From f76cc022ce267077b65eb6f9312b7f6ef9044afb Mon Sep 17 00:00:00 2001
From: Arnaud DABY-SEESARAM
Date: Sun, 20 Mar 2022 15:07:36 +0100
Subject: [PATCH 1/2] Unbound: initial config
---
 host_vars/romanesco.adm.crans.org.yml | 43 ++++++++++++++++++++
 hosts | 3 ++
 plays/unbound.yml | 5 +++
 roles/nftables/tasks/main.yml | 10 +++++
 roles/unbound/handlers/main.yml | 6 +++
 roles/unbound/tasks/main.yml | 36 +++++++++++++++++
 roles/unbound/templates/unbound.conf.j2 | 52 +++++++++++++++++++++++++
 7 files changed, 155 insertions(+)
 create mode 100644 host_vars/romanesco.adm.crans.org.yml
 create mode 100755 plays/unbound.yml
 create mode 100644 roles/unbound/handlers/main.yml
 create mode 100644 roles/unbound/tasks/main.yml
 create mode 100644 roles/unbound/templates/unbound.conf.j2
diff --git a/host_vars/romanesco.adm.crans.org.yml b/host_vars/romanesco.adm.crans.org.yml
new file mode 100644
index 00000000..4bbdaaa4
--- /dev/null
+++ b/host_vars/romanesco.adm.crans.org.yml
@@ -0,0 +1,43 @@
+---
+interfaces:
+ name: ens18
+ name: ens19
+ name: ens20
+
+unbound:
+ verbosity: 1
+ interfaces:
+ - 0.0.0.0
+ - ::0
+ access-control:
+ - name: "srv"
+ addr:
+ - 185.230.79.0/26
+ - 2a0c:700:2::/48
+ policy: allow
+ - name: "srv-nat"
+ addr:
+ - 172.16.3.0/24
+ - 2a0c:700:3::/48
+ policy: allow
+ - name: "adm"
+ addr:
+ - 172.16.10.0/24
+ - fd00:0:0:10::/64
+ policy: allow
+ - name: "infra"
+ addr:
+ - 172.16.32.0/22
+ - fd00:0:0:11::/64
+ policy: allow
+ - name: "adh"
+ addr:
+ - 185.230.78.0/24
+ - 2a0c:700:12::/48
+ policy: allow
+ - name: "adh-nat"
+ addr:
+ - 100.64.0.0/16
+ - 2a0c:700:13::/48
+ policy: allow
+ val-log-level: 2
diff --git a/hosts b/hosts
index ca905ac9..1d3142f0 100644
--- a/hosts
+++ b/hosts
@@ -70,6 +70,9 @@ ovh_physical
 [dns_recursive:children]
 routeurs_vm
+[dns_recursive_unbound]
+romanesco.adm.crans.org
+
 [dovecot]
 owl.adm.crans.org
diff --git a/plays/unbound.yml b/plays/unbound.yml
new file mode 100755
index 00000000..8e93d886
--- /dev/null
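Review bot: In `host_vars/romanesco.adm.crans.org.yml`, `interfaces:` is a mapping whose key `name` is repeated three times, so a YAML loader keeps only the last value (`ens20`) and the other two entries are silently dropped; if a list of interfaces is meant, make it a sequence, `interfaces:` / `  - name: ens18` / `  - name: ens19` / `  - name: ens20` (yamllint's `key-duplicates` rule flags the current form). Nothing in this patch consumes `interfaces`, so the loss stays invisible until a role starts reading it. Separately, `unbound.interfaces` binds the resolver to `0.0.0.0` and `::0`, so the `access-control` entries are the only thing limiting who may query it; a short comment above that list noting that sources outside it fall back to Unbound's default refusal would make the intent auditable.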
+++ b/plays/unbound.yml
@@ -0,0 +1,5 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: dns_recursive_unbound
+ roles:
+ - unbound
diff --git a/roles/nftables/tasks/main.yml b/roles/nftables/tasks/main.yml
index 8a5506a5..4abb5233 100644
--- a/roles/nftables/tasks/main.yml
+++ b/roles/nftables/tasks/main.yml
@@ -8,6 +8,16 @@
 retries: 3
 until: apt_result is succeeded
+- name: Deploy the configuration files
+ template:
+ src: "{{ item }}"
+ dest: "/etc/unbound/{{ item }}"
+ owner: "unbound"
+ group: "unbound"
+ mode: 0600
+ loop:
+ - unbound.conf
+
 - name: Enable and start nftables
 systemd:
 name: nftables
diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml
new file mode 100644
index 00000000..b433c429
--- /dev/null
+++ b/roles/unbound/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart unbound
+ systemd:
+ name: unbound
+ enabled: true
+ state: restart
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
new file mode 100644
index 00000000..de4c69f7
--- /dev/null
+++ b/roles/unbound/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: Install unbound
+ apt:
+ name: unbound
+ state: present
+ update_cache: true
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+
+- name: Download the root file
+ get_url:
+ url: https://www.internic.net/domain/named.root
+ dest: /var/unbound/etc/root.hints
+ mode: '0444'
+ notify: Reload unbound
+
+- name: Fetch the initial keys
+ command: unbound-anchor
+
+- name: Deploy the configuration
+ template:
+ src: unbound.conf.j2
+ dest: /etc/unbound/unbound.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: Reload unbound
+
+- name: Enable and start unbound
+ systemd:
+ name: unbound
+ enabled: true
+ state: started
+
diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2
new file mode 100644
index 00000000..3de6cc41
--- /dev/null
+++ b/roles/unbound/templates/unbound.conf.j2
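Review bot: The `Deploy the configuration files` task added to `roles/nftables/tasks/main.yml` writes `unbound.conf` into `/etc/unbound/`, which is the unbound role's job, and this patch creates no `roles/nftables/templates/unbound.conf` (the unbound role ships `unbound.conf.j2`), so `src: "{{ item }}"` has nothing to render from this role and the nftables play would fail on every host unless such a template already exists outside the patch. It also competes with the unbound role's `Deploy the configuration` task, which writes the same path as `root:root` with `mode: 0644` while this one sets `unbound:unbound` `0600`, so the two roles would flip ownership and mode on alternate runs. This looks like a paste into the wrong role and should be removed from nftables; wherever it ends up, write the mode as a string (`mode: "0600"`) so the value does not depend on YAML 1.1 octal parsing.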
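Review bot: `state: restart` in `roles/unbound/handlers/main.yml` is not an accepted value for the `systemd` module (the choices include `restarted` and `reloaded`), so the handler errors the first time it fires. It also never fires as written: both `notify:` lines in `roles/unbound/tasks/main.yml` name `Reload unbound`, which this patch does not define, and Ansible reports an undefined handler as an error once a notifying task changes. Change the line to `state: restarted` and add `listen: Reload unbound` under the handler (or rename it) so the existing notifications resolve; `restarted` is the safe choice here since the template also controls the `interface:` lines.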
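Review bot: `Download the root file` saves the hints to `/var/unbound/etc/root.hints`, while the template in this patch (`roles/unbound/templates/unbound.conf.j2`) sets `root-hints: "root.hints"`, a relative path Unbound resolves against its working directory (`/etc/unbound`, per the commented-out `directory:` line there), so the downloaded file is never read and, as far as I recall, an unreadable hints file is a fatal configuration error at startup. Make the two agree, e.g. `dest: /etc/unbound/root.hints` here and `root-hints: "/etc/unbound/root.hints"` in the template. `Fetch the initial keys` runs `unbound-anchor` unconditionally, so every play reports a change, and because unbound-anchor signals a freshly written anchor with exit status 1 the `command` task fails precisely when it did useful work; give it `args: creates: /etc/unbound/root.key` (matching `auto-trust-anchor-file` in the template) and a `failed_when: result.rc > 1` style check on the registered result. `mode: '0444'` and `mode: 0644` in the same file should both be quoted strings for consistency.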
@@ -0,0 +1,52 @@
+server:
+ verbosity: {{ unbound['verbosity'] | default(1) }}
+
+{% for adr in unbound['interfaces'] %}
+ interface: {{ adr }}
+{% endfor %}
+
+{% for ac in unbound['access-control'] %}
+ # {{ ac['name'] }}
+{% for addr in ac['addr'] %}
+ access-control: {{ addr }} {{ ac['policy'] }}
+{% endfor %}
+{% endfor %}
+
+ # chroot: "/etc/unbound"
+ # username: "unbound"
+ # directory: "/etc/unbound"
+
+ # the log file, "" means log to stderr.
+ # Use of this option sets use-syslog to "no".
+ # logfile: ""
+
+ use-syslog: yes
+
+ # Log identity to report. if empty, defaults to the name of argv[0]
+ # (usually "unbound").
+ # log-identity: ""
+
+ # print UTC timestamp in ascii to logfile, default is epoch in seconds.
+ # log-time-ascii: no
+
+ #log-queries: yes
+ #log-replies: yes
+
+ root-hints: "root.hints"
+
+ module-config: "validator iterator"
+ auto-trust-anchor-file: "/etc/unbound/root.key"
+ val-log-level: {{ unbound['val-log-level'] | default(2) }}
+
+
+
+
+python:
+ # ...
+
+dynlib:
+ # ...
+
+# Remote control config section.
+remote-control:
+ # ...
From 833c8ef9053159b61021b0ef05949afa5d3e1536 Mon Sep 17 00:00:00 2001
From: Arnaud DABY-SEESARAM
Date: Thu, 24 Mar 2022 11:25:58 +0100
Subject: [PATCH 2/2] [unbound] multi-threading
---
 roles/unbound/templates/unbound.conf.j2 | 38 +++++++++++++------------
 1 file changed, 20 insertions(+), 18 deletions(-)
diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2
index 3de6cc41..036dcf47 100644
--- a/roles/unbound/templates/unbound.conf.j2
+++ b/roles/unbound/templates/unbound.conf.j2
@@ -1,5 +1,5 @@
 server:
- verbosity: {{ unbound['verbosity'] | default(1) }}
+ verbosity: {{ unbound['verbosity'] | default(1) }}
 {% for adr in unbound['interfaces'] %}
 interface: {{ adr }}
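Review bot: `auto-trust-anchor-file: "/etc/unbound/root.key"` names a file that Unbound itself rewrites during RFC 5011 trust-anchor rollover, so it must exist before first start and be writable by the account the daemon runs under; the `Fetch the initial keys` task in `roles/unbound/tasks/main.yml` runs a bare `unbound-anchor` with no `-a` path and nothing in the patch sets the file's owner, so whether the key lands at this path with usable permissions is not visible here and should be pinned with `unbound-anchor -a /etc/unbound/root.key` plus a `file:` task setting `owner: unbound`. With `username:` and `directory:` left commented, the effective values are whatever the build compiled in; stating them explicitly (`username: "unbound"`, `directory: "/etc/unbound"`) would make the relative `root-hints: "root.hints"` and the key-ownership assumption reviewable instead of implicit. The `interface: 0.0.0.0` / `::0` listener combined with the per-range `access-control` lines deserves a one-line comment such as `# sources not listed below are refused by Unbound's default policy`, so a later edit does not loosen the allow list unknowingly.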
@@ -12,27 +12,29 @@ server:
 {% endfor %}
 {% endfor %}
- # chroot: "/etc/unbound"
- # username: "unbound"
- # directory: "/etc/unbound"
+ # chroot: "/etc/unbound"
+ # username: "unbound"
+ # directory: "/etc/unbound"
+
+ num-threads: 8
- # the log file, "" means log to stderr.
- # Use of this option sets use-syslog to "no".
- # logfile: ""
+ # the log file, "" means log to stderr.
+ # Use of this option sets use-syslog to "no".
+ # logfile: ""
- use-syslog: yes
+ use-syslog: yes
- # Log identity to report. if empty, defaults to the name of argv[0]
- # (usually "unbound").
- # log-identity: ""
+ # Log identity to report. if empty, defaults to the name of argv[0]
+ # (usually "unbound").
+ # log-identity: ""
- # print UTC timestamp in ascii to logfile, default is epoch in seconds.
- # log-time-ascii: no
+ # print UTC timestamp in ascii to logfile, default is epoch in seconds.
+ # log-time-ascii: no
- #log-queries: yes
- #log-replies: yes
+ #log-queries: yes
+ #log-replies: yes
- root-hints: "root.hints"
+ root-hints: "root.hints"
 module-config: "validator iterator"
 auto-trust-anchor-file: "/etc/unbound/root.key"
@@ -42,10 +44,10 @@ server:
 python:
- # ...
+ # ...
 dynlib:
- # ...
+ # ...
 # Remote control config section.
 remote-control:
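Review bot: `num-threads: 8` is the only server option in this template that is hard-coded rather than read from the `unbound` host variable with a default, unlike `verbosity` and `val-log-level` in the same file; `num-threads: {{ unbound['num-threads'] | default(8) }}` keeps the pattern and lets each host in `dns_recursive_unbound` size it to its core count, which the host vars from the first patch do not reveal for romanesco. Unbound's manual also suggests, when running several threads, setting the cache slab counts (`msg-cache-slabs`, `rrset-cache-slabs`, `infra-cache-slabs`, `key-cache-slabs`) to a power of two close to the thread count to reduce lock contention; they are left at their defaults here, which works but deserves a comment if deliberate. The rest of this hunk, and the hunks at lines 1 and 42, only re-indent existing lines; keeping that separate from the functional change would make the diff easier to audit.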