enable auth-dns role to actually configure useful zones

roles/auth-dns/tasks/01-install.yaml

@@ -2,5 +2,9 @@
   name: Install knot
   become: true
   package:
-    name: [ knot, knot-exporter ]
-
+    name:
+      - knot
+      - knot-exporter
+      - knot-dnssecutils
+      - knot-dnsutils
+      - knot-host

roles/auth-dns/tasks/02-configure.yaml

@@ -1,3 +1,14 @@
+- tags: [ auth-dns ]
+  name: Ensure required directories exist
+  become: true
+  loop: [ "/etc/knot", "/etc/knot/zones" ]
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: knot
+    group: knot
+    mode: u=rwx,g=rx,o=
+
 - tags: [ auth-dns ]
   name: Deploy knot configuration file
   become: true
@@ -9,3 +20,34 @@
     group: knot
     mode: u=rw,g=r,o=
 
+- tags: [ auth-dns ]
+  name: Deploy configured zones
+  become: true
+  notify: reload knot zones
+  loop: "{{ knot__zones }}"
+  loop_control:
+    label: "{{ item.domain }}"
+  vars:
+    zone_content: "{{ item.content }}"
+  template:
+    src: zone.j2
+    dest: "/etc/knot/zones/{{ item.domain }}zone"
+    owner: knot
+    group: knot
+    mode: u=rw,g=r
+
+# this seems weird but hear me out:
+# if we don't disable SLAAC, the node automatically gets an address based on IPv6 Router-Advertisements
+# this results in outgoing zone transfers failing because knot will prefer to use the dynamic address over the statically configured one.
+# so because we are configuring a DNS Nameserver where known IP-Addresses are actually important for ACL reasons, SLAAC is disabled
+- tags: [ auth-dns ]
+  name: Disable IPv6 SLAAC
+  become: true
+  notify: netplan apply
+  ansible.builtin.template:
+    src: "netplan-disable-ra.yaml"
+    dest: "/etc/netplan/10-disable-ra.yaml"
+    owner: root
+    group: root
+    mode: u=rw,g=,o=
+