router: Some updates for the new router.

New host with different interface names. Some updates for OpenBSD 7.6. While I'm here, set the correct time and date for the OpenBSD bootstrap role so that things like OCSP stapling work.

router: Some updates for the new router.
7e78b03c · nimrod · 60829fb6 · 7e78b03c · 7e78b03c · 7e78b03c
Commit 7e78b03c authored 2 months ago by nimrod
--- a/Ansible/roles/openbsd_bootstrap/tasks/main.yaml
+++ b/Ansible/roles/openbsd_bootstrap/tasks/main.yaml
 ---
+- name: Set correct time
+  ansible.builtin.raw: rdate pool.ntp.org
+
 - name: Install Python3
  ansible.builtin.raw: pkg_add -Iz py3-pip
  register: openbsd_pkg_add_python

--- a/Ansible/roles/router/files/unbound/shore.co.il.conf
+++ b/Ansible/roles/router/files/unbound/shore.co.il.conf
 server:
+    interface: 127.0.0.1
    interface: 192.168.3.1 #ingress
-    #local-zone: "shore.co.il." static
-    access-control: 192.168.3.0/8 allow
+
+    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
+    access-control: 192.168.3.0/8 allow
+    access-control: ::0/0 refuse
+    access-control: ::1 allow
+
+    hide-identity: yes
+    hide-version: yes
+
+    auto-trust-anchor-file: "/var/unbound/db/root.key"
+    val-log-level: 2
+
+    aggressive-nsec: yes
+
    local-data: "kodi.shore.co.il.          A   192.168.3.12"
    local-data: "mr8300.shore.co.il.        A   192.168.3.13"
    local-data: "host01.shore.co.il.        A   192.168.3.17"
    local-data: "smtp.shore.co.il.          A   192.168.3.17"
    local-data: "nintendoswitch.            A   192.168.3.20"
+
+remote-control:
+    control-enable: yes
+    control-interface: /var/run/unbound.sock
--- a/Ansible/roles/router/tasks/main.yaml
+++ b/Ansible/roles/router/tasks/main.yaml
@@ -65,7 +65,7 @@
  ansible.builtin.copy:
    content: |-
      search shore.co.il
-      nameserver 127.0.0.1
+      nameserver 192.168.3.1
      lookup file bind
    dest: /etc/resolv.conf
    mode: 0o0644
@@ -78,11 +78,11 @@
 - name: Configure the network interfaces
  with_dict:
    # yamllint disable rule:line-length
-    em1: |
+    igc1: |
      description "Connected to the fiber cable, used for PPPoE connection to the ISP."
      up
    # yamllint enable rule:line-length
-    em5: |
+    igc0: |
      description "Connected to internal LAN."
      inet 192.168.3.1 255.255.255.0
      group ingress
@@ -90,7 +90,7 @@
    pppoe0: |
      description "The connection to the internet."
      inet 62.219.131.121 255.255.255.255 NONE \
-      pppoedev em1 authproto pap \
+      pppoedev igc1 authproto pap \
      authname 'ns_nimadar@014' authkey '{{ bezeqint_password }}' up
      dest 0.0.0.1
      !/sbin/route add default -ifp pppoe0 62.219.131.121
@@ -108,36 +108,10 @@
    - network

 - name: Configure the Unbound DNS resolver
-  ansible.builtin.file:
-    path: /var/unbound/etc/unbound.conf.d
-    mode: 0o0755
-    state: directory
-  tags:
-    - unbound
-    - dns
-    - network
-
- name: Configure Ubnound DNS resolver
-  ansible.builtin.lineinfile:
-    insertafter: EOF
-    line: >-
-      include: "/var/unbound/etc/unbound.conf.d/*.conf"
-    path: /var/unbound/etc/unbound.conf
-    validate: unbound-checkconf %s
-  notify:
-    - Restart Unbound
-  tags:
-    - unbound
-    - dns
-    - network
-
- name: Configure the Unbound DNS resolver
-  loop:
-    - shore.co.il.conf
  ansible.builtin.copy:
-    dest: '/var/unbound/etc/unbound.conf.d/{{ item }}'
+    dest: /var/unbound/etc/unbound.conf
    mode: preserve
-    src: 'unbound/{{ item }}'
+    src: unbound.conf
    validate: unbound-checkconf %s
  diff: true
  notify: