authorGuilhem Moulin <guilhem@fripost.org>2018-12-03 03:45:59 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-03 03:46:28 +0100
commit07c1734d2c00ce0a52830533b19a02faed678364 (patch)
tree917dca1d878e96c1ef28fced837a9059ed7dd765
parent5ad9fc5e963b9a461f60799d7f185a9e2e13522f (diff)
Install unbound on metal hosts.
(A validating, recursive, caching DNS resolver.)
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/main.yml5
-rw-r--r--roles/common/tasks/unbound.yml32
-rw-r--r--roles/common/templates/etc/unbound/unbound.conf.j232
4 files changed, 72 insertions, 0 deletions
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 36f744e..dc6c457 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -1,33 +1,36 @@
# 'service: name=... state=started' tasks should NOT run if there is a
# corresponding state=restarted handler. (Register the task notifying
# the handler, and add a conditional.)
---
- name: systemctl daemon-reload
command: /bin/systemctl daemon-reload
- name: Refresh hostname
service: name=hostname.sh state=restarted
- name: apt-get update
apt: update_cache=yes
+- name: Restart unbound
+ service: name=unbound state=restarted
+
- name: Update rkhunter's data file
command: /usr/bin/rkhunter --propupd
- name: Update firewall
command: /usr/local/sbin/update-firewall.sh -c
- name: Restart fail2ban
service: name=fail2ban state=restarted
- name: Restart IPsec
service: name=ipsec state=restarted
- name: Reload networking
# /etc/init.d/networking doesn't answer the status command; but since
# it should be "up" whenever ansible has access to the machine, we use
# pattern=init as a dummy assumption.
service: name=networking pattern=init state=reloaded
- name: Restart rsyslog
service: name=rsyslog state=restarted
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 7795da8..33a2c39 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,40 +1,45 @@
---
- import_tasks: sysctl.yml
tags: sysctl
- import_tasks: hosts.yml
- import_tasks: apt.yml
tags: apt
- name: Install intel-microcode
apt: pkg=intel-microcode
when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'"
tags: intel
- import_tasks: firewall.yml
tags:
- firewall
- iptables
- import_tasks: stunnel.yml
tags: stunnel
when: "'webmail' in group_names and 'LDAP-provider' not in group_names"
- import_tasks: auditd.yml
tags: auditd
+- import_tasks: unbound.yml
+ tags:
+ - unbound
+ - dns
+ when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'"
- import_tasks: rkhunter.yml
tags: rkhunter
- import_tasks: clamav.yml
tags: clamav
- import_tasks: fail2ban.yml
tags: fail2ban
- import_tasks: smart.yml
tags:
- smartmontools
- smart
when: "not ansible_virtualization_role == 'guest'"
- import_tasks: haveged.yml
tags:
- haveged
- entropy
- name: Copy genkeypair.sh and gendhparam.sh
copy: src=usr/local/bin/{{ item }}
dest=/usr/local/bin/{{ item }}
owner=root group=staff
mode=0755
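Review bot: The `when:` on the new `import_tasks: unbound.yml` (`ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'`) restricts unbound to Intel CPUs, which does not match the commit's stated scope of "metal hosts" and looks copied from the intel-microcode task above it; a non-Intel bare-metal host would keep its previous, non-validating resolver with no indication why. The `smart.yml` import in the same file shows the condition the commit message describes: `when: "not ansible_virtualization_role == 'guest'"`. If the Intel restriction is deliberate, a comment above the import should say why, since a validating resolver has no CPU-vendor dependency.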
diff --git a/roles/common/tasks/unbound.yml b/roles/common/tasks/unbound.yml
new file mode 100644
index 0000000..b4554ac
--- /dev/null
+++ b/roles/common/tasks/unbound.yml
@@ -0,0 +1,32 @@
+- name: Install unbound
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - unbound
+ - dns-root-data
+
+- name: Copy unbound configuration
+ template: src=templates/etc/unbound/unbound.conf.j2
+ dest=/etc/unbound/unbound.conf
+ owner=root group=root
+ mode=0644
+ register: r
+ notify:
+ - Restart unbound
+
+- name: Start unbound
+ service: name=unbound state=started
+ when: not r.changed
+
+#- meta: flush_handlers
+
+- name: Use the local DNS server
+ lineinfile: dest=/etc/resolv.conf create=yes
+ regexp='^nameserver\s+127\.0\.0\.1\s*$'
+ line='nameserver 127.0.0.1'
+ insertbefore='^\s*#*?nameserver\s'
+ firstmatch=yes
+ tags:
+ - resolver
+ notify:
+ - Restart Postfix
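Review bot: The `Use the local DNS server` task inserts `nameserver 127.0.0.1` ahead of the existing nameserver lines but leaves them in place, so the stub resolver can still fall through to the old upstream servers (glibc moves on to the next `nameserver` on timeout and, as far as I recall, on SERVFAIL), and SERVFAIL is exactly what unbound returns for a DNSSEC-bogus answer — validation can be bypassed without anyone noticing. Consider a follow-up task that removes the other entries, e.g. `lineinfile: dest=/etc/resolv.conf regexp='^\s*nameserver\s+(?!127\.0\.0\.1\s*$)' state=absent`, with the comment `# unbound must be the only nameserver: a SERVFAIL on a bogus answer would otherwise fall through to an unvalidated upstream`. The commented-out `meta: flush_handlers` means resolv.conf is switched before any pending `Restart unbound` runs; on a fresh install the package's default config is presumably already serving, but a template change that fails to load would leave the host without DNS until the play ends, so either restore the flush or note why it is disabled. The `Restart Postfix` handler notified here does not appear in the handlers hunk of this commit (which only shows the first lines of that file) — verify it exists, and confirm that resolvconf/DHCP does not rewrite /etc/resolv.conf on these hosts, which would silently undo this task.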
diff --git a/roles/common/templates/etc/unbound/unbound.conf.j2 b/roles/common/templates/etc/unbound/unbound.conf.j2
new file mode 100644
index 0000000..64f32bf
--- /dev/null
+++ b/roles/common/templates/etc/unbound/unbound.conf.j2
@@ -0,0 +1,32 @@
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/examples/unbound.conf for a commented
+# reference config file.
+
+remote-control:
+ control-enable: no
+
+server:
+ interface: 127.0.0.1
+ root-hints: "/usr/share/dns/root.hints"
+ hide-identity: yes
+ hide-version: yes
+ prefetch: yes
+ qname-minimisation: yes
+ rrset-roundrobin: yes
+ use-caps-for-id: yes
+
+ # RFC 1918
+ private-address: 10.0.0.0/8
+ private-address: 172.16.0.0/12
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: fd00::/8
+ private-address: fe80::/10
+
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+include: "/etc/unbound/unbound.conf.d/*.conf"
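Review bot: The template configures no trust anchor, yet the commit advertises a *validating* resolver and installs `dns-root-data`: unbound only validates if `trust-anchor-file`/`auto-trust-anchor-file` is set, and here that apparently relies on Debian's drop-in under `/etc/unbound/unbound.conf.d/` being pulled in by the trailing `include:` line. Making it explicit in the `server:` section would survive a stripped-down conf.d, e.g. `auto-trust-anchor-file: "/var/lib/unbound/root.key"` with the comment `# DNSSEC validation: without a trust anchor unbound resolves but does not validate`; if the drop-in already sets it, a comment after the `root-hints:` line pointing at that drop-in would do. The `private-address:` list, which is the DNS-rebinding filter, leaves out loopback (`127.0.0.0/8`, `::1/128`) and `0.0.0.0/8`, so an attacker-controlled zone can still answer with 127.0.0.1; note that this filtering also strips legitimate public names that resolve to RFC 1918 addresses (e.g. hosts reached over the IPsec tunnels this role manages) unless they are whitelisted with `private-domain:`, which may be worth a comment above the list.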