---
- name: Ensure required directories exist
  tags: [auth-dns]
  become: true
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: knot
    group: knot
    # tree is owned by the service user; "o=" leaves others with no access
    mode: "u=rwx,g=rx,o="
  loop:
    - /etc/knot
    - /etc/knot/zones

- name: Deploy knot configuration file
  tags: [auth-dns]
  become: true
  ansible.builtin.template:
    src: knot.conf.j2
    dest: /etc/knot/knot.conf
    owner: knot
    group: knot
    # owner read/write, group read, nothing for others
    mode: "u=rw,g=r,o="
  # handler "restart knot" is not defined in this file
  notify: restart knot

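- name: Deploy configured zones
  tags: [auth-dns]
  become: true
  # handler "reload knot zones" is not defined in this file
  notify: reload knot zones
  loop: "{{ knot__zones }}"
  loop_control:
    # show only the domain in task output instead of the whole item
    label: "{{ item.domain }}"
  vars:
    # exposed to zone.j2; presumably the zone body — confirm in the template
    zone_content: "{{ item.content }}"
  ansible.builtin.template:
    src: zone.j2
    # NOTE(review): there is no separator between the domain and "zone";
    # confirm the intended file name (e.g. whether item.domain ends in a dot)
    dest: "/etc/knot/zones/{{ item.domain }}zone"
    owner: knot
    group: knot
    # "o=" added: a symbolic mode that does not mention the "others" class
    # leaves those bits at whatever the umask or a pre-existing file had, so
    # the resulting permissions were not deterministic; this now matches the
    # mode used for knot.conf
    mode: "u=rw,g=r,o="
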
# Why a DNS role touches the network stack: with SLAAC enabled the node also
# picks up an address from IPv6 Router Advertisements, and knot then prefers
# that dynamic address over the statically configured one for outgoing zone
# transfers, which makes them fail. An authoritative nameserver needs known,
# stable addresses for ACL purposes, so SLAAC is switched off here.
- name: Disable IPv6 SLAAC
  tags: [auth-dns]
  become: true
  ansible.builtin.template:
    src: netplan-disable-ra.yaml
    dest: /etc/netplan/10-disable-ra.yaml
    owner: root
    group: root
    # readable and writable by root only
    mode: "u=rw,g=,o="
  # handler "netplan apply" is not defined in this file
  notify: netplan apply