init config

.gitlab-ci.yml

@@ -0,0 +1,17 @@
+image: ansible/ansible-runner
+
+before_script:
+  # from https://docs.gitlab.com/ee/ci/ssh_keys/
+  - eval $(ssh-agent -s)
+  - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
+  - mkdir -p /root/.ssh
+  - chmod 700 /root/.ssh
+  - echo "$SSH_KNOWN_HOSTS" >> /root/.ssh/known_hosts
+  - chmod 644 /root/.ssh/known_hosts
+
+deploy:
+  script:
+  # TODO: build image with dependencies installed
+  - ansible-galaxy collection install ansible.netcommon
+  - pip3 install netaddr
+  - ansible-playbook -i config/hosts config/deploy.yml

deploy.yml

@@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+  - knot

group_vars/all

@@ -0,0 +1,4 @@
+---
+catalog_zones:
+  - "dns-witch-catalog"
+key_name: dnswitch

hosts

@@ -0,0 +1,5 @@
+[primary]
+dev-ns1.vm ansible_user=roger
+
+[secondary]
+dev-ns2.vm ansible_user=roger

roles/knot/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload knot
+  become: yes
+  command:
+    cmd: knotc reload

roles/knot/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: Install knot
+  become: yes
+  apt:
+    update_cache: yes
+    pkg:
+    - knot
+    - knot-dnsutils
+
+- name: Start knot
+  become: yes
+  service:
+    name: knot
+    state: started
+    enabled: yes
+
+- name: Generate tsig
+  become: yes
+  become_user: knot
+  ansible.builtin.shell: keymgr -t {{ key_name }} > /etc/knot/{{ key_name }}.key
+  args:
+    creates: /etc/knot/{{ key_name }}.key
+  when: "inventory_hostname in groups.primary"
+
+- name: Fetch key
+  become: yes
+  become_user: knot
+  ansible.builtin.slurp:
+    src: /etc/knot/{{ key_name }}.key
+  register: tsig_key
+  when: "inventory_hostname in groups.primary"
+
+- name: Deploy conf
+  become: yes
+  become_user: knot
+  template:
+    src: knot.conf.j2
+    dest: /etc/knot/knot.conf
+  notify: reload knot

roles/knot/templates/knot.conf.j2

@@ -0,0 +1,53 @@
+server:
+    rundir: "/run/knot"
+    user: knot:knot
+    listen: [ 0.0.0.0@53, ::@53 ]
+
+log:
+  - target: syslog
+    any: info
+
+{{ tsig_key.content | b64decode }}
+
+remote:
+{% for host in groups.all %}
+  - id: {{ hostvars[host].ansible_hostname }}
+    address: [ {{ ( hostvars[host].ansible_all_ipv4_addresses + hostvars[host].ansible_all_ipv6_addresses ) | ansible.netcommon.ipaddr('public') | join(', ') }} ]
+    key: {{ key_name }}
+{% endfor %}
+
+acl:
+{% for host in groups.all %}
+  - id: {{ hostvars[host].ansible_hostname }}
+    address: [ {{ ( hostvars[host].ansible_all_ipv4_addresses + hostvars[host].ansible_all_ipv6_addresses ) | ansible.netcommon.ipaddr('public') | join(', ') }} ]
+    action: {% if host in groups.secondary %} transfer {% elif host in groups.primary %} notify {% endif %}
+
+{% endfor %}
+
+template:
+  - id: default
+    storage: "/var/lib/knot"
+    file: "zones/%s.zone"
+
+{% if inventory_hostname in groups.primary %}
+    zonefile-load: difference-no-serial
+    journal-content: all
+    dnssec-signing: on
+    dnssec-policy: default
+    notify: [ {{ groups.secondary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ]
+    acl: [ {{ groups.secondary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ]
+{% endif %}
+
+{% if inventory_hostname in groups.secondary %}
+    master: [ {{ groups.primary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ]
+    acl: [ {{ groups.primary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ]
+{% endif %}
+
+zone:
+{% for zone in catalog_zones %}
+  - domain: dns-witch-catalog
+    file: "catalog-zones/%s.zone"
+    catalog-role: interpret
+    catalog-template: "default"
+    dnssec-signing: off
+{% endfor %}