fix role name auth-dns -> auth_dns

roles/auth_dns/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+knot__remotes: [ ]

roles/auth_dns/handlers/main.yaml

@@ -0,0 +1,19 @@
+---
+- name: restart knot
+  tags: [ auth-dns ]
+  become: true
+  ansible.builtin.systemd:
+    name: knot.service
+    state: restarted
+
+- name: reload knot zones
+  tags: [ auth-dns ]
+  become: true
+  changed_when: true
+  ansible.builtin.command: "knotc zone-reload"
+
+- name: netplan apply
+  tags: [ auth-dns ]
+  become: true
+  changed_when: true
+  ansible.builtin.command: "netplan apply"

roles/auth_dns/meta/argument_specs.yaml

@@ -0,0 +1,59 @@
+---
+argument_specs:
+  main:
+    options:
+      knot__dnssec_key_id:
+        description: The id of the TSIG key which knot will use for zone transfer signing
+        type: str
+        required: true
+      knot__dnssec_key_secret:
+        description: The secret value of the TSIG key which knot will use for zone transfer signing
+        type: str
+        required: true
+      knot__remotes:
+        description:
+          - A list of definitions for remote nameservers that are used for different purposes
+          - See https://www.knot-dns.cz/docs/latest/html/reference.html#remote-section for details
+        type: list
+        elements: dict
+        required: false
+        options:
+          id:
+            type: str
+            required: true
+          address:
+            type: list
+            required: true
+            elements: str
+      knot__catalog_zones:
+        description: A list of catalog zones that will be served by knot
+        type: list
+        elements: dict
+        required: true
+        options:
+          domain:
+            type: str
+            required: true
+          notify_targets:
+            type: list
+            elements: str
+            required: false
+      knot__zones:
+        description: A list of user zones that will be served by knot
+        type: list
+        elements: dict
+        required: true
+        options:
+          domain:
+            type: str
+            required: true
+          notify_targets:
+            type: list
+            elements: str
+            required: false
+          catalog_member:
+            type: str
+            required: false
+          content:
+            type: str
+            required: true

roles/auth_dns/tasks/01-install.yaml

@@ -0,0 +1,11 @@
+---
+- name: Install knot
+  tags: [ auth-dns ]
+  become: true
+  ansible.builtin.package:
+    name:
+      - knot
+      - knot-exporter
+      - knot-dnssecutils
+      - knot-dnsutils
+      - knot-host

roles/auth_dns/tasks/02-configure.yaml

@@ -0,0 +1,53 @@
+---
+- name: Ensure required directories exist
+  tags: [ auth-dns ]
+  become: true
+  loop: [ "/etc/knot", "/etc/knot/zones" ]
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: knot
+    group: knot
+    mode: u=rwx,g=rx,o=
+
+- name: Deploy knot configuration file
+  tags: [ auth-dns ]
+  become: true
+  notify: restart knot
+  ansible.builtin.template:
+    src: knot.conf.j2
+    dest: /etc/knot/knot.conf
+    owner: knot
+    group: knot
+    mode: u=rw,g=r,o=
+
+- name: Deploy configured zones
+  tags: [ auth-dns ]
+  become: true
+  notify: reload knot zones
+  loop: "{{ knot__zones }}"
+  loop_control:
+    label: "{{ item.domain }}"
+  vars:
+    zone_content: "{{ item.content }}"
+  ansible.builtin.template:
+    src: zone.j2
+    dest: "/etc/knot/zones/{{ item.domain }}zone"
+    owner: knot
+    group: knot
+    mode: u=rw,g=r
+
+# this seems weird but hear me out:
+# if we don't disable SLAAC, the node automatically gets an address based on IPv6 Router-Advertisements
+# this results in outgoing zone transfers failing because knot will prefer to use the dynamic address over the statically configured one.
+# so because we are configuring a DNS Nameserver where known IP-Addresses are actually important for ACL reasons, SLAAC is disabled
+- name: Disable IPv6 SLAAC
+  tags: [ auth-dns ]
+  become: true
+  notify: netplan apply
+  ansible.builtin.template:
+    src: "netplan-disable-ra.yaml"
+    dest: "/etc/netplan/10-disable-ra.yaml"
+    owner: root
+    group: root
+    mode: u=rw,g=,o=

roles/auth_dns/tasks/main.yaml

@@ -0,0 +1,3 @@
+---
+- ansible.builtin.import_tasks: 01-install.yaml # noqa: name[missing]
+- ansible.builtin.import_tasks: 02-configure.yaml # noqa: name[missing]

roles/auth_dns/templates/knot.conf.j2

@@ -0,0 +1,95 @@
+# {{ ansible_managed }}
+# See knot.conf(5) or refer to the server documentation.
+
+server:
+    rundir: "/run/knot"
+    user: knot:knot
+    automatic-acl: on
+    listen: [ "0.0.0.0@53", "::@53" ]
+
+log:
+  - target: syslog
+    any: info
+
+database:
+    storage: "/var/lib/knot"
+
+key:
+  - id: {{ knot__dnssec_key_id }}
+    algorithm: hmac-sha512
+    secret: "{{ knot__dnssec_key_secret }}"
+
+remote:
+  # static, external and public remote used for DNSSEC KSK checking
+  - id: quad9
+    address: "2620:fe::fe"
+  {% if knot__remotes -%}
+  # additional remotes used in the config
+  {% for i_remote in knot__remotes -%}
+  - id: "{{ i_remote.id }}"
+    address: [ {% for i_addr in i_remote.address %}"{{ i_addr}}"{% if not loop.last %},{% endif %} {% endfor %} ]
+  {% endfor %}
+  {% endif %}
+
+# define how the presence of parent KSK keys is checked
+# in this case, we just ask quad9 which is an open resolver
+submission:
+  - id: default
+    parent: quad9
+    parent-delay: 1h
+
+# define how dnssec signing is done
+# in this case we don't do anything special but teach knot how to check for KSK presence
+policy:
+  - id: default
+    ksk-submission: default
+    nsec3: true
+    nsec3-salt-length: 0
+
+# define default settings that apply to all zones
+template:
+  # template for general-purpose user zones
+  - id: default
+    storage: "/etc/knot/zones"
+    file: "%s.zone"
+    semantic-checks: on
+    zonefile-sync: -1
+    zonefile-load: difference-no-serial
+    serial-policy: dateserial
+    journal-content: all
+    default-ttl: 7200
+    dnssec-signing: on
+    dnssec-policy: default
+
+    {# catalog-role: member #}
+    {# catalog-zone: hamburg.ccc.de.catalog. #}
+
+  # template for automatically created special zones
+  - id: catalog
+    catalog-role: generate
+    dnssec-signing: on
+    dnssec-policy: default
+
+
+# define zones on this server
+# See https://www.knot-dns.cz/docs/3.4/html/reference.html#zone-section
+zone:
+  # catalog zones
+  {% for i_zone in knot__catalog_zones -%}
+  - domain: "{{ i_zone.domain }}"
+    template: catalog
+    notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
+  {% endfor %}
+
+  # normal zones
+  {% for i_zone in knot__zones -%}
+  - domain: "{{ i_zone.domain }}"
+    template: default
+    notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
+    {% if i_zone.catalog_member | default(False) -%}
+    catalog-role: member
+    catalog-zone: "{{ i_zone.catalog_member }}"
+    {% endif %}
+  {% endfor %}
+
+  {# - domain: "onsite.eurofurence.org" #}

roles/auth_dns/templates/netplan-disable-ra.yaml

@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+network:
+  ethernets:
+    {%- for i_iface_name in ansible_interfaces -%}
+    {%- if i_iface_name != "lo" -%}
+    {%- set i_iface = ansible_facts[i_iface_name] %}
+
+    {{ i_iface_name }}:
+      match:
+        macaddress: "{{ i_iface.macaddress }}"
+      accept-ra: false
+    {% endif %}
+    {% endfor %}
+

roles/auth_dns/templates/zone.j2

@@ -0,0 +1,4 @@
+; {{ ansible_managed }}
+
+{{ zone_content }}
+