Diffstat (limited to 'roles/dns/templates')
-rw-r--r--roles/dns/templates/hostname.vether0.j21
-rw-r--r--roles/dns/templates/resolv.conf.j26
-rw-r--r--roles/dns/templates/unbound.conf.j241
3 files changed, 48 insertions, 0 deletions
diff --git a/roles/dns/templates/hostname.vether0.j2 b/roles/dns/templates/hostname.vether0.j2
new file mode 100644
index 00000000..e7ac2c71
--- /dev/null
+++ b/roles/dns/templates/hostname.vether0.j2
@@ -0,0 +1 @@
+inet {{ (ocserv_network|default("172.16.16.0/24"))|ansible.utils.nthhost(2) }}/{{ (ocserv_network|default("172.16.16.0/24")|ipaddr('prefix')) }}
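Review bot: The line mixes the fully qualified `ansible.utils.nthhost(2)` with the bare `ipaddr('prefix')`, so the same template depends on the collection's filters resolving under two different names; `ansible.utils.ipaddr('prefix')` would keep the file consistent and not rely on a short-name alias being installed. The `ocserv_network|default("172.16.16.0/24")` expression is also spelled out twice, so a change to the default network has to be made in two places; a leading `{% set net = ocserv_network|default("172.16.16.0/24") %}` followed by `inet {{ net|ansible.utils.nthhost(2) }}/{{ net|ansible.utils.ipaddr('prefix') }}` keeps the two halves in step. The same duplicated default appears in unbound.conf.j2 in this commit.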
diff --git a/roles/dns/templates/resolv.conf.j2 b/roles/dns/templates/resolv.conf.j2
new file mode 100644
index 00000000..7a0de7f4
--- /dev/null
+++ b/roles/dns/templates/resolv.conf.j2
@@ -0,0 +1,6 @@
+{% if not disable_dns|default(false) %}
+nameserver 127.0.0.1
+{% endif %}
+nameserver 9.9.9.9
+nameserver 149.112.112.112
+lookup file bind
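Review bot: The two public resolvers are listed unconditionally after `nameserver 127.0.0.1`, so whenever the local unbound is slow or down the resolver library falls through to them and the RPZ filtering and validation configured in unbound.conf.j2 in this same commit are bypassed for those queries. If that fallback is deliberate it is worth stating in the rendered file, since resolv.conf accepts comments: `# Quad9 fallback: used when local unbound (RPZ/DNSSEC) is unreachable`. If it is not deliberate, the two `nameserver 9.9.9.9` / `nameserver 149.112.112.112` lines could be moved inside an `{% else %}` branch of the existing `disable_dns` condition so they only appear when the local resolver is disabled.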
diff --git a/roles/dns/templates/unbound.conf.j2 b/roles/dns/templates/unbound.conf.j2
new file mode 100644
index 00000000..b02df37e
--- /dev/null
+++ b/roles/dns/templates/unbound.conf.j2
@@ -0,0 +1,41 @@
+server:
+ interface: 127.0.0.1
+{% if inventory_hostname in (groups['ocserv']|default([])) + (groups['all_vpns']|default([])) %}
+ interface: {{ (ocserv_network|default("172.16.16.0/24"))|ansible.utils.nthhost(2) }}
+{% endif %}
+ do-ip6: no
+
+ access-control: 0.0.0.0/0 refuse
+ access-control: 127.0.0.0/8 allow
+{% if inventory_hostname in (groups['ocserv']|default([])) + (groups['all_vpns']|default([])) %}
+ access-control: {{ ocserv_network|default("172.16.16.0/24") }} allow
+{% endif %}
+
+ hide-identity: yes
+ hide-version: yes
+
+ auto-trust-anchor-file: "/var/unbound/db/root.key"
+ val-log-level: 2
+ qname-minimisation: yes
+
+ aggressive-nsec: yes
+ verbosity: 1
+ log-queries: no
+ use-caps-for-id: yes
+
+ cache-min-ttl: 3600
+ cache-max-ttl: 86400
+ prefetch: yes
+ unwanted-reply-threshold: 10000
+ do-not-query-localhost: yes
+ val-clean-additional: yes
+ module-config: "respip validator iterator"
+
+remote-control:
+ control-enable: yes
+
+rpz:
+ name: "unbound-adblock"
+ zonefile: "/var/unbound/db/adblock.rpz"
+ rpz-log: no
+ rpz-log-name: "unbound-adblock"
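Review bot: `remote-control:` sets `control-enable: yes` without a `control-interface:`, so where unbound-control listens is left to the build's default rather than stated in the config; pinning it, for example `control-interface: 127.0.0.1` or a unix socket path as the deployment expects, makes the control channel's exposure explicit and reviewable alongside the `access-control` rules above it. The `{% if inventory_hostname in (groups['ocserv']|default([])) + (groups['all_vpns']|default([])) %}` condition and the `ocserv_network|default("172.16.16.0/24")` default are each written twice in this file; a `{% set %}` at the top for both would keep the `interface:` and `access-control:` stanzas from drifting apart. A short comment above the `rpz:` block noting that `module-config: "respip validator iterator"` is what enables it would help the next reader, since removing `respip` silently disables the adblock zone.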