jokester/ansible-playbooks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: unbound ad filtering

Browse Source
This commit is contained in:
Clément Désiles 2025-12-14 00:41:32 +01:00
parent e003f30889
commit b35fbe63ee
No known key found for this signature in database
5 changed files with 37 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
roles/unbound/defaults/main.yml
View File

@ -10,8 +10,8 @@ unbound_custom_lan_domain: "example.lan"
unbound_port: 53 unbound_port: 53
unbound_apparmor_profile_path: /etc/apparmor.d/usr.sbin.unbound unbound_apparmor_profile_path: /etc/apparmor.d/usr.sbin.unbound
unbound_firewall_allowed_sources: unbound_firewall_allowed_sources:
- 192.168.1.0/24 # lan0 - { src: "192.168.1.0/24", comment: "DNS from LAN" }
- 192.168.27.0/27 # wg0 - { src: "192.168.27.0/27", comment: "DNS from VPN" }
unbound_custom_lan_records: unbound_custom_lan_records:
"example.lan": "example.lan":
v4: 192.168.1.2 v4: 192.168.1.2

16
roles/unbound/tasks/main.yml
View File

@ -38,6 +38,7 @@
capability sys_resource, capability sys_resource,
/etc/unbound/** r, /etc/unbound/** r,
/etc/unbound/root.key* rw,
/var/lib/unbound/** rwk, /var/lib/unbound/** rwk,
/run/unbound.pid rw, /run/unbound.pid rw,
/usr/sbin/unbound mr, /usr/sbin/unbound mr,
@ -67,7 +68,7 @@
- name: Update root.hints (if older than 6 months or missing) - name: Update root.hints (if older than 6 months or missing)
when: > when: >
(not root_hints.stat.exists) or (not root_hints.stat.exists) or
(ansible_date_time.epoch | int - root_hints.stat.mtime > 15552000) (ansible_facts['date_time']['epoch'] | int - root_hints.stat.mtime > 15552000)
block: block:
- name: Download latest root hints from internic - name: Download latest root hints from internic
@ -85,7 +86,7 @@
- name: Update the ad_servers list if older than 2 weeks or missing - name: Update the ad_servers list if older than 2 weeks or missing
when: > when: >
(not ad_servers.stat.exists) or (not ad_servers.stat.exists) or
(ansible_date_time.epoch | int - ad_servers.stat.mtime > 1209600) (ansible_facts['date_time']['epoch'] | int - ad_servers.stat.mtime > 1209600)
block: block:
- name: Download stevenblack's hosts file - name: Download stevenblack's hosts file
@ -110,6 +111,14 @@
args: args:
creates: "{{ unbound_anchor_root_key }}" creates: "{{ unbound_anchor_root_key }}"
- name: Ensure root.key has correct ownership and permissions
ansible.builtin.file:
path: "{{ unbound_anchor_root_key }}"
owner: unbound
group: unbound
mode: "0640"
state: file
- name: Install unbound config - name: Install unbound config
ansible.builtin.template: ansible.builtin.template:
src: "{{ item.src }}" src: "{{ item.src }}"
@ -151,7 +160,8 @@
rule: allow rule: allow
port: "{{ unbound_port }}" port: "{{ unbound_port }}"
proto: any proto: any
src: "{{ item }}" src: "{{ item.src }}"
comment: "{{ item.comment }}"
direction: in direction: in
loop: "{{ unbound_firewall_allowed_sources | default([]) }}" loop: "{{ unbound_firewall_allowed_sources | default([]) }}"
retries: 5 retries: 5

19
roles/unbound/templates/custom-lan.conf.j2
View File

@ -1,9 +1,20 @@
# {{ ansible_managed }} # {{ ansible_managed }}
view: view:
name: "lan" name: "lan"
view-first: yes
{% for host, ips in unbound_custom_lan_records.items() %} {% for host, ips in unbound_custom_lan_records.items() %}
local-data: "{{ host }}. IN A {{ ips.v4 }}" local-data: "{{ host }}. IN A {{ ips.v4 }}"
{% if ips.v6 is defined %} {% if ips.v6 is defined %}
local-data: "{{ host }}. IN AAAA {{ ips.v6 }}" local-data: "{{ host }}. IN AAAA {{ ips.v6 }}"
{% endif %} {% endif %}
{% if ips.aliases is defined %}
{% for alias in ips.aliases %}
local-data: "{{ alias }}. IN A {{ ips.v4 }}"
{% if ips.v6 is defined %}
local-data: "{{ alias }}. IN AAAA {{ ips.v6 }}"
{% endif %}
{% endfor %} {% endfor %}
{% endif %}
{% endfor %}
include: "{{ unbound_ad_servers_config_path }}"

3
roles/unbound/templates/custom-vpn.conf.j2
View File

@ -1,9 +1,12 @@
# {{ ansible_managed }} # {{ ansible_managed }}
view: view:
name: "vpn" name: "vpn"
view-first: yes
{% for host, ips in unbound_custom_vpn_records.items() %} {% for host, ips in unbound_custom_vpn_records.items() %}
local-data: "{{ host }}. IN A {{ ips.v4 }}" local-data: "{{ host }}. IN A {{ ips.v4 }}"
{% if ips.v6 is defined %} {% if ips.v6 is defined %}
local-data: "{{ host }}. IN AAAA {{ ips.v6 }}" local-data: "{{ host }}. IN AAAA {{ ips.v6 }}"
{% endif %} {% endif %}
{% endfor %} {% endfor %}
include: "{{ unbound_ad_servers_config_path }}"

6
roles/unbound/templates/unbound.conf.j2
View File

@ -15,6 +15,7 @@ server:
# Define access controls (note that ufw might be also configured) # Define access controls (note that ufw might be also configured)
access-control: 0.0.0.0/0 refuse access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow # lo interface
access-control: 192.168.1.0/24 allow # lan0 interface access-control: 192.168.1.0/24 allow # lan0 interface
access-control: 192.168.27.0/27 allow # wg0 interface access-control: 192.168.27.0/27 allow # wg0 interface
access-control: ::0/0 refuse access-control: ::0/0 refuse
@ -80,7 +81,9 @@ server:
# Perform prefetching of close to expired message cache entries # Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried # This only applies to domains that have been frequently queried
prefetch: yes # NOTE: Disabled because prefetch doesn't work with subnet module (views)
# see: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-prefetch
prefetch: no
# One thread should be sufficient, can be increased on beefy machines. # One thread should be sufficient, can be increased on beefy machines.
# In reality for most users running on small networks or on a single machine, # In reality for most users running on small networks or on a single machine,
@ -105,6 +108,5 @@ server:
# Enable DNSSEC # Enable DNSSEC
auto-trust-anchor-file: "{{ unbound_anchor_root_key }}" auto-trust-anchor-file: "{{ unbound_anchor_root_key }}"
include: "{{ unbound_ad_servers_config_path }}"
include: "{{ unbound_custom_lan_config_path }}" include: "{{ unbound_custom_lan_config_path }}"
include: "{{ unbound_custom_vpn_config_path }}" include: "{{ unbound_custom_vpn_config_path }}"