From f3ad3c6bab287d2543c3d20017c37b8ce9ce909f Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 4 May 2018 19:47:14 +0200 Subject: [PATCH] Role that installs and configure the unbound resolver. --- .../{files => templates}/resolv.conf | 0 unbound-resolver/defaults/main.yml | 18 ++++++++++ unbound-resolver/handlers/main.yml | 4 +++ unbound-resolver/tasks/main.yml | 17 ++++++++++ .../templates/unbound-remote-control.conf | 2 ++ .../templates/unbound-server.conf | 34 +++++++++++++++++++ 6 files changed, 75 insertions(+) rename ubuntu-deb-general/{files => templates}/resolv.conf (100%) create mode 100644 unbound-resolver/defaults/main.yml create mode 100644 unbound-resolver/handlers/main.yml create mode 100644 unbound-resolver/tasks/main.yml create mode 100644 unbound-resolver/templates/unbound-remote-control.conf create mode 100644 unbound-resolver/templates/unbound-server.conf diff --git a/ubuntu-deb-general/files/resolv.conf b/ubuntu-deb-general/templates/resolv.conf similarity index 100% rename from ubuntu-deb-general/files/resolv.conf rename to ubuntu-deb-general/templates/resolv.conf diff --git a/unbound-resolver/defaults/main.yml b/unbound-resolver/defaults/main.yml new file mode 100644 index 00000000..aa48d735 --- /dev/null +++ b/unbound-resolver/defaults/main.yml @@ -0,0 +1,18 @@ +--- +unbound_pkgs: + - unbound + - unbound-anchor + - unbound-host + - dig + +unbound_interfaces: + - '0.0.0.0' + - '::0' + +unbound_allowed_clients: + - { cidr: '0.0.0.0/0', policy: 'allow' } + +unbound_verbosity: 1 +unbound_threads: '{{ ansible_processor_count }}' + +unbound_remote_control: 'no' diff --git a/unbound-resolver/handlers/main.yml b/unbound-resolver/handlers/main.yml new file mode 100644 index 00000000..262fab5a --- /dev/null +++ b/unbound-resolver/handlers/main.yml @@ -0,0 +1,4 @@ +--- +- name: Restart unbound + service: name=unbound state=restarted + \ No newline at end of file diff --git a/unbound-resolver/tasks/main.yml b/unbound-resolver/tasks/main.yml new file mode 100644 index 00000000..822bafe7 --- /dev/null +++ b/unbound-resolver/tasks/main.yml @@ -0,0 +1,17 @@ +--- +- block: + - name: Install the unbound resolver packages + apt: pkg={{ item }} state=latest cache_valid_time=1800 update_cache=yes + with_items: '{{ unbound_pkgs }}' + + - name: Install the unbound config files + template: src={{ item }} dest=/etc/unbound/unbound.conf.d/{{ item }} + with_items: + - unbound-server.conf + - unbound-remote-control.conf + notify: Restart unbound + + - name: Ensure that the unbound service is started and enabled + service: name=unbound state=started enabled=yes + + tags: [ 'unbound' ] \ No newline at end of file diff --git a/unbound-resolver/templates/unbound-remote-control.conf b/unbound-resolver/templates/unbound-remote-control.conf new file mode 100644 index 00000000..42b29b9d --- /dev/null +++ b/unbound-resolver/templates/unbound-remote-control.conf @@ -0,0 +1,2 @@ +remote-control: + control-enable: {{ unbound_remote_control }} diff --git a/unbound-resolver/templates/unbound-server.conf b/unbound-resolver/templates/unbound-server.conf new file mode 100644 index 00000000..c59cfcef --- /dev/null +++ b/unbound-resolver/templates/unbound-server.conf @@ -0,0 +1,34 @@ +server: +{% for interface in unbound_interfaces %} + interface: {{ interface }} +{% endfor %} +{% for net in unbound_allowed_clients %} + access-control: {{ net.cidr }} {{ net.policy }} +{% endfor %} + verbosity: {{ unbound_verbosity }} + # use all CPUs + num-threads: {{ unbound_threads }} + + # power of 2 close to num-threads + msg-cache-slabs: {{ unbound_threads }} + rrset-cache-slabs: {{ unbound_threads }} + infra-cache-slabs: {{ unbound_threads }} + key-cache-slabs: {{ unbound_threads }} + + # more cache memory, rrset=msg*2 + rrset-cache-size: 100m + msg-cache-size: 50m + + # more outgoing connections + # depends on number of cores: 1024/cores - 50 + outgoing-range: {{ 1024 / unbound_threads - 50 }} + + # Larger socket buffer. OS may need config. + so-rcvbuf: 4m + so-sndbuf: 4m + + # Faster UDP with multithreading (only on Linux). + so-reuseport: yes + # with libevent + outgoing-range: 8192 + num-queries-per-thread: 4096