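---
# Tasks for an authoritative Knot DNS server: create the config and zone
# directories, deploy knot.conf and the configured zone files, and install a
# netplan drop-in that disables IPv6 SLAAC (see the note on the last task).

- name: Ensure required directories exist
  tags: [auth-dns]
  become: true
  loop:
    - /etc/knot
    - /etc/knot/zones
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: knot
    group: knot
    # Directories are traversable by the knot user/group only; "o=" explicitly
    # clears all "other" bits instead of leaving them to the umask default.
    mode: u=rwx,g=rx,o=

- name: Deploy knot configuration file
  tags: [auth-dns]
  become: true
  notify: restart knot
  ansible.builtin.template:
    src: knot.conf.j2
    dest: /etc/knot/knot.conf
    owner: knot
    group: knot
    # Config is readable by knot only; "o=" clears the "other" bits explicitly.
    mode: u=rw,g=r,o=

- name: Deploy configured zones
  tags: [auth-dns]
  become: true
  notify: reload knot zones
  loop: "{{ knot__zones }}"
  loop_control:
    # Log the zone's domain rather than the whole item, which also carries
    # the full zone content.
    label: "{{ item.domain }}"
  vars:
    zone_content: "{{ item.content }}"
  ansible.builtin.template:
    src: zone.j2
    # NOTE(review): there is no separator between the domain and "zone" in the
    # file name; confirm whether "{{ item.domain }}.zone" was intended and that
    # knot.conf.j2 references the same path.
    dest: "/etc/knot/zones/{{ item.domain }}zone"
    owner: knot
    group: knot
    # Symbolic modes only change the classes they name: the original
    # "u=rw,g=r" left the "other" bits at whatever the file was created with
    # (typically world-readable under the default umask). Clear them explicitly
    # so zone files match the permissions of the directory and knot.conf above.
    mode: u=rw,g=r,o=

# This seems weird but hear me out:
# if we don't disable SLAAC, the node automatically gets an address based on
# IPv6 Router Advertisements. This results in outgoing zone transfers failing
# because knot will prefer to use the dynamic address over the statically
# configured one. Since we are configuring a DNS nameserver where known
# IP addresses are actually important for ACL reasons, SLAAC is disabled.
- name: Disable IPv6 SLAAC
  tags: [auth-dns]
  become: true
  notify: netplan apply
  ansible.builtin.template:
    src: netplan-disable-ra.yaml
    dest: /etc/netplan/10-disable-ra.yaml
    owner: root
    group: root
    # netplan warns about world-readable config; keep it root-only.
    mode: u=rw,g=,o=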