fix role name auth-dns -> auth_dns

roles/auth_dns/templates/knot.conf.j2

@@ -0,0 +1,95 @@
+# {{ ansible_managed }}
+# See knot.conf(5) or refer to the server documentation.
+
+server:
+    rundir: "/run/knot"
+    user: knot:knot
+    automatic-acl: on
+    listen: [ "0.0.0.0@53", "::@53" ]
+
+log:
+  - target: syslog
+    any: info
+
+database:
+    storage: "/var/lib/knot"
+
+key:
+  - id: {{ knot__dnssec_key_id }}
+    algorithm: hmac-sha512
+    secret: "{{ knot__dnssec_key_secret }}"
+
+remote:
+  # static, external and public remote used for DNSSEC KSK checking
+  - id: quad9
+    address: "2620:fe::fe"
+  {% if knot__remotes -%}
+  # additional remotes used in the config
+  {% for i_remote in knot__remotes -%}
+  - id: "{{ i_remote.id }}"
+    address: [ {% for i_addr in i_remote.address %}"{{ i_addr}}"{% if not loop.last %},{% endif %} {% endfor %} ]
+  {% endfor %}
+  {% endif %}
+
+# define how the presence of parent KSK keys is checked
+# in this case, we just ask quad9 which is an open resolver
+submission:
+  - id: default
+    parent: quad9
+    parent-delay: 1h
+
+# define how dnssec signing is done
+# in this case we don't do anything special but teach knot how to check for KSK presence
+policy:
+  - id: default
+    ksk-submission: default
+    nsec3: true
+    nsec3-salt-length: 0
+
+# define default settings that apply to all zones
+template:
+  # template for general-purpose user zones
+  - id: default
+    storage: "/etc/knot/zones"
+    file: "%s.zone"
+    semantic-checks: on
+    zonefile-sync: -1
+    zonefile-load: difference-no-serial
+    serial-policy: dateserial
+    journal-content: all
+    default-ttl: 7200
+    dnssec-signing: on
+    dnssec-policy: default
+
+    {# catalog-role: member #}
+    {# catalog-zone: hamburg.ccc.de.catalog. #}
+
+  # template for automatically created special zones
+  - id: catalog
+    catalog-role: generate
+    dnssec-signing: on
+    dnssec-policy: default
+
+
+# define zones on this server
+# See https://www.knot-dns.cz/docs/3.4/html/reference.html#zone-section
+zone:
+  # catalog zones
+  {% for i_zone in knot__catalog_zones -%}
+  - domain: "{{ i_zone.domain }}"
+    template: catalog
+    notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
+  {% endfor %}
+
+  # normal zones
+  {% for i_zone in knot__zones -%}
+  - domain: "{{ i_zone.domain }}"
+    template: default
+    notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
+    {% if i_zone.catalog_member | default(False) -%}
+    catalog-role: member
+    catalog-zone: "{{ i_zone.catalog_member }}"
+    {% endif %}
+  {% endfor %}
+
+  {# - domain: "onsite.eurofurence.org" #}

roles/auth_dns/templates/netplan-disable-ra.yaml

@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+network:
+  ethernets:
+    {%- for i_iface_name in ansible_interfaces -%}
+    {%- if i_iface_name != "lo" -%}
+    {%- set i_iface = ansible_facts[i_iface_name] %}
+
+    {{ i_iface_name }}:
+      match:
+        macaddress: "{{ i_iface.macaddress }}"
+      accept-ra: false
+    {% endif %}
+    {% endfor %}
+

roles/auth_dns/templates/zone.j2

@@ -0,0 +1,4 @@
+; {{ ansible_managed }}
+
+{{ zone_content }}
+