commit 8e18cf27f889ad3b2a3a55bed3ea049b8842edf1
Author: s3lph
Date: Thu Nov 19 00:21:11 2020 +0100
Initial commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f7736a7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+# Ansible Collection - s3lph.nameserver
+
+Documentation for the collection.
+
+WIP
\ No newline at end of file
diff --git a/galaxy.yml b/galaxy.yml
new file mode 100644
index 0000000..44fb1f1
--- /dev/null
+++ b/galaxy.yml
@@ -0,0 +1,67 @@
+### REQUIRED
+# The namespace of the collection. This can be a company/brand/organization or product namespace under which all
+# content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with
+# underscores or numbers and cannot contain consecutive underscores
+namespace: s3lph
+
+# The name of the collection. Has the same character restrictions as 'namespace'
+name: nameserver
+
+# The version of the collection. Must be compatible with semantic versioning
+version: 1.0.0
+
+# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
+readme: README.md
+
+# A list of the collection's content authors. Can be just the name or in the format 'Full Name (url)
+# @nicks:irc/im.site#channel'
+authors:
+- s3lph
+
+
+### OPTIONAL but strongly recommended
+# A short summary description of the collection
+description: Authoritative nameserver setup with knot as master and nsd as replicas
+
+# Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
+# accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'
+license:
+- MIT
+
+# The path to the license file for the collection. This path is relative to the root of the collection. This key is
+# mutually exclusive with 'license'
+license_file: ''
+
+# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
+# requirements as 'namespace' and 'name'
+tags:
+  - dns
+  - knot
+  - nsd
+  - nameserver
+  - dnssec
+
+# Collections that this collection requires to be installed for it to be usable. The key of the dict is the
+# collection label 'namespace.name'. The value is a version range
+# L(specifiers,https://python-semanticversion.readthedocs.io/en/latest/#requirement-specification). Multiple version
+# range specifiers can be set and are separated by ','
+dependencies: {}
+
+# The URL of the originating SCM repository
+repository: https://gitlab.com/s3lph/ansible-collection-nameserver
+
+# The URL to any online docs
+documentation: https://gitlab.com/s3lph/ansible-collection-nameserver
+
+# The URL to the homepage of the collection/project
+homepage: https://gitlab.com/s3lph/ansible-collection-nameserver
+
+# The URL to the collection issue tracker
+issues: https://gitlab.com/s3lph/ansible-collection-nameserver/-/issues
+
+# A list of file glob-like patterns used to filter any files or directories that should not be included in the build
+# artifact. A pattern is matched from the relative path of the file or directory of the collection directory. This
+# uses 'fnmatch' to match the files or directories. Some directories and files like 'galaxy.yml', '*.pyc', '*.retry',
+# and '.git' are always filtered
+build_ignore: []
+
diff --git a/roles/master/tasks/config.yml b/roles/master/tasks/config.yml
new file mode 100644
index 0000000..cd21505
--- /dev/null
+++ b/roles/master/tasks/config.yml
@@ -0,0 +1,2 @@
+---
+
diff --git a/roles/master/tasks/install.yml b/roles/master/tasks/install.yml
new file mode 100644
index 0000000..aa13bdc
--- /dev/null
+++ b/roles/master/tasks/install.yml
@@ -0,0 +1,7 @@
+---
+
+- name: install knot
+  package:
+    name: knot
+    state: present
+
diff --git a/roles/master/tasks/main.yml b/roles/master/tasks/main.yml
new file mode 100644
index 0000000..5a5e77a
--- /dev/null
+++ b/roles/master/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: install knot
+  import_tasks: install.yml
+  tags:
+    - "role::nameserver:master"
+    - "role::nameserver:master:install"
+
+- name: configure knot
+  import_tasks: config.yml
+  tags:
+    - "role::nameserver:master"
+    - "role::nameserver:master:config"
diff --git a/roles/replica/defaults/main.yml b/roles/replica/defaults/main.yml
new file mode 100644
index 0000000..a6546b0
--- /dev/null
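Review bot: Sequence indentation is inconsistent within galaxy.yml: `authors:` and `license:` use flush `- ` items while `tags:` indents its items by two spaces. Both forms are valid YAML, but yamllint's indentation rule flags the mix, so indenting the two short lists to match `tags` (`  - s3lph`, `  - MIT`) keeps the file uniform.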
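Review bot: roles/master/tasks/install.yml installs the knot package but never starts or enables its service, whereas the replica role's install.yml later in this commit follows the package step with a `service` task (`state: started`, `enabled: yes`). Unless the still-empty master config.yml is meant to do this later, a matching task such as `- name: start and enable knot` / `service: {name: knot, state: started, enabled: true}` would keep the two roles symmetric and avoid leaving knot installed but inactive after a run.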
+++ b/roles/replica/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+
+nsd_server_hide_version: yes
+nsd_server_verbosity: 1
+nsd_server_database: "" # disable database
+nsd_server_zonefile_write: 300
+nsd_server_listen:
+  - "::@53"
+  - "0.0.0.0@53"
+nsd_server_minimal_responses: yes
+nsd_server_refuse_any: yes
+
+nsd_remote_control_enable: yes
+nsd_remote_control_interface: /var/run/nsd.sock
diff --git a/roles/replica/handlers/main.yml b/roles/replica/handlers/main.yml
new file mode 100644
index 0000000..6490ef0
--- /dev/null
+++ b/roles/replica/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: reload nsd
+  service:
+    name: nsd
+    state: reloaded
diff --git a/roles/replica/tasks/config.yml b/roles/replica/tasks/config.yml
new file mode 100644
index 0000000..4f5bc66
--- /dev/null
+++ b/roles/replica/tasks/config.yml
@@ -0,0 +1,35 @@
+---
+
+- name: render nsd main config
+  template:
+    src: etc/nsd/nsd.conf.j2
+    dest: /etc/nsd/nsd.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload nsd
+
+- name: render nsd server config
+  template:
+    src: etc/nsd/nsd.conf.d/00-server.conf.j2
+    dest: /etc/nsd/nsd.conf.d/00-server.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload nsd
+
+- name: render nsd replica configs
+  template:
+    src: etc/nsd/nsd.conf.d/10-replica.conf.j2
+    dest: "/etc/nsd/nsd.conf.d/{{ 10+i }}-replica-{{ item.primary }}.conf"
+    owner: root
+    group: root
+    mode: 0644
+  vars:
+    primary: "{{ item.primary }}"
+    masters: "{{ item.masters }}"
+    zones: "{{ item.zones }}"
+  loop: "{{ nsd_zone_groups }}"
+  loop_control:
+    index_var: i
+  notify: reload nsd
diff --git a/roles/replica/tasks/install.yml b/roles/replica/tasks/install.yml
new file mode 100644
index 0000000..f642a0d
--- /dev/null
+++ b/roles/replica/tasks/install.yml
@@ -0,0 +1,12 @@
+---
+
+- name: install nsd
+  package:
+    name: nsd
+    state: present
+
+- name: start and enable nsd
+  service:
+    name: nsd
+    state: started
+    enabled: yes
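Review bot: The `yes` values in roles/replica/defaults/main.yml (`nsd_server_hide_version`, `nsd_server_minimal_responses`, `nsd_server_refuse_any`, `nsd_remote_control_enable`) are parsed by YAML as booleans, and 00-server.conf.j2 in this commit emits them verbatim with `{{ ... }}`, so the rendered nsd.conf contains `hide-version: True` rather than the `yes`/`no` literal that nsd's config parser expects. Either quote the defaults as strings (`nsd_server_hide_version: "yes"`) or, more robustly, keep them boolean and convert at the template, `hide-version: {{ nsd_server_hide_version | ternary('yes', 'no') }}`, for each of the four options. Pick one approach and apply it consistently so a consumer overriding one variable gets the same behaviour as the defaults.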
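Review bot: The looped task in roles/replica/tasks/config.yml writes one `{{ 10+i }}-replica-{{ item.primary }}.conf` per entry of `nsd_zone_groups`, but nothing removes the file for an entry that is later deleted, and because the index is part of the filename an insertion or reorder leaves the old `NN-replica-<primary>.conf` next to the new one; nsd.conf.j2 includes `/etc/nsd/nsd.conf.d/*.conf`, so stale groups keep being served and a duplicated primary defines the same `xfr-<primary>` pattern twice. Consider dropping the index from the name so the path is stable per primary, and adding a `find` on `/etc/nsd/nsd.conf.d` with `patterns: "*-replica-*.conf"` followed by `file: state: absent` for anything not in the expected set. `item.primary` also flows straight into the destination path; a comment noting that it is expected to be a plain hostname documents that assumption for whoever fills in `nsd_zone_groups`.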
diff --git a/roles/replica/tasks/main.yml b/roles/replica/tasks/main.yml
new file mode 100644
index 0000000..363890a
--- /dev/null
+++ b/roles/replica/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: install nsd
+  import_tasks: install.yml
+  tags:
+    - "role::nameserver:replica"
+    - "role::nameserver:replica:install"
+
+- name: configure nsd
+  import_tasks: config.yml
+  tags:
+    - "role::nameserver:replica"
+    - "role::nameserver:replica:config"
diff --git a/roles/replica/templates/etc/nsd/nsd.conf.d/00-server.conf.j2 b/roles/replica/templates/etc/nsd/nsd.conf.d/00-server.conf.j2
new file mode 100644
index 0000000..5f0fea6
--- /dev/null
+++ b/roles/replica/templates/etc/nsd/nsd.conf.d/00-server.conf.j2
@@ -0,0 +1,18 @@
+{{ ansible_managed | comment }}
+
+server:
+  hide-version: {{ nsd_server_hide_version }}
+  verbosity: {{ nsd_server_verbosity }}
+  database: {{ nsd_server_database }}
+  zonefiles-write: {{ nsd_server_zonefile_write }}
+
+{%- for addr in nsd_server_listen %}
+  ip-address: {{ addr }}
+{%- endfor %}
+
+  minimal-responses: {{ nsd_server_minimal_responses }}
+  refuse-any: {{ nsd_server_refuse_any }}
+
+remote-control:
+  control-enable: {{ nsd_remote_control_enable }}
+  control-interface: {{ nsd_remote_control_interface }}
diff --git a/roles/replica/templates/etc/nsd/nsd.conf.d/10-replica.conf.j2 b/roles/replica/templates/etc/nsd/nsd.conf.d/10-replica.conf.j2
new file mode 100644
index 0000000..8750405
--- /dev/null
+++ b/roles/replica/templates/etc/nsd/nsd.conf.d/10-replica.conf.j2
@@ -0,0 +1,21 @@
+{{ ansible_managed | comment }}
+
+#
+# Replica for zones of of primary {{ primary }}
+#
+
+pattern:
+  name: xfr-{{ primary }}
+  zonefile: "/var/lib/nsd/replica/%szone"
+{%- for addr in masters %}
+  allow-notify: {{ addr }} NOKEY
+{%- endfor %}
+{%- for addr in masters %}
+  request-xfr: {{ addr }} NOKEY
+{%- endfor %}
+
+{% for zone in zones %}
+zone:
+  name: {{ zone }}
+  include-pattern: "xfr-{{ primary }}"
+{%- endfor %}
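Review bot: The `{%- for addr in nsd_server_listen %}` / `{%- endfor %}` tags in 00-server.conf.j2 strip all whitespace before them, including the newline, and Ansible's template module trims the newline after a block tag by default, so as far as I can tell the loop body collapses onto the preceding line (`zonefiles-write: 300  ip-address: ::@53  ip-address: 0.0.0.0@53`) instead of producing one `ip-address:` directive per line; 10-replica.conf.j2 uses the same `{%- ... %}` construct around `allow-notify`, `request-xfr` and the `zone:` stanzas and will concatenate them the same way. Dropping the leading `-` (`{% for addr in nsd_server_listen %}` … `{% endfor %}`) and relying on trim_blocks gives one directive per line in both templates. Separately, `database: {{ nsd_server_database }}` renders as a bare `database:` when the default `""` is used; quoting it in the template, `database: "{{ nsd_server_database }}"`, preserves the empty-string form that the default's `# disable database` comment relies on.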
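Review bot: `allow-notify: {{ addr }} NOKEY` and `request-xfr: {{ addr }} NOKEY` in 10-replica.conf.j2 make the replica accept NOTIFY from, and pull AXFR/IXFR from, the listed masters on source address alone, with no TSIG; with Knot as the master a per-primary TSIG key costs little, and nsd.conf(5) takes a key name in the position where `NOKEY` is written. An optional per-group key (e.g. an `item.tsig_key` passed through the task `vars` like `primary` and `masters`, falling back to `NOKEY` when unset) rendered as `allow-notify: {{ addr }} {{ key_name }}` / `request-xfr: {{ addr }} {{ key_name }}` together with a matching `key:` stanza would make authenticated transfers the default path rather than an afterthought. The header comment on line 4 also reads `zones of of primary`, a duplicated word.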
diff --git a/roles/replica/templates/etc/nsd/nsd.conf.j2 b/roles/replica/templates/etc/nsd/nsd.conf.j2
new file mode 100644
index 0000000..937eac5
--- /dev/null
+++ b/roles/replica/templates/etc/nsd/nsd.conf.j2
@@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+# NSD configuration file for Debian.
+#
+# See the nsd.conf(5) man page.
+#
+# See /usr/share/doc/nsd/examples/nsd.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/nsd/nsd.conf.d directory.
+
+include: "/etc/nsd/nsd.conf.d/*.conf"