rt1(z9 host) unbound(role) kea_dhcp(role): create unbound and kea_dhcp role for rt1

- create unbound role
- create kea_dhcp role
- configure unbound and kea_dhcp on rt1 (z9 host)
bitwhisker 2026-05-24 04:01:11 +02:00
commit 866005c055
Signed by: bitwhisker
SSH key fingerprint: SHA256:KybIk/tusSKao6eLGY+ILlFa1rCrzwx66/acBAcKUqE
24 changed files with 1043 additions and 0 deletions

roles/unbound/README.md Normal file

@ -0,0 +1,19 @@
# Unbound DNS resolver
Role fora a validating, recursive, caching DNS resolver based on [Unbound](https://nlnetlabs.nl/projects/unbound/about/).
It is designed to be fast and lean and incorporates modern features based on open standards.
- [Documentation](https://unbound.docs.nlnetlabs.nl/en/latest/)
## Role Customization
The following variables can be used to customize this role:
| Variable | Type | Default | Description |
|------------------------------------------|-----------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| unbound_install_prometheus_exporter | Boolean | `true` | Whether [Unbound Exporter](https://github.com/letsencrypt/unbound_exporter) should also be installed to expose resolver statistics in prometheus format. |
| unbound_bind_interfaces | List of Strings | `[0.0.0.0, ::]` | List of interface names or IP addresses on which unbound will listen for dns queries |
| unbound_enable_unbound_control | Boolean | `true` | Whether the [remote control](https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#set-up-remote-control) feature of unbound should be configured. |
| unbound_enable_dnssec | Boolean | `true` | Whether dnssec validation should be enabled |
| unbound_access_control | List of Strings | `[]` | **Required** List of [unbound access control values](https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#:~:text=access-control:%20%3CIP%20netblock%3E%20%3Caction%3E) |
| unbound_disable_systemd_networkd | Boolean | `true` | If true, systemd-networkd is disabled and the local system is pointed towards the configured dns resolver. |


@ -0,0 +1,7 @@
unbound_install_prometheus_exporter: true
unbound_bind_interfaces: [ "0.0.0.0", "::" ]
unbound_disable_systemd_networkd: true
unbound_enable_unbound_control: true
unbound_enable_dnssec: true
unbound_access_control: [ ]
unbound_private_domain: [ ]
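Review bot: `unbound_bind_interfaces` defaults to `0.0.0.0` and `::` while `unbound_access_control` defaults to `[]`, so out of the box the resolver is bound on every interface and only Unbound's built-in localhost-only policy stands between it and the network; the README calls the access-control list required, but nothing in the role enforces that. A least-exposure default is loopback only, `unbound_bind_interfaces: ["127.0.0.1", "::1"]`, with hosts like rt1 opting into wider binding together with an explicit allow-list in their host vars. `unbound_private_domain` is also not listed in the README variable table, so a user of the role cannot discover it. Since this file has no `---` document start, ansible-lint will presumably flag it as well.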


@ -0,0 +1 @@
nameserver 127.0.0.1
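Review bot: The stub configuration only names the IPv4 loopback although unbound is, by default, also bound on `::`; adding a second line `nameserver ::1` keeps IPv6-only processes working and matches the bind list. Because the upstream here is a local validating resolver, `options trust-ad` (glibc 2.31+) would additionally let applications see the AD bit unbound sets; leave it out if `unbound_enable_dnssec` can be `false` on a host that uses this file, since then the AD bit would be trusted without validation.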


@ -0,0 +1,27 @@
- name: unbound.restarted
tags: [ unbound, dns, dns_resolver ]
become: true
ansible.builtin.systemd:
name: unbound.service
state: restarted
- name: unbound.reloaded
tags: [ unbound, dns, dns_resolver ]
become: true
ansible.builtin.systemd:
name: unbound.service
state: reloaded
- name: prometheus-unbound-exporter.restarted
become: true
ansible.builtin.systemd:
name: prometheus-unbound-exporter.service
state: restarted
enabled: true
- name: prometheus-unbound-exporter.enabled
become: true
ansible.builtin.systemd:
name: prometheus-unbound-exporter.service
enabled: true
daemon_reload: true
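Review bot: `prometheus-unbound-exporter.restarted` also sets `enabled: true`, which duplicates the `prometheus-unbound-exporter.enabled` handler, and because handlers run in the order they are defined the `daemon_reload: true` on the second handler only happens after the restart has already been attempted. On a fresh install this presumably works because the package hook reloads systemd, but the intent is clearer with `daemon_reload: true` moved onto the restart handler and `enabled` dropped from it, leaving one handler per concern. `unbound.reloaded` is not notified by any task visible in this commit; either wire it to config changes that do not touch `interface:` lines or remove it. The handler file also lacks a `---` document start, which ansible-lint flags by default.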


@ -0,0 +1,63 @@
- name: unbound role main
tags: [ unbound, dns, dns_resolver ]
block:
- name: install unbound dns resolver
become: true
ansible.builtin.package:
name: unbound
- name: install extra dns tooling
become: true
ansible.builtin.package:
name: [ bind ] # the bind package includes tools like dig in archlinux
- name: ensure correct directory permissions
become: true
ansible.builtin.file:
path: /etc/unbound
state: directory
mode: u=rwX,g=rX,o=rX
recurse: true
owner: unbound
group: unbound
- name: configure unbound dns resolver
become: true
notify: unbound.restarted
ansible.builtin.template:
src: unbound.conf.j2
dest: /etc/unbound/unbound.conf
owner: unbound
group: unbound
mode: u=rw,g=r,o=r
- name: ensure unbound is running and enabled
become: true
ansible.builtin.systemd:
name: unbound.service
state: started
enabled: true
- name: disable systemd-resolved
become: true
when: unbound_disable_systemd_networkd
ansible.builtin.systemd:
name: systemd-resolved.service
state: stopped
enabled: false
- name: configure system resolver to point to local unbound
become: true
when: unbound_disable_systemd_networkd
ansible.builtin.copy:
src: no-resolved.resolv.conf
dest: /etc/resolv.conf
owner: unbound
group: unbound
mode: u=rw,g=r,o=r
- name: install and configure prometheus-exporter for unbound
ansible.builtin.import_tasks: prometheus-exporter.yml
when: unbound_install_prometheus_exporter
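Review bot: The `ensure correct directory permissions` task recursively chowns `/etc/unbound` to `unbound:unbound` with `u=rwX`, and the template task then writes `unbound.conf` owned by `unbound` with `u=rw`, so the daemon can rewrite its own configuration — a compromised resolver process could re-point the `auth-zone` primaries, switch off validation or widen `access-control`. Only the `auto-trust-anchor-file` needs to be writable by the service user; keep the directory and `unbound.conf` root-owned with group `unbound` (`0750`/`0640`) and give the anchor file its own `ansible.builtin.file` task with `owner: unbound`, and apply the same to `/etc/resolv.conf`, which is a system-wide file and should be `root:root 0644` rather than owned by the service account. A `validate: unbound-checkconf %s` on the template task should also keep a bad render from taking DNS down on restart, since every path in the template is absolute. Two smaller points: the variable gating the last two conditional tasks is named `unbound_disable_systemd_networkd` but what is stopped is `systemd-resolved.service` (rename it or document the mismatch), and unbound is started before resolved is stopped, so on a first run with the stub listener still holding `127.0.0.53:53` the start may fail — moving the resolved tasks ahead of `ensure unbound is running` avoids that. The rewritten permission-related tasks are below; the installation and service tasks are unchanged.

```yaml
    - name: ensure correct directory permissions
      become: true
      ansible.builtin.file:
        path: /etc/unbound
        state: directory
        owner: root
        group: unbound
        mode: "0750"
    - name: configure unbound dns resolver
      become: true
      notify: unbound.restarted
      ansible.builtin.template:
        src: unbound.conf.j2
        dest: /etc/unbound/unbound.conf
        owner: root
        group: unbound
        mode: "0640"
        validate: unbound-checkconf %s
    # … unchanged: service start/enable and systemd-resolved tasks …
    - name: configure system resolver to point to local unbound
      become: true
      when: unbound_disable_systemd_networkd
      ansible.builtin.copy:
        src: no-resolved.resolv.conf
        dest: /etc/resolv.conf
        owner: root
        group: root
        mode: "0644"
```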


@ -0,0 +1,17 @@
---
- name: install unbound prometheus exporter
become: true
ansible.builtin.package:
name: prometheus-unbound-exporter
notify: prometheus-unbound-exporter.enabled
- name: configure unbound exporter
become: true
ansible.builtin.copy:
dest: /etc/conf.d/prometheus-unbound-exporter
content: |
UNBOUND_EXPORTER_ARGS="-unbound.ca "" -unbound.cert "" -unbound.host "unix:///run/unbound-control.sock"
owner: root
group: root
mode: '0660'
notify: prometheus-unbound-exporter.restarted
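Review bot: The `content` line builds `UNBOUND_EXPORTER_ARGS` with an odd number of unescaped double quotes (`"-unbound.ca "" -unbound.cert "" -unbound.host "unix:///…"`), which is an unterminated string under POSIX shell rules and is unlikely to yield the intended three flags under systemd's `EnvironmentFile=` parser either; the practical effect is that the "no TLS" meaning of the empty `-unbound.ca`/`-unbound.cert` values is lost. The `flag=` form needs no inner quotes at all: `UNBOUND_EXPORTER_ARGS='-unbound.ca= -unbound.cert= -unbound.host=unix:///run/unbound-control.sock'`. The file holds no secret, so the conventional `mode: '0644'` is preferable to `0660` for a root-owned `/etc/conf.d` entry (systemd reads it as PID 1, so it works either way, but the restrictive mode suggests a secret that is not there). Whether the exporter's service user can open `/run/unbound-control.sock` depends on the socket's ownership and mode, which the unbound configuration in this commit does not set; confirm on rt1 after the first run and, if needed, add the exporter user to the `unbound` group.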


@ -0,0 +1,73 @@
# ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
# unbound.conf(5) man page
server:
{% if unbound_enable_dnssec -%}
# disable chroot because unbound is the only thing running on the VM
# and because it has issues with how archlinux configures the systemd units write protection regarding the anchor file
chroot: ""
# location of the trust anchor file that enables DNSSEC
# this file is generated by the `unbound-anchor` command
auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
{% endif -%}
# use all CPUs
num-threads: 2
# more cache memory
rrset-cache-size: 60m
msg-cache-size: 30m
# prefetch to keep the cache up to date
prefetch: yes
# fetch the DNSKEYs earlier in the validation process, when a DS record is encountered
prefetch-key: yes
# Faster UDP with multithreading (only on Linux).
so-reuseport: yes
# disable special large send buffer handling and just use kernel defaults
so-sndbuf: 0
# send minimal amount of information to upstream servers to enhance privacy
qname-minimisation: yes
# specify the interface to answer queries from by ip-address.
{% for i in unbound_bind_interfaces -%}
interface: "{{ i }}"
{% endfor %}
# addresses from the IP range that are allowed to connect to the resolver
{% for i in unbound_access_control -%}
access-control: {{ i }}
{% endfor -%}
{% for i in unbound_private_domain -%}
private-domain: {{ i }}
{% endfor -%}
# The number of seconds between printing statistics to the log for every thread.
statistics-interval: 0
# Extended statistics are printed, Keeping track of more statistics takes time.
extended-statistics: yes
remote-control:
control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }}
control-interface: /run/unbound-control.sock
# configure some zones for which this resolver will act authoritatively
# https://www.dns.icann.org/services/axfr/
{% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %}
auth-zone:
name: "{{ i }}"
primary: "lax.xfr.dns.icann.org"
primary: "iad.xfr.dns.icann.org"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
{% endfor %}
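Review bot: `auto-trust-anchor-file: "/etc/unbound/trusted-key.key"` requires that file to exist and be writable by the unbound user before the first start, and none of the tasks in this commit run `unbound-anchor` or ship it; if it is not provided by one of the files not shown here, a fresh host will fail validation on every query. An `ansible.builtin.command: unbound-anchor -a /etc/unbound/trusted-key.key` with `args: {creates: /etc/unbound/trusted-key.key}` and `failed_when: rc > 1` (unbound-anchor exits 1 when it fetched a fresh anchor) before the service is started closes that gap. The `# use all CPUs` comment does not match the hard-coded `num-threads: 2`; `num-threads: {{ ansible_processor_vcpus | default(2) }}` makes the comment true. With `unbound_access_control` empty the rendered file contains no `access-control:` lines and falls back to unbound's built-in localhost-only policy while still binding every `interface:` listed, so the "required" in the README is only enforced by accident — an `ansible.builtin.assert` on the variable in the tasks would make it real, and since the ICANN AXFR for the `.` copy is unauthenticated it is worth a comment that `for-upstream: yes` is only safe while `unbound_enable_dnssec` is on. If the template continues past the auth-zone loop, this note covers only the part visible here.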