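# Multi-stage build for a PowerDNS primary/secondary pair.
#   builder-*  : render the configuration tree in /etc/powerdns with make
#   common     : runtime base with pdns-server, running as the pdns user
#   primary    : runtime base + primary config + DNSSEC signing state
#   secondary  : runtime base + secondary config + empty DNSSEC database
#
# NOTE(review): debian:trixie-slim is a moving tag; pin it by digest if
# rebuilds must be reproducible.

FROM debian:trixie-slim AS builder-common
# DEBIAN_FRONTEND is set inline so it does not persist as an image ENV.
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        make \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /etc/powerdns
RUN mkdir -p pdns.d
COPY pdns.conf pdns.conf
COPY zones pri

# this stage prepares the configuration files in /etc/powerdns for primary
FROM builder-common AS builder-primary
# build additional config files from templates (tpl), then drop the build
# inputs so only the rendered config is copied into the runtime image
COPY primary tpl
COPY primary/Makefile .
RUN make && rm -rf tpl Makefile

# this stage prepares the configuration files in /etc/powerdns for secondary
FROM builder-common AS builder-secondary
COPY secondary tpl
COPY secondary/Makefile .
# the secondary does not ship the zone files (pri) from the build context
RUN make && rm -rf tpl pri Makefile

FROM debian:trixie-slim AS common
# install pdns-server with the bind and sqlite3 backends for serving zones
# (make is only needed in the builder stages and is not installed here)
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        pdns-backend-bind \
        pdns-backend-sqlite3 \
        pdns-server \
    && rm -rf /var/lib/apt/lists/*
# drop the packaged default configuration, create the directories the server
# writes to and hand only those to the unprivileged pdns user; the config
# copied in later stays root-owned and therefore read-only for the daemon
WORKDIR /etc/powerdns
RUN rm -rf ./* \
    && mkdir -p db sec /var/run/pdns \
    && chown pdns db sec /var/run/pdns
# every later RUN (pdnsutil) and the server itself run as pdns, not root
USER pdns
CMD ["pdns_server", "--guardian=no", "--daemon=no", "--loglevel=10", "--webserver=no"]

# this stage is the actual primary DNS server image
FROM common AS primary
COPY --from=builder-primary /etc/powerdns .
# DNSSEC setup
# NOTE(review): secure-all-zones runs at build time, so the private signing
# keys are presumably written to db/bind-dnssec-db.sqlite3 (confirm that
# pdns.conf points bind-dnssec-db there) and become part of an image layer.
# Anyone who can pull this image can read them, and every rebuild produces
# new keys that no longer match the DS records published at the parent.
# Restrict registry access accordingly, or generate/mount the database at
# deploy time instead.
RUN pdnsutil create-bind-db /etc/powerdns/db/bind-dnssec-db.sqlite3
RUN pdnsutil secure-all-zones
# Each file name in pri is used as a zone name and gets its own random
# 16-byte NSEC3 salt. "1 1 5 <salt>" = SHA-1, opt-out flag set, 5 iterations.
# NOTE(review): RFC 9276 recommends 0 additional iterations and an empty
# salt; confirm these parameters are still intended.
# NOTE(review): only the exit status of the last zone decides whether this
# step fails; an error on an earlier zone does not stop the build.
RUN cd pri && for zone in *; do \
        salt="$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"; \
        pdnsutil set-nsec3 "$zone" "1 1 5 $salt"; \
    done
RUN pdnsutil rectify-all-zones

# this stage is the actual secondary DNS server image
FROM common AS secondary
COPY --from=builder-secondary /etc/powerdns .
# DNSSEC setup: only the (empty) DNSSEC database is created here; no zones
# are signed in this stage
RUN pdnsutil create-bind-db /etc/powerdns/db/bind-dnssec-db.sqlite3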