home-infra/30_knot_slave_setup.yaml

---
- name: "Basic knot slave setup"
  hosts: slave_nameservers
  become: true
  vars:
    master_ip_acl: "86.94.191.237, 2a02:a442:ba11::53"
    version: "off"
    knot_user: knot
    knot_group: knot
    catalog_domain: "catalog.internal."
    identity: "{{ nsid }}.m4n5.nl"

  handlers:
    - name: "Reload knot service"
      ansible.builtin.service:
        name: "knot.service"
        state: reloaded

  tasks:
    - name: "Add CZ.NIC Labs Packaging GPG key"
      ansible.builtin.get_url:
        url: "https://pkg.labs.nic.cz/gpg"
        dest: "/usr/share/keyrings/cznic-labs-pkg.gpg"
        mode: "0644"
        owner: root
        group: root

    - name: "Setup knot-dns repository"
      ansible.builtin.apt_repository:
        repo: "deb [signed-by=/usr/share/keyrings/cznic-labs-pkg.gpg] https://pkg.labs.nic.cz/knot-dns {{ ansible_distribution_release }} main"
        filename: "cznic-labs-knot-dns.list"

    - name: "Install knot"
      ansible.builtin.apt:
        state: present
        update_cache: true
        name:
          - "knot"

    - name: "Create knot.conf"
      ansible.builtin.template:
        src: templates/knot.conf.j2
        dest: /etc/knot/knot.conf
        owner: root
        group: knot
        mode: "0644"
      notify: "Reload knot service"

    - name: "Add DNS allow rule in ufw"
      community.general.ufw:
        rule: allow
        to_port: "53"
        protocol: udp
      when: ufw_status == "enabled"

    - name: "Add AXFR/IXFR allow rule in ufw"
      community.general.ufw:
        rule: allow
        to_port: "53"
        protocol: tcp
      when: ufw_status == "enabled"