added roles for NSD and Unbound DNS servers
diff --git a/roles/dns-unbound/defaults/main.yml b/roles/dns-unbound/defaults/main.yml
new file mode 100644
index 0000000..d0553b1
--- /dev/null
+++ b/roles/dns-unbound/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+
+unbound_conf: "/var/unbound/etc/unbound.conf"
+unbound_group: "wheel"
+
diff --git a/roles/dns-unbound/handlers/main.yml b/roles/dns-unbound/handlers/main.yml
new file mode 100644
index 0000000..6ad5de0
--- /dev/null
+++ b/roles/dns-unbound/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+#file: roles/dns-unbound/handlers/main.yml
+
+- name: restart-unbound
+ service: name=unbound state=restarted
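Review bot: `service: name=unbound state=restarted` passes the module arguments as a single key=value string; the Ansible convention is native block YAML, which yamllint and ansible-lint can check and which avoids quoting surprises once a value is templated. Change it to `service:` / `name: unbound` / `state: restarted`. The same key=value form appears in the template task in tasks/main.yml and the apt task in unbound-Debian.yml.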
diff --git a/roles/dns-unbound/tasks/main.yml b/roles/dns-unbound/tasks/main.yml
new file mode 100644
index 0000000..2666538
--- /dev/null
+++ b/roles/dns-unbound/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+#file: roles/dns-unbound/tasks/main.yml
+
+# OS specific vars
+- include_vars: "{{ ansible_os_family }}.yml"
+
+# Debian specific installation
+- include: unbound-Debian.yml
+ when: ansible_os_family == 'Debian'
+
+- name: create unbound.conf from template
+ template:
+ src=unbound.conf.j2
+ dest={{ unbound_conf }}
+ mode=0644 owner=root group={{ unbound_group }}
+ # validate='unbound-checkconf %s' - can't use, checks path, not just config.
+ notify:
+ - restart-unbound
+
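Review bot: With validate= commented out, nothing checks the rendered unbound.conf before the restart-unbound handler restarts the service, so a template error takes the resolver down at the end of the play. Since the comment says unbound-checkconf needs the real path, add a task directly after the template task that checks the file in place: `- name: check unbound config` / `command: unbound-checkconf {{ unbound_conf }}` / `changed_when: false` — a failure there stops the play before handlers run. Separately, `include_vars: "{{ ansible_os_family }}.yml"` fails on any non-Debian family (including the OpenBSD-style path the defaults point at) unless a matching vars file exists outside this diff; `with_first_found` with a fallback would make that explicit.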
diff --git a/roles/dns-unbound/tasks/unbound-Debian.yml b/roles/dns-unbound/tasks/unbound-Debian.yml
new file mode 100644
index 0000000..da0254f
--- /dev/null
+++ b/roles/dns-unbound/tasks/unbound-Debian.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Install unbound
+ apt:
+ name={{ item }}
+ state=present
+ with_items:
+ - unbound
+
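Review bot: `with_items` over a single package adds a loop for nothing; `name: unbound` is enough, and apt also accepts a list in `name:` if more packages are added later. On a fresh host the install can fail on a stale package index, so consider `update_cache: true` with a `cache_valid_time` so the task stays idempotent.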
diff --git a/roles/dns-unbound/templates/unbound.conf.j2 b/roles/dns-unbound/templates/unbound.conf.j2
new file mode 100644
index 0000000..1583028
--- /dev/null
+++ b/roles/dns-unbound/templates/unbound.conf.j2
@@ -0,0 +1,42 @@
+# unbound.conf (configured by Ansible)
+
+server:
+ {% for cidr_ipv4 in unbound_interfaces %}
+ interface: {{ cidr_ipv4 | ipaddr('address') }}
+ {% endfor %}
+ verbosity: 1
+ port: 53
+ do-ip4: yes
+ do-udp: yes
+ do-tcp: yes
+
+ # allow from localhost
+ access-control: 127.0.0.0/24 allow
+
+ # allow from local networks
+ {% for cidr_ipv4 in unbound_interfaces %}
+ access-control: {{ cidr_ipv4 | ipaddr('network') }}/28 allow
+ {% endfor %}
+
+{% if nsd_zones is defined %}
+# allow unbound to query localhost, where nsd is listening
+do-not-query-localhost: no
+
+# allow reverse queries for RFC1918 addresses
+{% for zone in nsd_zones %}
+local-zone: "{{ zone.name_reverse_unbound }}." nodefault
+{% endfor %}
+
+# stub-zones zones that nsd is serving
+{% for zone in nsd_zones %}
+stub-zone:
+ name: "{{ zone.name }}"
+ stub-addr: {{ nsd_ip | default("127.0.0.1") }}
+
+stub-zone:
+ name: "{{ zone.name_reverse_unbound }}."
+ stub-addr: {{ nsd_ip | default("127.0.0.1") }}
+
+{% endfor %}
+{% endif %}
+
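Review bot: The access-control line in the local-network loop hard-codes a /28 mask onto `ipaddr('network')`, so the allowed client range is decoupled from the prefix of the interface address in unbound_interfaces: an interface on a /24 lets only the first 16 addresses query, and an interface on a /29 or /30 admits addresses outside its own subnet. Use the address's own prefix, `access-control: {{ cidr_ipv4 | ipaddr('subnet') }} allow`, or make the allowed range an explicit variable if the /28 is deliberate. The loopback rule `access-control: 127.0.0.0/24 allow` likewise covers only part of 127.0.0.0/8; `127.0.0.0/8` matches what unbound treats as localhost.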
diff --git a/roles/dns-unbound/vars/Debian.yml b/roles/dns-unbound/vars/Debian.yml
new file mode 100644
index 0000000..1edb86c
--- /dev/null
+++ b/roles/dns-unbound/vars/Debian.yml
@@ -0,0 +1,5 @@
+---
+
+unbound_conf: "/etc/unbound/unbound.conf"
+unbound_group: "unbound"
+