new file: files/unbound-overplay.conf

new file:   files/unbound-pihole.conf
	new file:   files/unbound.conf
	new file:   install-unbound.yaml
Initial commit

files/unbound-overplay.conf

@@ -0,0 +1,47 @@
+## Simple recursive caching DNS, UDP port 53
+## unbound.conf -- https://calomel.org
+#
+server:
+#   access-control: 10.0.0.0/8 allow
+   access-control: 127.0.0.0/8 allow
+#   access-control: 192.168.0.0/16 allow
+#   aggressive-nsec: yes
+   cache-max-ttl: 14400
+   cache-min-ttl: 300
+   hide-identity: yes
+   hide-version: yes
+   interface: 127.0.0.1
+   minimal-responses: yes
+   num-threads: 4
+   prefetch: yes
+   qname-minimisation: yes
+   rrset-roundrobin: yes
+ # tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
+ # trust-anchor-file: "/usr/local/etc/unbound/root.key"
+   use-caps-for-id: yes
+   verbosity: 1
+
+forward-zone:
+      name: "ipa.champion"
+      forward-addr: 192.168.11.121 # Pi-Hole with Overplay upstream
+      forward-addr: 192.168.11.254 # Cerberus
+forward-zone:
+      name: "."
+      forward-addr: 1.1.1.1        # Cloudflare
+      forward-addr: 1.0.0.1        # Cloudflare
+      forward-addr: 8.8.4.4        # Google
+      forward-addr: 8.8.8.8        # Google
+      forward-addr: 37.235.1.174   # FreeDNS
+      forward-addr: 37.235.1.177   # FreeDNS
+      forward-addr: 50.116.23.211  # OpenNIC
+      forward-addr: 64.6.64.6      # Verisign
+      forward-addr: 64.6.65.6      # Verisign
+      forward-addr: 74.82.42.42    # Hurricane Electric
+      forward-addr: 84.200.69.80   # DNS Watch
+      forward-addr: 84.200.70.40   # DNS Watch
+      forward-addr: 91.239.100.100 # censurfridns.dk
+      forward-addr: 109.69.8.51    # puntCAT
+      forward-addr: 208.67.222.220 # OpenDNS
+      forward-addr: 208.67.222.222 # OpenDNS
+      forward-addr: 216.146.35.35  # Dyn Public
+      forward-addr: 216.146.36.36  # Dyn Public

files/unbound-pihole.conf

@@ -0,0 +1,47 @@
+## Simple recursive caching DNS, UDP port 53
+## unbound.conf -- https://calomel.org
+#
+server:
+#   access-control: 10.0.0.0/8 allow
+   access-control: 127.0.0.0/8 allow
+#   access-control: 192.168.0.0/16 allow
+#   aggressive-nsec: yes
+   cache-max-ttl: 14400
+   cache-min-ttl: 300
+   hide-identity: yes
+   hide-version: yes
+   interface: 127.0.0.1
+   minimal-responses: yes
+   num-threads: 4
+   prefetch: yes
+   qname-minimisation: yes
+   rrset-roundrobin: yes
+ # tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
+ # trust-anchor-file: "/usr/local/etc/unbound/root.key"
+   use-caps-for-id: yes
+   verbosity: 1
+
+forward-zone:
+      name: "ipa.champion"
+      forward-addr: 192.168.11.121 # Pi-Hole adblocker with Overplay upstream
+      forward-addr: 192.168.11.254 # Cerberus
+forward-zone:
+      name: "."
+      forward-addr: 1.1.1.1        # Cloudflare
+      forward-addr: 1.0.0.1        # Cloudflare
+      forward-addr: 8.8.4.4        # Google
+      forward-addr: 8.8.8.8        # Google
+      forward-addr: 37.235.1.174   # FreeDNS
+      forward-addr: 37.235.1.177   # FreeDNS
+      forward-addr: 50.116.23.211  # OpenNIC
+      forward-addr: 64.6.64.6      # Verisign
+      forward-addr: 64.6.65.6      # Verisign
+      forward-addr: 74.82.42.42    # Hurricane Electric
+      forward-addr: 84.200.69.80   # DNS Watch
+      forward-addr: 84.200.70.40   # DNS Watch
+      forward-addr: 91.239.100.100 # censurfridns.dk
+      forward-addr: 109.69.8.51    # puntCAT
+      forward-addr: 208.67.222.220 # OpenDNS
+      forward-addr: 208.67.222.222 # OpenDNS
+      forward-addr: 216.146.35.35  # Dyn Public
+      forward-addr: 216.146.36.36  # Dyn Public

files/unbound.conf

@@ -0,0 +1,46 @@
+## Simple recursive caching DNS, UDP port 53
+## unbound.conf -- https://calomel.org
+#
+server:
+#   access-control: 10.0.0.0/8 allow
+   access-control: 127.0.0.0/8 allow
+#   access-control: 192.168.0.0/16 allow
+#   aggressive-nsec: yes
+   cache-max-ttl: 14400
+   cache-min-ttl: 300
+   hide-identity: yes
+   hide-version: yes
+   interface: 127.0.0.1
+   minimal-responses: yes
+   num-threads: 4
+   prefetch: yes
+   qname-minimisation: yes
+   rrset-roundrobin: yes
+ # tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
+ # trust-anchor-file: "/usr/local/etc/unbound/root.key"
+   use-caps-for-id: yes
+   verbosity: 1
+
+forward-zone:
+      name: "ipa.champion"
+      forward-addr: 192.168.11.254 # Cerberus
+forward-zone:
+      name: "."
+      forward-addr: 1.1.1.1        # Cloudflare
+      forward-addr: 1.0.0.1        # Cloudflare
+      forward-addr: 8.8.4.4        # Google
+      forward-addr: 8.8.8.8        # Google
+      forward-addr: 37.235.1.174   # FreeDNS
+      forward-addr: 37.235.1.177   # FreeDNS
+      forward-addr: 50.116.23.211  # OpenNIC
+      forward-addr: 64.6.64.6      # Verisign
+      forward-addr: 64.6.65.6      # Verisign
+      forward-addr: 74.82.42.42    # Hurricane Electric
+      forward-addr: 84.200.69.80   # DNS Watch
+      forward-addr: 84.200.70.40   # DNS Watch
+      forward-addr: 91.239.100.100 # censurfridns.dk
+      forward-addr: 109.69.8.51    # puntCAT
+      forward-addr: 208.67.222.220 # OpenDNS
+      forward-addr: 208.67.222.222 # OpenDNS
+      forward-addr: 216.146.35.35  # Dyn Public
+      forward-addr: 216.146.36.36  # Dyn Public

install-unbound.yaml

@@ -0,0 +1,102 @@
+---
+- name: Setup unbound for name resolution
+  hosts: CentOS
+  become: true
+  tasks:
+  - name: Install unbound
+    yum:
+      name: unbound
+      state: present
+    when:
+      ansible_distribution == "RedHat"
+  - name: Install unbound
+    dnf:
+      name: unbound
+      state: present
+    when:
+      ansible_distribution == "Fedora"
+  - name: Install unbound
+    apt:
+      name: unbound
+      state: present
+    when:
+      ansible_distribution == "Debian"
+
+  - name: Apply caching configuration to use non-Overplay upstream
+    copy:
+      src: files/unbound.conf
+      dest: /etc/unbound/unbound.conf
+
+  - name: Start and enable the unbound service
+    service:
+      name: unbound
+      state: started
+      enabled: true
+
+- name: Setup unbound for name resolution
+  hosts: Overplay
+  become: true
+  tasks:
+  - name: Install unbound
+    yum:
+      name: unbound
+      state: present
+    when:
+      ansible_distribution == "RedHat"
+  - name: Install unbound
+    dnf:
+      name: unbound
+      state: present
+    when:
+      ansible_distribution == "Fedora"
+  - name: Install unbound
+    apt:
+      name: unbound
+      state: present
+    when:
+      ansible_distribution == "Debian"
+
+  - name: Apply caching configuration to use non-Overplay upstream
+    copy:
+      src: files/unbound-overplay.conf
+      dest: /etc/unbound/unbound.conf
+
+  - name: Start and enable the unbound service
+    service:
+      name: unbound
+      state: started
+      enabled: true
+
+- name: Setup unbound for name resolution
+  hosts: pihole
+  become: true
+  tasks:
+  - name: Install unbound
+    yum:
+      name: unbound
+      state: present
+    when:
+      ansible_distribution == "RedHat"
+  - name: Install unbound
+    dnf:
+      name: unbound
+      state: present
+    when:
+      ansible_distribution == "Fedora"
+  - name: Install unbound
+    apt:
+      name: unbound
+      state: present
+    when:
+      ansible_distribution == "Debian"
+
+  - name: Apply caching configuration to use non-Overplay upstream
+    copy:
+      src: files/unbound-pihole.conf
+      dest: /etc/unbound/unbound.conf
+
+  - name: Start and enable the unbound service
+    service:
+      name: unbound
+      state: started
+      enabled: true