From 03c25e4aea468d90e2b407c5e7ee7b6bebb87f87 Mon Sep 17 00:00:00 2001
From: Simon Cornet
Date: Wed, 6 May 2026 17:38:44 +0200
Subject: [PATCH] feat: make defaults configurable
---
 defaults/main.yaml | 42 ++++++++++++++-------------
 templates/unbound/unbound.conf.j2 | 48 +++++++++++++++++--------------
 2 files changed, 49 insertions(+), 41 deletions(-)
diff --git a/defaults/main.yaml b/defaults/main.yaml
index a2934dd..e996a6b 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -1,5 +1,26 @@
 ---
+# unbound server settings
+unbound_verbosity: 1
+unbound_port: 53
+unbound_do_ip6: true
+unbound_do_tcp: true
+unbound_num_threads: 2
+unbound_so_reuseport: true
+
+# security
+unbound_use_caps_for_id: true
+unbound_qname_minimisation: true
+unbound_harden_dnssec_stripped: true
+unbound_harden_glue: true
+unbound_hide_identity: true
+unbound_hide_version: true
+
+# cache
+unbound_cache_min_ttl: 5
+unbound_cache_max_ttl: 86400
+unbound_prefetch: true
+
 # unbound upstream info
 unbound_upstream_dns:
 - "8.8.8.8"
@@ -11,23 +32,4 @@ unbound_allow_access:
 network: "192.168.1.0/24"
 # unbound zones
-unbound_zones:
-
- # example.internal
- - zone: "example.internal"
- type: "static"
- records:
-
- - name: "server.example.internal"
- value: "192.168.1.0"
-
- - name: "example.internal"
- type: "TXT"
- value: "v=spf1 include:example.internal ~all"
-
- - name: "_sip._tcp.example.internal"
- type: "SRV"
- priority: 10
- weight: 60
- port: 5060
- value: "server.example.internal"
+unbound_zones: []
diff --git a/templates/unbound/unbound.conf.j2 b/templates/unbound/unbound.conf.j2
index 3af4e6d..a22374d 100644
--- a/templates/unbound/unbound.conf.j2
+++ b/templates/unbound/unbound.conf.j2
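Review bot: Several of the new defaults do not reproduce the values the template previously hard-coded, so a commit titled "make defaults configurable" also changes what an unchanged role renders: `unbound_use_caps_for_id: true` replaces `use-caps-for-id: no`, `unbound_do_tcp: true` replaces `do-tcp: no`, `unbound_cache_min_ttl: 5` replaces `cache-min-ttl: 3600`, and in the template hunk the four `*-cache-slabs` keys now follow `unbound_num_threads` (2) instead of 8, with `so-reuseport` and `qname-minimisation` newly emitted. Either keep the old values as the defaults or list the changes in the commit message so operators know the rendered unbound.conf will differ after upgrading the role. The variables also carry no documentation beyond the three section headers; a one-line comment such as `# TTL bounds in seconds` above the cache keys and `# rendered as yes/no; see unbound.conf(5) for each option` under the security header would tell consumers what each value means without opening the template. The hunk header counts five old-side context lines but only four are visible here, so one context line may be missing from this page.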
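Review bot: Replacing the example zone with `unbound_zones: []` removes the only description of the zone record schema (`zone`, `type`, `records`, and per-record `name`, `type`, `value`, plus `priority`/`weight`/`port` for SRV) that the role's zone rendering presumably consumes. Keep the example in the defaults file as a commented-out block, or move it to the README, so users can still see the expected structure when they populate the list. `[]` is the right default value, since a bare `unbound_zones:` would load as `null` rather than an empty list.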
@@ -1,35 +1,41 @@
 server:
- verbosity: 1
+ verbosity: {{ unbound_verbosity }}
 interface-automatic: yes
 ip-freebind: yes
- port: 53
+ port: {{ unbound_port }}
 do-ip4: yes
- do-ip6: yes
+ do-ip6: {{ 'yes' if unbound_do_ip6 else 'no' }}
 do-udp: yes
- do-tcp: no
-
+ do-tcp: {{ 'yes' if unbound_do_tcp else 'no' }}
+
 # access control
 {% for network in unbound_allow_access %}
 ## {{ network.name }}
 access-control: {{ network.network }} allow
 {% endfor %}
-
- # security and performance
- cache-max-ttl: 86400
- cache-min-ttl: 3600
- harden-dnssec-stripped: yes
- harden-glue: yes
- hide-identity: yes
- hide-version: yes
- infra-cache-slabs: 8
- key-cache-slabs: 8
- msg-cache-slabs: 8
- num-threads: 2
- prefetch: yes
- rrset-cache-slabs: 8
- use-caps-for-id: no
-
+
+ # performance
+ num-threads: {{ unbound_num_threads }}
+ so-reuseport: {{ 'yes' if unbound_so_reuseport else 'no' }}
+ infra-cache-slabs: {{ unbound_num_threads }}
+ key-cache-slabs: {{ unbound_num_threads }}
+ msg-cache-slabs: {{ unbound_num_threads }}
+ rrset-cache-slabs: {{ unbound_num_threads }}
+
+ # cache
+ cache-max-ttl: {{ unbound_cache_max_ttl }}
+ cache-min-ttl: {{ unbound_cache_min_ttl }}
+ prefetch: {{ 'yes' if unbound_prefetch else 'no' }}
+
+ # security
+ harden-dnssec-stripped: {{ 'yes' if unbound_harden_dnssec_stripped else 'no' }}
+ harden-glue: {{ 'yes' if unbound_harden_glue else 'no' }}
+ hide-identity: {{ 'yes' if unbound_hide_identity else 'no' }}
+ hide-version: {{ 'yes' if unbound_hide_version else 'no' }}
+ use-caps-for-id: {{ 'yes' if unbound_use_caps_for_id else 'no' }}
+ qname-minimisation: {{ 'yes' if unbound_qname_minimisation else 'no' }}
+
 # include zone configurations
 include: "/etc/unbound/zones.conf"
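Review bot: The `{{ 'yes' if var else 'no' }}` form used for do-ip6, do-tcp, so-reuseport, prefetch and the six security options tests Jinja truthiness, so a value that arrives as a string (INI inventory, `-e unbound_hide_version=false`, survey input) renders as `yes` whenever it is non-empty, silently turning a requested `no` into `yes` for options such as hide-version or use-caps-for-id. Normalise before branching, e.g. `do-ip6: {{ unbound_do_ip6 | bool | ternary('yes', 'no') }}`, and apply the same form to the other nine boolean lines. The four `*-cache-slabs` keys are now set to `unbound_num_threads` directly; unbound.conf(5) documents slab counts as needing to be a power of 2, so a thread count such as 3 or 6 yields a value the daemon may reject or adjust — a separate `unbound_cache_slabs` variable, or at least a comment in defaults stating the constraint, would avoid that. The `server:` clause opened at the top of this hunk may continue past its last line, which this page does not show.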