wip: add basic knot config

2026-04-29 22:44:20 +02:00 · 2026-04-29 22:44:20 +02:00 · 3f8187f46a
commit 3f8187f46a
parent d9fc1ef401
4 changed files with 84 additions and 0 deletions
--- a/inventories/chaosknoten/host_vars/auth-dns.yaml
+++ b/inventories/chaosknoten/host_vars/auth-dns.yaml
@ -0,0 +1,6 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2') }}"
+
+docker_compose__configuration_files:
+  - name: "knot.conf"
+    content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/auth-dns/docker_compose/knot.conf.j2') }}"
+
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@ -155,6 +155,7 @@ docker_compose_hosts:
    sunders:
    spaceapiccc:
    mjolnir:
+    auth-dns:
 nextcloud_hosts:
  hosts:
    cloud:
--- a/resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2
@ -0,0 +1,13 @@
+# Links & Resources
+# https://www.knot-dns.cz/docs/latest/html/index.html
+
+services:
+  knot:
+    image: docker.io/cznic/knot:v3.5.4
+    restart: unless-stopped
+    command: "knotd"
+    network_mode: host
+    volumes:
+      - ./configs:/config:ro
+      - ./storage:/storage
+
--- a/resources/chaosknoten/auth-dns/docker_compose/knot.conf.j2
+++ b/resources/chaosknoten/auth-dns/docker_compose/knot.conf.j2
@ -0,0 +1,64 @@
+# {{ ansible_managed }}
+# See knot.conf(5) or refer to the server documentation.
+
+server:
+    rundir: "/rundir"
+    user: knot:knot
+    automatic-acl: on
+    listen: [ "212.12.48.124", "2a00:14b0:4200:3000:124::1" ]
+
+log:
+  - target: stderr
+    any: info
+
+database:
+    storage: "/storage"
+
+key:
+  - id: auth-dns.hamburg.ccc.de
+    algorithm: hmac-sha512
+    secret: ""
+
+remote:
+  - id: quad9
+    address: "2620:fe::fe"
+
+# define how the presence of parent KSK keys is checked
+# in this case, we just ask quad9 which is an open resolver
+submission:
+  - id: default
+    parent: quad9
+    parent-delay: 1h
+
+# define how dnssec signing is done
+# in this case we don't do anything special but teach knot how to check of KSK presence
+policy:
+  - id: default
+    ksk-submission: default
+    nsec3: true
+    nsec3-salt-length: 0
+
+# define default settings that apply to all zones
+template:
+  - id: default
+    storage: "/config/zones"
+    file: "%s.zone"
+    semantic-checks: on
+    zonefile-sync: -1
+    zonefile-load: difference-no-serial
+    journal-content: all
+    default-ttl: 60
+    catalog-role: member
+    catalog-zone: hamburg.ccc.de.catalog.
+    dnssec-signing: on
+    dnssec-policy: default
+    {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}
+
+  - id: minimal
+    {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}
+
+zone:
+  {# - domain: onsite.eurofurence.catalog. #}
+    {# template: minimal #}
+    {# catalog-role: generate #}
+  {# - domain: "onsite.eurofurence.org" #}