fix(dns): internalize Unbound config

2025-10-08 01:18:30 +02:00 · 2025-10-08 01:18:30 +02:00 · 6357bc6c21
commit 6357bc6c21
parent 85f1f01fb7
3 changed files with 61 additions and 9 deletions
--- a/ansible/roles/dns/tasks/main.yaml
+++ b/ansible/roles/dns/tasks/main.yaml
@ -1,7 +1,7 @@
 - name: Setup unbound config
  become: true
-  copy:
-    src: "{{ home }}/.dots/config/unbound/unbound.conf"
+  template:
+    src: "unbound.conf"
    dest: "/etc/unbound/unbound.conf"
    owner: unbound
    mode: "u=rwX,g=rX,o="
@ -32,15 +32,16 @@
    enabled: true

 - name: Create unbound configs dir
+  become: true
  file:
    state: directory
    path: "/etc/unbound/config.d"

-# copy from dots file to the /etc/unbound/config.d the additonal config enabled
- name: Setup additonal profile config
-  when: organization is defined and "unbound" in organization_customize
-  become: true
-  copy:
-    src: "{{ home }}/.dots/profiles/{{ organization }}/configs/unbound.conf"
-    dest: "/etc/unbound/config.d/{{ organization }}.conf"
+# # copy from dots file to the /etc/unbound/config.d the additonal config enabled
+# - name: Setup additonal profile config
+#   when: organization is defined and "unbound" in organization_customize
+#   become: true
+#   copy:
+#     src: "{{ home }}/.dots/profiles/{{ organization }}/configs/unbound.conf"
+#     dest: "/etc/unbound/config.d/{{ organization }}.conf"

--- a/ansible/roles/dns/templates/unbound.conf
+++ b/ansible/roles/dns/templates/unbound.conf
@ -0,0 +1,48 @@
+server:
+    interface: 0.0.0.0
+    interface: ::0
+    interface-automatic: yes
+    
+    # Also listen on docker to allow docker container to reach unbound
+    #interface: 172.17.0.1
+    access-control: 172.0.0.0/8 allow
+    access-control: 172.31.0.0/16 allow
+    
+    trust-anchor-file: "/etc/unbound/trusted-key.key"
+    
+    cache-max-ttl: 86400
+    cache-min-ttl: 7200
+    
+    hide-identity: yes
+    hide-version: yes
+    
+    qname-minimisation: yes
+    
+    aggressive-nsec: yes
+    prefetch: yes
+    serve-expired: yes
+    serve-expired-ttl: 86400
+    
+    #tls-upstream: yes
+    #tls-cert-bundle: /etc/ca-certificates/extracted/tls-ca-bundle.pem
+
+    #verbosity: 1
+    #log-queries: yes
+    # use journalctl to see the logs
+    # e.g : journalctl --since 2023-01-01 -f -u unbound
+
+    local-data: "my-resolver.internal TXT local unbound"
+    local-zone: "custom.verify" redirect
+    local-data: "custom.verify A 42.42.42.42"
+    local-zone: "jpp.jpp" redirect
+    local-data: "jpp.jpp A 1.1.1.1"
+    local-zone: "e.e" redirect
+    local-data: "e.e A 42.42.42.42"
+
+remote-control:
+	control-enable: yes
+	control-interface: 127.0.0.1
+
+# Include others namespace/domains configs
+include: /etc/unbound/config.d/*
+
--- a/ansible/workstation.yaml
+++ b/ansible/workstation.yaml
@ -164,3 +164,6 @@
        name: uv_tools
      with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}"

+    - name: Setup DNS forwarding (with Unbound)
+      include_role:
+        name: dns