Default variable details: unbound__server
The unbound__*_server
variables are used to define the contents of the
/etc/unbound/unbound.conf.d/ansible.conf
configuration file. The
variables are YAML lists, concatenated together into
unbound__combined_server
variable, which is passed to the
configuration template. Only the server
section of the configuration is
managed by these variables.
Each list entry is a YAML dictionary, which can be written in a simple or complex form. Entries that control Unbound parameters of the same name will be combined together in order of appearance. Since most of the Unbound configuration options use dashes in their names, you might want to quote the YAML dictionary keys to avoid issues with Jinja templating.
Simple form of the configuration parameters
Simple form of the Unbound configuration uses the dictionary key as a option name, and its value as that option's parameters:
unbound__server:
# Option with boolean value
- 'extended-statistics': True
# Option with integer value
- verbosity: 1
# Option with string value
- 'private-domain': 'example.org'
# Option with multiple values in a list
- 'domain-insecure': [ 'example.org', 'example.com' ]
The result of the above configuration in /etc/unbound/unbound.conf.d/ansible.conf
:
server:
extended-statistics: yes
verbosity: 1
private-domain: "example.org"
domain-insecure: "example.org"
domain-insecure: "example.com"
The parameters in the configuration file will be present in the order they were first defined in the variables.
Complex form of the configuration parameters
Complex form of the Unbound configuration is detected when a dictionary key
contains a name
parameter. In that case, the role will interpret the entry
using specific parameters:
name
The name of the configuration option to manage. This parameter is used as an identifier during the variable parsing.
value
Required. A value which should be set for a given option. Values can be YAML strings, integers, booleans and lists (not dictionaries). Lists can contain simple strings, numbers, or YAML dictionaries that describe each value in greater detail. See Configuration values and their interactions for more details.
option
Optional. If specified, the option will use this string as the "name" instead of the
name
value. This is useful to create examples in the configuration file that have the same name as existing configuration options.comment
Optional. String or a YAML dictionary with additional comments for a given configuration option.
separator
Optional, boolean. if
True
, an empty line will be added above a given option, useful for readability.state
Optional. If not specified or
present
, the option will be present in the finished configuration file.If
absent
, the option will not be included in the configuration file.If
ignore
, the given entry will not be evaluated by the role, and no changes will be done to the preceding parameters with the same name. This can be used to conditionally activate entries with different configuration.If
hidden
, the option will not be displayed in the configuration file, but any comments will be present. This can be used to add free-form comments in the Postfix configuration file.If
comment
, the option will be present, but it will be commented out. This can be used to add examples in the configuration file.If
append
, the given entry will be evaluated only if an entry with the same name already exists. The current state will not be changed.weight
Optional. A positive or negative number which affects the position of a given option in the configuration file. The higher the number, the more a given option "weighs" and the lower it will be placed in the finished configuration file. Negative numbers make the option "lighter" and it will be placed higher.
copy_id_from
Optional. This is an internal role parameter which can be used to change the relative position of a given option in the configuration file. If you specify a name of an option, it's internal "id" number (used for sorting) will be copied to the current option. This can be used to move options around to different configuration file sections.
Examples
Define the previous example using complex form:
unbound__server:
- name: 'extended-statistics'
comment: 'Enable extended server statistics'
value: True
- name: 'verbosity'
value: 1
- name: 'private-domain'
value: 'example.org'
- name: 'domain-insecure'
value: [ 'example.org', 'example.com' ]
Unbound supports more complex parameters with arguments. You can define them using extended syntax as well:
unbound__server:
- 'define-tag': 'tag1 tag2 tag3'
- name: 'access-control'
value:
- name: '127.0.0.0/8'
args: 'allow_snoop'
- name: '::1/128'
args: 'allow_snoop'
- name: '192.0.2.0/24'
args: 'allow'
- name: 'access-control-tag'
value:
- name: '192.0.2.0/24'
args: '"tag1 tag2"'
The result of the above configuration in
/etc/unbound/unbound.conf.d/ansible.conf
:
server:
# Enable extended server statistics
extended-statistics: yes
verbosity: 1
private-domain: "example.org"
domain-insecure: "example.org"
domain-insecure: "example.com"
define-tag: "tag1 tag2 tag3"
access-control: 127.0.0.0/8 allow_snoop
access-control: 192.0.2.0/24 allow
access-control: ::1/128 allow_snoop
access-control-tag: 192.0.2.0/24 "tag1 tag2"
The parameters in the configuration file will be present in the order they were
first defined in the variables, unless the weight
parameter is added, which
will change the order.
Configuration values and their interactions
The Unbound configuration file
uses key-value format, with values being either strings, numbers, booleans or
lists. The first three types are handled by the debops.unbound
role as
normal.
List values are by default concatenated to allow easy extension of existing values. The values in a list are either YAML strings, numbers, or can be defined as YAML dictionaries with specific parameters:
name
orparam
Required. The value itself, usually a string.
state
Optional. If not defined or
present
, the value will be included in the list.If
absent
, the value will be removed from the list.If
ignore
, the given entry will not be evaluated by the role, and will not change the state of the value. This can be used to enable or disable values conditionally.weight
Optional. A positive or negative number which affects the position of a given value in the list. The higher the number, the more a given value "weighs" and the lower it will be placed in the finished list. Negative numbers make the value "lighter" and it will be placed higher.
args
Optional. Some Unbound values can have additional arguments. They should be added using this parameter which will be appended to a given value "as-is". Any quotes needed by Unbound (for example, tags) need to be included inside the quoted string itself.
Example list
Define a list with conditional values:
unbound__server:
- name: 'domain-insecure'
value:
- 'example.com'
- name: 'example.org'
state: '{{ "present"
if (ansible_domain.split(".")|count > 1)
else "ignore" }}'
- name: 'example.net'
weight: 100
Base value replacement
Repeating the string, number or boolean option will result in the latter entry replacing the former entry:
unbound__server:
# Old value
- verbosity: 1
# New, active value
- verbosity: 2
The result of the above configuration in
/etc/unbound/unbound.conf.d/ansible.conf
:
verbosity: 2
Lists are merged together
The list parameters behave differently. Specifying the same option multiple times, if the preceding option was a list, will add the specified parameters to the list:
unbound__server:
- 'domain-insecure': [ 'example.com', 'example.org' ]
- 'domain-insecure': [ 'example.net' ]
The result of the above configuration in
/etc/unbound/unbound.conf.d/ansible.conf
:
domain-insecure: "example.org"
domain-insecure: "example.net"
domain-insecure: "example.com"
How to reset a list
If the option was a list, and subsequent option specified a boolean, string or a number, the value will replace the previous one, instead of adding to a list. This can be used to reset the list instead of appending to it.
unbound__server:
- 'domain-insecure': [ 'example.com', 'example.org' ]
- 'domain-insecure': 'example.net'
The result of the above configuration in
/etc/unbound/unbound.conf.d/ansible.conf
:
domain-insecure: "example.net"
Lists don't add duplicates
The role checks if a given list element is already present, and it won't add a duplicate value to the list:
unbound__server:
- 'domain-insecure': [ 'example.org', 'example.com' ]
- 'domain-insecure': [ 'example.org' ]
The result of the above configuration in
/etc/unbound/unbound.conf.d/ansible.conf
:
domain-insecure: "example.org"
domain-insecure: "example.com"