CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 1
Code Issues 9 Pull requests 10 Wiki Activity Actions

WIP: new z9 ccchh router #98

Draft
bitwhisker wants to merge 15 commits from new_ccchh_router into main
pull from: new_ccchh_router
merge into: CCCHH:main
Conversation 2 Commits 15 Files changed 44 +22 -29
5 changed files with 22 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 0a74ac02c2 - Show all commits

unbound(role): use existing deploy_systemd_resolved_config role and some reordering

Prev Next
bitwhisker 2026-05-26 10:06:52 +02:00
commit 0a74ac02c2
Signed by: bitwhisker
SSH key fingerprint: SHA256:KybIk/tusSKao6eLGY+ILlFa1rCrzwx66/acBAcKUqE

3
inventories/z9/hosts.yaml
View file

@ -17,6 +17,9 @@ all:
z9-router: z9-router:
bitwhisker marked this conversation as resolved Outdated
june commented 2026-05-24 16:51:45 +02:00
Outdated
Copy link

It's fine, just feel like rt1 is one of those obscure names again, which gives more trouble than benefit.

It's fine, just feel like `rt1` is one of those obscure names again, which gives more trouble than benefit.
bitwhisker commented 2026-05-24 21:34:26 +02:00
Outdated
Copy link

do you have an idea/a proposal for a better name?
maybe z9-router or something like that?
I would say it would not be a good idea to name it just router,
because of the indirect name collision with the chaosknoten router.

do you have an idea/a proposal for a better name? maybe z9-router or something like that? I would say it would not be a good idea to name it just router, because of the indirect name collision with the chaosknoten router.
june commented 2026-05-24 22:14:02 +02:00
Outdated
Copy link

Oh, that totally makes sense. I'm fine with the name, if others really like it, but personally I would prefer something like z9-router indeed.

Oh, that totally makes sense. I'm fine with the name, if others really like it, but personally I would prefer something like `z9-router` indeed.
👍 1
ansible_host: z9-router.ccchh.net ansible_host: z9-router.ccchh.net
ansible_user: chaos ansible_user: chaos
base_config_hosts:
hosts:
z9-router:
certbot_hosts: certbot_hosts:
hosts: hosts:
dooris: dooris:

7
roles/unbound/handlers/main.yml
View file

@ -18,10 +18,3 @@
name: prometheus-unbound-exporter.service name: prometheus-unbound-exporter.service
state: restarted state: restarted
enabled: true enabled: true
- name: prometheus-unbound-exporter.enabled
become: true
ansible.builtin.systemd:
name: prometheus-unbound-exporter.service
enabled: true
daemon_reload: true

24
roles/unbound/tasks/main.yml
View file

@ -7,11 +7,6 @@
ansible.builtin.package: ansible.builtin.package:
name: unbound name: unbound
- name: install extra dns tooling
become: true
ansible.builtin.package:
name: [ bind ] # the bind package includes tools like dig in archlinux
- name: ensure correct directory permissions - name: ensure correct directory permissions
become: true become: true
ansible.builtin.file: ansible.builtin.file:
@ -40,23 +35,10 @@
enabled: true enabled: true
- name: disable systemd-resolved - name: disable systemd-resolved
become: true
when: unbound_disable_systemd_networkd when: unbound_disable_systemd_networkd
ansible.builtin.systemd: ansible.builtin.include_role:
name: systemd-resolved.service name: deploy_systemd_resolved_config
state: stopped vars_from: deploy_systemd_resolved_config
enabled: false
- name: configure system resolver to point to local unbound
become: true
when: unbound_disable_systemd_networkd
ansible.builtin.copy:
src: no-resolved.resolv.conf
dest: /etc/resolv.conf
owner: unbound
group: unbound
mode: u=rw,g=r,o=r
bitwhisker marked this conversation as resolved Outdated
june commented 2026-05-24 18:46:03 +02:00
Outdated
Copy link

We have a nice role for managing systemd-resolved already, so no need to duplicate functionality here.
See: 7832978ff7/roles/deploy_systemd_resolved_config

We have a nice role for managing systemd-resolved already, so no need to duplicate functionality here. See: https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/7832978ff732208f2f29f04ef446c7c51076c6d1/roles/deploy_systemd_resolved_config
- name: install and configure prometheus-exporter for unbound - name: install and configure prometheus-exporter for unbound
ansible.builtin.import_tasks: prometheus-exporter.yml ansible.builtin.import_tasks: prometheus-exporter.yml

8
roles/unbound/tasks/prometheus-exporter.yml
View file

@ -3,7 +3,13 @@
become: true become: true
ansible.builtin.package: ansible.builtin.package:
june commented 2026-05-24 18:43:20 +02:00
Outdated
Copy link

There's no unbound-prometheus-exporter package on Debian.

There's no `unbound-prometheus-exporter` package on Debian.
name: prometheus-unbound-exporter name: prometheus-unbound-exporter
notify: prometheus-unbound-exporter.enabled
bitwhisker marked this conversation as resolved Outdated
june commented 2026-05-24 18:43:07 +02:00
Outdated
Copy link

I would rather move the enable and start logic into the file itself, since that's not really the job of a handler. See the main unbound setup tasks for reference.

I would rather move the enable and start logic into the file itself, since that's not really the job of a handler. See the main unbound setup tasks for reference.
- name: enable unbound prometheus exporter
become: true
ansible.builtin.systemd:
name: prometheus-unbound-exporter.service
enabled: true
daemon_reload: true
- name: configure unbound exporter - name: configure unbound exporter
become: true become: true

9
roles/unbound/vars/deploy_systemd_resolved_config.yaml Normal file
View file

@ -0,0 +1,9 @@
---
deploy_systemd_resolved_config__enable: false
deploy_systemd_resolved_config__dns:
- 127.0.0.1
deploy_systemd_resolved_config__fallback_dns: # Fux DNS Server
- 185.161.128.66
- 2a07:c481:0:4::2
- 185.161.128.67
- 2a07:c481:0:4::3