From 399f5541c6097d015856e6c9b1dc05d0939f2336 Mon Sep 17 00:00:00 2001
From: Ryan Cavicchioni
Date: Tue, 30 Aug 2022 07:24:18 -0500
Subject: [PATCH] unbound: configure as a forwarded that accepts connections

---
 roles/dns/defaults/main.yaml | 8 +++++++
 roles/dns/handlers/main.yaml | 6 +++++
 roles/dns/tasks/default.yaml | 0
 roles/dns/tasks/main.yaml | 38 +++++++++++++++++++++++++++---
 roles/dns/templates/listen.conf.j2 | 9 +++++++
 roles/dns/vars/Debian.yaml | 3 +++
 roles/dns/vars/RedHat.yaml | 2 ++
 7 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 roles/dns/tasks/default.yaml
 create mode 100644 roles/dns/templates/listen.conf.j2
 create mode 100644 roles/dns/vars/Debian.yaml

diff --git a/roles/dns/defaults/main.yaml b/roles/dns/defaults/main.yaml
index 0d43f5c..3e002c2 100644
--- a/roles/dns/defaults/main.yaml
+++ b/roles/dns/defaults/main.yaml
@@ -6,6 +6,14 @@ unbound_service_name: 'unbound'
 unbound_service_state: 'started'
 unbound_service_enabled: yes
+unbound_interfaces:
+ - 127.0.0.1
+ - ::1
+
+unbound_access_control:
+ - 127.0.0.1 allow
+ - ::1 allow
+
 unbound_forward_zones:
 - name: .
 forward_addr:
diff --git a/roles/dns/handlers/main.yaml b/roles/dns/handlers/main.yaml
index 6c43192..4a846c6 100644
--- a/roles/dns/handlers/main.yaml
+++ b/roles/dns/handlers/main.yaml
@@ -5,4 +5,10 @@
 state: reloaded
 when: unbound_service_enabled
+- name: restart unbound
+ service:
+ name: "{{ unbound_service_name }}"
+ state: restarted
+ when: unbound_service_enabled
+
 # vim:ft=yaml.ansible:
diff --git a/roles/dns/tasks/default.yaml b/roles/dns/tasks/default.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/dns/tasks/main.yaml b/roles/dns/tasks/main.yaml
index 0bd55a9..ea54f9b 100644
--- a/roles/dns/tasks/main.yaml
+++ b/roles/dns/tasks/main.yaml
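Review bot: The two new lists in `defaults/main.yaml` have to be kept in step by whoever overrides them, and nothing on the page says so: an address added to `unbound_interfaces` is only reachable once a matching `allow` entry exists in `unbound_access_control`, while an `allow` wider than the networks this host is meant to serve turns it into an open resolver. Add a comment above `unbound_interfaces:` such as `# Listen addresses; each non-loopback entry needs a matching "<net> allow" in unbound_access_control, and allow rules should cover only the networks this resolver serves.`. Quoting the IPv6 entries as `- '::1'` and `- '::1 allow'` would also avoid plain scalars that begin with the `:` indicator, which some loaders and linters handle differently from the rest.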
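Review bot: The new `restart unbound` handler in `handlers/main.yaml` differs from the existing `reload unbound` only in `state:`, and the hunk gives no reason why the interface template needs the disruptive restart while the forward zones get a reload; presumably listen sockets are only bound at startup, but that rationale belongs on the handler. Add `# listen.conf changes need a full restart; a reload does not rebind sockets - confirm for the unbound version in use` above `- name: restart unbound`. When both templates change in one run the reload handler still fires alongside the restart, which looks harmless but is worth knowing when reading the play output.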
@@ -1,14 +1,46 @@
 ---
+- name: gather os specific variables
+ include_vars: "{{ lookup('first_found', possible_files) }}"
+ vars:
+ possible_files:
+ files:
+ - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+ - "{{ ansible_distribution }}.yaml"
+ - "{{ ansible_os_family }}.yaml"
+ - "default.yaml"
+ paths:
+ - vars
+
+- name: include os specific tasks
+ include_tasks: "{{ lookup('first_found', possible_files) }}"
+ vars:
+ possible_files:
+ files:
+ - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+ - "{{ ansible_distribution }}.yaml"
+ - "{{ ansible_os_family }}.yaml"
+ - "default.yaml"
+ paths:
+ - tasks
+
 - name: install unbound
 package:
 name: "{{ unbound_package_name }}"
 state: "{{ unbound_package_state }}"
-- name: configure unbound
+- name: configure unbound interfaces
+ template:
+ src: listen.conf.j2
+ dest: "{{ unbound_conf_d_path }}/listen.conf"
+ validate: "{{ unbound_checkconf_command }}"
+ notify:
+ - restart unbound
+
+- name: configure unbound forward zones
 template:
 src: forward.conf.j2
- dest: /etc/unbound/unbound.conf.d/forward.conf
- validate: 'unbound-checkconf %s'
+ dest: "{{ unbound_conf_d_path }}/forward.conf"
+ validate: "{{ unbound_checkconf_command }}"
 notify:
 - reload unbound
diff --git a/roles/dns/templates/listen.conf.j2 b/roles/dns/templates/listen.conf.j2
new file mode 100644
index 0000000..61446a6
--- /dev/null
+++ b/roles/dns/templates/listen.conf.j2
@@ -0,0 +1,9 @@
+server:
+{% if unbound_interfaces is defined %}
+{% for iface in unbound_interfaces | default([]) %}
+ interface: {{ iface }}
+{% endfor %}
+{% for ac in unbound_access_control | default([]) %}
+ access-control: {{ ac }}
+{% endfor %}
+{% endif %}
diff --git a/roles/dns/vars/Debian.yaml b/roles/dns/vars/Debian.yaml
new file mode 100644
index 0000000..196979b
--- /dev/null
+++ b/roles/dns/vars/Debian.yaml
@@ -0,0 +1,3 @@
+---
+unbound_conf_d_path: /etc/unbound/unbound.conf.d
+unbound_checkconf_command: unbound-checkconf %s
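Review bot: The `gather os specific variables` task in `tasks/main.yaml` falls back to `default.yaml` under `vars`, but the patch only creates `roles/dns/tasks/default.yaml` (see the diffstat), so on a host that is neither Debian nor RedHat family the `first_found` lookup fails with a generic "no file found" error instead of saying the OS is unsupported, and `unbound_conf_d_path` and `unbound_checkconf_command`, which both template tasks now depend on, are never set. Either add a `roles/dns/vars/default.yaml` alongside the tasks one, or follow the include with an explicit check such as `- name: check os specific variables are set`, `  assert:`, `    that: [unbound_conf_d_path is defined, unbound_checkconf_command is defined]` so the failure names the missing variables.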
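Review bot: In `listen.conf.j2` the `{% if unbound_interfaces is defined %}` guard wraps both loops, so the access-control loop is coupled to a variable it does not use, and with the guard in place the `| default([])` filters on the two `for` lines can never take effect; since `defaults/main.yaml` defines both variables the guard is effectively dead code. Drop the `{% if %}`/`{% endif %}` pair and let `default([])` handle an undefined value, or guard each loop on its own variable. A first line such as `# managed by ansible (roles/dns/templates/listen.conf.j2) - local edits are overwritten` would also tell an operator who finds the rendered file where the listen and access-control policy actually lives.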
diff --git a/roles/dns/vars/RedHat.yaml b/roles/dns/vars/RedHat.yaml
index 3a79a49..7db3c77 100644
--- a/roles/dns/vars/RedHat.yaml
+++ b/roles/dns/vars/RedHat.yaml
@@ -1,3 +1,5 @@
 ---
+unbound_conf_d_path: /etc/unbound/conf.d
+unbound_checkconf_command: 'true %s'
 # vim:ft=yaml.ansible:
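Review bot: `unbound_checkconf_command: 'true %s'` turns the `validate:` step of both template tasks into a no-op on RedHat-family hosts, so a malformed `listen.conf` is written to `/etc/unbound/conf.d` unchecked and the `restart unbound` handler then takes a working resolver down; `Debian.yaml` keeps `unbound-checkconf %s`, and nothing in the diff says why RedHat cannot. If `unbound-checkconf` is available there, use the same command; if there is a real reason to skip validation, record it on the line, e.g. `# validate is intentionally a no-op on RedHat: <reason> - TODO confirm unbound-checkconf cannot be used here`. The quoting also differs between the two vars files (`'true %s'` here, unquoted `unbound-checkconf %s` in Debian.yaml); pick one style.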