Diffstat (limited to 'roles/dns/tasks')
-rw-r--r--roles/dns/tasks/check_dns_setup.yaml13
-rw-r--r--roles/dns/tasks/main.yaml3
-rw-r--r--roles/dns/tasks/setup_adblock.yaml66
-rw-r--r--roles/dns/tasks/setup_unbound.yaml44
4 files changed, 126 insertions, 0 deletions
diff --git a/roles/dns/tasks/check_dns_setup.yaml b/roles/dns/tasks/check_dns_setup.yaml
new file mode 100644
index 00000000..b1fdb500
--- /dev/null
+++ b/roles/dns/tasks/check_dns_setup.yaml
@@ -0,0 +1,13 @@
+---
+- name: "check if adblock.rpz exists"
+ ansible.builtin.stat:
+ path: /var/unbound/db/adblock.rpz
+ register: adblock_rpz
+
+- name: "setup dns resolver (unbound)"
+ ansible.builtin.include_tasks: setup_unbound.yaml
+ when: not adblock_rpz.stat.exists
+
+- name: "setup adblocking"
+ ansible.builtin.include_tasks: setup_adblock.yaml
+ when: not adblock_rpz.stat.exists
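Review bot: Both includes at L25-L31 are gated on the existence of /var/unbound/db/adblock.rpz, a file that setup_adblock.yaml creates midway through its own run, so a run that fails after that `install` (or any later change to the unbound templates, doas rules or cron entry) is never reconciled: on re-run the role skips everything and the drift persists. The modules used in the included files (`template`, `user`, `blockinfile`, `cron`, `file`) are idempotent on their own, so the stat gate can be dropped here and the genuinely one-shot steps guarded individually, e.g. `args: {creates: /var/unbound/etc/unbound_control.key}` on `unbound-control-setup` and `when: not adblock_rpz.stat.exists` moved onto the first `unbound-adblock` run. If the gate is kept, document why: `# only skip when the whole role has already completed; partial runs are not detected`.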
diff --git a/roles/dns/tasks/main.yaml b/roles/dns/tasks/main.yaml
new file mode 100644
index 00000000..27978e73
--- /dev/null
+++ b/roles/dns/tasks/main.yaml
@@ -0,0 +1,3 @@
+---
+- name: "check dns resolver setup"
+ ansible.builtin.include_tasks: check_dns_setup.yaml
diff --git a/roles/dns/tasks/setup_adblock.yaml b/roles/dns/tasks/setup_adblock.yaml
new file mode 100644
index 00000000..edf09a7e
--- /dev/null
+++ b/roles/dns/tasks/setup_adblock.yaml
@@ -0,0 +1,66 @@
+---
+- name: "activate unbound control"
+ ansible.builtin.command: unbound-control-setup
+ changed_when: false
+
+- name: "fetch unbound filter script"
+ ansible.builtin.get_url:
+ url: https://geoghegan.ca/pub/unbound-adblock/latest/unbound-adblock.sh
+ dest: /usr/local/bin/unbound-adblock
+ group: bin
+ mode: 755
+ register: adblock_changed
+ # DL fails from time to time, so we retry a couple times
+ until: adblock_changed.state == "file"
+ retries: 10
+ delay: 2
+ ignore_errors: yes
+ notify:
+ - restart_unbound
+
+- name: "create adblock user"
+ ansible.builtin.user:
+ name: _adblock
+ shell: nologin
+ home: /var/empty
+ create_home: false
+
+- name: "add _adblock doas privileges"
+ ansible.builtin.blockinfile:
+ path: /etc/doas.conf
+ create: true
+ backup: true
+ marker: "### REACTANCE - Unbound Adblock - {mark} ###"
+ insertafter: "EOF"
+ block: |
+ permit nopass root
+ permit nopass _adblock cmd /usr/sbin/unbound-control args -q status
+ permit nopass _adblock cmd /usr/sbin/unbound-control args -q flush_zone unbound-adblock
+ permit nopass _adblock cmd /usr/sbin/unbound-control args -q auth_zone_reload unbound-adblock
+
+- name: "create binaries for adblock"
+ ansible.builtin.command: "{{ item }}"
+ loop:
+ - install -m 644 -o _adblock -g wheel /dev/null /var/unbound/db/adblock.rpz
+ - install -d -o root -g wheel -m 755 /var/log/unbound-adblock
+ - install -o _adblock -g wheel -m 640 /dev/null /var/log/unbound-adblock/unbound-adblock.log
+ - install -o _adblock -g wheel -m 640 /dev/null /var/log/unbound-adblock/unbound-adblock.log.0.gz
+ changed_when: false
+ notify: restart_unbound
+
+- name: "restarting adblock (as separate task otherwise cant create rule)"
+ ansible.builtin.service:
+ name: unbound
+ state: restarted
+ enabled: true
+
+- name: "create first ruleset"
+ ansible.builtin.shell: "cd /var/unbound/db && doas -u _adblock /usr/local/bin/unbound-adblock -O openbsd"
+ changed_when: false
+
+- name: "setup daily cronjob"
+ ansible.builtin.cron:
+ name: "update dns blocklist"
+ user: root
+ job: "cd /var/unbound/db && doas -u _adblock /usr/local/bin/unbound-adblock -O openbsd 1> /dev/null"
+ special_time: daily
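Review bot: The script fetched at L52-L63 ends up controlling the RPZ zone the resolver enforces (it can rewrite answers for any name), yet it is pulled from an unversioned "latest" URL with no `checksum:` and the task carries `ignore_errors: yes`, so a tampered or failed download still leads to the doas rules being written and the daily cron job executing whatever landed in /usr/local/bin. Pin the download with `checksum: "sha256:{{ unbound_adblock_sha256 }}"` (digest kept in role vars and bumped deliberately), drop `ignore_errors: yes`, and use `until: adblock_changed is succeeded` for the retry test so a failed attempt that has no `state` key does not break the loop. `mode: 755` on L57 is an unquoted integer, which Ansible treats as decimal 755 (octal 1363) rather than rwxr-xr-x; write `mode: "0755"`. The `permit nopass root` line at L82 is broader than the cron job needs: `permit nopass root as _adblock cmd /usr/local/bin/unbound-adblock` covers the root→_adblock switch without granting root a blanket doas rule.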
diff --git a/roles/dns/tasks/setup_unbound.yaml b/roles/dns/tasks/setup_unbound.yaml
new file mode 100644
index 00000000..ec6f123e
--- /dev/null
+++ b/roles/dns/tasks/setup_unbound.yaml
@@ -0,0 +1,44 @@
+---
+- name: "template out configs"
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ loop:
+ - src: unbound.conf.j2
+ dest: /var/unbound/etc/unbound.conf
+ - src: resolv.conf.j2
+ dest: /etc/resolv.conf.j2
+ - src: hostname.vether0.j2
+ dest: /etc/hostname.vether0
+ # we need a separate virtual network interface for binding the dns resolver to since ocserv doesn't creates tunnel interface for each separate connected client, it does not create a primary interface
+
+ # unbound will fail if there's nonexisting interface in config
+- name: "create vether0 interface"
+ ansible.builtin.shell: "sh /etc/netstart vether0"
+ when: inventory_hostname in (groups['ocserv']|default([])) + (groups['all_vpns']|default([]))
+
+- name: "setup log file"
+ ansible.builtin.file:
+ path: /var/log/unbound.log
+ state: touch
+ mode: "0600"
+
+ # pure convenience
+- name: "obsd : dns : symlink it to /etc"
+ ansible.builtin.file:
+ src: /var/unbound/etc/unbound.conf
+ dest: /etc/unbound.conf
+ state: link
+
+- name: "obsd : dns : not exists. generate..."
+ ansible.builtin.command: /usr/sbin/unbound-anchor -a /var/unbound/db/root.key
+ args:
+ creates: /var/unbound/db/root.key
+ failed_when: false
+
+- name: "obsd : dns : get root hints"
+ ansible.builtin.command: ftp -o /var/unbound/etc/root.hints https://www.internic.net/domain/named.root
+ args:
+ creates: /var/unbound/db/root.key
+ notify:
+ - restart_unbound
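Review bot: The template loop at L127-L128 writes `resolv.conf.j2` to `/etc/resolv.conf.j2`, a path nothing reads, so the host keeps its previous resolvers and never points at the local unbound; the dest should be `dest: /etc/resolv.conf`. The root-hints task at L157-L160 uses `creates: /var/unbound/db/root.key`, the very file the preceding unbound-anchor task creates, so `root.hints` is only ever fetched when the trust anchor is missing; it should be `creates: /var/unbound/etc/root.hints`. The log file at L138-L142 is created 0600 with no `owner`, so it is owned by the user Ansible connects as; if unbound.conf directs `logfile` there the privilege-dropped daemon presumably cannot write it (and, if unbound is chrooted to /var/unbound, cannot reach /var/log at all), so either set `owner: _unbound` or confirm the configured log path against the chroot.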