unbound: initial deployment

This commit is contained in:
Yohaï-Eliel BERREBY 2020-04-13 16:35:09 +02:00
parent 9b043d95d3
commit b3712ed335
8 changed files with 152 additions and 29 deletions

View file

@ -0,0 +1,4 @@
---
ldap_local_replica_uri:
- 'ldap://ldap-replica-edc.adm.auro.re'

6
hosts
View file

@ -149,15 +149,15 @@ edc_pve
gs_pve gs_pve
[dhcp] [dhcp]
dhcp-fleming.adm.auro.re #dhcp-fleming.adm.auro.re
dhcp-fleming-backup.adm.auro.re dhcp-fleming-backup.adm.auro.re
#dhcp-pacaterie.adm.auro.re #dhcp-pacaterie.adm.auro.re
#dhcp-pacaterie-backup.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re
#dhcp-edc.adm.auro.re #dhcp-edc.adm.auro.re
#dhcp-gs.adm.auro.re #dhcp-gs.adm.auro.re
[dns] [recursive_dns]
#dns-fleming.adm.auro.re dns-fleming.adm.auro.re
#dns-fleming-backup.adm.auro.re #dns-fleming-backup.adm.auro.re
#dns-pacaterie.adm.auro.re #dns-pacaterie.adm.auro.re
#dns-pacaterie-backup.adm.auro.re #dns-pacaterie-backup.adm.auro.re

View file

@ -1,20 +1,4 @@
--- ---
## Deploy DHCP
#- hosts: dhcp
# vars:
# service_repo: https://gitlab.federez.net/re2o/dhcp.git
# service_name: dhcp
# service_version: master
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# dhcp:
# authoritative: true
# roles:
# - re2o-service
# - isc-dhcp-server
# Set up DHCP servers. # Set up DHCP servers.
- hosts: dhcp - hosts: dhcp
vars: vars:
@ -29,18 +13,29 @@
- re2o-service - re2o-service
- isc-dhcp-server - isc-dhcp-server
# Deploy DNS
- hosts: dns
# Deploy unbound DNS server (recursive).
- hosts: recursive_dns
vars: vars:
service_repo: https://gitlab.crans.org/nounous/re2o-dns.git - dns_host_suffix: 253
service_name: dns
service_version: crans
service_config:
hostname: re2o-server.adm.auro.re
username: service-user
password: "{{ vault_serviceuser_passwd }}"
roles: roles:
- re2o-service - unbound
# WIP: Deploy authoritative DNS servers
# - hosts: authoritative_dns
# vars:
# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git
# service_name: dns
# service_version: crans
# service_config:
# hostname: re2o-server.adm.auro.re
# username: service-user
# password: "{{ vault_serviceuser_passwd }}"
# roles:
# - re2o-service
# Deploy Unifi Controller # Deploy Unifi Controller
#- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re #- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re

View file

@ -0,0 +1,25 @@
---
- name: install unbound
apt:
update_cache: true
name: unbound
state: present
- name: setup main unbound config file
template:
src: unbound.conf.j2
dest: /etc/unbound/unbound.conf
mode: 0644
- name: setup recursive DNS server config
template:
src: recursive.conf.j2
dest: /etc/unbound/unbound.conf.d/recursive.conf
mode: 0644
- name: restart unbound after editing config
systemd:
state: restarted
name: unbound

View file

@ -0,0 +1,89 @@
server:
verbosity: 1
use-syslog: yes
logfile: "/var/log/unbound.log"
log-time-ascii: yes
# IP addresses on which to listen.
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
# By default, anything other than localhost is refused.
# Whitelist some subnets:
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
do-ip4: yes
# FIXME: IPv6 deployment... someday...
do-ip6: no
do-udp: yes
do-tcp: yes
num-threads: {{ ansible_processor_vcpus }}
# power of 2 close to num-threads
# TODO: compute this dynamically w/ Ansible
msg-cache-slabs: 16
rrset-cache-slabs: 16
infra-cache-slabs: 16
key-cache-slabs: 16
# Read the root hints from this file
# FIXME: missing file.
# root-hints: "/var/lib/unbound/root.hints"
harden-referral-path: yes
use-caps-for-id: yes
hide-identity: yes
hide-version: yes
harden-glue: yes
harden-dnssec-stripped: yes
# the time to live (TTL) value lower bound, in seconds. Default 0.
# If more than an hour could easily give trouble due to stale data.
# WARNING : against protocol rule but efficient against stupidly too low TTLs
cache-min-ttl: 3600
# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
cache-max-ttl: 86400
prefetch: yes
# If nonzero, unwanted replies are not only reported in statistics, but also
# a running total is kept per thread. If it reaches the threshold, a warning
# is printed and a defensive action is taken, the cache is cleared to flush
# potential poison out of it. A suggested value is 10000000, the default is
# 0 (turned off). We think 10K is a good value.
unwanted-reply-threshold: 10000
# Should additional section of secure message also be kept clean of unsecure
# data. Useful to shield the users of this validator from potential bogus
# data in the additional section. All unsigned data in the additional section
# is removed from secure messages.
val-clean-additional: yes
# Log validation failures
val-log-level: 2
private-address: 10.0.0.0/8
# Optimise
# https://unbound.net/documentation/howto_optimise.html
# Faster UDP with multithreading (only on Linux).
so-reuseport: yes
# Taille du cache
rrset-cache-size: 100m
msg-cache-size: 50m
# gestion DNSSEC
harden-below-nxdomain: yes
harden-dnssec-stripped: yes

View file

@ -0,0 +1,10 @@
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"