From 07c1734d2c00ce0a52830533b19a02faed678364 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 3 Dec 2018 03:45:59 +0100
Subject: Install unbound on metal hosts.

(A validating, recursive, caching DNS resolver.)
---
 roles/common/handlers/main.yml | 3 ++
 roles/common/tasks/main.yml | 5 ++++
 roles/common/tasks/unbound.yml | 32 ++++++++++++++++++++++
 roles/common/templates/etc/unbound/unbound.conf.j2 | 32 ++++++++++++++++++++++
 4 files changed, 72 insertions(+)
 create mode 100644 roles/common/tasks/unbound.yml
 create mode 100644 roles/common/templates/etc/unbound/unbound.conf.j2

diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 36f744e..dc6c457 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -11,6 +11,9 @@
 - name: apt-get update
   apt: update_cache=yes
 
+- name: Restart unbound
+  service: name=unbound state=restarted
+
 - name: Update rkhunter's data file
   command: /usr/bin/rkhunter --propupd
 
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 7795da8..33a2c39 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -18,6 +18,11 @@
   when: "'webmail' in group_names and 'LDAP-provider' not in group_names"
 - import_tasks: auditd.yml
   tags: auditd
+- import_tasks: unbound.yml
+  tags:
+    - unbound
+    - dns
+  when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'"
 - import_tasks: rkhunter.yml
   tags: rkhunter
 - import_tasks: clamav.yml
diff --git a/roles/common/tasks/unbound.yml b/roles/common/tasks/unbound.yml
new file mode 100644
index 0000000..b4554ac
--- /dev/null
+++ b/roles/common/tasks/unbound.yml
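Review bot: The `when:` on the new `import_tasks: unbound.yml` entry selects "metal hosts" by matching `ansible_processor[1]` against an Intel vendor string, which is a CPU-vendor test rather than a bare-metal test: AMD or ARM metal hosts are skipped, and the position of the vendor field in `ansible_processor` differs between Ansible versions (which appears to be why the regex tolerates an optional `Genuine` prefix), so the condition can silently stop matching after an upgrade. The intent in the commit title is expressed directly by the virtualization facts alone, e.g. `when: ansible_virtualization_role != 'guest'` (or `== 'host'`, depending on which hosts should count). If the Intel match is deliberate, a comment above the task stating why would keep it from being "fixed" later. The enclosing task list continues outside the hunk.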
@@ -0,0 +1,32 @@
+- name: Install unbound
+  apt: pkg={{ packages }}
+  vars:
+    packages:
+      - unbound
+      - dns-root-data
+
+- name: Copy unbound configuration
+  template: src=templates/etc/unbound/unbound.conf.j2
+            dest=/etc/unbound/unbound.conf
+            owner=root group=root
+            mode=0644
+  register: r
+  notify:
+    - Restart unbound
+
+- name: Start unbound
+  service: name=unbound state=started
+  when: not r.changed
+
+#- meta: flush_handlers
+
+- name: Use the local DNS server
+  lineinfile: dest=/etc/resolv.conf create=yes
+              regexp='^nameserver\s+127\.0\.0\.1\s*$'
+              line='nameserver 127.0.0.1'
+              insertbefore='^\s*#*?nameserver\s'
+              firstmatch=yes
+  tags:
+    - resolver
+  notify:
+    - Restart Postfix
diff --git a/roles/common/templates/etc/unbound/unbound.conf.j2 b/roles/common/templates/etc/unbound/unbound.conf.j2
new file mode 100644
index 0000000..64f32bf
--- /dev/null
+++ b/roles/common/templates/etc/unbound/unbound.conf.j2
@@ -0,0 +1,32 @@
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/examples/unbound.conf for a commented
+# reference config file.
+
+remote-control:
+  control-enable: no
+
+server:
+  interface: 127.0.0.1
+  root-hints: "/usr/share/dns/root.hints"
+  hide-identity: yes
+  hide-version: yes
+  prefetch: yes
+  qname-minimisation: yes
+  rrset-roundrobin: yes
+  use-caps-for-id: yes
+
+  # RFC 1918
+  private-address: 10.0.0.0/8
+  private-address: 172.16.0.0/12
+  private-address: 192.168.0.0/16
+  private-address: 169.254.0.0/16
+  private-address: fd00::/8
+  private-address: fe80::/10
+
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+include: "/etc/unbound/unbound.conf.d/*.conf"
-- 
cgit v1.2.3
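Review bot: The "Start unbound" task is skipped whenever the template changed (`when: not r.changed`), so on such a run the only thing that (re)starts the service is the `Restart unbound` handler at the end of the play, yet the "Use the local DNS server" task immediately rewrites /etc/resolv.conf to `nameserver 127.0.0.1`; on a host where unbound is not already running, every later task in the play that needs name resolution runs without a working resolver. Dropping the `when:` (a `state=started` followed later by the handler's `restarted` is harmless) or enabling the commented-out `- meta: flush_handlers` before the resolv.conf task closes that window. The service is also never set `enabled=yes`; if boot-time enablement is left to the package, a comment saying so would make that explicit. The lineinfile task presumes /etc/resolv.conf is a static file — if a resolvconf-style manager or DHCP client rewrites it on this host, the change will be undone, which cannot be judged from the hunk alone.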
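Review bot: The commit describes a validating resolver, but nothing in this template configures DNSSEC validation (no `auto-trust-anchor-file` or `trust-anchor-file` directive under `server:`); if validation is expected to come from a snippet in the included `/etc/unbound/unbound.conf.d/` directory, a comment next to the `include:` line stating that would stop a reader from assuming validation is silently off. The `# RFC 1918` comment above the `private-address:` block is inaccurate for the last three entries, which are IPv4 link-local, IPv6 ULA and IPv6 link-local ranges; `# RFC 1918, link-local and ULA ranges (DNS rebinding protection)` would describe the list as written. Note also that `private-address` strips those answers for every name, so any internal zone that legitimately returns such addresses needs a matching `private-domain:` entry, and whether loopback (127.0.0.0/8, ::1) should be listed alongside is worth deciding explicitly.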