From 394df29769c6b7e17f7d7dd7311b2e08b9b1a17c Mon Sep 17 00:00:00 2001
From: Richard Lam <54393902+richlamdev@users.noreply.github.com>
Date: Mon, 30 Dec 2024 23:41:55 -0800
Subject: [PATCH] inital commit of unbound role
---
roles/unbound/handlers/main.yml | 5 +
roles/unbound/tasks/dynamic.yml | 19 ++++
roles/unbound/tasks/main.yml | 6 ++
roles/unbound/tasks/static.yml | 45 ++++++++
roles/unbound/templates/unbound.conf.j2 | 134 ++++++++++++++++++++++++
roles/unbound/vars/main.yml | 5 +
6 files changed, 214 insertions(+)
create mode 100644 roles/unbound/handlers/main.yml
create mode 100644 roles/unbound/tasks/dynamic.yml
create mode 100644 roles/unbound/tasks/main.yml
create mode 100644 roles/unbound/tasks/static.yml
create mode 100644 roles/unbound/templates/unbound.conf.j2
create mode 100644 roles/unbound/vars/main.yml
diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml
new file mode 100644
index 0000000..7c277b4
--- /dev/null
+++ b/roles/unbound/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload unbound
+ service:
+ name: unbound
+ state: restarted
diff --git a/roles/unbound/tasks/dynamic.yml b/roles/unbound/tasks/dynamic.yml
new file mode 100644
index 0000000..ec276d8
--- /dev/null
+++ b/roles/unbound/tasks/dynamic.yml
@@ -0,0 +1,19 @@
+---
+# - name: Set _unbound user as owner for /var/unbound/etc folder
+# file:
+# path: /var/unbound/etc
+# owner: _unbound
+# group: "wheel"
+# mode: "0755"
+
+- name: deploy unbound.conf template configuration file
+ template:
+ src: unbound.conf.j2
+ dest: "/etc/unbound/"
+ mode: "0644"
+ owner: "root"
+ group: "root"
+ notify: reload unbound
+
+- name: restart unbound service unconditionally
+ meta: flush_handlers
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
new file mode 100644
index 0000000..98cdfb4
--- /dev/null
+++ b/roles/unbound/tasks/main.yml
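Review bot: The handler is named `reload unbound` but performs `state: restarted`, which drops the resolver cache and briefly interrupts resolution on every configuration change; either rename it to `restart unbound` so the notify in dynamic.yml reads honestly, or use `state: reloaded` if the packaged unit provides an ExecReload (verify on the target before relying on it). It also manages the unit through the `service` module while static.yml in the same patch uses `systemd`; pick one module so both tasks act on the unit the same way.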
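Review bot: The last task is named `restart unbound service unconditionally`, but `meta: flush_handlers` only runs handlers that have been notified, so unbound is restarted only when the rendered template actually changed; rename the task to match that behaviour or drop it and let the handler run at the end of the play. The template task writes `dest: "/etc/unbound/"`, which relies on the template module appending the source basename for a trailing-slash destination — `dest: /etc/unbound/unbound.conf` states the target explicitly. Consider adding `validate: 'unbound-checkconf %s'` to the template task so a rendering or syntax error is rejected before the running resolver is restarted into a broken configuration.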
@@ -0,0 +1,6 @@
+---
+- name: static file configuration
+ import_tasks: static.yml
+
+- name: dynamic file configuration
+ import_tasks: dynamic.yml
diff --git a/roles/unbound/tasks/static.yml b/roles/unbound/tasks/static.yml
new file mode 100644
index 0000000..8da2c6f
--- /dev/null
+++ b/roles/unbound/tasks/static.yml
@@ -0,0 +1,45 @@
+---
+- name: Update APT package cache
+ apt:
+ update_cache: yes
+ cache_valid_time: 3600 # Cache is valid for 1 hour
+
+- name: Install Unbound and ca-certificates
+ apt:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - unbound
+ - unbound-anchor
+ - ca-certificates
+ loop_control:
+ label: "{{ item }}"
+
+- name: Ensure /var/lib/unbound directory exists
+ file:
+ path: /var/lib/unbound
+ state: directory
+ owner: unbound
+ group: unbound
+ mode: '0755'
+
+- name: Download the latest root.hints file
+ get_url:
+ url: https://www.internic.net/domain/named.root
+ dest: /var/lib/unbound/root.hints
+ owner: unbound
+ group: unbound
+ mode: '0644'
+ force: yes
+
+- name: Install root.key from IANA using unbound-anchor
+ shell: '/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key'
+ register: rootkey
+ failed_when: rootkey.rc not in [0, 1]
+ changed_when: "'success' in rootkey.stdout or rootkey.rc == 0"
+
+- name: Ensure Unbound service is enabled and running
+ systemd:
+ name: unbound
+ enabled: yes
+ state: started
diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2
new file mode 100644
index 0000000..82aded7
--- /dev/null
+++ b/roles/unbound/templates/unbound.conf.j2
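Review bot: `changed_when` on the `unbound-anchor` task treats rc 0 as a change, but the EXIT CODE section of unbound-anchor(8) documents 0 as "no update was necessary" (and also as the code used when an error occurred) and 1 as "the anchor was updated or the built-in anchor was written", so the task reports changed on every idle run and `failed_when: rootkey.rc not in [0, 1]` can never catch a failure. Use `changed_when: rootkey.rc == 1` and follow it with a `stat` of `/var/lib/unbound/root.key` that fails the play when the file is missing. The command runs as root, so a freshly written root.key is root-owned, while the daemon runs as `unbound` and must be able to rewrite the `auto-trust-anchor-file` for RFC 5011 rollovers — either run the task with `become_user: unbound` or set `owner`/`group: unbound` on the file afterwards (unless the packaged service already handles this; worth confirming). Minor points: the command uses no shell features, so `command:` fits better than `shell:`; the `apt` loop can pass the three packages as a list to `name:` in one transaction; and `update_cache: yes`, `force: yes` and `enabled: yes` should be written `true`.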
@@ -0,0 +1,134 @@
+# /etc/unbound/unbound.conf
+#
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/examples/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
+
+
+ server:
+ verbosity: 1
+ #logfile: "/var/unbound/etc/unbound.log"
+ #logfile: "/var/log/unbound.log"
+ use-syslog: yes #overrides logfile setting above
+ log-queries: yes
+ log-replies: yes
+ log-tag-queryreply: yes
+ port: 53
+ do-ip4: yes
+ do-ip6: no
+ do-udp: yes
+ do-tcp: yes
+ directory: "/etc/unbound"
+ #chroot: "/var/unbound"
+ interface: {{ host_ip }}
+ interface: 127.0.0.1
+
+ access-control: 0.0.0.0/0 refuse
+ access-control: ::0/0 refuse
+ access-control: {{ network_addr }}/24 allow
+ access-control: 127.0.0.0/8 allow_snoop
+ hide-identity: yes
+ hide-version: yes
+ harden-glue: yes
+ root-hints: "/var/lib/unbound/root.hints"
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ val-clean-additional: yes
+
+ tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
+
+ prefetch: yes
+
+ minimal-responses: yes
+ qname-minimisation: yes
+ rrset-roundrobin: yes
+ ssl-upstream: yes
+ use-caps-for-id: yes
+ harden-dnssec-stripped: yes
+ cache-min-ttl: 3600
+ cache-max-ttl: 86400
+
+ private-address: 192.168.0.0/16
+ private-address: 172.16.0.0/12
+ private-address: 10.0.0.0/8
+
+ private-address: 0.0.0.0/8
+ private-address: 100.64.0.0/10
+ private-address: 127.0.0.0/8
+ private-address: 169.254.0.0/16
+ private-address: 172.16.0.0/12
+ private-address: 192.0.0.0/24
+ private-address: 192.0.2.0/24
+ private-address: 192.88.99.0/24
+ private-address: 198.18.0.0/15
+ private-address: 198.51.100.0/24
+ private-address: 203.0.113.0/24
+ private-address: 224.0.0.0/4
+ private-address: 240.0.0.0/4
+ private-address: 255.255.255.255/32
+
+
+# number of threads to 
create. 1 disables threading. This should equal the number
+# of CPU cores in the machine. Our example machine has 4 CPU cores.
+ num-threads: 4
+
+## Unbound Optimization and Speed Tweaks ###
+
+# the number of slabs to use for cache and must be a power of 2 times the
+# number of num-threads set above. more slabs reduce lock contention, but
+# fragment memory usage.
+ msg-cache-slabs: 8
+ rrset-cache-slabs: 8
+ infra-cache-slabs: 8
+ key-cache-size: 32m
+ key-cache-slabs: 8
+
+# Increase the memory size of the cache. Use roughly twice as much rrset cache
+# memory as you use msg cache memory. Due to malloc overhead, the total memory
+# usage is likely to rise to double (or 2.5x) the total cache memory. The test
+# box has 4gig of ram so 256meg for rrset allows a lot of room for cacheed objects.
+ rrset-cache-size: 512m
+ msg-cache-size: 256m
+
+# buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
+# the kernel buffer larger so that no messages are lost in spikes in the traffic.
+ #so-rcvbuf: 1m
+ #so-rcvbuf: 32m
+
+ outgoing-range: 32768
+ num-queries-per-thread: 4096
+ infra-cache-numhosts: 100000
+
+
+## Unbound Optimization and Speed Tweaks ###
+
+
+# Use an upstream forwarder (recursive resolver) for specific zones.
+# Example addresses given below are public resolvers valid as of 2014/03.
+#
+forward-zone:
+ name: "." 
# use for ALL queries
+ forward-tls-upstream: yes
+ forward-addr: 9.9.9.9@853#dns.quad9.net
+ forward-addr: 149.112.112.112@853#dns.quad9.net
+ forward-addr: 1.1.1.2@853#cloudflare-dns.com
+ forward-addr: 1.0.0.2@853#cloudflare-dns.com
+ forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org
+ forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org
+ forward-addr: 176.103.130.130@853#dns.adguard.com
+ forward-addr: 176.103.130.131@853#dns.adguard.com
+ #forward-addr: 45.90.28.0#b978e6.dns1.nextdns.io
+ #forward-addr: 45.90.30.0#b978e6.dns2.nextdns.io
+
+
+ #forward-addr: 185.222.222.222@853 # dns.sb primary
+ #forward-addr: 185.184.222.222@853 # dns.sb secondary
+ #forward-addr: 8.8.8.8@853 # google primary
+ #forward-addr: 8.8.4.4@853 # google secondary
diff --git a/roles/unbound/vars/main.yml b/roles/unbound/vars/main.yml
new file mode 100644
index 0000000..4120905
--- /dev/null
+++ b/roles/unbound/vars/main.yml
@@ -0,0 +1,5 @@
+# replace network interface as required.
+# within vim - :3,5s/re0/em0/g OR :3,5s/em0/re0/g
+host_ip: "{{ ansible_em0['ipv4'][0].address }}"
+network_addr: "{{ ansible_em0['ipv4'][0].network }}"
+subnet_mask: "{{ ansible_em0['ipv4'][0].netmask }}"
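Review bot: `access-control: {{ network_addr }}/24 allow` hardcodes a /24 even though the role collects `subnet_mask`; on a larger LAN part of the network is refused, and on a smaller one addresses outside it are allowed to recurse, so the prefix length should be derived from the interface facts rather than assumed. `log-queries: yes` and `log-replies: yes` together with `use-syslog: yes` write every client's lookups into syslog, which is a privacy and disk-volume decision that deserves a comment such as `# per-query logging enabled for troubleshooting; disable in normal operation`. `private-address: 172.16.0.0/12` is listed twice, and `cache-min-ttl: 3600` serves records for an hour regardless of the upstream TTL, which delays failover for short-TTL names and should be stated in a comment next to it. `num-threads: 4` and the `*-cache-slabs: 8` values are sized for the 4-core example box described in the comments; templating them from `ansible_processor_vcpus` (slabs rounded up to a power of two) would make the role portable. The comment `Example addresses given below are public resolvers valid as of 2014/03` predates the TLS forwarder list that follows it and should be refreshed or removed.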
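Review bot: `ansible_em0['ipv4'][0].address` indexes the `ipv4` fact as a list, which matches the BSD fact layout (`em0`, `re0`, `_unbound` and `/var/unbound` elsewhere in the patch all point to an OpenBSD origin), but the tasks in this commit target Debian (apt, systemd), where the Linux fact collector exposes `ansible_<iface>.ipv4` as a mapping with `address`/`network`/`netmask` keys, so `[0]` will fail when the template is rendered; `em0` is also not a typical Linux interface name. Using `ansible_default_ipv4.address`, `ansible_default_ipv4.network` and `ansible_default_ipv4.netmask` removes the hardcoded interface and the vim-substitution comment entirely. `subnet_mask` is defined but never used, because the template hardcodes `/24` instead. These values are deployment-specific, so `defaults/main.yml` is a better home than `vars/main.yml`, whose precedence prevents inventory or play vars from overriding them.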