unbound: configure as a forwarded that accepts connections

roles/dns/defaults/main.yaml

@@ -6,6 +6,14 @@ unbound_service_name: 'unbound'
 unbound_service_state: 'started'
 unbound_service_enabled: yes
 
+unbound_interfaces:
+  - 127.0.0.1
+  - ::1
+
+unbound_access_control:
+  - 127.0.0.1 allow
+  - ::1 allow
+
 unbound_forward_zones:
   - name: .
     forward_addr:

roles/dns/handlers/main.yaml

@@ -5,4 +5,10 @@
     state: reloaded
   when: unbound_service_enabled
 
+- name: restart unbound
+  service:
+    name: "{{ unbound_service_name }}"
+    state: restarted
+  when: unbound_service_enabled
+
 # vim:ft=yaml.ansible:

roles/dns/tasks/main.yaml

@@ -1,14 +1,46 @@
 ---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
 - name: install unbound
   package:
     name: "{{ unbound_package_name }}"
     state: "{{ unbound_package_state }}"
 
-- name: configure unbound
+- name: configure unbound interfaces
+  template:
+    src: listen.conf.j2
+    dest: "{{ unbound_conf_d_path }}/listen.conf"
+    validate: "{{ unbound_checkconf_command }}"
+  notify:
+    - restart unbound
+
+- name: configure unbound forward zones
   template:
     src: forward.conf.j2
-    dest: /etc/unbound/unbound.conf.d/forward.conf
-    validate: 'unbound-checkconf %s'
+    dest: "{{ unbound_conf_d_path }}/forward.conf"
+    validate: "{{ unbound_checkconf_command }}"
   notify:
     - reload unbound
 

roles/dns/templates/listen.conf.j2

@@ -0,0 +1,9 @@
+server:
+{% if unbound_interfaces is defined %}
+{%   for iface in unbound_interfaces | default([]) %}
+  interface: {{ iface }}
+{%   endfor %}
+{%   for ac in unbound_access_control | default([]) %}
+  access-control: {{ ac }}
+{%   endfor %}
+{% endif %}

roles/dns/vars/Debian.yaml

@@ -0,0 +1,3 @@
+---
+unbound_conf_d_path: /etc/unbound/unbound.conf.d
+unbound_checkconf_command: unbound-checkconf %s

roles/dns/vars/RedHat.yaml

@@ -1,3 +1,5 @@
 ---
+unbound_conf_d_path: /etc/unbound/conf.d
+unbound_checkconf_command: 'true %s'
 
 # vim:ft=yaml.ansible: