debops.unbound default variables

Sections

APT packages
Server (main) configuration
Remote control configuration
Custom forward/stub DNS zones
Configuration for other Ansible roles

APT packages 

unbound__base_packages

List of default APT packages to install for Unbound support.

unbound__base_packages: [ 'unbound' ]

unbound__packages

List of additional APT packages to install with Unbound.

unbound__packages: []

Server (main) configuration 

These variables can be used to configure main unbound configuration options. See Default variable details: unbound__server for more details.

unbound__default_server

The default Unbound 'server' configuration defined by the role.

unbound__default_server:

  - name: 'localhost-allow_snoop'
    option: 'access-control'
    comment: |
      By default unbound blocks non-recursive queries to prevent abuse; this
      prevents commands like 'dig +trace' from working correctly. Since query
      tracing is a useful debugging and diagnostic tool, non-recursive queries
      will be allowed when the host is managed locally with assumption that
      this is an administrator's machine.
    value:

      - name: '127.0.0.0/8'
        args: 'allow_snoop'

      - name: '::1/128'
        args: 'allow_snoop'

    state: '{{ "present"
               if (unbound__fact_ansible_connection == "local")
               else "ignore" }}'

unbound__server

The Unbound 'server' configuration which should be present on all hosts in the Ansible inventory.

unbound__server: []

unbound__group_server

The Unbound 'server' configuration which should be present on hosts in a specific Ansible inventory group.

unbound__group_server: []

unbound__host_server

The Unbound 'server' configuration which should be present on specific hosts in the Ansible inventory.

unbound__host_server: []

unbound__combined_server

This variable combines the 'server' configuration from other variables and passes it to the configuration file template.

unbound__combined_server: '{{ unbound__default_server
                              + unbound__server
                              + unbound__group_server
                              + unbound__host_server }}'

Remote control configuration 

These variables can be used to configure unbound-control configuration options. The syntax is the same as the 'server' configuration. See Default variable details: unbound__server for more details.

unbound__default_remote_control

The default 'remote-control' configuration defined by the role.

unbound__default_remote_control:

  # On Debian Buster, remote control is disabled by default
  - name: 'control-enable'
    comment: |
      Enable remote control of the 'unbound' daemon by default. This is needed
      for the 'systemctl reload unbound.service' command to work correctly.
    value: True

unbound__remote_control

The Unbound 'remote-control' configuration which should be present on all hosts in the Ansible inventory.

unbound__remote_control: []

unbound__group_remote_control

The Unbound 'remote-control' configuration which should be present on hosts in a specific Ansible inventory group.

unbound__group_remote_control: []

unbound__host_remote_control

The Unbound 'remote-control' configuration which should be present on specific hosts in the Ansible inventory.

unbound__host_remote_control: []

unbound__combined_remote_control

This variable combines the 'remote-control' configuration from other variables and passes it to the configuration file template.

unbound__combined_remote_control: '{{ unbound__default_remote_control
                                      + unbound__remote_control
                                      + unbound__group_remote_control
                                      + unbound__host_remote_control }}'

Custom forward/stub DNS zones 

These variables configure custom 'forward' or 'stub' DNS zones served by Unbound. See unbound__zones for more details.

List of forward or stub DNS zones defined by the role.

unbound__default_zones:

  - name: 'block-dns-over-https'
    comment: |
      Blocking the 'use-application-dns.net' domain instructs the applications
      that support DNS over HTTPS to not use it and rely on the system resolver
      instead. This might be required for certain applications to support
      access to internal services, resolve split-DNS correctly, etc.

      Ref: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
    zone: 'use-application-dns.net.'
    type: 'local'
    local_zone_type: 'always_nxdomain'

  - name: 'lxc-net'
    comment: |
      Support for resolving LXC container hosts that use the 'lxc-net' bridge
      configuration
    zone: '{{ (ansible_local.lxc.net_domain + ".")
              if (ansible_local.lxc.net_domain|d())
              else "" }}'
    revdns: '{{ ansible_local.lxc.net_subnet|d("") }}'
    nameserver: '{{ ansible_local.lxc.net_address|d("") }}'
    state: '{{ "present"
               if (ansible_local.lxc.net_domain|d())
               else "absent" }}'

  # Ref: https://learn.hashicorp.com/consul/security-networking/forwarding#unbound-setup
  - name: 'consul'
    comment: |
      Support for Consul Agent DNS service on localhost
      Ref: https://www.consul.io/docs/agent/dns.html
    zone: 'consul.'
    type: 'stub'
    options:
      - 'stub-addr': '127.0.0.1@8600'
    server_options:
      - 'do-not-query-localhost': False
      - 'domain-insecure': 'consul.'
    state: '{{ "present"
               if (ansible_local|d() and ansible_local.consul|d() and
                   (ansible_local.consul.installed|d())|bool)
               else "absent" }}'

unbound__zones

List of forward or stub DNS zones which should be defined on all hosts in the Ansible inventory.

unbound__zones: []

unbound__group_zones

List of forward or stub DNS zones which should be defined on hosts in specific Ansible inventory group.

unbound__group_zones: []

unbound__host_zones

List of forward or stub DNS zones which should be defined on specific hosts in the Ansible inventory.

unbound__host_zones: []

unbound__combined_zones

The variable that combines the zone configuration from other variables.

unbound__combined_zones: '{{ unbound__default_zones
                             + unbound__zones
                             + unbound__group_zones
                             + unbound__host_zones }}'

unbound__parsed_zones

The variable that parses the combined zone configuration and is used in the Ansible tasks to manage the DNS zone files.

unbound__parsed_zones: '{{ unbound__combined_zones
                                | parse_kv_items(merge_keys=["server_options"]) }}'

Configuration for other Ansible roles 

unbound__python__dependent_packages3

Configuration for the debops.python Ansible role.

unbound__python__dependent_packages3:

  - 'python3-unbound'

unbound__python__dependent_packages2

Configuration for the debops.python Ansible role.

unbound__python__dependent_packages2:

  - 'python-unbound'

unbound__apt_preferences__dependent_list

Configuration for the debops.apt_preferences.

unbound__apt_preferences__dependent_list:

  - packages:  [ 'unbound', 'unbound-*', 'libunbound*' ]
    backports: [ 'wheezy', 'jessie' ]
    reason:    'Feature parity with the next Debian release'
    by_role:   'debops.unbound'

unbound__etc_services__dependent_list

Configuration for the debops.etc_services.

unbound__etc_services__dependent_list:

  - name: 'unbound-ctrl'
    port: '8953'
    comment: 'Unbound control service'

debops.unbound default variables

APT packages

Server (main) configuration

Remote control configuration

Custom forward/stub DNS zones

Configuration for other Ansible roles

APT packages 

Server (main) configuration 

Remote control configuration 

Custom forward/stub DNS zones 

Configuration for other Ansible roles 