112 lines
3.3 KiB
YAML
112 lines
3.3 KiB
YAML
---
|
|
- name: unbound | Install dns-root-hints
|
|
community.general.apk:
|
|
name: dns-root-hints
|
|
state: present
|
|
|
|
- name: unbound | Create /dev directory inside unbound chroot
|
|
file:
|
|
path: /etc/unbound/dev
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: '755'
|
|
|
|
# We are operating on special devices
|
|
# copy module doesn't seem to work
|
|
- name: unbound | Copy needed devices to unbound chroot
|
|
command:
|
|
cmd: /bin/cp -a /dev/urandom /dev/null /etc/unbound/dev/
|
|
creates: /etc/unbound/dev/urandom
|
|
|
|
# unbound user needs write permission to the anchor file, and also for the
|
|
# directory it is in (to create a temporary file)
|
|
- name: unbound | Create var directory inside unbound chroot
|
|
file:
|
|
path: /etc/unbound/var
|
|
state: directory
|
|
owner: root
|
|
group: unbound
|
|
mode: '775'
|
|
|
|
# unbound-anchor gives errors about connecting to IPv6 servers
|
|
- name: unbound | Generate trusted anchor file
|
|
command:
|
|
cmd: /usr/sbin/unbound-anchor -a /etc/unbound/var/trusted-key.key
|
|
creates: /etc/unbound/var/trusted-key.key
|
|
failed_when: false
|
|
|
|
- name: unbound | Ensure proper permissions on trusted anchor file
|
|
file:
|
|
path: /etc/unbound/var/trusted-key.key
|
|
state: file
|
|
owner: unbound
|
|
group: unbound
|
|
mode: '640'
|
|
|
|
- name: unbound | Gather package facts
|
|
package_facts:
|
|
manager: 'apk'
|
|
|
|
# We only need to run the DNS root hints update the 1st time, as
|
|
# dns-root-hints package comes with a monthly crontab
|
|
- name: unbound | Check the current DNS root zone version
|
|
lineinfile:
|
|
backup: true
|
|
path: /usr/share/dns-root-hints/named.root
|
|
regexp: '^;[ \t]+related version of root zone:[ \t]+{{ ansible_facts.packages["dns-root-hints"][0].version }}$'
|
|
state: absent
|
|
check_mode: true
|
|
register: root_hints_check
|
|
changed_when: false
|
|
|
|
- name: unbound | Get the latest DNS root hints
|
|
command:
|
|
cmd: /usr/bin/update-dns-root-hints
|
|
removes: /usr/bin/update-dns-root-hints
|
|
when: root_hints_check.found == 1
|
|
|
|
- name: unbound | Copy the updated root hints file to unbound chroot
|
|
copy:
|
|
src: /usr/share/dns-root-hints/named.root
|
|
dest: /etc/unbound/var/named.root
|
|
owner: root
|
|
group: unbound
|
|
mode: '640'
|
|
|
|
- name: unbound | Let dns-root-hints cron job copy root hints to unbound chroot
|
|
blockinfile:
|
|
path: /etc/periodic/monthly/dns-root-hints
|
|
block: |
|
|
updated_file="/usr/share/dns-root-hints/named.root"
|
|
current_file="/etc/unbound/var/named.root"
|
|
drh_new_ver=$(/bin/grep "related version of root zone:" $updated_file | /bin/grep -E -o '[0-9]{10}')
|
|
drh_current_ver=$(/bin/grep "related version of root zone:" $current_file | /bin/grep -E -o '[0-9]{10}')
|
|
|
|
if [ "$drh_new_ver" != "$drh_current_ver" ]; then
|
|
/bin/cp -f $updated_file $current_file
|
|
/bin/chown root:unbound $current_file
|
|
/bin/chmod 0640 $current_file
|
|
fi
|
|
marker: '# {mark} COPY THE UPDATED ROOT HINTS TO UNBOUND CHROOT'
|
|
insertafter: 'EOF'
|
|
owner: root
|
|
group: root
|
|
mode: '755'
|
|
|
|
- name: unbound | Copy unbound config
|
|
template:
|
|
src: dns/unbound.j2
|
|
dest: /etc/unbound/unbound.conf
|
|
owner: root
|
|
group: root
|
|
mode: '644'
|
|
validate: /usr/sbin/unbound-checkconf %s
|
|
|
|
- name: unbound | Add unbound service to runlevel 'default'
|
|
service:
|
|
name: unbound
|
|
runlevel: default
|
|
enabled: true
|
|
state: started
|