From 3f8187f46a3d79cb0b90400251e375a3a5573368 Mon Sep 17 00:00:00 2001
From: lilly
Date: Wed, 29 Apr 2026 22:44:20 +0200
Subject: [PATCH] wip: add basic knot config
---
 .../chaosknoten/host_vars/auth-dns.yaml | 6 ++
 inventories/chaosknoten/hosts.yaml | 1 +
 .../auth-dns/docker_compose/compose.yaml.j2 | 13 ++++
 .../auth-dns/docker_compose/knot.conf.j2 | 64 +++++++++++++++++++
 4 files changed, 84 insertions(+)
 create mode 100644 inventories/chaosknoten/host_vars/auth-dns.yaml
 create mode 100644 resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2
 create mode 100644 resources/chaosknoten/auth-dns/docker_compose/knot.conf.j2
diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml
new file mode 100644
index 0000000..2e4380f
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/auth-dns.yaml
@@ -0,0 +1,6 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2') }}"
+
+docker_compose__configuration_files:
+ - name: "knot.conf"
+ content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/auth-dns/docker_compose/knot.conf.j2') }}"
+
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index a6cea9b..5d97783 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -155,6 +155,7 @@ docker_compose_hosts:
 sunders:
 spaceapiccc:
 mjolnir:
+ auth-dns:
 nextcloud_hosts:
 hosts:
 cloud:
diff --git a/resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2 b/resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2
new file mode 100644
index 0000000..7ebc230
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2
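Review bot: The `content:` entry for `knot.conf` pulls the whole knot.conf.j2 template into a host variable at evaluation time, and that template (the knot.conf.j2 hunk in this patch) defines a TSIG `key` whose `secret` becomes a credential as soon as it is filled in, so the rendered value is then likely to show up in an inventory-derived variable and in any `--diff`/verbose output of the task that writes the file. Keep the value out of the template and reference a vaulted variable from it, e.g. `secret: "{{ knot_tsig_secret }}"` (variable name constructed), and check that whatever consumes `docker_compose__configuration_files` writes `configs/knot.conf` with an owner-only mode, which this patch does not show. The trailing empty `+` line at the end of the hunk is stray whitespace at end of file.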
@@ -0,0 +1,13 @@
+# Links & Resources
+# https://www.knot-dns.cz/docs/latest/html/index.html
+
+services:
+ knot:
+ image: docker.io/cznic/knot:v3.5.4
+ restart: unless-stopped
+ command: "knotd"
+ network_mode: host
+ volumes:
+ - ./configs:/config:ro
+ - ./storage:/storage
+
diff --git a/resources/chaosknoten/auth-dns/docker_compose/knot.conf.j2 b/resources/chaosknoten/auth-dns/docker_compose/knot.conf.j2
new file mode 100644
index 0000000..17f6144
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/docker_compose/knot.conf.j2
@@ -0,0 +1,64 @@
+# {{ ansible_managed }}
+# See knot.conf(5) or refer to the server documentation.
+
+server:
+ rundir: "/rundir"
+ user: knot:knot
+ automatic-acl: on
+ listen: [ "212.12.48.124", "2a00:14b0:4200:3000:124::1" ]
+
+log:
+ - target: stderr
+ any: info
+
+database:
+ storage: "/storage"
+
+key:
+ - id: auth-dns.hamburg.ccc.de
+ algorithm: hmac-sha512
+ secret: ""
+
+remote:
+ - id: quad9
+ address: "2620:fe::fe"
+
+# define how the presence of parent KSK keys is checked
+# in this case, we just ask quad9 which is an open resolver
+submission:
+ - id: default
+ parent: quad9
+ parent-delay: 1h
+
+# define how dnssec signing is done
+# in this case we don't do anything special but teach knot how to check of KSK presence
+policy:
+ - id: default
+ ksk-submission: default
+ nsec3: true
+ nsec3-salt-length: 0
+
+# define default settings that apply to all zones
+template:
+ - id: default
+ storage: "/config/zones"
+ file: "%s.zone"
+ semantic-checks: on
+ zonefile-sync: -1
+ zonefile-load: difference-no-serial
+ journal-content: all
+ default-ttl: 60
+ catalog-role: member
+ catalog-zone: hamburg.ccc.de.catalog.
+ dnssec-signing: on
+ dnssec-policy: default
+ {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}
+
+ - id: minimal
+ {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}
+
+zone:
+ {# - domain: onsite.eurofurence.catalog. #}
+ {# template: minimal #}
+ {# catalog-role: generate #}
+ {# - domain: "onsite.eurofurence.org" #}
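Review bot: `image: docker.io/cznic/knot:v3.5.4` pins only a mutable tag; for a service that runs with `network_mode: host` on the server's public addresses, also pin the digest, `image: docker.io/cznic/knot:v3.5.4@sha256:<DIGEST-PLACEHOLDER>`, so a re-pull cannot silently change what runs as the authoritative name server. The `./storage:/storage` mount is read-write and is where the knot.conf.j2 hunk points `database.storage`; with `dnssec-signing: on` in that config Knot presumably keeps its KASP database, private signing keys included, under that directory — TODO confirm against the Knot documentation — so the host-side `./storage` directory needs owner-only permissions and should not be readable by other users on the host. `network_mode: host` also means nothing but the `listen` list in knot.conf limits which host addresses the daemon binds, which is worth a comment next to the line, e.g. `# host networking: server.listen in knot.conf decides which addresses are served`.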
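Review bot: `secret: ""` under `key:` ships a TSIG key with an empty secret; even as a WIP placeholder, Knot may refuse the config at load (TODO confirm against knot.conf(5)), and if it accepts it the key id `auth-dns.hamburg.ccc.de` exists with a value anyone can reproduce. Since nothing else in the hunk references the key yet (the `remote` for quad9 has no `key:` field and the `zone` entries are Jinja-commented out), leaving the whole `key:` block out until a real value exists is the safer option. Booleans are spelled inconsistently in the same file (`automatic-acl: on`, `semantic-checks: on`, `dnssec-signing: on` next to `nsec3: true`); pick one form, e.g. `nsec3: on`. `storage: "/config/zones"` under `template` sits inside the `/config` mount that the compose hunk makes read-only, which is consistent with `zonefile-sync: -1` but presumably means every zone file has to be delivered through `docker_compose__configuration_files`, and none is in this patch — a one-line comment above `storage:` stating that expectation would spare the next reader a failed deploy.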