ansible/unbound
ansible/unbound
2
0
Fork 0
Code Issues 1 Pull requests Activity

feat: make defaults configurable

Browse source
This commit is contained in:
Simon Cornet 2026-05-06 17:38:44 +02:00
commit 03c25e4aea
2 changed files with 49 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

42
defaults/main.yaml
View file

@ -1,5 +1,26 @@
--- ---
# unbound server settings
unbound_verbosity: 1
unbound_port: 53
unbound_do_ip6: true
unbound_do_tcp: true
unbound_num_threads: 2
unbound_so_reuseport: true
# security
unbound_use_caps_for_id: true
unbound_qname_minimisation: true
unbound_harden_dnssec_stripped: true
unbound_harden_glue: true
unbound_hide_identity: true
unbound_hide_version: true
# cache
unbound_cache_min_ttl: 5
unbound_cache_max_ttl: 86400
unbound_prefetch: true
# unbound upstream info # unbound upstream info
unbound_upstream_dns: unbound_upstream_dns:
- "8.8.8.8" - "8.8.8.8"
@ -11,23 +32,4 @@ unbound_allow_access:
network: "192.168.1.0/24" network: "192.168.1.0/24"
# unbound zones # unbound zones
unbound_zones: unbound_zones: []
# example.internal
- zone: "example.internal"
type: "static"
records:
- name: "server.example.internal"
value: "192.168.1.0"
- name: "example.internal"
type: "TXT"
value: "v=spf1 include:example.internal ~all"
- name: "_sip._tcp.example.internal"
type: "SRV"
priority: 10
weight: 60
port: 5060
value: "server.example.internal"

48
templates/unbound/unbound.conf.j2
View file

@ -1,35 +1,41 @@
server: server:
verbosity: 1 verbosity: {{ unbound_verbosity }}
interface-automatic: yes interface-automatic: yes
ip-freebind: yes ip-freebind: yes
port: 53 port: {{ unbound_port }}
do-ip4: yes do-ip4: yes
do-ip6: yes do-ip6: {{ 'yes' if unbound_do_ip6 else 'no' }}
do-udp: yes do-udp: yes
do-tcp: no do-tcp: {{ 'yes' if unbound_do_tcp else 'no' }}
# access control # access control
{% for network in unbound_allow_access %} {% for network in unbound_allow_access %}
## {{ network.name }} ## {{ network.name }}
access-control: {{ network.network }} allow access-control: {{ network.network }} allow
{% endfor %} {% endfor %}
# security and performance # performance
cache-max-ttl: 86400 num-threads: {{ unbound_num_threads }}
cache-min-ttl: 3600 so-reuseport: {{ 'yes' if unbound_so_reuseport else 'no' }}
harden-dnssec-stripped: yes infra-cache-slabs: {{ unbound_num_threads }}
harden-glue: yes key-cache-slabs: {{ unbound_num_threads }}
hide-identity: yes msg-cache-slabs: {{ unbound_num_threads }}
hide-version: yes rrset-cache-slabs: {{ unbound_num_threads }}
infra-cache-slabs: 8
key-cache-slabs: 8 # cache
msg-cache-slabs: 8 cache-max-ttl: {{ unbound_cache_max_ttl }}
num-threads: 2 cache-min-ttl: {{ unbound_cache_min_ttl }}
prefetch: yes prefetch: {{ 'yes' if unbound_prefetch else 'no' }}
rrset-cache-slabs: 8
use-caps-for-id: no # security
harden-dnssec-stripped: {{ 'yes' if unbound_harden_dnssec_stripped else 'no' }}
harden-glue: {{ 'yes' if unbound_harden_glue else 'no' }}
hide-identity: {{ 'yes' if unbound_hide_identity else 'no' }}
hide-version: {{ 'yes' if unbound_hide_version else 'no' }}
use-caps-for-id: {{ 'yes' if unbound_use_caps_for_id else 'no' }}
qname-minimisation: {{ 'yes' if unbound_qname_minimisation else 'no' }}
# include zone configurations # include zone configurations
include: "/etc/unbound/zones.conf" include: "/etc/unbound/zones.conf"