publicarray.unbound

Ansible Role for Unbound


This is a flexible Ansible role for setting up Unbound DNS resolver.

  • Requires Ansible 2.2 or later.
  • Works on systems using systemd, including recent versions of Ubuntu, Debian, RHEL, CentOS 6.x, and FreeBSD.

Table of Contents

  1. Installation
  2. Examples and Common Use-Cases
  3. Dependencies
  4. Requirements
  5. Role Variables
  6. Example Playbook
  7. Testing
    1. Using Molecule
    2. Using Geerlingguy's Script

Installation

To install the role, run:

$ ansible-galaxy install publicarray.unbound

Examples and Common Use-Cases

For additional examples, check the wiki: Examples.

Dependencies

Requires Ansible 2.2 or later.

Requirements

No specific requirements.

Role Variables

Here are some default variables you can customize. They're also listed in defaults/main.yml. It's a good idea to copy these variables to your group_vars/all/configs file. Refer to Unbound’s documentation for more detailed explanations: https://unbound.net/documentation/unbound.conf.html

---
unbound_compile: false  # Option to compile Unbound from source
unbound_compile_version: 1.8.0  # Version to download
unbound_compile_sha256: [checksum]  # Checksum for file verification
unbound_compile_config: "--enable-dnscrypt ..."  # Configuration options for compilation

unbound_optimise: false  # Whether to optimize
unbound_optimise_memory: 100  # Memory percentage if optimizing

# DNS-over-TLS settings
unbound_tls_domain: example.com  # Domain for TLS
unbound_tls_cert_provider: selfsigned  # Certificate provider
unbound_tls_acme_auto_upgrade: 0  # Auto-update option
unbound_tls_acme_ca: https://acme-v01.api.letsencrypt.org/directory  # Let's Encrypt CA
unbound_tls_acme_staging: false  # Use staging server
unbound_tls_acme_force: false  # Force creation of certificate
unbound_tls_acme_mode: dns dns_cf  # Domain validation mode
unbound_tls_acme_dns_acc:  # DNS API credentials
  CF_Email: 
  CF_Key: 
  CF_Api: https://api.cloudflare.com/client/v4
unbound_tls_acme_keysize: 4096  # Key size
unbound_tls_acme_ecc: false  # Create ECC certificate
unbound_tls_acme_debug: false  # Enable debug info

# Unbound main configuration
unbound:
  server:
    verbosity: 1
    logfile: unbound.log
    username: "{{_unbound.user}}"
    directory: "{{_unbound.conf_dir}}"
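Added example (not part of the role's own documentation): one way to keep the Cloudflare credentials under unbound_tls_acme_dns_acc out of plain-text group_vars by referencing Ansible Vault variables. The file paths and the vault_cf_* names are assumptions, and the values shown are placeholders.

```yaml
---
# File 1 (assumed path): group_vars/all/unbound.yml
# Committed in plain text. It holds only references, never the secrets.
unbound_tls_domain: dns.example.com      # constructed sample domain
unbound_tls_acme_staging: true           # test against the staging server first
unbound_tls_acme_dns_acc:
  CF_Email: "{{ vault_cf_email }}"       # hypothetical variable name
  CF_Key: "{{ vault_cf_key }}"           # hypothetical variable name
  CF_Api: https://api.cloudflare.com/client/v4

---
# File 2 (assumed path): group_vars/all/vault.yml
# Encrypt this file before committing it:
#   ansible-vault encrypt group_vars/all/vault.yml
# Once encrypted, the file on disk starts with a $ANSIBLE_VAULT header
# and the values below are no longer readable in the repository.
vault_cf_email: admin@example.com        # placeholder
vault_cf_key: REPLACE_WITH_API_KEY       # placeholder, never a real key
```

Run the playbook with --ask-vault-pass or --vault-password-file so Ansible can decrypt the second file at run time.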

Example Playbook

---
- hosts: all
  roles:
    - { role: publicarray.unbound }
  vars:
    unbound_optimise: true

To run the playbook, use:

$ ansible-playbook -i dns.example.com, playbook.yml

Testing

Using Molecule

Ensure you have Python 2.7 and Docker installed.

virtualenv --no-setuptools venv
source venv/bin/activate
pip install docker-py molecule
molecule test  # Add --debug for verbose output
deactivate

Using Geerlingguy's Script

  1. Install and start Docker.
  2. Download the testing script into tests/test.sh:
    • wget -O tests/test.sh https://gist.githubusercontent.com/geerlingguy/...
  3. Make it executable: chmod +x tests/test.sh.
  4. Run the test from the role's root directory using:
    distro=[distro] playbook=[playbook] ./tests/test.sh
    

Supported Distributions and Playbooks

Supported distributions include:

  • CentOS 7
  • Ubuntu 16.04
  • Ubuntu 14.04
  • Debian 9
  • Debian 8

You can find test playbooks in the tests directory.

License

This role is licensed under MIT/BSD.

Author Information

Created by @publicarray.
