unbound: configure unbound-control

2020-04-28 20:21:47 +02:00 · 2020-04-28 20:21:47 +02:00 · b4482b6d3b
commit b4482b6d3b
parent bac131791b
2 changed files with 46 additions and 0 deletions
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@ -17,6 +17,29 @@
    update_cache: true
    name: unbound
    state: present
+  register: unbound_install
+
+- name: check if unbound-control certificate exists
+  stat:
+    path: /etc/unbound/unbound_control.pem
+  register: ubc_control_pem
+
+
+- name: check if unbound server certificate exists
+  stat:
+    path: /etc/unbound/unbound_server.pem
+  register: ubc_server_pem
+
+- name: run unbound-control-setup if a certificate is missing
+  command: unbound-control-setup
+  become: yes
+  when: ubc_control_pem.stat.exists == False or ubc_server_pem.stat.exists == False
+
+- name: add unbound-control configuration
+  template:
+    src: unbound-control.conf.j2
+    dest: /etc/unbound/unbound.conf.d/unbound-control.conf
+    mode: 0644

 - name: setup main unbound config file
  template:
--- a/roles/unbound/templates/unbound-control.conf.j2
+++ b/roles/unbound/templates/unbound-control.conf.j2
@ -0,0 +1,23 @@
+remote-control:
+    # Enable remote control with unbound-control(8) here.
+    # set up the keys and certificates with unbound-control-setup.
+    control-enable: yes
+   
+    # what interfaces are listened to for remote control.
+    # give 0.0.0.0 and ::0 to listen to all interfaces.
+    control-interface: 127.0.0.1
+   
+    # port number for remote control operations.
+    control-port: 8953
+   
+    # unbound server key file.
+    server-key-file: "/etc/unbound/unbound_server.key"
+   
+    # unbound server certificate file.
+    server-cert-file: "/etc/unbound/unbound_server.pem"
+   
+    # unbound-control key file.
+    control-key-file: "/etc/unbound/unbound_control.key"
+   
+    # unbound-control certificate file.
+    control-cert-file: "/etc/unbound/unbound_control.pem"