
@mmaassen
Created September 27, 2021 14:18
Ansible playbook to install unbound docker container
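---
# Install Unbound (mvance/unbound image) as a docker-compose managed container.
#
# All variables are optional; the default() filters below give the fallback values:
#   unbound_compose_dir       directory holding docker-compose.yml and config/ (default /opt/unbound)
#   unbound_container_name    compose service / container name (default unbound)
#   unbound_expose_port_tcp   host port published for 53/tcp (default 5335)
#   unbound_expose_port_udp   host port published for 53/udp (default 5335)
#   unbound_config_logfile    unbound logfile path (default /dev/null)
#   unbound_config_ratelimit  unbound "ratelimit" value (default 1000)
- hosts: unbound_docker
  become: true

  handlers:
    # Both handlers listen on the same topic and are mutually exclusive through
    # `when` on the result registered by the docker-compose.yml task. They carry
    # distinct names because Ansible tracks notified handlers by name; two
    # handlers sharing one name may collapse into a single run on some versions.
    - name: "Recreate unbound (only config/ changed)"
      # docker-compose only recreates a container by itself when the compose
      # file changed, so a change confined to config/ needs --force-recreate.
      command: docker-compose up -d --force-recreate
      args:
        chdir: "{{ unbound_compose_dir | default('/opt/unbound') }}"
      listen: "handler_restart_unbound"
      when: not compose_file.changed

    - name: "Restart unbound (docker-compose.yml changed)"
      command: docker-compose up -d
      args:
        chdir: "{{ unbound_compose_dir | default('/opt/unbound') }}"
      listen: "handler_restart_unbound"
      when: compose_file.changed

  tasks:
    - name: "Check if docker-compose is installed"
      # Read-only probe: fails the play early when the binary is missing and
      # never reports a change (command/shell would otherwise always be "changed").
      command: docker-compose --version
      changed_when: false

    - name: "Ensure path '{{ unbound_compose_dir | default('/opt/unbound') }}' exists"
      file:
        path: "{{ unbound_compose_dir | default('/opt/unbound') }}/config"
        state: directory
        recurse: true

    - name: "Create '{{ unbound_compose_dir | default('/opt/unbound') }}/docker-compose.yml'"
      # NOTE(review): the image is pulled by the floating tag ':latest'; pinning
      # it to an immutable digest gives reproducible, auditable deployments.
      # The published host port binds to every host interface unless
      # unbound_expose_port_* carries a host-address prefix (e.g. 127.0.0.1:5335),
      # so set that when the resolver must not be reachable from other networks.
      copy:
        dest: "{{ unbound_compose_dir | default('/opt/unbound') }}/docker-compose.yml"
        mode: "0644"
        content: |
          ---
          version: "3"
          services:
            {{ unbound_container_name | default('unbound') }}:
              container_name: {{ unbound_container_name | default('unbound') }}
              image: mvance/unbound:latest
              ports:
                - "{{ unbound_expose_port_tcp | default('5335') }}:53/tcp"
                - "{{ unbound_expose_port_udp | default('5335') }}:53/udp"
              volumes:
                - '{{ unbound_compose_dir | default('/opt/unbound') }}/config/:/opt/unbound/etc/unbound/'
              restart: unless-stopped
      notify: handler_restart_unbound
      # Registered so the handlers can tell a compose-file change from a
      # config-only change.
      register: compose_file

    - name: "Create '{{ unbound_compose_dir | default('/opt/unbound') }}/config/unbound.conf'"
      # Rendered with Jinja before being written, so the {{ }} expressions in
      # the block below are substituted. Queries are answered only for the
      # loopback and RFC 1918 ranges listed under access-control; all query /
      # reply logging is off and logfile defaults to /dev/null, so set
      # unbound_config_logfile if logs are needed for troubleshooting.
      copy:
        dest: "{{ unbound_compose_dir | default('/opt/unbound') }}/config/unbound.conf"
        mode: "0644"
        content: |
          server:
            do-ip4: yes
            do-udp: yes
            do-tcp: yes
            port: 53
            do-ip6: no
            cache-max-ttl: 86400
            cache-min-ttl: 300
            directory: "/opt/unbound/etc/unbound"
            edns-buffer-size: 1232
            interface: 0.0.0.0@53
            rrset-roundrobin: yes
            username: "_unbound"
            log-local-actions: no
            log-queries: no
            log-replies: no
            log-servfail: no
            logfile: {{ unbound_config_logfile | default('/dev/null')}}
            verbosity: 0
            aggressive-nsec: yes
            delay-close: 10000
            do-daemonize: no
            do-not-query-localhost: no
            neg-cache-size: 4M
            qname-minimisation: yes
            access-control: 127.0.0.1/32 allow
            access-control: 192.168.0.0/16 allow
            access-control: 172.16.0.0/12 allow
            access-control: 10.0.0.0/8 allow
            auto-trust-anchor-file: "var/root.key"
            chroot: "/opt/unbound/etc/unbound"
            deny-any: yes
            harden-algo-downgrade: yes
            harden-below-nxdomain: yes
            harden-dnssec-stripped: yes
            harden-glue: yes
            harden-large-queries: yes
            harden-referral-path: no
            harden-short-bufsize: yes
            hide-http-user-agent: no
            hide-identity: yes
            hide-version: yes
            http-user-agent: "DNS"
            identity: "DNS"
            private-address: 10.0.0.0/8
            private-address: 172.16.0.0/12
            private-address: 192.168.0.0/16
            private-address: 169.254.0.0/16
            ratelimit: {{ unbound_config_ratelimit | default('1000')}}
            tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
            unwanted-reply-threshold: 10000
            use-caps-for-id: yes
            val-clean-additional: yes
            infra-cache-slabs: 4
            incoming-num-tcp: 10
            key-cache-slabs: 4
            msg-cache-size: 173513386
            msg-cache-slabs: 4
            num-queries-per-thread: 4096
            num-threads: 3
            outgoing-range: 8192
            rrset-cache-size: 347026773
            rrset-cache-slabs: 4
            minimal-responses: yes
            prefetch: yes
            prefetch-key: yes
            serve-expired: yes
            so-reuseport: yes
          remote-control:
            control-enable: no
      notify: handler_restart_unbound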