From 8d234782df507b8584c599e8ffa09a3e6bd65a2c Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 25 Mar 2021 21:50:09 +0000
Subject: [PATCH] Add unbound to gw hosts

---
 playbooks/gw.yml | 18 +++++++++++--
 .../files/unbound.conf.gw01.home.foo.sh | 27 +++++++++++++++++++
 2 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 roles/unbound/files/unbound.conf.gw01.home.foo.sh

diff --git a/playbooks/gw.yml b/playbooks/gw.yml
index d9de521..1fc042c 100644
--- a/playbooks/gw.yml
+++ b/playbooks/gw.yml
@@ -9,6 +9,9 @@
 vars_files:
 - "{{ ansible_private }}/vars.yml"
 
+ roles:
+ - base
+
 tasks:
 - name: enable ip forwarding
 sysctl:
@@ -19,5 +22,16 @@
 - net.inet.ip.forwarding
 - net.inet6.ip6.forwarding
 
- roles:
- - base
+ - name: copy dns zone files
+ copy:
+ dest: "/var/unbound/db/{{ item }}"
+ src: "/srv/dns/{{ item }}"
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: restart unbound
+ with_items:
+ - 20.172.in-addr.arpa
+ - home.foo.sh
+ - import_role:
+ name: unbound
diff --git a/roles/unbound/files/unbound.conf.gw01.home.foo.sh b/roles/unbound/files/unbound.conf.gw01.home.foo.sh
new file mode 100644
index 0000000..4ab4b41
--- /dev/null
+++ b/roles/unbound/files/unbound.conf.gw01.home.foo.sh
@@ -0,0 +1,27 @@
+
+server:
+ interface: 127.0.0.1
+ interface: ::1
+ interface: 0.0.0.0
+ interface: ::0
+
+ access-control: 127.0.0.0/8 allow
+ access-control: ::1 allow
+ access-control: 172.20.20.0/22 allow
+
+ hide-identity: yes
+ hide-version: yes
+
+ prefetch: yes
+ unblock-lan-zones: yes
+
+remote-control:
+ control-enable: yes
+ control-interface: /var/run/unbound.sock
+
+auth-zone:
+ name: "home.foo.sh"
+ zonefile: "/var/unbound/db/home.foo.sh"
+auth-zone:
+ name: "20.172.in-addr.arpa"
+ zonefile: "/var/unbound/db/20.172.in-addr.arpa"
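Review bot: `mode: 0644` in the new "copy dns zone files" task is an unquoted leading-zero octal; Ansible's YAML 1.1 loader reads it as an octal integer and the file modules map that back to 0644, but a YAML 1.2 loader reads it as decimal 644 and yamllint flags the form, so write `mode: "0644"` as the Ansible docs recommend. The copy task also runs before `import_role: unbound` in the same play, so it relies on /var/unbound/db/ already existing and on a `restart unbound` handler that, presumably, lives in the role imported only afterwards; if that role is what creates the directory or installs unbound, placing the copy after the import (or letting the role own the zone files) avoids a first-run failure. `with_items` could become `loop:` for consistency with current Ansible style. The play header (hosts, vars) and the rest of the sysctl task are outside these hunks.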
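Review bot: `interface: 0.0.0.0` and `interface: ::0` in the new unbound.conf bind the resolver on every address of a gateway host, including the outward-facing one, so the access-control list is the only thing between outside clients and the listener (unbound refuses by default, but the port still answers). Binding loopback and the LAN addresses explicitly, or noting in a comment that the packet filter drops inbound port 53 on the external interface, would make that intent visible. The IPv6 side is inconsistent: `::0` is listened on but only `::1` is allowed, so any LAN client querying over IPv6 is refused; either add the LAN IPv6 prefix as an `access-control:` line or drop `interface: ::0`. A short header comment naming the host this file is for and why `unblock-lan-zones: yes` is set (presumably so the 20.172.in-addr.arpa auth-zone is not shadowed by unbound's built-in private-address local-zones, worth confirming) would help the next reader.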