Add modified vavrusa.knot role

.gitignore

@@ -1,5 +1,4 @@
 roles/geerlingguy.*
-roles/vavrusa.*
 .vault-password
 *.retry
 inventory*

requirements.yml

@@ -2,4 +2,3 @@
 - name: geerlingguy.munin
 - name: geerlingguy.nginx
 - name: geerlingguy.certbot
-- name: vavrusa.knot

roles/vavrusa.knot/README.md

@@ -0,0 +1,125 @@
+Knot DNS authoritative
+======================
+
+Installs [Knot DNS][knot-dns] authoritative DNS server on Debian/Ubuntu/RedHat or FreeBSD.
+
+Requirements
+------------
+
+None.
+
+Role Variables
+--------------
+
+Available variables are listed below, along with default values (see `defaults/main.yml`):
+
+	knot_from_source: false # Default
+
+Set either of this to `true` or `false` to choose installation from sources or distribution packages.
+
+	knot_git_branch: master
+
+If building from sources, pick a git branch or tag.
+
+	knot_install_dir: /usr/local
+
+If building from sources, pick an installation prefix (`/usr/local` means the binary will be installed in `/usr/local/sbin/knotd` for example).
+
+	knot_user: knot
+	knot_group: knot
+
+Create a user for running Knot DNS daemon.
+
+	knot_daemon: knot
+
+Pick a different name for Knot DNS daemon service.
+
+	knot_interfaces:
+	  - 127.0.0.1
+	  - 192.168.1.1@5353
+
+Make Knot DNS listen on specific interfaces or ports. By default it listens on default IPv4/v6 interfaces and localhost.
+
+	knot_zones:
+	  - { name: 'example.com', file: '/tmp/example.zone', template: 'default', module: 'mymodule' }
+
+List of enabled zones. `name` is the only mandatory field, rest is undefined by default.
+You can reference defined templates or modules here.
+
+	knot_config_extras: |
+	  server:
+	    rate-limit: 10
+	  template:
+	    - id: default
+	      semantic-checks: on
+
+Extend configuration with server-specific or more advanced configuration here. Here you can define additional templates, ACLs or remotes,
+or redefine server options.
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+The role can be configured as a slave using just `knot_zones` and `knot_extras` to define remotes, you can complete these
+from host variables or include from a file:
+
+    - hosts: slaves
+      roles:
+         - role: knot.auth
+           knot_zones:
+            - { name: 'example.com' }
+           knot_extras: |
+             remote:
+               - id: master
+                 address: 192.168.1.1
+             acl:
+               - id: master_acl
+                 address: 192.179.1.1
+                 action: notify
+             template:
+               - id: default
+                 master: master
+                 acl: master_acl
+
+Example master role is the opposite, except this role doesn't guarantee bootstrapping of the zone files, you have to do this
+yourself, for example with [synchronize][ansible-synchronize]:
+
+    - hosts: master01
+      roles:
+         - role: knot.auth
+           knot_zones:
+            - { name: 'example.com' }
+           knot_keys:
+            - { id: 'slave1_key', algorithm: 'hmac-md5', secret: 'Wg==' }
+           knot_extras: |
+             remote:
+               - id: slave01
+                 address: 192.168.2.1
+                 key: slave_key
+             acl:
+               - id: slaves
+                 address: 192.168.2.0/24
+                 action: transfer
+                 key: slave_key
+             template:
+               - id: default
+                 storage: /var/lib/zones
+                 notify: slave01
+                 acl: slaves
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+* [www.knot-dns.cz][knot-dns]
+
+[knot-dns]: http://www.knot-dns.cz
+[ansible-synchronize]: http://docs.ansible.com/ansible/synchronize_module.html

roles/vavrusa.knot/defaults/main.yml

@@ -0,0 +1,22 @@
+---
+## Installation options
+knot_from_source: false
+knot_git_branch: master
+knot_install_dir: ""
+knot_user: knot
+knot_group: knot
+knot_daemon: knot
+## Configuration options
+knot_interfaces:
+  - 127.0.0.1@5300
+  - ::1@5300
+  - "{{ ansible_default_ipv4.address }}"
+  - "{{ ansible_default_ipv6.address }}"
+knot_keys:
+  - { id: 'slave1_key', algorithm: 'hmac-md5', secret: 'Wg==' }
+knot_zones:
+  - { name: 'example.com', template: 'default' }
+knot_extras: |
+  server:
+    rate-limit: 10
+

roles/vavrusa.knot/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart knot
+  service: "name={{ knot_daemon }} state=restarted"

roles/vavrusa.knot/meta/.galaxy_install_info

@@ -0,0 +1 @@
+{install_date: 'Sat Aug 15 07:15:43 2020', version: master}

roles/vavrusa.knot/meta/main.yml

@@ -0,0 +1,129 @@
+---
+galaxy_info:
+  author: Knot DNS
+  description: High performance authoritative-only DNS server
+  company: CZ.NIC
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+  # Some suggested licenses:
+  # - BSD (default)
+  # - MIT
+  # - GPLv2
+  # - GPLv3
+  # - Apache
+  # - CC-BY
+  license: BSD
+  min_ansible_version: 1.2
+  #
+  # Below are all platforms currently available. Just uncomment
+  # the ones that apply to your role. If you don't see your 
+  # platform on this list, let us know and we'll get it added!
+  #
+  platforms:
+  - name: EL
+    versions:
+  #  - all
+  #  - 5
+    - 6
+    - 7
+  #- name: GenericUNIX
+  #  versions:
+  #  - all
+  #  - any
+  - name: Fedora
+    versions:
+    - all
+  #  - 16
+  #  - 17
+  #  - 18
+  #  - 19
+  #  - 20
+  #  - 21
+  #  - 22
+  #- name: SmartOS
+  #  versions:
+  #  - all
+  #  - any
+  #- name: opensuse
+  #  versions:
+  #  - all
+  #  - 12.1
+  #  - 12.2
+  #  - 12.3
+  #  - 13.1
+  #  - 13.2
+  #- name: Amazon
+  #  versions:
+  #  - all
+  #  - 2013.03
+  #  - 2013.09
+  #- name: GenericBSD
+  #  versions:
+  #  - all
+  #  - any
+  - name: FreeBSD
+    versions:
+    - all
+  #  - 8.0
+  #  - 8.1
+  #  - 8.2
+  #  - 8.3
+  #  - 8.4
+  #  - 9.0
+  #  - 9.1
+  #  - 9.1
+  #  - 9.2
+  - name: Ubuntu
+    versions:
+    - all
+  #  - lucid
+  #  - maverick
+  #  - natty
+  #  - oneiric
+  #  - precise
+  #  - quantal
+  #  - raring
+  #  - saucy
+  #  - trusty
+  #  - utopic
+  #  - vivid
+  #- name: SLES
+  #  versions:
+  #  - all
+  #  - 10SP3
+  #  - 10SP4
+  #  - 11
+  #  - 11SP1
+  #  - 11SP2
+  #  - 11SP3
+  #- name: GenericLinux
+  #  versions:
+  #  - all
+  #  - any
+  - name: Debian
+    versions:
+    - all
+  #
+  # Below are all categories currently available. Just as with
+  # the platforms above, uncomment those that apply to your role.
+  #
+  categories:
+  #- cloud
+  #- cloud:ec2
+  #- cloud:gce
+  #- cloud:rax
+  #- clustering
+  #- database
+  #- database:nosql
+  #- database:sql
+  #- development
+  #- monitoring
+  - networking
+  #- packaging
+  #- system
+  #- web
+dependencies: []
+  # List your role dependencies here, one per line.
+  # Be sure to remove the '[]' above if you add dependencies
+  # to this list.

roles/vavrusa.knot/tasks/from_pkgs.yml

@@ -0,0 +1,32 @@
+---
+# Ubuntu
+- name: repository (Ubuntu)
+  apt_repository: repo="ppa:cz.nic-labs/knot-dns" state=present
+  when: ansible_distribution == "Ubuntu"
+
+# Debian
+- name: repository keys (Debian)
+  apt_key: url=https://deb.knot-dns.cz/knot/apt.gpg state=present
+  when: ansible_distribution == "Debian"
+- name: repository (Debian)
+  apt_repository: repo="deb https://deb.knot-dns.cz/knot/ {{ ansible_lsb.codename }} main" state=present
+  when: ansible_distribution == "Debian"
+
+# Debian Family (Debian, Ubuntu)
+- name: packages (Debian/Ubuntu)
+  apt: pkg=knot update_cache=yes state=present
+  when: ansible_os_family == "Debian"
+
+# FreeBSD Family
+- name: packages (FreeBSD)
+  pkgng: name={{ item }} state=present
+  loop:
+    - dns/knot2
+  when: ansible_os_family == "FreeBSD"
+
+# RedHat Family (RedHat, Fendora, CentOS, Amazon, etc)
+- name: packages (RedHat)
+  yum: >
+    name=knot
+    state=present
+  when: ansible_os_family == "RedHat"

roles/vavrusa.knot/tasks/from_source.yml

@@ -0,0 +1,54 @@
+---
+# Fetch dependencies (platform-specific)
+- name: install dependencies
+  apt: pkg={{ item }} update_cache=yes cache_valid_time=86400 state=present
+  loop:
+    - gcc 
+    - make
+    - libc6-dev
+    - libtool
+    - autoconf
+    - liburcu-dev
+    - libgnutls28-dev
+    - libjansson-dev
+  when: ansible_os_family == "Debian" 
+- name: dependencies (FreeBSD)
+  pkgng: name={{ item }} state=present
+  loop:
+    - security/nettle
+    - security/gnutls
+    - devel/jansson
+    - sysutils/liburcu
+    - databases/lmdb
+  when: ansible_os_family == "FreeBSD"
+
+# Clone and build from sources
+- name: git clone
+  git: repo=http://gitlab.labs.nic.cz/labs/knot.git dest=/usr/local/src/knot version={{ knot_git_branch }} update=yes
+- name: configure
+  shell: autoreconf -if && ./configure --prefix={{ knot_install_dir }} chdir=/usr/local/src/knot creates=/usr/local/src/knot/Makefile
+- name: build
+  command: make -j{{ansible_processor_count}} chdir=/usr/local/src/knot creates=/usr/local/src/knot/src/knotd
+- name: install
+  command: make install chdir=/usr/local/src/knot creates={{ knot_install_dir }}/sbin/knotd
+
+# Post-installation
+- name: add knot group
+  group:
+    name={{ knot_group }}
+    comment="Knot DNS"
+- name: add knot user
+  user:
+    name={{ knot_user }}
+    comment="Knot DNS"
+    home={{ knot_install_dir }}
+    shell=/bin/false
+    groups={{knot_group}}
+    system=yes
+
+- name: make sure directories are writeable
+  file: path={{ item }}  state=directory owner={{ knot_user }}
+  with_items:
+    - "{{ knot_install_dir }}/etc/knot"
+    - "{{ knot_install_dir }}/var/lib/knot"
+    - "{{ knot_install_dir }}/var/run/lib/knot"

roles/vavrusa.knot/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+- name: install from source
+  include: from_source.yml
+  when: knot_from_source
+- name: install from packages
+  include: from_pkgs.yml
+  when: not knot_from_source
+
+# Post-install
+- name: set config path (FreeBSD)
+  lineinfile: dest=/etc/rc.conf regexp='^knot_config=' line="knot_config={{ knot_install_dir }}/etc/knot/knot.conf"
+  when: ansible_os_family == "FreeBSD"
+
+# Configuration
+- name: configure knot
+  template: >
+    src=knot.conf.j2
+    dest={{ knot_install_dir }}/etc/knot/knot.conf
+    mode=640
+    owner={{ knot_user }}
+    group={{ knot_group }}
+    validate="knotc -c %s conf-check"
+  notify: restart knot
+  tags: dns
+- name: enable knot
+  service: >
+    name={{ knot_daemon }}
+    enabled=True
+    state=started

roles/vavrusa.knot/templates/knot.conf.j2

@@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+
+# Server options
+server:
+  rundir: {{ knot_install_dir }}/var/run/knot
+  user: "{{ knot_user }}:{{ knot_group }}"
+{% for addr in knot_interfaces %}
+  listen: {{ addr }}
+{% endfor %}
+
+log:
+  - target: syslog
+    any: info
+
+# Key lists
+key:
+{% for key in knot_keys %}
+  - id: {{ key.id }}
+{% if 'algorithm' in key %}
+    algorithm: {{ key.algorithm }}
+{% endif %}
+{% if 'secret' in key %}
+    secret: {{ key.secret }}
+{% endif %}
+{% endfor %}
+
+# Server-specific extras
+{{ knot_extras }}
+
+# Zone lists
+zone:
+{% for zone in knot_zones %}
+  - domain: {{ zone.name }}
+{% if 'template' in zone %}
+    template: {{ zone.template }}
+{% endif %}
+{% if 'module' in zone %}
+    module: {{ zone.module }}
+{% endif %}
+{% if 'file' in zone %}
+    file: "{{ zone.file }}"
+{% endif %}
+{% if 'notify' in zone %}
+    notify: {{ zone.notify }}
+{% endif %}
+{% if 'acl' in zone %}
+    acl: {{ zone.acl }}
+{% endif %}
+    dnssec-signing: on
+    dnssec-policy: default
+{% endfor %}
+

roles/vavrusa.knot/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for knot.auth