From c41495066b0f0eb740f2577608cad838f5ee8997 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 25 Mar 2021 17:38:21 +0000
Subject: [PATCH] unbound: Initial version of role
---
 .../files/unbound.conf.nms01.home.foo.sh | 35 +++++++++++++++++++
 .../files/unbound.conf.nms02.home.foo.sh | 1 +
 .../files/unbound.conf.print01.home.foo.sh | 35 +++++++++++++++++++
 roles/unbound/handlers/main.yml | 5 +++
 roles/unbound/tasks/main.yml | 29 +++++++++++++++
 5 files changed, 105 insertions(+)
 create mode 100644 roles/unbound/files/unbound.conf.nms01.home.foo.sh
 create mode 120000 roles/unbound/files/unbound.conf.nms02.home.foo.sh
 create mode 100644 roles/unbound/files/unbound.conf.print01.home.foo.sh
 create mode 100644 roles/unbound/handlers/main.yml
 create mode 100644 roles/unbound/tasks/main.yml
diff --git a/roles/unbound/files/unbound.conf.nms01.home.foo.sh b/roles/unbound/files/unbound.conf.nms01.home.foo.sh
new file mode 100644
index 0000000..27961bd
--- /dev/null
+++ b/roles/unbound/files/unbound.conf.nms01.home.foo.sh
@@ -0,0 +1,35 @@
+
+server:
+ interface: 0.0.0.0
+ interface: ::0
+
+ access-control: 127.0.0.0/8 allow
+ access-control: ::1 allow
+ access-control: 172.20.25.1/32 allow
+ access-control: 172.20.25.2/32 allow
+ access-control: 172.20.25.3/32 allow
+ access-control: 172.20.25.0/24 refuse_non_local
+
+ hide-identity: yes
+ hide-version: yes
+
+ chroot: ""
+
+ unblock-lan-zones: yes
+
+remote-control:
+ control-enable: yes
+ control-interface: /var/run/unbound.sock
+
+forward-zone:
+ name: "."
+ forward-addr: 172.20.20.10
+ forward-addr: 172.20.21.1
+ forward-addr: 172.20.21.2
+
+auth-zone:
+ name: "oob.foo.sh"
+ zonefile: "/var/lib/unbound/oob.foo.sh"
+auth-zone:
+ name: "25.20.172.in-addr.arpa"
+ zonefile: "/var/lib/unbound/25.20.172.in-addr.arpa"
diff --git a/roles/unbound/files/unbound.conf.nms02.home.foo.sh b/roles/unbound/files/unbound.conf.nms02.home.foo.sh
new file mode 120000
index 0000000..828eef3
--- /dev/null
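Review bot: `chroot: ""` in the server block switches off unbound's chroot with no comment saying why, and removing a default hardening layer is exactly the kind of change that should be justified in the file. It looks like the motivation is that `control-interface: /var/run/unbound.sock` and the two `zonefile:` paths under /var/lib/unbound sit outside the usual chroot directory; either add `# chroot disabled: control socket and auth-zone files live outside /etc/unbound` above the line, or move those paths inside the chroot and drop the override. Separately, as far as this file shows there is no `auto-trust-anchor-file`/`trust-anchor-file` at all, and because the role replaces the distribution unbound.conf wholesale, answers from the three `forward-addr` upstreams are accepted without DNSSEC validation; if validation is intended, add `auto-trust-anchor-file: "/var/lib/unbound/root.key"` (adjust the path to match the zonefile directory), otherwise a comment stating that the forwarders are trusted would make the choice explicit.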
+++ b/roles/unbound/files/unbound.conf.nms02.home.foo.sh
@@ -0,0 +1 @@
+unbound.conf.nms01.home.foo.sh
\ No newline at end of file
diff --git a/roles/unbound/files/unbound.conf.print01.home.foo.sh b/roles/unbound/files/unbound.conf.print01.home.foo.sh
new file mode 100644
index 0000000..4c7c108
--- /dev/null
+++ b/roles/unbound/files/unbound.conf.print01.home.foo.sh
@@ -0,0 +1,35 @@
+
+server:
+ interface: 0.0.0.0
+ interface: ::0
+
+ access-control: 127.0.0.0/8 allow
+ access-control: ::1 allow
+ access-control: 172.20.24.1/32 allow
+ access-control: 172.20.24.2/32 allow
+ access-control: 172.20.24.3/32 allow
+ access-control: 172.20.24.0/24 refuse_non_local
+
+ hide-identity: yes
+ hide-version: yes
+
+ chroot: ""
+
+ unblock-lan-zones: yes
+
+remote-control:
+ control-enable: yes
+ control-interface: /var/run/unbound.sock
+
+forward-zone:
+ name: "."
+ forward-addr: 172.20.20.10
+ forward-addr: 172.20.21.1
+ forward-addr: 172.20.21.2
+
+auth-zone:
+ name: "print.foo.sh"
+ zonefile: "/var/lib/unbound/print.foo.sh"
+auth-zone:
+ name: "24.20.172.in-addr.arpa"
+ zonefile: "/var/lib/unbound/24.20.172.in-addr.arpa"
diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml
new file mode 100644
index 0000000..91239c1
--- /dev/null
+++ b/roles/unbound/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart unbound
+ service:
+ name: unbound
+ state: restarted
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
new file mode 100644
index 0000000..581b236
--- /dev/null
+++ b/roles/unbound/tasks/main.yml
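Review bot: Both `auth-zone` stanzas point at `zonefile:` paths under /var/lib/unbound that nothing in this commit creates or fetches — there is no `primary:`/`url:` in the stanza and no task in the role deploys the files — so on a freshly built host the print.foo.sh and 24.20.172.in-addr.arpa zones depend on out-of-band data and the `refuse_non_local` clients on 172.20.24.0/24, which can only ask for local data, get nothing useful until it appears. Either ship the zonefiles from the role or add a `primary:` so unbound transfers them, and add a one-line comment above each stanza naming where the zone data comes from. It is also worth confirming that `refuse_non_local` admits `auth-zone` answers in the unbound version you deploy, since that action historically covered only local-zone/local-data. A style point: this file differs from unbound.conf.nms01.home.foo.sh only in the subnet octet (24 vs 25) and the zone names, so one Jinja template driven by host vars (`access-control: {{ unbound_lan_net }} refuse_non_local`) would remove the duplicated policy and keep the two hosts from drifting apart.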
@@ -0,0 +1,29 @@
+---
+- name: install packages
+ package:
+ name: unbound
+ state: installed
+ when: ansible_os_family != "OpenBSD"
+
+- name: create control keys
+ command:
+ argv:
+ - unbound-control-setup
+ creates: /etc/unbound/unbound_control.key
+ notify: restart unbound
+
+- name: copy config
+ copy:
+ dest: /etc/unbound/unbound.conf
+ src: "unbound.conf.{{ inventory_hostname }}"
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+ validate: "unbound-checkconf %s"
+ notify: restart unbound
+
+- name: enable service
+ service:
+ name: unbound
+ state: started
+ enabled: true
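Review bot: The OpenBSD special-casing at `when: ansible_os_family != "OpenBSD"` covers only package installation, while the next two tasks hard-code `/etc/unbound/unbound_control.key` and `/etc/unbound/unbound.conf`; if OpenBSD's base unbound keeps its configuration under its own chroot directory, as I believe it does, the role writes a config the daemon never reads and still reports success. Either parameterize the directory (`unbound_confdir: "{{ '/var/unbound/etc' if ansible_os_family == 'OpenBSD' else '/etc/unbound' }}"` and use it in both `creates:` and `dest:`) or drop the OpenBSD branch until it is actually supported. `state: installed` is not one of the documented states of the generic `package` module; `state: present` is the portable choice. Finally, the shipped configs use a unix-socket `control-interface`, for which unbound does not use the TLS key pair, so a comment on the "create control keys" task explaining that it is kept for TCP control interfaces (or removing the task) would make its purpose clear.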