authorAaron LI <aly@aaronly.me>2018-02-24 17:49:06 +0800
committerAaron LI <aly@aaronly.me>2018-03-14 11:28:44 +0800
commit5fcd532b648824d947ec009d8d63508b9d3be7fa (patch)
treec12f3cc6dcd16eaef2ead40b630bf95efcc98bc5
parent30724d5f9f13530d7d81a51e6b040970bab49c00 (diff)
downloadansible-dfly-vps-5fcd532b648824d947ec009d8d63508b9d3be7fa.tar.bz2
dns/unbound: update config and enable remote-control
-rw-r--r--roles/dns/files/unbound.conf35
-rw-r--r--roles/dns/tasks/main.yml12
2 files changed, 35 insertions, 12 deletions
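--- a/roles/dns/files/unbound.conf
+++ b/roles/dns/files/unbound.conf
@@ -58,16 +58,11 @@ server:
 statistics-interval: 7200
 # Enable or disable whether IPv4 queries are answered or issued.
- # Default: yes
 do-ip4: yes
 # Enable or disable whether IPv6 queries are answered or issued.
 do-ip6: yes
- # Whether prefer IPv6 transport for sending queries?
- # Default: no
- #prefer-ip6: no
-
 # Enable or disable whether UDP queries are answered or issued.
 # Default: yes
 do-udp: yes
@@ -126,14 +121,30 @@ server:
 # Default: 1 (operational info).
 verbosity: 1
- # The log file, "" means log to stderr.
- # NOTE: set the below "use-syslog" to "no" when to use this option.
- logfile: "/usr/local/etc/unbound/unbound.log"
-
- # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
- # NOTE: will override the above "logfile" option if enabled.
- #use-syslog: no
+ # Log messages to syslog(3) with the LOG_DAEMON facility.
 use-syslog: yes
+ #
+ # Log messages to the specified file.
+ #use-syslog: no
+ #logfile: "/usr/local/etc/unbound/unbound.log"
+
+# Remote control config section.
+#
+remote-control:
+ # Enable remote control with unbound-control(8) here.
+ control-enable: yes
+
+ # Interfaces listened to for remote control.
+ control-interface: 127.0.0.1
+ control-interface: ::1
+
+ # Server and unbound-control key and certificate files.
+ # Set up the keys and certificates with unbound-control-setup.
+ control-use-cert: yes
+ server-key-file: "/usr/local/etc/unbound/unbound_server.key"
+ server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
+ control-key-file: "/usr/local/etc/unbound/unbound_control.key"
+ control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
 # WARNING: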
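Review bot: The remote-control clause added in the `@@ -126,14 +121,30 @@` hunk turns on a management channel whose only gate is possession of `unbound_control.key`, yet the comments explain how the keys are generated and not who may read them; suggest extending the `# Set up the keys and certificates with unbound-control-setup.` comment with `# Keep the *.key files readable only by root and the unbound user: anyone who can read unbound_control.key can administer this resolver.` Binding `control-interface` to `127.0.0.1` and `::1` only is the right choice for a host-local channel. If the target host has IPv6 disabled, the `::1` listener may keep the daemon from starting, so that is worth confirming before relying on it. The file continues past the `# WARNING:` line at the end of the hunk.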
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index 04c45f3..d6bfb2f 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -22,6 +22,15 @@
"https://www.internic.net/domain/named.cache"
notify: reload-unbound
+- name: unbound - check existence of control key/cert
+ stat:
+ path: /usr/local/etc/unbound/unbound_control.key
+ register: stat_result
+
+- name: unbound - generate self-signed key/cert for control
+ command: unbound-control-setup
+ when: stat_result.stat.exists == False
+
- name: unbound - copy configuration
copy:
src: unbound.conf
@@ -36,6 +45,9 @@
src: resolv.conf
dest: /etc/resolv.conf
+#
+# NSD
+#
- name: NSD - copy configuration
template:
src: nsd.conf.j2