Use built-in roles and move /etc/resolv.conf replacement into tasks
This commit is contained in:
parent
7e4eba3ac9
commit
fa51f71e57
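--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -1,18 +1,3 @@
-- name: Reload unbound
-systemd:
-name: unbound
-state: reloaded
-- name: Enable unbound
-systemd:
-name: unbound
-enabled: yes
-state: restarted
-daemon_reload: yes
-- name: Set unbound as default dns
-replace:
-path: /etc/resolv.conf
-regexp: "^nameserver.*$"
-replace: "nameserver 127.0.0.1"
 - name: Disable systemd-resolved
 systemd:
 name: systemd-resolved
@@ -21,8 +6,3 @@
 notify:
 - Enable unbound
 - Set unbound as default dns
-- name: Save netfilter rules
-command:
-argv:
-- '/usr/sbin/netfilter-persistent'
-- 'save'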
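Review bot: The `notify:` list kept under the `Disable systemd-resolved` handler in the second hunk still names `Enable unbound` and `Set unbound as default dns`, yet the first hunk removes both handlers from this file and the commit turns the latter into a plain task. Ansible fails the play when a notification fires for a handler that exists in neither the handlers list nor as a listener, so unless one of the new built-in roles defines handlers with exactly these names, this handler breaks the first time systemd-resolved changes state. Either drop the `notify:` block or point it at the handler the roles provide, e.g. `notify: Run service actions` as the task file now does. The handler's `state`/`enabled` lines fall between the two hunks and are not visible here.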
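--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -1,13 +1,3 @@
-- name: Install Unbound
-apt:
-install_recommends: no
-name: unbound
-state: present
-cache_valid_time: 3600
-notify: Disable systemd-resolved
-tags:
-- setup
-- packages
 - name: Copy configuration files
 loop:
 - internal.conf
@@ -16,30 +6,16 @@
 template:
 follow: yes
 src: '{{ item }}.j2'
-dest: /etc/unbound/{{ item }}
-notify:
-- Reload unbound
+dest: "/etc/unbound/{{ item }}"
+notify: Run service actions
 tags:
-- update
+- config
 - unbound
-- name: Allow Unbound through iptables
-loop:
-- { ipv: 'ipv4', proto: 'tcp' }
-- { ipv: 'ipv6', proto: 'tcp' }
-- { ipv: 'ipv4', proto: 'udp' }
-- { ipv: 'ipv6', proto: 'udp' }
-iptables:
-chain: INPUT
-ctstate:
-- NEW
-- ESTABLISHED
-- RELATED
-destination_port: "53"
-jump: ACCEPT
-ip_version: '{{ item.ipv }}'
-protocol: '{{ item.proto }}'
-notify:
-- Save netfilter rules
+- name: Set unbound as default dns
+replace:
+path: /etc/resolv.conf
+regexp: "^nameserver.*$"
+replace: "nameserver 127.0.0.1"
 tags:
-- update
-- firewall
+- config
+- unbound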
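Review bot: The `Set unbound as default dns` task added in the second hunk now runs inline, while the unbound reload it depends on is deferred to the `Run service actions` handler (defined outside this file, presumably by one of the built-in roles); from that point until handlers flush, every later task on the host that needs name resolution is pointed at `127.0.0.1`, where unbound may not be listening yet. A `- meta: flush_handlers` placed before this task would bring unbound up first, or the task could be moved to the end of the role. Separately, `regexp: "^nameserver.*$"` rewrites every nameserver line to the same value, so a resolv.conf listing several upstream resolvers ends up with duplicate `nameserver 127.0.0.1` lines; managing the whole file with `copy`/`template` instead of `replace` would make the result deterministic. If /etc/resolv.conf is the systemd-resolved-managed symlink on these hosts, that service can also rewrite it, so the edit only sticks while the unit stays down.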
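--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -0,0 +1,11 @@
+firewall:
+- { port: 53, ipv: "v4", proto: "tcp" }
+- { port: 53, ipv: "v4", proto: "udp" }
+- { port: 53, ipv: "v6", proto: "tcp" }
+- { port: 53, ipv: "v6", proto: "udp" }
+systemd:
+services:
+- { name: "systemd-resolved", state: stopped }
+- { name: "unbound", enabled: true, state: reloaded }
+apt_packages:
+- { package: "unbound", state: present }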
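Review bot: `- { name: "systemd-resolved", state: stopped }` only stops the unit; without `enabled: false` it comes back on the next boot and, on distributions where it manages /etc/resolv.conf, typically rewrites the file that the `Set unbound as default dns` task edited, silently moving resolution away from unbound. The old `Disable systemd-resolved` handler this replaces has its own `enabled` line outside the visible hunks, so confirm the intent, but `- { name: "systemd-resolved", enabled: false, state: stopped }` mirrors what the unbound entry already does. The four `firewall` entries open port 53 on both address families to any source, the same exposure the removed iptables tasks had; that is only appropriate if the `internal.conf` template restricts unbound's `access-control` to the intended client networks, which cannot be checked from this commit and deserves a comment next to the list.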