3ecfa1968d
This adds needed roles, playbooks and secrets for our global base jobs. Change-Id: I466bc1b8b33ea806f0ec39aa9aca32b91e28e7f1
85 lines
2.3 KiB
YAML
85 lines
2.3 KiB
YAML
# This role assumes that Unbound is already installed, fail early if it isn't.
|
|
- name: Check that Unbound is installed
|
|
stat:
|
|
path: /etc/unbound
|
|
register: unbound_config
|
|
|
|
- name: Ensure that Unbound is installed
|
|
assert:
|
|
that:
|
|
- unbound_config.stat.exists
|
|
|
|
# ansible_default_ipv6 can either be undefined (no ipv6) or blank (no
|
|
# routable address). We only want to use ipv6 if it's available &
|
|
# routable; combine these checks into this fact.
|
|
- name: Check for IPv6
|
|
when:
|
|
- hostvars[inventory_hostname]['ansible_default_ipv6'] is defined
|
|
- hostvars[inventory_hostname]['ansible_default_ipv6']['address'] is defined
|
|
set_fact:
|
|
unbound_use_ipv6: True
|
|
|
|
# Use *only* ipv6 resolvers if ipv6 is present and routable. This
|
|
# avoids traversing potential NAT when using ipv4 which can be
|
|
# unreliable.
|
|
- name: Set IPv6 nameservers
|
|
when:
|
|
- unbound_use_ipv6 is defined
|
|
set_fact:
|
|
unbound_primary_nameserver: '{{ unbound_primary_nameserver_v6 }}'
|
|
unbound_secondary_nameserver: '{{ unbound_secondary_nameserver_v6 }}'
|
|
|
|
# Fallback to default ipv4 if there is no ipv6 available as this
|
|
# causes timeouts and failovers that are unnecesary.
|
|
- name: Set IPv4 nameservers
|
|
when:
|
|
- unbound_use_ipv6 is not defined
|
|
set_fact:
|
|
unbound_primary_nameserver: '{{ unbound_primary_nameserver_v4 }}'
|
|
unbound_secondary_nameserver: '{{ unbound_secondary_nameserver_v4 }}'
|
|
|
|
- name: Include OS-specific variables
|
|
include_vars: "{{ item }}"
|
|
with_first_found:
|
|
- "{{ ansible_distribution }}.yaml"
|
|
- "{{ ansible_os_family }}.yaml"
|
|
- "default.yaml"
|
|
|
|
- name: Ensure Unbound conf.d directory exists
|
|
become: yes
|
|
file:
|
|
path: "{{ unbound_confd }}"
|
|
state: directory
|
|
|
|
# TODO: Move this to /etc/unbound/conf.d ?
|
|
- name: Configure unbound forwarding
|
|
become: yes
|
|
template:
|
|
dest: /etc/unbound/forwarding.conf
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
src: forwarding.conf.j2
|
|
register: forwarding_config
|
|
notify:
|
|
- Restart unbound
|
|
|
|
- name: Configure unbound TTL
|
|
become: yes
|
|
template:
|
|
dest: "{{ unbound_confd }}/ttl.conf"
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
src: ttl.conf.j2
|
|
register: ttl_config
|
|
notify:
|
|
- Restart unbound
|
|
|
|
- name: Start unbound
|
|
become: yes
|
|
service:
|
|
name: unbound
|
|
state: started
|
|
enabled: yes
|