add barebones knot config

This configuration does not yet do much but it provisions a knot
server that runs.

roles/auth-dns/handlers/main.yaml

@@ -0,0 +1,8 @@
+- tags: [ 02-auth-dns ]
+  name: restart knot
+  become: true
+  notify: restart knot
+  ansible.builtin.systemd:
+    name: knot.service
+    state: restarted
+

roles/auth-dns/tasks/01-install.yaml

@@ -0,0 +1,11 @@
+---
+- name: Install knot
+  tags: [ auth-dns ]
+  become: true
+  ansible.builtin.package:
+    name:
+      - knot
+      - knot-exporter
+      - knot-dnssecutils
+      - knot-dnsutils
+      - knot-host

roles/auth-dns/tasks/02-configure.yaml

@@ -0,0 +1,11 @@
+- tags: [ auth-dns ]
+  name: Deploy knot configuration file
+  become: true
+  notify: restart knot
+  ansible.builtin.template:
+    src: knot.conf.j2
+    dest: /etc/knot/knot.conf
+    owner: knot
+    group: knot
+    mode: u=rw,g=r,o=
+

roles/auth-dns/tasks/main.yaml

@@ -0,0 +1,3 @@
+---
+- ansible.builtin.import_tasks: 01-install.yaml # noqa: name[missing]
+- ansible.builtin.import_tasks: 02-configure.yaml # noqa: name[missing]

roles/auth-dns/templates/knot.conf.j2

@@ -0,0 +1,64 @@
+# {{ ansible_managed }}
+# See knot.conf(5) or refer to the server documentation.
+
+server:
+    rundir: "/run/knot"
+    user: knot:knot
+    automatic-acl: on
+    listen: [ "0.0.0.0@53", "::@53" ]
+
+log:
+  - target: syslog
+    any: info
+
+database:
+    storage: "/var/lib/knot"
+
+key:
+  - id: auth-dns.hamburg.ccc.de
+    algorithm: hmac-sha512
+    secret: ""
+
+remote:
+  - id: quad9
+    address: "2620:fe::fe"
+
+# define how the presence of parent KSK keys is checked
+# in this case, we just ask quad9 which is an open resolver
+submission:
+  - id: default
+    parent: quad9
+    parent-delay: 1h
+
+# define how dnssec signing is done
+# in this case we don't do anything special but teach knot how to check of KSK presence
+policy:
+  - id: default
+    ksk-submission: default
+    nsec3: true
+    nsec3-salt-length: 0
+
+# define default settings that apply to all zones
+template:
+  - id: default
+    storage: "/etc/knot/zones"
+    file: "%s.zone"
+    semantic-checks: on
+    zonefile-sync: -1
+    zonefile-load: difference-no-serial
+    journal-content: all
+    default-ttl: 60
+    catalog-role: member
+    catalog-zone: hamburg.ccc.de.catalog.
+    dnssec-signing: on
+    dnssec-policy: default
+    {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}
+
+  - id: minimal
+    {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}
+
+zone:
+  {# - domain: onsite.eurofurence.catalog. #}
+    {# template: minimal #}
+    {# catalog-role: generate #}
+  {# - domain: "onsite.eurofurence.org" #}