Add unbound to gw hosts

playbooks/gw.yml

@@ -9,6 +9,9 @@
   vars_files:
     - "{{ ansible_private }}/vars.yml"
 
+  roles:
+    - base
+
   tasks:
     - name: enable ip forwarding
       sysctl:
@@ -19,5 +22,16 @@
         - net.inet.ip.forwarding
         - net.inet6.ip6.forwarding
 
-  roles:
+    - name: copy dns zone files
-    - base
+      copy:
+        dest: "/var/unbound/db/{{ item }}"
+        src: "/srv/dns/{{ item }}"
+        mode: 0644
+        owner: root
+        group: "{{ ansible_wheel }}"
+      notify: restart unbound
+      with_items:
+        - 20.172.in-addr.arpa
+        - home.foo.sh
+    - import_role:
+        name: unbound

roles/unbound/files/unbound.conf.gw01.home.foo.sh

@@ -0,0 +1,27 @@
+
+server:
+    interface: 127.0.0.1
+    interface: ::1
+    interface: 0.0.0.0
+    interface: ::0
+
+    access-control: 127.0.0.0/8 allow
+    access-control: ::1 allow
+    access-control: 172.20.20.0/22 allow
+
+    hide-identity: yes
+    hide-version: yes
+
+    prefetch: yes
+    unblock-lan-zones: yes
+
+remote-control:
+    control-enable: yes
+    control-interface: /var/run/unbound.sock
+
+auth-zone:
+    name: "home.foo.sh"
+    zonefile: "/var/unbound/db/home.foo.sh"
+auth-zone:
+    name: "20.172.in-addr.arpa"
+    zonefile: "/var/unbound/db/20.172.in-addr.arpa"