debops.unbound default variables

APT packages

unbound__base_packages

List of default APT packages to install for Unbound support.

unbound__base_packages: [ 'unbound' ]
unbound__packages

List of additional APT packages to install with Unbound.

unbound__packages: []

Server (main) configuration

These variables can be used to configure main unbound configuration options. See Default variable details: unbound__server for more details.

unbound__default_server

The default Unbound 'server' configuration defined by the role.

unbound__default_server:

  - name: 'localhost-allow_snoop'
    option: 'access-control'
    comment: |
      By default unbound blocks non-recursive queries to prevent abuse; this
      prevents commands like 'dig +trace' from working correctly. Since query
      tracing is a useful debugging and diagnostic tool, non-recursive queries
      will be allowed when the host is managed locally with assumption that
      this is an administrator's machine.
    value:

      - name: '127.0.0.0/8'
        args: 'allow_snoop'

      - name: '::1/128'
        args: 'allow_snoop'

    state: '{{ "present"
               if (unbound__fact_ansible_connection == "local")
               else "ignore" }}'
unbound__server

The Unbound 'server' configuration which should be present on all hosts in the Ansible inventory.

unbound__server: []
unbound__group_server

The Unbound 'server' configuration which should be present on hosts in a specific Ansible inventory group.

unbound__group_server: []
unbound__host_server

The Unbound 'server' configuration which should be present on specific hosts in the Ansible inventory.

unbound__host_server: []
unbound__combined_server

This variable combines the 'server' configuration from other variables and passes it to the configuration file template.

unbound__combined_server: '{{ unbound__default_server
                              + unbound__server
                              + unbound__group_server
                              + unbound__host_server }}'

Remote control configuration

These variables can be used to configure unbound-control configuration options. The syntax is the same as the 'server' configuration. See Default variable details: unbound__server for more details.

unbound__default_remote_control

The default 'remote-control' configuration defined by the role.

unbound__default_remote_control:

  # On Debian Buster, remote control is disabled by default
  - name: 'control-enable'
    comment: |
      Enable remote control of the 'unbound' daemon by default. This is needed
      for the 'systemctl reload unbound.service' command to work correctly.
    value: True
unbound__remote_control

The Unbound 'remote-control' configuration which should be present on all hosts in the Ansible inventory.

unbound__remote_control: []
unbound__group_remote_control

The Unbound 'remote-control' configuration which should be present on hosts in a specific Ansible inventory group.

unbound__group_remote_control: []
unbound__host_remote_control

The Unbound 'remote-control' configuration which should be present on specific hosts in the Ansible inventory.

unbound__host_remote_control: []
unbound__combined_remote_control

This variable combines the 'remote-control' configuration from other variables and passes it to the configuration file template.

unbound__combined_remote_control: '{{ unbound__default_remote_control
                                      + unbound__remote_control
                                      + unbound__group_remote_control
                                      + unbound__host_remote_control }}'

Custom forward/stub DNS zones

These variables configure custom 'forward' or 'stub' DNS zones served by Unbound. See unbound__zones for more details.

List of forward or stub DNS zones defined by the role.

unbound__default_zones:

  - name: 'block-dns-over-https'
    comment: |
      Blocking the 'use-application-dns.net' domain instructs the applications
      that support DNS over HTTPS to not use it and rely on the system resolver
      instead. This might be required for certain applications to support
      access to internal services, resolve split-DNS correctly, etc.

      Ref: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
    zone: 'use-application-dns.net.'
    type: 'local'
    local_zone_type: 'always_nxdomain'

  - name: 'lxc-net'
    comment: |
      Support for resolving LXC container hosts that use the 'lxc-net' bridge
      configuration
    zone: '{{ (ansible_local.lxc.net_domain + ".")
              if (ansible_local|d() and ansible_local.lxc|d() and
                  ansible_local.lxc.net_domain|d())
              else "" }}'
    revdns: '{{ ansible_local.lxc.net_subnet
                if (ansible_local|d() and ansible_local.lxc|d() and
                    ansible_local.lxc.net_subnet|d())
                else "" }}'
    nameserver: '{{ ansible_local.lxc.net_address
                    if (ansible_local|d() and ansible_local.lxc|d() and
                        ansible_local.lxc.net_address|d())
                    else "" }}'
    state: '{{ "present"
               if (ansible_local|d() and ansible_local.lxc|d() and
                   ansible_local.lxc.net_domain|d())
               else "absent" }}'

  # Ref: https://learn.hashicorp.com/consul/security-networking/forwarding#unbound-setup
  - name: 'consul'
    comment: |
      Support for Consul Agent DNS service on localhost
      Ref: https://www.consul.io/docs/agent/dns.html
    zone: 'consul.'
    type: 'stub'
    options:
      - 'stub-addr': '127.0.0.1@8600'
    server_options:
      - 'do-not-query-localhost': False
      - 'domain-insecure': 'consul.'
    state: '{{ "present"
               if (ansible_local|d() and ansible_local.consul|d() and
                   (ansible_local.consul.installed|d())|bool)
               else "absent" }}'
unbound__zones

List of forward or stub DNS zones which should be defined on all hosts in the Ansible inventory.

unbound__zones: []
unbound__group_zones

List of forward or stub DNS zones which should be defined on hosts in specific Ansible inventory group.

unbound__group_zones: []
unbound__host_zones

List of forward or stub DNS zones which should be defined on specific hosts in the Ansible inventory.

unbound__host_zones: []
unbound__combined_zones

The variable that combines the zone configuration from other variables.

unbound__combined_zones: '{{ unbound__default_zones
                             + unbound__zones
                             + unbound__group_zones
                             + unbound__host_zones }}'
unbound__parsed_zones

The variable that parses the combined zone configuration and is used in the Ansible tasks to manage the DNS zone files.

unbound__parsed_zones: '{{ unbound__combined_zones
                                | parse_kv_items(merge_keys=["server_options"]) }}'

Configuration for other Ansible roles

unbound__python__dependent_packages3

Configuration for the debops.python Ansible role.

unbound__python__dependent_packages3:

  - 'python3-unbound'
unbound__python__dependent_packages2

Configuration for the debops.python Ansible role.

unbound__python__dependent_packages2:

  - 'python-unbound'
unbound__apt_preferences__dependent_list

Configuration for the debops.apt_preferences.

unbound__apt_preferences__dependent_list:

  - packages:  [ 'unbound', 'unbound-*', 'libunbound*' ]
    backports: [ 'wheezy', 'jessie' ]
    reason:    'Feature parity with the next Debian release'
    by_role:   'debops.unbound'
unbound__etc_services__dependent_list

Configuration for the debops.etc_services.

unbound__etc_services__dependent_list:

  - name: 'unbound-ctrl'
    port: '8953'
    comment: 'Unbound control service'