[unbound] wtf

2022-11-20 20:13:05 +01:00 · 2022-11-20 20:13:05 +01:00 · 052519e85e
parent 4fc73176d8
commit 052519e85e
3 changed files with 39 additions and 36 deletions
--- a/roles/unbound/handlers/main.yml
+++ b/roles/unbound/handlers/main.yml
@ -1,6 +1,11 @@
 ---
- name: Restart unbound
+- name: systemctl restart unbound.service
  systemd:
    name: unbound
    enabled: true
-    state: restart
+    state: restarted
+  listen: update root trust anchor
+
+- name: run unbound-anchor
+  command: unbound-anchor
+  listen: update root trust anchor
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@ -11,12 +11,9 @@
 - name: Download the root file
  get_url:
    url: https://www.internic.net/domain/named.root
-    dest: /var/unbound/etc/root.hints
-    mode: "0444"
-  notify: Reload unbound
-
- name: Fetch the initial keys
-  command: unbound-anchor
+    dest: /etc/unbound/root.hints
+    mode: "0644"
+  notify: update root trust anchor

 - name: Deploy the configuration
  template:
@ -25,7 +22,7 @@
    owner: root
    group: root
    mode: 0644
-  notify: Reload unbound
+  notify: systemctl restart unbound.service

 - name: Enable and start unbound
  systemd:
--- a/roles/unbound/templates/unbound.conf.j2
+++ b/roles/unbound/templates/unbound.conf.j2
@ -1,54 +1,55 @@
 server:
-    verbosity: {{ unbound['verbosity'] | default(1) }}
+	verbosity: {{ unbound['verbosity'] | default(1) }}

 {% for adr in unbound['interfaces'] %}
-    interface: {{ adr }}
+	interface: {{ adr }}
 {% endfor %}

 {% for ac in unbound['access-control'] %}
-    # {{ ac['name'] }}
+	# {{ ac['name'] }}
 {% for addr in ac['addr'] %}
-    access-control: {{ addr }} {{ ac['policy'] }}
+	access-control: {{ addr }} {{ ac['policy'] }}
 {% endfor %}
 {% endfor %}

-    # chroot: "/etc/unbound"
-    # username: "unbound"
-    # directory: "/etc/unbound"
+	# reply on the same interface that the query came from
+	interface-automatic: yes

-    num-threads: 8
+	# chroot: "/etc/unbound"
+	# username: "unbound"
+	# directory: "/etc/unbound"

-    # the log file, "" means log to stderr.
-    # Use of this option sets use-syslog to "no".
-    # logfile: ""
+	# the log file, "" means log to stderr.
+	# Use of this option sets use-syslog to "no".
+	# logfile: ""

-    use-syslog: yes
+	use-syslog: yes

-    # Log identity to report. if empty, defaults to the name of argv[0]
-    # (usually "unbound").
-    # log-identity: ""
+	# Log identity to report. if empty, defaults to the name of argv[0]
+	# (usually "unbound").
+	# log-identity: ""

-    # print UTC timestamp in ascii to logfile, default is epoch in seconds.
-    # log-time-ascii: no
+	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
+	# log-time-ascii: no

-    #log-queries: yes
-    #log-replies: yes
+	#log-queries: yes
+	#log-replies: yes

-    root-hints: "root.hints"
+	root-hints: "root.hints"

-    module-config: "validator iterator"
-    auto-trust-anchor-file: "/etc/unbound/root.key"
-    val-log-level: {{ unbound['val-log-level'] | default(2) }}
+	module-config: "validator iterator"
+	auto-trust-anchor-file: "/etc/unbound/root.key"
+	val-log-level: {{ unbound['val-log-level'] | default(2) }}




 python:
-    # ...
+	# ...

 dynlib:
-    # ...
+	# ...

 # Remote control config section.
 remote-control:
-    # ...
+	# ...