Role that installs and configure the unbound resolver.

2018-05-04 19:47:14 +02:00 · 2018-05-04 19:47:14 +02:00 · f3ad3c6bab
parent 7fac63e071
commit f3ad3c6bab
6 changed files with 75 additions and 0 deletions
--- a/ubuntu-deb-general/templates/resolv.conf
+++ b/ubuntu-deb-general/templates/resolv.conf
--- a/unbound-resolver/defaults/main.yml
+++ b/unbound-resolver/defaults/main.yml
@ -0,0 +1,18 @@
+---
+unbound_pkgs:
+  - unbound
+  - unbound-anchor
+  - unbound-host
+  - dig
+
+unbound_interfaces:
+  - '0.0.0.0'
+  - '::0'
+
+unbound_allowed_clients:
+  - { cidr: '0.0.0.0/0', policy: 'allow' }
+  
+unbound_verbosity: 1
+unbound_threads: '{{ ansible_processor_count }}'
+
+unbound_remote_control: 'no'
--- a/unbound-resolver/handlers/main.yml
+++ b/unbound-resolver/handlers/main.yml
@ -0,0 +1,4 @@
+---
+- name: Restart unbound
+  service: name=unbound state=restarted
+  
--- a/unbound-resolver/tasks/main.yml
+++ b/unbound-resolver/tasks/main.yml
@ -0,0 +1,17 @@
+---
+- block:
+  - name: Install the unbound resolver packages
+    apt: pkg={{ item }} state=latest cache_valid_time=1800 update_cache=yes
+    with_items: '{{ unbound_pkgs }}'
+
+  - name: Install the unbound config files
+    template: src={{ item }} dest=/etc/unbound/unbound.conf.d/{{ item }}
+    with_items:
+      - unbound-server.conf
+      - unbound-remote-control.conf
+    notify: Restart unbound
+  
+  - name: Ensure that the unbound service is started and enabled
+    service: name=unbound state=started enabled=yes    
+
+  tags: [ 'unbound' ]
--- a/unbound-resolver/templates/unbound-remote-control.conf
+++ b/unbound-resolver/templates/unbound-remote-control.conf
@ -0,0 +1,2 @@
+remote-control:
+        control-enable: {{ unbound_remote_control }}
--- a/unbound-resolver/templates/unbound-server.conf
+++ b/unbound-resolver/templates/unbound-server.conf
@ -0,0 +1,34 @@
+server:
+{% for interface in unbound_interfaces %}
+	interface: {{ interface }}
+{% endfor %}
+{% for net in unbound_allowed_clients %}
+        access-control: {{ net.cidr }} {{ net.policy }}
+{% endfor %}
+        verbosity: {{ unbound_verbosity }}
+        # use all CPUs
+        num-threads: {{ unbound_threads }}
+	
+        # power of 2 close to num-threads  
+        msg-cache-slabs: {{ unbound_threads }}
+        rrset-cache-slabs: {{ unbound_threads }}
+        infra-cache-slabs: {{ unbound_threads }}
+        key-cache-slabs: {{ unbound_threads }}
+
+        # more cache memory, rrset=msg*2
+        rrset-cache-size: 100m
+        msg-cache-size: 50m
+
+        # more outgoing connections
+        # depends on number of cores: 1024/cores - 50 
+        outgoing-range: {{ 1024 / unbound_threads - 50 }}
+
+        # Larger socket buffer.  OS may need config.
+        so-rcvbuf: 4m
+        so-sndbuf: 4m
+
+        # Faster UDP with multithreading (only on Linux).
+	so-reuseport: yes
+        # with libevent
+        outgoing-range: 8192
+        num-queries-per-thread: 4096