bundles/unbound: introduce, add to nodes

bundles/unbound/files/unbound.conf

@@ -0,0 +1,44 @@
+server:
+    # provided by pkg_apt:unbound-anchor
+    auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+    verbosity: 0
+
+% if node.has_bundle('netdata'):
+    statistics-interval: 5
+    extended-statistics: yes
+% else:
+    statistics-interval: 300
+% endif
+    statistics-cumulative: no
+
+    num-threads: ${threads}
+
+% if node.has_bundle('iptables'):
+    # Use iptables to manage access to this service
+    interface: 0.0.0.0
+    interface: ::0
+    access-control: 0.0.0.0/0 allow
+    access-control: ::/0 allow
+% else:
+    interface: 127.0.0.1
+    interface: ::1
+    access-control: 127.0.0.1 allow
+    access-control: ::1 allow
+% endif
+
+    cache-max-ttl: ${max_ttl}
+
+    use-syslog: yes
+    log-queries: no
+
+    root-hints: "/etc/unbound/root-hints.txt"
+
+    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
+
+remote-control:
+% if node.has_bundle('netdata'):
+    control-enable: yes
+% else:
+    control-enable: no
+% endif

bundles/unbound/items.py

@@ -0,0 +1,44 @@
+files = {
+    '/etc/unbound/unbound.conf': {
+        'content_type': 'mako',
+        'context': node.metadata['unbound'],
+        'triggers': {
+            'svc_systemd:unbound:restart',
+        },
+    },
+}
+
+actions = {
+    'unbound_generate_certificates': {
+        'command': 'unbound-control-setup',
+        'unless': 'test -f /etc/unbound/unbound_server.key',
+        'needs': {
+            'pkg_apt:unbound',
+            'pkg_apt:unbound-anchor',
+        },
+    },
+    'unbound_download_root_hints': {
+        'command': 'wget -O/etc/unbound/root-hints.txt https://www.internic.net/domain/named.root',
+        'unless': 'test -f /etc/unbound/root-hints.txt',
+        'needs': {
+            'pkg_apt:unbound',
+        },
+    },
+}
+
+svc_systemd = {
+    'unbound': {
+        'needs': {
+            'action:unbound_generate_certificates',
+            'action:unbound_download_root_hints',
+            'file:/etc/unbound/unbound.conf',
+            'pkg_apt:unbound',
+            'pkg_apt:unbound-anchor',
+        },
+    },
+}
+
+if node.has_bundle('systemd-networkd'):
+    svc_systemd['unbound']['needed_by'] = {
+        'file:/etc/resolv.conf',
+    }

bundles/unbound/metadata.py

@@ -0,0 +1,42 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'unbound': {},
+            'unbound-anchor': {},
+        },
+    },
+    'nameservers': {
+        '127.0.0.1',
+    },
+    'unbound': {
+        'max_ttl': 3600,
+    },
+}
+
+
+@metadata_reactor
+def cpu_cores_to_threads(metadata):
+    return {
+        'unbound': {
+            'threads': metadata.get('vm/cpu', 1)*2,
+        },
+    }
+
+
+@metadata_reactor
+def iptables(metadata):
+    interfaces = metadata.get('unbound/restrict-to-interfaces', set())
+    iptables = []
+
+    for iface in sorted(interfaces):
+        iptables.append(f'iptables -A INPUT -i {iface} -p tcp --dport 53 -j ACCEPT')
+        iptables.append(f'iptables -A INPUT -i {iface} -p udp --dport 53 -j ACCEPT')
+
+    return {
+        'iptables': {
+            'bundle_rules': {
+                'unbound': iptables,
+            },
+        },
+    }
+

groups/locations.py

@@ -54,9 +54,6 @@ groups['home'] = {
     },
     'metadata': {
         'location': 'home',
-#        'nameservers': {
-#            '172.19.138.1',
-#        },
         'icinga_options': {
             'vars.notification.sms': False,
         },

nodes/home/router.py

@@ -10,6 +10,7 @@ nodes['home.router'] = {
         'openvpn-client',
         'pppd',
         'radvd',
+        'unbound',
         'vnstat',
         'wide-dhcp6c',
         'wireguard',
@@ -53,7 +54,7 @@ nodes['home.router'] = {
                     'interface': 'enp1s0.42',
                     'options': {
                         'routers': '172.19.138.1',
-                        'domain-name-servers': '8.8.8.8, 8.8.4.4',
+                        'domain-name-servers': '172.19.138.1',
                         'domain-name': 'franzi-home.kunbox.net',
                         'broadcast-address': '172.19.138.255',
                         'subnet-mask': '255.255.255.0',
@@ -77,9 +78,6 @@ nodes['home.router'] = {
                 'iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE',
             ],
         },
-        'nameservers': atomic({
-            '9.9.9.10',
-        }),
         'netdata': {
             'restrict-to-interfaces': {
                 'enp1s0.42',
@@ -99,12 +97,7 @@ nodes['home.router'] = {
         'radvd': {
             'integrate-with-pppd': True,
             'interfaces': {
-                'enp1s0.42': {
+                'enp1s0.42': {},
-                    'rdnss': {
-                        '2001:4860:4860::8888',
-                        '2001:4860:4860::8844',
-                    },
-                },
             },
         },
         'pppd': {
@@ -117,6 +110,12 @@ nodes['home.router'] = {
                 'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='),
             },
         },
+        'unbound': {
+            'restrict-to-interfaces': {
+                'enp1s0.23',
+                'enp1s0.42',
+            },
+        },
         'users': {
             'f2k1de': {
                 'ssh_pubkey': {

nodes/htz-cloud/pirmasens.py

@@ -5,6 +5,7 @@ nodes['htz-cloud.pirmasens'] = {
         'postfixadmin',
         'postgresql',
         'rspamd',
+        'unbound',
     },
     'groups': {
         'debian-buster',

nodes/htz/ex42-1048908.py

@@ -14,6 +14,7 @@ nodes['htz.ex42-1048908'] = {
         'rspamd',
         'postgresql',
         'radicale',
+        'unbound',
         'smartd',
         'travelynx',
         'vmhost',