Update to 2021-12-01 19:13

2025-07-27 00:05:44 +02:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/unbound/defaults/main.yml
+++ b/roles/unbound/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+
+unbound_port: 53
+unbound_src_ip: []
+unbound_forward_zones: []
+# unbound_forward_zones:
+#   - name: domain.local
+#     forwarders:
+#       - ns1.domain.com
+#       - ns1.domain.com
+
+unbound_local_zones: []
+# unbound_localzones:
+#   - name: 3.29.10.in-addr.arpa.
+#     entries:
+#       - name: 1
+#         type: PTR
+#         value: mx.domain.net
--- a/roles/unbound/handlers/main.yml
+++ b/roles/unbound/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart unbound
+  service: name=unbound state=restarted
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+
+- name: Install packages
+  yum:
+    name:
+      - unbound
+  tags: unbound
+
+- name: Fetch the root hints
+  get_url:
+    url: https://www.internic.net/domain/named.cache
+    dest: /etc/unbound/root.hints
+  tags: unbound
+
+- name: Deploy unbound configuration
+  template: src=unbound.conf.j2 dest=/etc/unbound/unbound.conf
+  notify: restart unbound
+  tags: unbound
+
+- name: Handle port in the firewall
+  iptables_raw:
+    name: unbound_ports
+    state: "{{ (unbound_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p udp -m multiport --dports {{ unbound_port }} -s {{ unbound_src_ip | join(',') }} -j ACCEPT\n
+            -A INPUT -m state --state NEW -p tcp -m multiport --dports {{ unbound_port }} -s {{ unbound_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: [unbound,firewall]
+
+- name: Start and enable the service
+  service: name=unbound state=started enabled=True
+  tags: unbound
--- a/roles/unbound/templates/unbound.conf.j2
+++ b/roles/unbound/templates/unbound.conf.j2
@@ -0,0 +1,51 @@
+server:
+  verbosity: 1
+  statistics-interval: 0
+  num-threads: 4
+  chroot: ""
+  interface: 0.0.0.0
+  interface-automatic: yes
+  access-control: 0.0.0.0/0 allow
+  port: 53
+  do-ip6: no
+  so-reuseport: yes
+  username: "unbound"
+  directory: "/etc/unbound"
+  logfile: ""
+  log-time-ascii: no
+  pidfile: "/var/run/unbound/unbound.pid"
+  root-hints: "/etc/unbound/root.hints"
+  hide-identity: yes
+  hide-version: yes
+  unwanted-reply-threshold: 10000000
+  prefetch: yes
+  prefetch-key: yes
+  auto-trust-anchor-file: "/var/lib/unbound/root.key"
+  val-log-level: 2
+  module-config: "validator iterator"
+  private-address: 10.0.0.0/8
+  private-address: 172.16.0.0/12
+  private-address: 192.168.0.0/16
+{% for zone in unbound_forward_zones %}
+  private-domain: "{{ zone.name }}"
+  domain-insecure: "{{ zone.name }}"
+{% endfor %}
+{% for zone in unbound_local_zones %}
+  local-zone: "{{ zone.name }}{% if not zone.name is search('\.$') %}.{% endif %}" static
+{% for entry in zone.entries | default([]) %}
+  local-data: "{{ entry.name }}.{{ zone.name }}{% if not zone.name is search('\.$') %}.{% endif %} IN {{ entry.type }} {{ entry.value }}"
+{% endfor %}
+{% endfor %}
+
+remote-control:
+  control-enable: no
+
+{% for zone in unbound_forward_zones %}
+forward-zone:
+  name: "{{ zone.name }}"
+{% for forwarder in zone.forwarders %}
+  forward-addr: {{ forwarder }}
+{% endfor %}
+
+{% endfor %}
+