diff --git a/unbound/README.md b/unbound/README.md
new file mode 100644
index 00000000..e299e976
--- /dev/null
+++ b/unbound/README.md
@@ -0,0 +1,16 @@
+# unbound
+
+Install Unbound.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+Main variables are :
+
+* `unbound_interfaces` : list of IP addresses to listen of ;
+* 'unbound_acls' : list of unbound access-control ;
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.
diff --git a/unbound/defaults/main.yml b/unbound/defaults/main.yml
new file mode 100644
index 00000000..86f51822
--- /dev/null
+++ b/unbound/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+unbound_interfaces:
+- '127.0.0.1'
+- '::1'
+unbound_acls:
+- '0.0.0.0/0 refuse'
+- '127.0.0.0/8 allow_snoop'
+- '::0/0 refuse'
+- '::1 allow_snoop'
diff --git a/unbound/handlers/main.yml b/unbound/handlers/main.yml
new file mode 100644
index 00000000..346edf1a
--- /dev/null
+++ b/unbound/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload unbound
+ service:
+ name: unbound
+ state: reloaded
diff --git a/unbound/tasks/main.yml b/unbound/tasks/main.yml
new file mode 100644
index 00000000..33d4a4ff
--- /dev/null
+++ b/unbound/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: Install Unbound package
+ apt:
+ name: unbound
+ state: present
+ when: ansible_distribution == "Debian"
+ tags:
+ - unbound
+
+- name: Copy Unbound config
+ template:
+ src: unbound.conf.j2
+ dest: /etc/unbound/unbound.conf
+ owner: root
+ group: root
+ mode: "0644"
+ when: ansible_distribution == "Debian"
+ notify: reload unbound
+ tags:
+ - unbound
+
+- name: Copy Unbound config
+ template:
+ src: unbound.conf.j2
+ dest: /var/unbound/etc/unbound.conf
+ owner: root
+ group: wheel
+ mode: "0644"
+ when: ansible_distribution == "OpenBSD"
+ notify: reload unbound
+ tags:
+ - unbound
+
+- name: Starting and enabling Unbound
+ service:
+ name: unbound
+ enabled: yes
+ state: started
+ tags:
+ - unbound
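Review bot: The loopback defaults in `unbound_acls` use `allow_snoop`, which answers non-recursive (cache-snooping) queries as well as recursive ones; plain `allow` is the tighter choice for localhost unless cache inspection is actually wanted, i.e. `- '127.0.0.0/8 allow'` and `- '::1 allow'`. Because each entry is a free-form `network action` string that is only checked when unbound reads the rendered file, a comment above the key stating the expected shape would help callers, e.g. `# each entry is "<netblock> <action>" exactly as unbound's access-control expects`. The refuse-everything-else entries for `0.0.0.0/0` and `::0/0` are the right default and should be kept first in the list so an override that appends a specific network reads naturally.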
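Review bot: The two template tasks carry the identical name `Copy Unbound config`, so play output cannot show which of the Debian or OpenBSD branches ran; rename them `Copy Unbound config (Debian)` and `Copy Unbound config (OpenBSD)`. Neither template task validates the rendered file before it replaces the live config and notifies the reload handler, so a malformed `unbound_interfaces` or `unbound_acls` value takes the resolver down at handler time; adding `validate: 'unbound-checkconf %s'` to both tasks rejects the change before it lands (on OpenBSD it is worth confirming that checkconf accepts a file outside the chroot). The final task uses `enabled: yes`, which is a YAML 1.1 truthy form; `enabled: true` is the canonical spelling and what yamllint expects. The install task is gated on Debian while the start task is unconditional, so a short comment such as `# unbound is in the OpenBSD base system; only Debian needs the package` would explain why there is no OpenBSD install step.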
diff --git a/unbound/templates/unbound.conf.j2 b/unbound/templates/unbound.conf.j2
new file mode 100644
index 00000000..baf80564
--- /dev/null
+++ b/unbound/templates/unbound.conf.j2
@@ -0,0 +1,45 @@
+server:
+ #interface: X.X.X.X
+ #interface: 127.0.0.1@5353 # listen on alternative port
+{% for interface in unbound_interfaces %}
+ interface: {{ interface }}
+{% endfor %}
+ #do-ip6: no
+
+{% for acl in unbound_acls %}
+ access-control: {{ acl }}
+{% endfor %}
+
+ hide-identity: yes
+ hide-version: yes
+
+ # root-hints: "/var/unbound/etc/named.cache"
+ # Uncomment to enable DNSSEC validation.
+ #auto-trust-anchor-file: "/var/unbound/db/root.key"
+ # Serve zones authoritatively from Unbound to resolver clients.
+ # Not for external service.
+
+ #local-zone: "local." static
+ #local-data: "mycomputer.local. IN A 192.0.2.51"
+ #local-zone: "2.0.192.in-addr.arpa." static
+ #local-data-ptr: "192.0.2.51 mycomputer.local
+ # UDP EDNS reassembly buffer advertised to peers. Default 4096.
+ # May need lowering on broken networks with fragmentation/MTU issues,
+ # particularly if validating DNSSEC.
+
+ #edns-buffer-size: 1480
+ # Use TCP for "forward-zone" requests. Useful if you are making
+ # DNS requests over an SSH port forwarding.
+ #tcp-upstream: yes
+
+# Use an upstream forwarder (recursive resolver) for specific zones.
+# Example addresses given below are public resolvers valid as of 2014/03.
+#
+#forward-zone:
+# name: "." # use for ALL queries
+# forward-addr: 74.82.42.42 # he.net
+# forward-addr: 2001:470:20::2 # he.net v6
+# forward-addr: 8.8.8.8 # google.com
+# forward-addr: 2001:4860:4860::8888 # google.com v6
+# forward-addr: 208.67.222.222 # opendns.com
+# forward-first: yes # try direct if forwarder fails
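Review bot: With `auto-trust-anchor-file` left commented out, neither deployment validates DNSSEC, and on Debian the replaced `/etc/unbound/unbound.conf` is typically the file that pulls in the packaged trust-anchor snippet, so the role would silently turn validation off there (worth confirming on a Debian host). Driving it from a role variable keeps that choice with the caller, e.g. `{% if unbound_trust_anchor_file is defined %}` / `auto-trust-anchor-file: "{{ unbound_trust_anchor_file }}"` / `{% endif %}`, with a per-OS default path (the OpenBSD path is already in the comment; the Debian one needs checking). The `interface:` and `access-control:` loops insert `unbound_interfaces` and `unbound_acls` verbatim, so a stray value is only rejected by unbound at reload; a header comment stating that both lists are passed through unvalidated and must come from trusted inventory would set expectations. The commented `#local-data-ptr: "192.0.2.51 mycomputer.local` line is missing its closing quote and will trip anyone who uncomments it.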