Add support for on-secondary signing

roles/knot/templates/etc/knot/knot.conf.j2

@@ -68,7 +68,7 @@ acl:
     key: {{ hostvars[remote].knot_tsig_key.name }}
 {% endif %}
 {% for address in hostvars[remote].knot_dns_addresses %}
-    address: "{{ address }}"
+    address: "{{ address.split('@')[0] }}"
 {% endfor %}
 {% endfor %}
 
@@ -86,7 +86,7 @@ acl:
 
 submission:
 {% for zone in zones %}
-{% if inventory_hostname in zone.masters %}
+{% if inventory_hostname in zone.masters or (inventory_hostname in zone.replicas and zone.sign_on_secondary | default(false)) %}
 
   - id: submission-{{ zone.name }}
     check-interval: {{ knot_dnssec_submission_check_interval }}