fix(dns): internalize Unbound config
This commit is contained in:
parent
85f1f01fb7
commit
6357bc6c21
3 changed files with 61 additions and 9 deletions
|
|
@ -1,7 +1,7 @@
|
||||||
- name: Setup unbound config
|
- name: Setup unbound config
|
||||||
become: true
|
become: true
|
||||||
copy:
|
template:
|
||||||
src: "{{ home }}/.dots/config/unbound/unbound.conf"
|
src: "unbound.conf"
|
||||||
dest: "/etc/unbound/unbound.conf"
|
dest: "/etc/unbound/unbound.conf"
|
||||||
owner: unbound
|
owner: unbound
|
||||||
mode: "u=rwX,g=rX,o="
|
mode: "u=rwX,g=rX,o="
|
||||||
|
|
@ -32,15 +32,16 @@
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
- name: Create unbound configs dir
|
- name: Create unbound configs dir
|
||||||
|
become: true
|
||||||
file:
|
file:
|
||||||
state: directory
|
state: directory
|
||||||
path: "/etc/unbound/config.d"
|
path: "/etc/unbound/config.d"
|
||||||
|
|
||||||
# copy from dots file to the /etc/unbound/config.d the additonal config enabled
|
# # copy from dots file to the /etc/unbound/config.d the additonal config enabled
|
||||||
- name: Setup additonal profile config
|
# - name: Setup additonal profile config
|
||||||
when: organization is defined and "unbound" in organization_customize
|
# when: organization is defined and "unbound" in organization_customize
|
||||||
become: true
|
# become: true
|
||||||
copy:
|
# copy:
|
||||||
src: "{{ home }}/.dots/profiles/{{ organization }}/configs/unbound.conf"
|
# src: "{{ home }}/.dots/profiles/{{ organization }}/configs/unbound.conf"
|
||||||
dest: "/etc/unbound/config.d/{{ organization }}.conf"
|
# dest: "/etc/unbound/config.d/{{ organization }}.conf"
|
||||||
|
|
||||||
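Review bot: The second hunk parks the `Setup additonal profile config` task by commenting it out rather than deleting it, while `Create unbound configs dir` (now with `become: true`) and the template's `include: /etc/unbound/config.d/*` are kept, so the role now creates and includes a directory that nothing populates; either drop the dead block and let git history keep it, or add a comment stating why it is parked, e.g. `# Disabled until per-organization unbound configs are moved into the role`. In the first hunk, switching from `copy` to `template` is the right place to add `validate: "unbound-checkconf %s"` so a rendering or syntax error is caught before the live `/etc/unbound/unbound.conf` is replaced. `owner: unbound` has no matching `group:`, so the group is left to the module's default rather than pinned; `group: unbound` would make the `g=rX` mode bits meaningful. The enclosing tasks file's path is not visible on this page, so this is presumably the dns role's tasks file.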
|
|
|
||||||
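--- a/ansible/roles/dns/templates/unbound.conf
+++ b/ansible/roles/dns/templates/unbound.conf
@@ -0,0 +1,48 @@
+server:
+interface: 0.0.0.0
+interface: ::0
+interface-automatic: yes
+
+# Also listen on docker to allow docker container to reach unbound
+#interface: 172.17.0.1
+access-control: 172.0.0.0/8 allow
+access-control: 172.31.0.0/16 allow
+
+trust-anchor-file: "/etc/unbound/trusted-key.key"
+
+cache-max-ttl: 86400
+cache-min-ttl: 7200
+
+hide-identity: yes
+hide-version: yes
+
+qname-minimisation: yes
+
+aggressive-nsec: yes
+prefetch: yes
+serve-expired: yes
+serve-expired-ttl: 86400
+
+#tls-upstream: yes
+#tls-cert-bundle: /etc/ca-certificates/extracted/tls-ca-bundle.pem
+
+#verbosity: 1
+#log-queries: yes
+# use journalctl to see the logs
+# e.g : journalctl --since 2023-01-01 -f -u unbound
+
+local-data: "my-resolver.internal TXT local unbound"
+local-zone: "custom.verify" redirect
+local-data: "custom.verify A 42.42.42.42"
+local-zone: "jpp.jpp" redirect
+local-data: "jpp.jpp A 1.1.1.1"
+local-zone: "e.e" redirect
+local-data: "e.e A 42.42.42.42"
+
+remote-control:
+control-enable: yes
+control-interface: 127.0.0.1
+
+# Include others namespace/domains configs
+include: /etc/unbound/config.d/*
+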
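Review bot: `access-control: 172.0.0.0/8 allow` opens recursion to the whole 172/8 block, most of which is public address space, while the comment above it only names the Docker bridge (172.17.0.1); together with `interface: 0.0.0.0` this is far broader than the stated intent. Narrow it to the private range the containers actually use, e.g. `access-control: 172.16.0.0/12 allow` (or `172.17.0.0/16 allow` for the default bridge only), which also makes the separate `172.31.0.0/16` line redundant. `cache-min-ttl: 7200` forces every record to be served for at least two hours regardless of the authoritative TTL, which delays upstream failover and key rotation; a one-line comment stating that this is deliberate would help the next maintainer. Since the file is now rendered by the `template` module, any literal `{{`, `{%` or `{#` added later will be interpreted by Jinja and needs escaping.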
|
|
@ -164,3 +164,6 @@
|
||||||
name: uv_tools
|
name: uv_tools
|
||||||
with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}"
|
with_items: "{{ lookup('pipe', 'cat packages/essentials/python_packages.yaml | python3 parse_arch_packages.py all') | from_json }}"
|
||||||
|
|
||||||
|
- name: Setup DNS forwarding (with Unbound)
|
||||||
|
include_role:
|
||||||
|
name: dns
|
||||||
|
|
|
||||||