Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/pimvh/unbound
Ansible role to configure Unbound
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/pimvh/unbound
- Owner: pimvh
- License: gpl-3.0
- Created: 2022-11-24T12:19:24.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2024-05-20T18:51:36.000Z (7 months ago)
- Last Synced: 2024-05-20T22:10:56.976Z (7 months ago)
- Topics: ansible, dnssec, molecule-tested, resolver, role, unbound
- Language: Jinja
- Homepage:
- Size: 82 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
![Molecule test](https://github.com/pimvh/unbound/actions/workflows/test.yaml/badge.svg)
# Requirements
1. Ansible installed:
```
sudo apt install python3
python3 -m ensurepip --upgrade
pip3 install ansible
```
## Required variables
Review the variables shown in the defaults. Most have sensible defaults, but you probably want to override some.
You probably want to pass interfaces and additional access controls:
```
---
unbound_interfaces:
  - "127.0.0.1"
  - "::1"
  - << another IP here >>
  - << another IP here >>

unbound_dns_port: "53"
unbound_do_ipv4: "yes"
unbound_do_ipv6: "yes"
unbound_forward_tls_upstream: "no"
unbound_prefer_ipv6: "yes"
unbound_do_udp: "yes"
unbound_do_tcp: "yes"
unbound_verbosity: "0"
unbound_log_queries: "no"
unbound_log_replies: "no"
unbound_log_tag_queryreply: "no"
unbound_log_local_actions: "no"
unbound_log_servfail: "no"
unbound_private_domains:
  - "home.lan"

# Only give access to recursion clients from LAN IPs
unbound_additional_access_controls:
  - cidr_range: 10.0.0.0/8
    action: allow
  - cidr_range: 127.0.0.0/8
    action: allow
  - cidr_range: 127.0.0.1/32
    action: allow
  - cidr_range: 172.16.0.0/12
    action: allow
  - cidr_range: 192.168.0.0/16
    action: allow
  - cidr_range: fc00::/7
    action: allow
  - cidr_range: ::1/128
    action: allow
  - cidr_range: << allow another range >>
    action: allow

unbound_local_zones: []
# or with values:
# unbound_local_zones:
#   - name: mydomain.lan
#     type: nodefault
#   - name: .10.in-addr.arpa.
#     type: nodefault

unbound_stub_zones: []
# or with values:
# unbound_stub_zones:
#   - name: "mydomain.lan"
#     secure: false
#     addr: "<< ip addr >>@53"

unbound_forward_zones: {}
# or with values:
# unbound_forward_zones:
# dot configure everything else
#   - name: "<< zone name to forward >>"
#     forward_addrs: []
#     forward_hosts:
#       - # host to forward to
#   - name: "." # or forward everything like t
#     either can be empty
#     forward_addrs:
#       - # to these addresses
#     forward_hosts:
#       - # or hosts
```
The Ansible playbook validates that the required variables are defined before it runs.
# Example playbook
```
# Apply the role to the target host group
- hosts:
    - foo
  roles:
    - pimvh.unbound
```
# TLDR - What will happen if I run this
- Validate whether rules/some other variables are defined.
- Create a service that pulls in the root hints monthly.
- Install Unbound, if `unbound_install` is enabled.
- Push the config.
- Point that system's systemd-resolved to Unbound first.
- Verify whether Unbound resolves a domain.
# Sources
- [Archlinux wiki on fetching root hints](https://wiki.archlinux.org/title/Unbound)
- [calomel.org for unbound configuration template](https://calomel.org)