From 7e78b03ceb7648093906c6876e4663380511de49 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Mon, 3 Mar 2025 23:07:39 +0200
Subject: [PATCH] router: Some updates for the new router.

New host with different interface names. Some updates for OpenBSD 7.6.
While I'm here, set the correct time and date for the OpenBSD bootstrap
role so that things like OCSP stapling work.
---
 .../roles/openbsd_bootstrap/tasks/main.yaml   |  3 ++
 .../shore.co.il.conf => unbound.conf}         | 21 +++++++++-
 Ansible/roles/router/tasks/main.yaml          | 38 +++----------------
 3 files changed, 28 insertions(+), 34 deletions(-)
 rename Ansible/roles/router/files/{unbound/shore.co.il.conf => unbound.conf} (54%)

diff --git a/Ansible/roles/openbsd_bootstrap/tasks/main.yaml b/Ansible/roles/openbsd_bootstrap/tasks/main.yaml
index 8e9e1aa..1a017bf 100644
--- a/Ansible/roles/openbsd_bootstrap/tasks/main.yaml
+++ b/Ansible/roles/openbsd_bootstrap/tasks/main.yaml
@@ -1,4 +1,7 @@
 ---
+- name: Set correct time
+  ansible.builtin.raw: rdate pool.ntp.org
+
 - name: Install Python3
   ansible.builtin.raw: pkg_add -Iz py3-pip
   register: openbsd_pkg_add_python
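Review bot: The new `rdate pool.ntp.org` task has no `changed_when`, so a raw command that always succeeds reports changed on every run and the bootstrap play can never converge; add `changed_when: false` under the `ansible.builtin.raw` line. OpenBSD's rdate speaks the RFC 868 time protocol unless given `-n` (SNTP), and the pool hosts are NTP servers, so `ansible.builtin.raw: rdate -n pool.ntp.org` looks like the form that will actually answer — worth confirming against the 7.6 rdate(8) before merging. A one-line comment above the task, `# Clock must be sane before anything on this host does TLS/OCSP validation`, would record why it runs before pkg_add rather than with the rest of the role.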
diff --git a/Ansible/roles/router/files/unbound/shore.co.il.conf b/Ansible/roles/router/files/unbound.conf
similarity index 54%
rename from Ansible/roles/router/files/unbound/shore.co.il.conf
rename to Ansible/roles/router/files/unbound.conf
index 31fb793..7d3ff75 100644
--- a/Ansible/roles/router/files/unbound/shore.co.il.conf
+++ b/Ansible/roles/router/files/unbound.conf
@@ -1,10 +1,27 @@
 server:
+    interface: 127.0.0.1
     interface: 192.168.3.1 #ingress
-    #local-zone: "shore.co.il." static
-    access-control: 192.168.3.0/8 allow
+
+    access-control: 0.0.0.0/0 refuse
     access-control: 127.0.0.0/8 allow
+    access-control: 192.168.3.0/8 allow
+    access-control: ::0/0 refuse
+    access-control: ::1 allow
+
+    hide-identity: yes
+    hide-version: yes
+
+    auto-trust-anchor-file: "/var/unbound/db/root.key"
+    val-log-level: 2
+
+    aggressive-nsec: yes
+
     local-data: "kodi.shore.co.il.          A   192.168.3.12"
     local-data: "mr8300.shore.co.il.        A   192.168.3.13"
     local-data: "host01.shore.co.il.        A   192.168.3.17"
     local-data: "smtp.shore.co.il.          A   192.168.3.17"
     local-data: "nintendoswitch.            A   192.168.3.20"
+
+remote-control:
+    control-enable: yes
+    control-interface: /var/run/unbound.sock
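Review bot: `access-control: 192.168.3.0/8 allow` on the re-added line carries a /8 prefix, so Unbound matches on the first eight bits only and any 192.x.x.x source is allowed, not just the LAN; the interface hunk in `tasks/main.yaml` configures the LAN as `inet 192.168.3.1 255.255.255.0`, so the matching entry is `access-control: 192.168.3.0/24 allow`. The listener is bound to 127.0.0.1 and 192.168.3.1 only, which limits exposure to whatever can reach igc0, but a refuse-by-default ACL should name the exact subnet it means to open. Unbound selects the most specific matching access-control entry, so the placement of `0.0.0.0/0 refuse` above the allow lines is fine as written.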
diff --git a/Ansible/roles/router/tasks/main.yaml b/Ansible/roles/router/tasks/main.yaml
index 4171c12..168aba5 100644
--- a/Ansible/roles/router/tasks/main.yaml
+++ b/Ansible/roles/router/tasks/main.yaml
@@ -65,7 +65,7 @@
   ansible.builtin.copy:
     content: |-
       search shore.co.il
-      nameserver 127.0.0.1
+      nameserver 192.168.3.1
       lookup file bind
     dest: /etc/resolv.conf
     mode: 0o0644
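Review bot: `nameserver 192.168.3.1` ties the router's own lookups to igc0 being configured and up, whereas the renamed `unbound.conf` in this same commit adds `interface: 127.0.0.1`, so the previous `127.0.0.1` entry would keep working independently of LAN interface state. If the LAN address is wanted here for some reason the commit message does not give, listing both — `nameserver 127.0.0.1` followed by `nameserver 192.168.3.1` — keeps local resolution available while the interface is down or being reconfigured. The task's name and tags lie outside the hunk.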
@@ -78,11 +78,11 @@
 - name: Configure the network interfaces
   with_dict:
     # yamllint disable rule:line-length
-    em1: |
+    igc1: |
       description "Connected to the fiber cable, used for PPPoE connection to the ISP."
       up
     # yamllint enable rule:line-length
-    em5: |
+    igc0: |
       description "Connected to internal LAN."
       inet 192.168.3.1 255.255.255.0
       group ingress
@@ -90,7 +90,7 @@
     pppoe0: |
       description "The connection to the internet."
       inet 62.219.131.121 255.255.255.255 NONE \
-      pppoedev em1 authproto pap \
+      pppoedev igc1 authproto pap \
       authname 'ns_nimadar@014' authkey '{{ bezeqint_password }}' up
       dest 0.0.0.1
       !/sbin/route add default -ifp pppoe0 62.219.131.121
@@ -108,36 +108,10 @@
     - network
 
 - name: Configure the Unbound DNS resolver
-  ansible.builtin.file:
-    path: /var/unbound/etc/unbound.conf.d
-    mode: 0o0755
-    state: directory
-  tags:
-    - unbound
-    - dns
-    - network
-
-- name: Configure Ubnound DNS resolver
-  ansible.builtin.lineinfile:
-    insertafter: EOF
-    line: >-
-      include: "/var/unbound/etc/unbound.conf.d/*.conf"
-    path: /var/unbound/etc/unbound.conf
-    validate: unbound-checkconf %s
-  notify:
-    - Restart Unbound
-  tags:
-    - unbound
-    - dns
-    - network
-
-- name: Configure the Unbound DNS resolver
-  loop:
-    - shore.co.il.conf
   ansible.builtin.copy:
-    dest: '/var/unbound/etc/unbound.conf.d/{{ item }}'
+    dest: /var/unbound/etc/unbound.conf
     mode: preserve
-    src: 'unbound/{{ item }}'
+    src: unbound.conf
     validate: unbound-checkconf %s
   diff: true
   notify:
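Review bot: `mode: preserve` on the copy of `unbound.conf` makes the deployed file's permissions follow whatever mode the control node's checkout happens to have, so the result varies with umask and clone; the resolv.conf task earlier in this file pins `mode: 0o0644`, and the same explicit mode here would make the role deterministic and consistent. The deleted tasks also created `/var/unbound/etc/unbound.conf.d` and appended an `include:` line for it; if anything else still drops files there, that include is gone with this change, and on already-provisioned hosts the directory is simply left behind — a `state: absent` file task on that path would retire the old layout cleanly. The task's `notify` list and its `tags` continue outside the hunk.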
-- 
GitLab