From facd770f10a6516bc9a77f19667c67fdffb7e33e Mon Sep 17 00:00:00 2001
From: lilly
Date: Wed, 29 Apr 2026 22:44:20 +0200
Subject: [PATCH 1/2] add barebones knot config
This configuration does not yet do much but it provisions a knot server that runs.
---
.../chaosknoten/host_vars/auth-dns.yaml | 1 +
playbooks/deploy.yaml | 5 ++
.../auth-dns/docker_compose/compose.yaml.j2 | 13 ++++
roles/auth-dns/handlers/main.yaml | 8 +++
roles/auth-dns/tasks/01-install.yaml | 6 ++
roles/auth-dns/tasks/02-configure.yaml | 11 ++++
roles/auth-dns/tasks/main.yaml | 2 +
roles/auth-dns/templates/knot.conf.j2 | 64 +++++++++++++++++++
8 files changed, 110 insertions(+)
create mode 100644 inventories/chaosknoten/host_vars/auth-dns.yaml
create mode 100644 resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2
create mode 100644 roles/auth-dns/handlers/main.yaml
create mode 100644 roles/auth-dns/tasks/01-install.yaml
create mode 100644 roles/auth-dns/tasks/02-configure.yaml
create mode 100644 roles/auth-dns/tasks/main.yaml
create mode 100644 roles/auth-dns/templates/knot.conf.j2
diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/auth-dns.yaml
@@ -0,0 +1 @@
+---
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index e032782..130d914 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@@ -101,3 +101,8 @@
 - name: Run ensure_eh22_styleguide_dir Playbook
 ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml
+
+- name: Setup authoritative dns servers
+ hosts: auth-dns
+ roles:
+ - auth-dns
diff --git a/resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2 b/resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2
new file mode 100644
index 0000000..7ebc230
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2
@@ -0,0 +1,13 @@
+# Links & Resources
+# https://www.knot-dns.cz/docs/latest/html/index.html
+
+services:
+ knot:
+ image: docker.io/cznic/knot:v3.5.4
+ restart: unless-stopped
+ command: "knotd"
+ network_mode: host
+ volumes:
+ - ./configs:/config:ro
+ - ./storage:/storage
+
diff --git a/roles/auth-dns/handlers/main.yaml b/roles/auth-dns/handlers/main.yaml
new file mode 100644
index 0000000..5ee0a5d
--- /dev/null
+++ b/roles/auth-dns/handlers/main.yaml
@@ -0,0 +1,8 @@
+- tags: [ 02-auth-dns ]
+ name: restart knot
+ become: true
+ notify: restart knot
+ ansible.builtin.systemd:
+ name: knot.service
+ state: restarted
+
diff --git a/roles/auth-dns/tasks/01-install.yaml b/roles/auth-dns/tasks/01-install.yaml
new file mode 100644
index 0000000..e3a66e3
--- /dev/null
+++ b/roles/auth-dns/tasks/01-install.yaml
@@ -0,0 +1,6 @@
+- tags: [ auth-dns ]
+ name: Install knot
+ become: true
+ package:
+ name: [ knot, knot-exporter ]
+
diff --git a/roles/auth-dns/tasks/02-configure.yaml b/roles/auth-dns/tasks/02-configure.yaml
new file mode 100644
index 0000000..6577a79
--- /dev/null
+++ b/roles/auth-dns/tasks/02-configure.yaml
@@ -0,0 +1,11 @@
+- tags: [ auth-dns ]
+ name: Deploy knot configuration file
+ become: true
+ notify: restart knot
+ template:
+ src: knot.conf.j2
+ dest: /etc/knot/knot.conf
+ owner: knot
+ group: knot
+ mode: u=rw,g=r,o=
+
diff --git a/roles/auth-dns/tasks/main.yaml b/roles/auth-dns/tasks/main.yaml
new file mode 100644
index 0000000..8bf981f
--- /dev/null
+++ b/roles/auth-dns/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: 01-install.yaml
+- import_tasks: 02-configure.yaml
diff --git a/roles/auth-dns/templates/knot.conf.j2 b/roles/auth-dns/templates/knot.conf.j2
new file mode 100644
index 0000000..d0e5a5a
--- /dev/null
+++ b/roles/auth-dns/templates/knot.conf.j2
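Review bot: No task in this series references compose.yaml.j2 — 01-install.yaml installs the distro `knot` package and 02-configure.yaml configures `knot.service` — so unless the repo's docker_compose convention picks up resources/chaosknoten/auth-dns/docker_compose/ automatically, this is a second, unmanaged way to run knot, and with `network_mode: host` a container started from it would contend with the packaged daemon for port 53 in the host network namespace. If the file is meant to stay, say so in its header comment, e.g. `# Not deployed by roles/auth-dns; that role runs knot from the distro package`, and pin the image by digest rather than a mutable tag, `image: docker.io/cznic/knot:v3.5.4@sha256:<digest>`. Otherwise drop it from the commit.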
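Review bot: The handler notifies itself (`notify: restart knot` inside the `restart knot` handler), which cannot do anything useful and should be removed. Its tag `02-auth-dns` also differs from the `auth-dns` tag on both tasks, so a tag-filtered run may not behave like an untagged one; use one tag throughout the role. Consider `state: reloaded` instead of `restarted` if the packaged knot.service defines an ExecReload (Debian's calls `knotc reload`): a full restart of an authoritative nameserver drops queries for the restart window on every config change, a reload does not.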
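Review bot: `package:` is used as a bare module name with no `state`, while the handler in this same role already uses the `ansible.builtin.` prefix; for consistency and explicit intent write `ansible.builtin.package:` with `state: present`. `knot-exporter` is installed here but nothing in the series enables or configures it, so either a later commit should bind it to localhost or the package should wait until it is used — I cannot tell from this patch which is intended.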
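Review bot: The rendered knot.conf replaces /etc/knot/knot.conf and queues a restart with no syntax check in between, so a template or variable error takes the authoritative server down at the next handler flush. The template module can check the candidate before moving it into place and leave the running config untouched on failure: add `validate: "knotc -c %s conf-check"` to the task. The `owner: knot`, `group: knot`, `mode: u=rw,g=r,o=` triple is the right default for a file that will carry TSIG secrets; keep it once the key is filled in.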
@@ -0,0 +1,64 @@
+# {{ ansible_managed }}
+# See knot.conf(5) or refer to the server documentation.
+
+server:
+ rundir: "/run/knot"
+ user: knot:knot
+ automatic-acl: on
+ listen: [ "0.0.0.0@53", "::@53" ]
+
+log:
+ - target: syslog
+ any: info
+
+database:
+ storage: "/var/lib/knot"
+
+key:
+ - id: auth-dns.hamburg.ccc.de
+ algorithm: hmac-sha512
+ secret: ""
+
+remote:
+ - id: quad9
+ address: "2620:fe::fe"
+
+# define how the presence of parent KSK keys is checked
+# in this case, we just ask quad9 which is an open resolver
+submission:
+ - id: default
+ parent: quad9
+ parent-delay: 1h
+
+# define how dnssec signing is done
+# in this case we don't do anything special but teach knot how to check of KSK presence
+policy:
+ - id: default
+ ksk-submission: default
+ nsec3: true
+ nsec3-salt-length: 0
+
+# define default settings that apply to all zones
+template:
+ - id: default
+ storage: "/etc/knot/zones"
+ file: "%s.zone"
+ semantic-checks: on
+ zonefile-sync: -1
+ zonefile-load: difference-no-serial
+ journal-content: all
+ default-ttl: 60
+ catalog-role: member
+ catalog-zone: hamburg.ccc.de.catalog.
+ dnssec-signing: on
+ dnssec-policy: default
+ {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}
+
+ - id: minimal
+ {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}
+
+zone:
+ {# - domain: onsite.eurofurence.catalog. #}
+ {# template: minimal #}
+ {# catalog-role: generate #}
+ {# - domain: "onsite.eurofurence.org" #}
From 70a4d4a0e47d4b701bf24390f46f34c0363b839e Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 30 Apr 2026 22:53:07 +0200
Subject: [PATCH 2/2] disable systemd-resolved on auth-dns
---
inventories/chaosknoten/host_vars/auth-dns.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml
index ed97d53..25b3de1 100644
--- a/inventories/chaosknoten/host_vars/auth-dns.yaml
+++ b/inventories/chaosknoten/host_vars/auth-dns.yaml
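Review bot: The `key` stanza commits a TSIG key named `auth-dns.hamburg.ccc.de` with `secret: ""`; if knot accepts an empty HMAC-SHA512 secret at all, any remote or ACL that later references this key id would authenticate anyone who knows the key name, and a real secret must not be pasted into the template either. Source it from a vaulted variable, `secret: "{{ auth_dns_tsig_secret }}"`, or leave the `key` section out until a remote actually uses it. Two smaller points: the `submission` check asks `2620:fe::fe` over plain, unauthenticated DNS, which is fine for a DS-presence probe, but the comment above it should say it is not a security boundary; and `catalog-role: member` with `catalog-zone: hamburg.ccc.de.catalog.` in the default template refers to a catalog zone this config does not define, which will presumably fail `conf-check` as soon as a zone uses the template.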
@@ -1 +1,2 @@
 ---
+deploy_systemd_resolved_config__enable: false
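Review bot: The variable switches systemd-resolved off for this host but neither the commit body nor the file says why, and the likely reason — freeing port 53 for knot's `listen: [ "0.0.0.0@53", "::@53" ]` in knot.conf.j2 — belongs next to the value, e.g. `# knot binds port 53 on all addresses; systemd-resolved's stub listener must not hold it`. Also check what provides the host's own /etc/resolv.conf once resolved is gone: nothing in this series shows a replacement, so the box could lose name resolution for package installs and for the quad9 submission check.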