module.
# Each entry in list_of_nsupdate_zones describes one zone and the
# records that should exist in it.
list_of_nsupdate_zones:
  - name: hugs.dk
    dns_server: ns1.mydns.com
    records:
      # state: absent removes the record instead of ensuring it exists
      - record: dnshenet-key
        type: TXT
        value: 'c8445a4f-cf4c-4130-94c8-21c2b0da80c0'
        state: absent

      # A record with several values takes them as a list.
      - record: 'hugs.dk.'
        type: CAA
        value:
          - '0 issue letsencrypt.org'
          - '0 iodef mailto:caa@valid.dk'

      # 'record' is relative to the zone 'name' unless it ends with a dot '.'.
      # This one becomes 'skibidi.ohio.hugs.dk' and points at
      # 'doesntexist.hugs.dk.'.
      - record: skibidi.ohio
        type: CNAME
        value: doesntexist

      # A name that already carries a CNAME cannot hold any other record
      # type, so the entry below can never be applied. It stays commented
      # out because it would trigger a CNAME conflict error.
      # - record: skibidi.ohio
      #   type: TXT
      #   value:
      #     - "Q: Hey can we add an SPF record to this third party vendors CNAME?"
      #     - "A: The answer is always no"

      # Wildcard (star) names work as expected.
      - record: '*'
        type: CNAME
        value: 'hugs.dk.'

      # To address the zone apex, give its FQDN with a trailing dot '.',
      # as done here.
      - record: 'hugs.dk.'
        type: TXT
        value:
          - 'v=spf1 mx a include:_spf.google.com ~all'
          - 'google-site-verification=8PimrghUKUJi9dJhfj1CGyB7s5zzf6ZiiZxukzPALM0'

      # Records with several fields (priority, target, ...) put them
      # space-separated inside the single value string.
      - record: 'hugs.dk.'
        type: MX
        value:
          - '1 aspmx.l.google.com.'
          - '5 alt2.aspmx.l.google.com.'
          - '5 alt1.aspmx.l.google.com.'
          - '10 alt3.aspmx.l.google.com.'
          - '10 alt4.aspmx.l.google.com.'
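# Example playbook to use this zone file
---
- name: Provision DNS zones efficiently
  hosts: localhost
  gather_facts: false
  vars_files:
    - sample_zone_format.yml
  vars:
    # Your TSIG key for authentication
    dns_tsig_key_name: "nsupdate"
    dns_tsig_key_secret: "{{ vault_dns_key }}"  # Store in ansible-vault
  tasks:
    - name: Update DNS zones
      valid.nsupdate_zone.nsupdate_zone:
        key_name: "{{ dns_tsig_key_name }}"
        # NOTE(review): confirm the module declares key_secret as no_log so
        # the TSIG secret cannot surface in verbose (-v) task output.
        key_secret: "{{ dns_tsig_key_secret }}"
        key_algorithm: hmac-sha256
        protocol: tcp
        # SOA and DNSSEC records are ignored by default
        ignore_record_patterns:
          - '^_acme-challenge\..*'
        verbose: true  # Show detailed per-record actions
        zones: "{{ list_of_nsupdate_zones }}"
      register: zone_update_result

    # Use the FQCN for core modules (ansible-lint fqcn[action-core]),
    # consistent with the collection module above.
    - name: Display update summary
      ansible.builtin.debug:
        msg: |
          Zone: {{ item.zone }}
          Changed: {{ item.changed }}
          Changes: +{{ item.changes.adds }} -{{ item.changes.deletes }} ~{{ item.changes.updates }}
      # assumes the module returns one entry per zone under 'results'
      # with zone/changed/changes keys -- confirm against the module docs
      loop: "{{ zone_update_result.results }}"
      loop_control:
        label: "{{ item.zone }}"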