
Added third party role to install and configure unbound

Till Klocke 9 年 前
2b49769673

+ 12 - 0
galaxy-roles/jdauphant.unbound/.travis.yml

@@ -0,0 +1,12 @@
+---
+language: python
+python: "2.7"
+before_install:
+ - sudo apt-get update -qq
+ - sudo apt-get install -qq python-apt python-pycurl
+install:
+  - pip install ansible
+script:
+  - echo localhost > inventory
+  - ansible-playbook -i inventory --syntax-check --list-tasks role.yml
+  - ansible-playbook -i inventory --connection=local --sudo -vvvv role.yml
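Review bot: The two `before_install` items use flush sequence indentation while `install` and `script` indent theirs, so the file mixes both styles; make them match, e.g. `  - sudo apt-get update -qq` and `  - sudo apt-get install -qq python-apt python-pycurl`. `pip install ansible` also pulls whatever release is current, so the syntax check runs against an unpinned Ansible that may not be the one the role declares in meta/main.yml; pinning it (`pip install 'ansible==<pinned version>'`, placeholder) keeps the CI result reproducible.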

+ 23 - 0
galaxy-roles/jdauphant.unbound/LICENSE

@@ -0,0 +1,23 @@
+Copyright (c) 2014, DAUPHANT Julien
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice, this
+  list of conditions and the following disclaimer in the documentation and/or
+  other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+ 98 - 0
galaxy-roles/jdauphant.unbound/README.md

@@ -0,0 +1,98 @@
+ansible-role-unbound
+====================
+
+Ansible role for Unbound DNS Server and resolver
+
+
+# Supports
+- Add DNS entries
+- Generation of DNS entries from ansible inventory (A entries and reverse)
+- Forward to another dns
+- IPv4 only for reverse
+
+# Information :
+- Test on Ubuntu
+- Untested on debian and fedora
+
+# Example :
+
+## Simple forward on localhost :
+```
+# Activate forward (activate by default)
+unbound_forward_zone_active : true
+# Forward server to google DNS (activate by default)
+unbound_forward_zone:
+   - 8.8.8.8 #Google DNS 1
+   - 8.8.4.4 #Google DNS 2
+```
+
+## Generate entries and reverse from the inventory (need ansible_ssh_host set on all host)
+```
+# Listen interface
+unbound_interfaces: 
+    - 127.0.0.1
+    - 192.168.0.10
+
+# Authorized IPs
+unbound_access_control:
+    - 127.0.0.1 allow
+    - 192.168.0.0/24 allow
+
+# Create entries from inventory (reverse  also created by default)
+unbound_inventory_domain:
+    all: 'internal.domain' # All hosts
+
+# Create reverse entries from inventory
+unbound_inventory_reverse_domain:
+    all: 'internal.domain' # All hosts
+
+# Activate forward (activate by default)
+unbound_forward_zone_active : true
+# Forward server to google DNS (activate by default)
+unbound_forward_zone:
+   - 8.8.8.8 #Google DNS 1
+   - 8.8.4.4 #Google DNS 2
+
+```
+
+## More complete example (need ansible_ssh_host set on all host)
+```
+# Listen interface
+unbound_interfaces: 
+    - 127.0.0.1
+    - 192.168.0.10
+
+# Authorized IPs
+unbound_access_control:
+    - 127.0.0.1 allow
+    - 192.168.0.0/24 allow
+
+# Simple DNS entries
+unbound_domains:
+    - domain_name: "example.com"
+      host1: IN A 127.0.0.1
+      www: IN CNAME host1
+
+# Create entry and reverse
+unbound_domains_with_reverses:
+    - domain_name: "reversed.example.com"
+      host1: 127.0.0.1
+      host2: 127.0.0.2
+      host3: 127.0.0.3
+
+# Create entries from inventory
+unbound_inventory_domain:
+    all: 'localdomain' # All hosts
+    webserver: 'webserver.localdomain' # Hosts in webserver
+
+# Create reverse entries from inventory
+unbound_inventory_reverse_domain:
+    dbserver: 'dbserver.localdomain' # Hosts in dbserver
+    webserver: 'webserver.localdomain' # Hosts in webserver
+
+# Type of local host (default : static )
+unbound_local_zone_type:
+    example.com: "transparent"
+    reversed.example.com: "static"
+
+```

+ 2 - 0
galaxy-roles/jdauphant.unbound/ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+roles_path = ../

+ 57 - 0
galaxy-roles/jdauphant.unbound/defaults/main.yml

@@ -0,0 +1,57 @@
+---
+unbound_logfile: "/var/log/unbound.log"
+unbound_configuration:
+    - verbosity: 1
+    - do-ip4: "yes"
+    - do-ip6: "no"
+    - num-threads: 1
+    - pidfile: "/var/run/unbound.pid"
+    - logfile: "{{unbound_logfile}}"
+
+unbound_zone_name: "default"
+unbound_only_zones: false
+
+unbound_interfaces: 
+    - 127.0.0.1
+
+unbound_access_control:
+    - 127.0.0.1 allow
+
+unbound_private_address:
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+    - 169.254.0.0/16 
+    - "fd00::/8"
+    - "fe80::/10"
+
+unbound_domains: {}
+
+unbound_domains_with_reverses: []
+
+unbound_inventory_domain: {}
+
+unbound_local_zone_type: {}
+unbound_local_zone: []
+
+unbound_default_local_zone: "static"
+
+unbound_inventory_domain_with_reverse: true
+
+unbound_zones: 
+    - name: "default"
+
+unbound_forward_zone_active : true
+unbound_forward_zone:
+   - 8.8.8.8 #Google DNS 1
+   - 8.8.4.4 #Google DNS 2
+
+# Package states: installed or latest
+unbound_pkg_state: installed
+
+# Service states: started or stopped
+unbound_service_state: started
+
+# Service enabled on startup: yes or no
+unbound_service_enabled: yes
+
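Review bot: `unbound_service_enabled: yes` relies on YAML 1.1 truthy parsing and reads differently across parsers; write `unbound_service_enabled: true` (the same is intended for `unbound_forward_zone_active : true`, which also carries a space before the colon and should be `unbound_forward_zone_active: true`). The `unbound_interfaces:`, `169.254.0.0/16` and `unbound_zones:` lines carry trailing whitespace. Worth a comment on `unbound_forward_zone` too: with `unbound_forward_zone_active` defaulting to true every query the resolver cannot answer locally leaves the host for Google's public DNS, so a deployment that wants a pure recursive resolver must set the flag to false; `# Default forwarders are Google public DNS; set unbound_forward_zone_active: false to recurse locally instead` would make that explicit.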

+ 7 - 0
galaxy-roles/jdauphant.unbound/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: restart unbound
+  service: name=unbound state=restarted
+
+- name: reload unbound
+  service: name=unbound state=reloaded
+

+ 1 - 0
galaxy-roles/jdauphant.unbound/meta/.galaxy_install_info

@@ -0,0 +1 @@
+{install_date: 'Wed Jul 29 17:37:41 2015', version: v1.0.1}

+ 27 - 0
galaxy-roles/jdauphant.unbound/meta/main.yml

@@ -0,0 +1,27 @@
+---
+galaxy_info:
+  author: "DAUPHANT Julien"
+  license: BSD
+  min_ansible_version: 1.4
+  platforms:
+   - name: EL
+     versions:
+      - 5
+      - 6
+   - name: Fedora
+     versions:
+      - 16
+      - 17
+      - 18
+   - name: Ubuntu
+     versions:
+      - precise
+      - quantal
+      - raring
+      - saucy
+      - trusty
+  categories:
+   - networking
+   - system
+dependencies: []
+
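Review bot: `min_ansible_version: 1.4` is parsed as a float, so a future `1.10` would compare lower than `1.4`; quote it as `min_ansible_version: "1.4"`. The `platforms` and `categories` sequences are indented by one space under their key while `versions` uses two, so the file has no single sequence-indentation style; the other YAML files in this commit use multiples of two spaces.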

+ 4 - 0
galaxy-roles/jdauphant.unbound/role.yml

@@ -0,0 +1,4 @@
+- hosts: localhost
+  remote_user: root
+  roles:
+    - ansible-role-unbound
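Review bot: The playbook references the role as `ansible-role-unbound`, but in this tree the role lives at `galaxy-roles/jdauphant.unbound` and the accompanying ansible.cfg sets `roles_path = ../`, so the name appears not to resolve here; this looks like the upstream repository's self-test playbook rather than something runnable from this checkout. If it is kept, a comment such as `# upstream test playbook; role name matches the upstream repo directory, not the galaxy-roles layout` would stop someone from trying to run it against localhost as root.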

+ 62 - 0
galaxy-roles/jdauphant.unbound/tasks/main.yml

@@ -0,0 +1,62 @@
+---
+- name: install unbound for Debian OS family
+  apt: pkg=unbound state={{ unbound_pkg_state }}
+  when: ansible_os_family == 'Debian' and unbound_only_zones == false
+  tags: ["packages","unbound"]
+
+- name: install unbound for RedHat OS family
+  yum: name=unbound state={{ unbound_pkg_state }}
+  when: ansible_os_family == 'RedHat' and unbound_only_zones == false
+  tags: ["packages","unbound"]
+
+- name: Ensure zones folder exist
+  file: path=/etc/unbound/conf.d state=directory mode=755
+  notify: restart unbound
+  tags: ["configuration","unbound"]
+
+- name: Ensure log file exist
+  file: path={{unbound_logfile}} state=touch mode=755 owner=unbound
+  notify: restart unbound
+  tags: ["configuration","unbound"]
+
+- name: configure add independant config file
+  template: 
+     src={{item}}.j2
+     dest="/etc/unbound/conf.d/{{item}}"
+  with_items: 
+     - 01general.conf
+     - 99forward_zone.conf
+  notify: restart unbound
+  when: unbound_only_zones == false
+  tags: ["configuration","unbound"]
+
+- name: configure unbound zones
+  template: 
+     src=10zone.conf.j2
+     dest="/etc/unbound/conf.d/10{{item.name}}.conf"
+  with_items: unbound_zones
+  notify: restart unbound
+  tags: ["configuration","unbound"]
+
+- name: retreive unbound conf file list
+  shell: /bin/ls /etc/unbound/conf.d/
+  register: unbound_conf_list
+  always_run: true
+  tags: ["configuration","unbound"]
+
+- name: configure unbound.conf to include all configuration
+  template: 
+     src=unbound.conf.j2
+     dest=/etc/unbound/unbound.conf
+     validate="/usr/sbin/unbound-checkconf %s"
+  notify: restart unbound
+  tags: ["configuration","unbound"]
+
+- name: ensure unbound is started/stopped
+  service: 
+     name=unbound
+     state={{ unbound_service_state }}
+     enabled={{ unbound_service_enabled }}
+     pattern="unbound"
+  tags: ["service","unbound"]
+
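Review bot: The "Ensure log file exist" task uses `state=touch`, which reports changed on every run, and it notifies `restart unbound`, so the resolver is restarted every time the playbook runs even when nothing changed; `mode=755` on a log file also makes it executable. I would drop the `notify` from that task and use a non-executable mode, `file: path={{unbound_logfile}} state=touch mode=0644 owner=unbound`, optionally with `changed_when: false` so the task does not report a change on every run. The "retreive unbound conf file list" task ("retrieve") shells out to `/bin/ls` and the result is fed into unbound.conf.j2, which means anything that lands in /etc/unbound/conf.d, including editor backups or `*.dpkg-old`, becomes part of the live configuration; that task is only needed because the include list is built by hand, see the note on unbound.conf.j2.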

+ 19 - 0
galaxy-roles/jdauphant.unbound/templates/01general.conf.j2

@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+
+{% for config in unbound_configuration %}
+    {{ config.keys().0 }}: {{ config.values().0 }}
+{% endfor %}
+    # auto-trust-anchor-file: "/var/lib/unbound/root.key"
+{% for interface in unbound_interfaces %}
+    interface: {{interface}}
+{% endfor %}
+{% for access_control in unbound_access_control %}
+    access-control: {{access_control}}
+{% endfor %}
+
+    hide-identity: yes
+    hide-version: yes
+
+{% for private_address in unbound_private_address %}
+    private-address: {{private_address}}
+{% endfor %}
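Review bot: `auto-trust-anchor-file` is left commented out and nothing else in the generated configuration turns on DNSSEC validation, so with the default forward-zone the resolver accepts whatever the upstream forwarder returns unvalidated; if validation is intended, the line should be emitted (the anchor path depends on the distribution's unbound-anchor setup), and if it is deliberately off a comment saying so would help, e.g. `# DNSSEC validation is not enabled by this role; uncomment and point at the distribution's root.key to validate`. `{{ config.keys().0 }}` / `{{ config.values().0 }}` only work where `dict.keys()` returns an indexable list (Python 2); `{% for key, value in config.items() %}` followed by `    {{ key }}: {{ value }}` renders the same single-key mappings and does not depend on that.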

+ 42 - 0
galaxy-roles/jdauphant.unbound/templates/10zone.conf.j2

@@ -0,0 +1,42 @@
+# {{ ansible_managed }}
+
+{% set local_zone_type = item.local_zone_type | default(unbound_local_zone) %}
+{% set domains_with_reverses = item.domains_with_reverses | default(unbound_domains_with_reverses) %}
+{% set local_zones = item.local_zones | default(unbound_local_zone) %}
+{% set inventory_domain = item.inventory_domain | default(unbound_inventory_domain) %}
+{% set domains = item.domains | default(unbound_domains) %}
+{% set inventory_domain_with_reverse = item.inventory_domain_with_reverse|default(unbound_inventory_domain_with_reverse) %}
+
+
+{% for domain in domains_with_reverses %}
+    local-zone: "{{domain.domain_name}}." {{local_zone_type[domain.domain_name] | default(unbound_default_local_zone)}}
+{% for subdomain, ip in domain.iteritems() %}
+{% if subdomain != "domain_name" %}
+    local-data: "{{ subdomain }}.{{ domain.domain_name }}. IN A {{ ip }}"
+    local-data-ptr: "{{ ip }} {{ subdomain }}.{{ domain.domain_name }}"
+{% endif %}
+{% endfor %}
+{% endfor %}
+
+{% for domain in local_zones %}
+    local-zone: "{{domain}}." {{local_zone_type[domain] | default(unbound_default_local_zone)}}
+{% endfor %}
+
+{% for group, domain in inventory_domain.iteritems() %}
+    # Group {{group}}
+{% for host in groups[group] %}
+    local-data: "{{ hostvars[host]['inventory_hostname_short'] }}.{{ domain }}. IN A {{ hostvars[host][ 'ansible_ssh_host'] }}"
+{% if inventory_domain_with_reverse %}
+	local-data-ptr: "{{ hostvars[host]['ansible_ssh_host'] }} {{ hostvars[host]['inventory_hostname_short'] }}.{{ domain }}."
+{% endif %}
+{% endfor %}
+{% endfor %}
+
+{% for domain in domains %}
+#    local-zone: "{{domain.domain_name}}." {{local_zone_type[domain.domain_name] | default(unbound_default_local_zone)}}
+{% for subdomain, entry in domain.iteritems() %}
+{% if subdomain != "domain_name" %}
+    local-data: "{{ subdomain }}.{{ domain.domain_name }}. {{ entry }}"
+{% endif %}
+{% endfor %}
+{% endfor %}
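Review bot: `local_zone_type` is defaulted from `unbound_local_zone` (a list in defaults/main.yml) instead of `unbound_local_zone_type` (the mapping the README documents), so indexing it with a domain name never finds a user-supplied type and every zone silently gets `unbound_default_local_zone`; the line should read `{% set local_zone_type = item.local_zone_type | default(unbound_local_zone_type) %}`. The `.iteritems()` calls in the three loops are Python 2 only and `.items()` behaves the same for this use. The reverse `local-data-ptr` line inside the inventory loop is indented with a tab while every other line uses spaces.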

+ 9 - 0
galaxy-roles/jdauphant.unbound/templates/99forward_zone.conf.j2

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+{% if unbound_forward_zone_active %}
+    forward-zone:
+        name: "."
+{% for forward_addr in unbound_forward_zone %}
+        forward-addr: {{forward_addr}}
+{% endfor %}      
+{% endif %}

+ 14 - 0
galaxy-roles/jdauphant.unbound/templates/unbound.conf.j2

@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/examples/unbound.conf for a commented
+# reference config file.
+
+server:
+    # The following line will configure unbound to perform cryptographic
+    # DNSSEC validation using the root trust anchor.
+
+{% for include in unbound_conf_list.stdout_lines %}
+    include: "/etc/unbound/conf.d/{{include}}"
+{% endfor %}
+
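Review bot: The comment "The following line will configure unbound to perform cryptographic DNSSEC validation" is followed by nothing, so it misdescribes the file it ends up in; either emit the directive it refers to or drop the comment. The include loop reproduces the `ls` output collected in tasks/main.yml, so every file present in /etc/unbound/conf.d is included regardless of name, and the configuration differs between runs if files are added by hand; if the installed unbound supports glob patterns in `include:`, a single `    include: "/etc/unbound/conf.d/*.conf"` would replace both the loop and the `ls` task and restrict inclusion to the files the role names `*.conf`.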

+ 3 - 0
galaxy-roles/jdauphant.unbound/vars/main.yml

@@ -0,0 +1,3 @@
+---
+
+

+ 3 - 0
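--- a/requirements.yml
+++ b/requirements.yml
@@ -7,4 +7,7 @@
   path: galaxy-roles
 
 - src: debops.radvd
+  path: galaxy-roles
+
+- src: jdauphant.unbound
   path: galaxy-roles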