diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf13de19..56b05cd2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11
 * vrrpd: variable to force update the switch script (default: false)
 * dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
+* unbound: Big cleanup
+* unbound: Use root hints provided by debian package dns-root-data instead of downloading them
+* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf`
+* unbound: Add config file to allow configuration reload on Debian 11 and lower
+* unbound: Add munin configuration & setup plugin
 * webapps/nextcloud: Add Ceph volume to fstab
 
 ### Fixed
diff --git a/unbound/defaults/main.yml b/unbound/defaults/main.yml
index 86f51822..0d7807c1 100644
--- a/unbound/defaults/main.yml
+++ b/unbound/defaults/main.yml
@@ -1,9 +1,11 @@
 ---
+
 unbound_interfaces:
-- '127.0.0.1'
-- '::1'
+  - '127.0.0.1'
+  - '::1'
+
 unbound_acls:
-- '0.0.0.0/0 refuse'
-- '127.0.0.0/8 allow_snoop'
-- '::0/0 refuse'
-- '::1 allow_snoop'
+  - '0.0.0.0/0 refuse'
+  - '127.0.0.0/8 allow_snoop'
+  - '::0/0 refuse'
+  - '::1 allow_snoop'
diff --git a/unbound/files/munin-plugin.conf b/unbound/files/munin-plugin.conf
new file mode 100644
index 00000000..cf008d48
--- /dev/null
+++ b/unbound/files/munin-plugin.conf
@@ -0,0 +1,5 @@
+[unbound*]
+user root
+env.statefile /tmp/munin-unbound-state
+env.unbound_conf /etc/unbound/unbound.conf
+env.unbound_control /usr/sbin/unbound-control
diff --git a/unbound/handlers/main.yml b/unbound/handlers/main.yml
index 7c801751..fdb9a629 100644
--- a/unbound/handlers/main.yml
+++ b/unbound/handlers/main.yml
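Review bot: `env.statefile /tmp/munin-unbound-state` gives a plugin that runs as root (`user root` on the line above) a fixed, predictable path inside a world-writable directory, so a local user who creates that name, or a symlink at it, before the first run can redirect where the plugin's state is written. Point the state file at a directory only root or munin can write, for example `env.statefile /var/lib/munin-node/plugin-state/unbound-state`, which is munin-node's own plugin-state directory on Debian and is also exported to plugins as `MUNIN_PLUGSTATE`. If the upstream unbound_munin_ plugin honours that variable the `env.statefile` line may not be needed at all; check the plugin rather than assume it.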
@@ -1,5 +1,15 @@
 ---
-- name: reload unbound
+- name: Restart unbound
+  ansible.builtin.service:
+    name: unbound
+    state: restarted
+
+- name: Reload unbound
   ansible.builtin.service:
     name: unbound
     state: reloaded
+
+- name: Restart munin-node
+  ansible.builtin.service:
+    name: munin-node
+    state: restarted
diff --git a/unbound/tasks/main.yml b/unbound/tasks/main.yml
index 976c6386..6be337d3 100644
--- a/unbound/tasks/main.yml
+++ b/unbound/tasks/main.yml
@@ -1,38 +1,73 @@
 ---
 - name: Install Unbound package
   ansible.builtin.apt:
-    name: unbound
+    name:
+      - unbound
+      - unbound-anchor
+      - dns-root-data
     state: present
-  when: ansible_distribution == "Debian"
   tags:
-  - unbound
-
-- name: Retrieve list of root DNS servers
-  ansible.builtin.get_url:
-    url: https://www.internic.net/domain/named.cache
-    dest: /etc/unbound/root.hints
-    force: true
-    mode: "0644"
-  notify: reload unbound
-  tags:
-  - unbound
+    - unbound
 
 - name: Copy Unbound config
   ansible.builtin.template:
-    src: unbound.conf.j2
-    dest: /etc/unbound/unbound.conf
+    src: evolinux.conf.j2
+    dest: /etc/unbound/unbound.conf.d/evolinux.conf
     owner: root
     group: root
     mode: "0644"
-  when: ansible_distribution == "Debian"
-  notify: reload unbound
+  notify: Reload unbound
   tags:
-  - unbound
+    - unbound
+
+- name: Copy Unbound config for reloading (Debian 11 and older)
+  ansible.builtin.template:
+    src: evolinux-reload.conf.j2
+    dest: /etc/unbound/unbound.conf.d/evolinux-reload.conf
+    owner: root
+    group: root
+    mode: "0644"
+  when:
+    - ansible_distribution_major_version is version('11', '<=')
+  notify: Restart unbound
+  tags:
+    - unbound
+
+- name: Copy munin plugin config
+  ansible.builtin.copy:
+    src: munin-plugin.conf
+    dest: /etc/munin/plugin-conf.d/unbound
+    owner: root
+    group: root
+    mode: "0644"
+  tags:
+    - unbound
+
+- name: Enable unbound munin plugin
+  ansible.builtin.file:
+    src: /usr/share/munin/plugins/unbound_munin_
+    dest: "/etc/munin/plugins/unbound_munin_{{ plugin_name }}"
+    state: link
+  loop:
+    - hits
+    - queue
+    - memory
+    - by_type
+    - by_class
+    - by_opcode
+    - by_rcode
+    - by_flags
+    - histogram
+  loop_control:
+    loop_var: plugin_name
+  notify: Restart munin-node
+  tags:
+    - unbound
 
 - name: Starting and enabling Unbound
   ansible.builtin.service:
     name: unbound
-    enabled: yes
+    enabled: true
     state: started
   tags:
-  - unbound
+    - unbound
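Review bot: The new `Copy munin plugin config` task carries no `notify`, so a later change to `munin-plugin.conf` (moving the state file, for instance) lands in `/etc/munin/plugin-conf.d/unbound` but is never applied, because munin-node is only restarted from the `Enable unbound munin plugin` task when one of the symlinks changes; add `notify: Restart munin-node` to the copy task too. Both munin tasks also assume munin-node is present: nothing checks that `/etc/munin/plugin-conf.d` or `/usr/share/munin/plugins/unbound_munin_` exists, and on a host without the package the copy and the `state: link` tasks are likely to fail rather than skip, so either a `when` guarding on a stat of the plugins directory or a stated role dependency on munin should make that explicit. Minor: with the `ansible_distribution == "Debian"` guards removed, the `ansible_distribution_major_version is version('11', '<=')` test now applies to whatever distribution the role runs on, although the comparison is only meaningful for Debian releases.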
diff --git a/unbound/templates/evolinux-reload.conf.j2 b/unbound/templates/evolinux-reload.conf.j2
new file mode 100644
index 00000000..f2f395ae
--- /dev/null
+++ b/unbound/templates/evolinux-reload.conf.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+remote-control:
+  control-enable: yes
+  # by default the control interface is is 127.0.0.1 and ::1 and port 8953
+  # it is possible to use a unix socket too
+  control-interface: /run/unbound.ctl
diff --git a/unbound/templates/evolinux.conf.j2 b/unbound/templates/evolinux.conf.j2
new file mode 100644
index 00000000..339dfe45
--- /dev/null
+++ b/unbound/templates/evolinux.conf.j2
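Review bot: Nothing in this file says why it exists only on Debian 11 and older — that condition lives in the `when` of tasks/main.yml — so an operator reading /etc/unbound/unbound.conf.d on a host cannot tell whether the snippet is safe to remove or is duplicating something the distro already ships; a header such as `# Enables unbound-control over a unix socket so that "reload" works; only deployed on Debian <= 11 (see the unbound role tasks)` would carry that. The comment above `control-interface` also doubles a word: `# by default the control interface is 127.0.0.1 and ::1 and port 8953`. Choosing the unix socket over the default TCP control port is the right call here, since it opens no listener and needs no client certificates.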
@@ -0,0 +1,53 @@
+server:
+  #interface: X.X.X.X
+  #interface: 127.0.0.1@5353 # listen on alternative port
+{% for interface in unbound_interfaces %}
+  interface: {{ interface }}
+{% endfor %}
+
+{% for acl in unbound_acls %}
+  access-control: {{ acl }}
+{% endfor %}
+
+  hide-identity: yes
+  hide-version: yes
+
+  root-hints: "/usr/share/dns/root.hints"
+
+  # Uncomment to enable DNSSEC validation.
+  #auto-trust-anchor-file: "/etc/unbound/root.key"
+
+  # Enable extended stats for munin plugin
+  extended-statistics: yes
+  statistics-cumulative: no
+  statistics-interval: 0
+
+
+  # Serve zones authoritatively from Unbound to resolver clients.
+  # Not for external service.
+
+  #local-zone: "local." static
+  #local-data: "mycomputer.local. IN A 192.0.2.51"
+  #local-zone: "2.0.192.in-addr.arpa." static
+  #local-data-ptr: "192.0.2.51 mycomputer.local
+  # UDP EDNS reassembly buffer advertised to peers. Default 4096.
+  # May need lowering on broken networks with fragmentation/MTU issues,
+  # particularly if validating DNSSEC.
+
+  #edns-buffer-size: 1480
+  # Use TCP for "forward-zone" requests. Useful if you are making
+  # DNS requests over an SSH port forwarding.
+  #tcp-upstream: yes
+
+
+# Use an upstream forwarder (recursive resolver) for specific zones.
+# Example addresses given below are public resolvers valid as of 2014/03.
+#
+#forward-zone:
+#  name: "."  # use for ALL queries
+#  forward-addr: 74.82.42.42  # he.net
+#  forward-addr: 2001:470:20::2  # he.net v6
+#  forward-addr: 8.8.8.8  # google.com
+#  forward-addr: 2001:4860:4860::8888  # google.com v6
+#  forward-addr: 208.67.222.222  # opendns.com
+#  forward-first: yes  # try direct if forwarder fails
diff --git a/unbound/templates/unbound.conf.j2 b/unbound/templates/unbound.conf.j2
deleted file mode 100644
index a97e725d..00000000
--- a/unbound/templates/unbound.conf.j2
+++ /dev/null
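Review bot: The tasks hunk now installs `unbound-anchor`, yet this template still leaves validation commented out (`#auto-trust-anchor-file: "/etc/unbound/root.key"`) and nothing on the page states where DNSSEC validation is actually switched on. If the intent is to rely on the Debian package's own conf.d snippet for the trust anchor, the template should say so instead of carrying a commented example that points at a path the role never creates, e.g. `# DNSSEC validation: the trust anchor is managed by the unbound-anchor / dns-root-data packages through the distro's conf.d snippet, not here`; if that snippet is not guaranteed on every supported release, the option should be enabled with the package-managed key path rather than left as a comment. The commented example `#local-data-ptr: "192.0.2.51 mycomputer.local` is also missing its closing quote, harmless while commented but a trap for whoever uncomments it, so it is worth fixing in the same pass as `#local-data-ptr: "192.0.2.51 mycomputer.local"`.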
@@ -1,45 +0,0 @@
-server:
-  #interface: X.X.X.X
-  #interface: 127.0.0.1@5353 # listen on alternative port
-{% for interface in unbound_interfaces %}
-  interface: {{ interface }}
-{% endfor %}
-  #do-ip6: no
-
-{% for acl in unbound_acls %}
-  access-control: {{ acl }}
-{% endfor %}
-
-  hide-identity: yes
-  hide-version: yes
-
-  root-hints: "/etc/unbound/root.hints"
-  # Uncomment to enable DNSSEC validation.
-  #auto-trust-anchor-file: "/etc/unbound/root.key"
-  # Serve zones authoritatively from Unbound to resolver clients.
-  # Not for external service.
-
-  #local-zone: "local." static
-  #local-data: "mycomputer.local. IN A 192.0.2.51"
-  #local-zone: "2.0.192.in-addr.arpa." static
-  #local-data-ptr: "192.0.2.51 mycomputer.local
-  # UDP EDNS reassembly buffer advertised to peers. Default 4096.
-  # May need lowering on broken networks with fragmentation/MTU issues,
-  # particularly if validating DNSSEC.
-
-  #edns-buffer-size: 1480
-  # Use TCP for "forward-zone" requests. Useful if you are making
-  # DNS requests over an SSH port forwarding.
-  #tcp-upstream: yes
-
-# Use an upstream forwarder (recursive resolver) for specific zones.
-# Example addresses given below are public resolvers valid as of 2014/03.
-#
-#forward-zone:
-#  name: "."  # use for ALL queries
-#  forward-addr: 74.82.42.42  # he.net
-#  forward-addr: 2001:470:20::2  # he.net v6
-#  forward-addr: 8.8.8.8  # google.com
-#  forward-addr: 2001:4860:4860::8888  # google.com v6
-#  forward-addr: 208.67.222.222  # opendns.com
-#  forward-first: yes  # try direct if forwarder fails