unbound: initial deployment

group_vars/edc/ldap_local_replica.yml

@@ -0,0 +1,4 @@
+---
+ldap_local_replica_uri:
+  - 'ldap://ldap-replica-edc.adm.auro.re'
+

hosts

@@ -149,15 +149,15 @@ edc_pve
 gs_pve
 
 [dhcp]
-dhcp-fleming.adm.auro.re
+#dhcp-fleming.adm.auro.re
 dhcp-fleming-backup.adm.auro.re
 #dhcp-pacaterie.adm.auro.re
 #dhcp-pacaterie-backup.adm.auro.re
 #dhcp-edc.adm.auro.re
 #dhcp-gs.adm.auro.re
 
-[dns]
+[recursive_dns]
-#dns-fleming.adm.auro.re
+dns-fleming.adm.auro.re
 #dns-fleming-backup.adm.auro.re
 #dns-pacaterie.adm.auro.re
 #dns-pacaterie-backup.adm.auro.re

network.yml

@@ -1,20 +1,4 @@
 ---
-## Deploy DHCP
-#- hosts: dhcp
-#  vars:
-#    service_repo: https://gitlab.federez.net/re2o/dhcp.git
-#    service_name: dhcp
-#    service_version: master
-#    service_config:
-#      hostname: re2o-server.adm.auro.re
-#      username: service-user
-#      password: "{{ vault_serviceuser_passwd }}"
-#    dhcp:
-#      authoritative: true
-#  roles:
-#    - re2o-service
-#    - isc-dhcp-server
-    
 # Set up DHCP servers.
 - hosts: dhcp
   vars:
@@ -29,18 +13,29 @@
     - re2o-service
     - isc-dhcp-server
 
-# Deploy DNS
+
-- hosts: dns
+
+# Deploy unbound DNS server (recursive).
+- hosts: recursive_dns
   vars:
-    service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
+    - dns_host_suffix: 253
-    service_name: dns
-    service_version: crans
-    service_config:
-      hostname: re2o-server.adm.auro.re
-      username: service-user
-      password: "{{ vault_serviceuser_passwd }}"
   roles:
-    - re2o-service
+    - unbound
+
+
+# WIP: Deploy authoritative DNS servers
+# - hosts: authoritative_dns
+#   vars:
+#     service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
+#     service_name: dns
+#     service_version: crans
+#     service_config:
+#       hostname: re2o-server.adm.auro.re
+#       username: service-user
+#       password: "{{ vault_serviceuser_passwd }}"
+#   roles:
+#     - re2o-service
+
 
 # Deploy Unifi Controller
 #- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re

roles/unbound/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+
+- name: install unbound
+  apt:
+    update_cache: true
+    name: unbound
+    state: present
+
+- name: setup main unbound config file
+  template:
+    src: unbound.conf.j2
+    dest: /etc/unbound/unbound.conf
+    mode: 0644
+
+- name: setup recursive DNS server config
+  template:
+    src: recursive.conf.j2
+    dest: /etc/unbound/unbound.conf.d/recursive.conf
+    mode: 0644
+
+
+- name: restart unbound after editing config
+  systemd:
+    state: restarted
+    name: unbound

roles/unbound/templates/recursive.conf.j2

@@ -0,0 +1,89 @@
+server:
+    verbosity: 1
+    use-syslog: yes
+    logfile: "/var/log/unbound.log"
+    log-time-ascii: yes
+ 
+    # IP addresses on which to listen.
+    interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
+    interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
+    interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
+
+ 
+    # By default, anything other than localhost is refused.
+    # Whitelist some subnets:
+    access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
+    access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
+    access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
+
+    do-ip4: yes
+    # FIXME: IPv6 deployment... someday...
+    do-ip6: no
+
+    do-udp: yes
+    do-tcp: yes
+ 
+    num-threads: {{ ansible_processor_vcpus }}
+ 
+    # power of 2 close to num-threads  
+    # TODO: compute this dynamically w/ Ansible
+    msg-cache-slabs: 16
+    rrset-cache-slabs: 16
+    infra-cache-slabs: 16
+    key-cache-slabs: 16
+ 
+    # Read the root hints from this file
+    # FIXME: missing file.
+    # root-hints: "/var/lib/unbound/root.hints"
+ 
+    harden-referral-path: yes  
+    use-caps-for-id: yes
+    hide-identity: yes
+    hide-version: yes
+    harden-glue: yes
+    harden-dnssec-stripped: yes
+ 
+    # the time to live (TTL) value lower bound, in seconds. Default 0.
+    # If more than an hour could easily give trouble due to stale data.
+    # WARNING : against protocol rule but efficient against stupidly too low TTLs
+ 
+    cache-min-ttl: 3600	
+ 
+    # the time to live (TTL) value cap for RRsets and messages in the
+    # cache. Items are not cached for longer. In seconds.
+    cache-max-ttl: 86400
+ 
+    prefetch: yes	
+ 
+    # If nonzero, unwanted replies are not only reported in statistics, but also
+    # a running total is kept per thread. If it reaches the threshold, a warning
+    # is printed and a defensive action is taken, the cache is cleared to flush
+    # potential poison out of it.  A suggested value is 10000000, the default is
+    # 0 (turned off). We think 10K is a good value.
+    unwanted-reply-threshold: 10000
+ 
+    # Should additional section of secure message also be kept clean of unsecure
+    # data. Useful to shield the users of this validator from potential bogus
+    # data in the additional section. All unsigned data in the additional section
+    # is removed from secure messages.
+    val-clean-additional: yes
+ 
+    # Log validation failures
+    val-log-level: 2
+
+
+    private-address: 10.0.0.0/8
+ 
+    # Optimise
+    # https://unbound.net/documentation/howto_optimise.html
+ 
+    # Faster UDP with multithreading (only on Linux).
+    so-reuseport: yes
+ 
+    # Taille du cache
+    rrset-cache-size: 100m
+    msg-cache-size: 50m
+ 
+    # gestion DNSSEC
+   harden-below-nxdomain: yes
+   harden-dnssec-stripped: yes

roles/unbound/templates/unbound.conf.j2

@@ -0,0 +1,10 @@
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/examples/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+include: "/etc/unbound/unbound.conf.d/*.conf"