From 69acb7a82a68eeb439e55b994281056df52c81b1 Mon Sep 17 00:00:00 2001
From: repliqa
Date: Wed, 23 Jul 2025 14:06:15 +0600
Subject: v0.0.1alpha
---
roles/dns/tasks/setup_unbound.yaml | 44 ++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 roles/dns/tasks/setup_unbound.yaml
(limited to 'roles/dns/tasks/setup_unbound.yaml')
diff --git a/roles/dns/tasks/setup_unbound.yaml b/roles/dns/tasks/setup_unbound.yaml
new file mode 100644
index 00000000..ec6f123e
--- /dev/null
+++ b/roles/dns/tasks/setup_unbound.yaml
@@ -0,0 +1,44 @@
+---
+- name: "template out configs"
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ loop:
+ - src: unbound.conf.j2
+ dest: /var/unbound/etc/unbound.conf
+ - src: resolv.conf.j2
+ dest: /etc/resolv.conf.j2
+ - src: hostname.vether0.j2
+ dest: /etc/hostname.vether0
+ # we need a separate virtual network interface for binding the dns resolver to since ocserv doesn't creates tunnel interface for each separate connected client, it does not create a primary interface
+
+ # unbound will fail if there's nonexisting interface in config
+- name: "create vether0 interface"
+ ansible.builtin.shell: "sh /etc/netstart vether0"
+ when: inventory_hostname in (groups['ocserv']|default([])) + (groups['all_vpns']|default([]))
+
+- name: "setup log file"
+ ansible.builtin.file:
+ path: /var/log/unbound.log
+ state: touch
+ mode: "0600"
+
+ # pure convenience
+- name: "obsd : dns : symlink it to /etc"
+ ansible.builtin.file:
+ src: /var/unbound/etc/unbound.conf
+ dest: /etc/unbound.conf
+ state: link
+
+- name: "obsd : dns : not exists. generate..."
+ ansible.builtin.command: /usr/sbin/unbound-anchor -a /var/unbound/db/root.key
+ args:
+ creates: /var/unbound/db/root.key
+ failed_when: false
+
+- name: "obsd : dns : get root hints"
+ ansible.builtin.command: ftp -o /var/unbound/etc/root.hints https://www.internic.net/domain/named.root
+ args:
+ creates: /var/unbound/db/root.key
+ notify:
+ - restart_unbound
-- cgit v1.2.3
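Review bot: The "get root hints" task guards itself with `creates: /var/unbound/db/root.key`, which is the file the preceding `unbound-anchor` task creates, so the download is skipped whenever the trust anchor already exists and `/var/unbound/etc/root.hints` is never written; the guard should be `creates: /var/unbound/etc/root.hints`. In the same hunk the second template entry renders to `dest: /etc/resolv.conf.j2` instead of `/etc/resolv.conf`, so the resolver configuration is written to the wrong path and never takes effect. The template task also carries no `notify: restart_unbound` and no `mode:`, so a changed `unbound.conf` is not reloaded and all three rendered files get the umask default rather than an explicit mode (`/etc/hostname.vether0` is conventionally `0640`). `failed_when: false` on the `unbound-anchor` call hides a failed trust-anchor bootstrap entirely; if the intent is only to tolerate the non-zero exit status the tool returns after it updates the anchor, register the result and fail on the other return codes instead of suppressing every failure.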