From 4bd19f4b2706d1246b25862e7927907db37e8748 Mon Sep 17 00:00:00 2001
From: L3D
Date: Thu, 17 Nov 2022 23:46:33 +0100
Subject: [PATCH] use templates for snippets
---
 defaults/main.yml | 17 ++++++++
 tasks/configure.yml | 41 ++++++++++++++-----
 .../snippets/private-addresses.conf | 25 ++++++++---
 .../snippets/qname-minimisation.conf | 1 +
 .../snippets/root-auto-trust-anchor-file.conf | 3 +-
 {files => templates}/unbound.conf | 2 +
 vars/main.yml | 2 +-
 7 files changed, 73 insertions(+), 18 deletions(-)
 rename {files => templates}/snippets/private-addresses.conf (62%)
 rename {files => templates}/snippets/qname-minimisation.conf (93%)
 rename {files => templates}/snippets/root-auto-trust-anchor-file.conf (62%)
 rename {files => templates}/unbound.conf (92%)
diff --git a/defaults/main.yml b/defaults/main.yml
index 1a9945e..b51c352 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -11,3 +11,20 @@ unbound_access_control:
   - 'access-control: ::1 allow'
 
 unbound__state: 'present'
+
+# snippets for dns rebinding protection
+unbount__dns_rebind_protection: true
+unbound__protect_rebind_localhost: true
+unbound__protect_rebind_rfc1918: true
+unbound__protect_rebind_carrier_grade_nat: true
+unbound__protect_rebind_v4_link_local: true
+unbound__protect_rebind_unique_local: true
+unbound__protect_rebind_v6_link_local: true
+unbound__protect_rebind_rfc4291: true
+
+# dns qname privacy
+unbount__dns_qname_minimisation: true
+
+# anchor file
+unbound__auto_trust_anchor: true
+unbound__auto_trust_anchor_file: "/var/lib/unbound/root.key"
diff --git a/tasks/configure.yml b/tasks/configure.yml
index 2ee97af..4d6f333 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
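Review bot: The two new toggles `unbount__dns_rebind_protection` and `unbount__dns_qname_minimisation` misspell the role prefix (`unbount__` instead of `unbound__`) while every other variable added in this hunk uses `unbound__`; the same spelling is repeated in the `when:` conditions of the tasks/configure.yml hunk, so the role works today but ships a misspelled public variable that becomes a breaking rename later. I would rename both to `unbound__dns_rebind_protection` and `unbound__dns_qname_minimisation` here and in the two `when:` lines before this is released. A one-line comment above each group naming the snippet it drives, e.g. `# renders templates/snippets/private-addresses.conf`, would also let readers map the toggles to the generated config without opening the tasks file.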
@@ -1,23 +1,44 @@
 ---
-- name: Copy unbound configuration snippets
+- name: Copy snipet to protect for DNS rebinding
   become: true
-  ansible.builtin.copy:
-    src: '{{ item }}'
+  ansible.builtin.template:
+    src: 'templates/snippets/private-addresses.conf'
     dest: '/etc/unbound/unbound.conf.d/'
     owner: root
     group: root
-    mode: 'u=rwX,g=rX,o=rX'
-  with_fileglob:
-    - 'files/snippets/*.conf'
-  notify: Systemctl restart unbound
+    mode: 'u=rw,g=r,o=r'
+  notify: 'Systemctl restart unbound'
+  when: unbount__dns_rebind_protection | bool
 
-- name: Copy main unbound configuration
+- name: Copy snipet for qname privacy
   become: true
   ansible.builtin.template:
-    src: 'files/unbound.conf'
+    src: 'templates/snippets/qname-minimisation.conf'
+    dest: '/etc/unbound/unbound.conf.d/'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  notify: 'Systemctl restart unbound'
+  when: unbount__dns_qname_minimisation | bool
+
+- name: Copy anchor snippet
+  become: true
+  ansible.builtin.template:
+    src: 'templates/snippets/root-auto-trust-anchor-file.conf'
+    dest: '/etc/unbound/unbound.conf.d/'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  notify: 'Systemctl restart unbound'
+  when: unbound__auto_trust_anchor | bool
+
+- name: Transfer main unbound configuration
+  become: true
+  ansible.builtin.template:
+    src: 'templates/unbound.conf'
     dest: '/etc/unbound/unbound.conf'
     owner: root
     group: root
     mode: 'u=rw,g=r,o=r'
     validate: unbound-checkconf %s
-  notify: Systemctl restart unbound
+  notify: 'Systemctl restart unbound'
diff --git a/files/snippets/private-addresses.conf b/templates/snippets/private-addresses.conf
similarity index 62%
rename from files/snippets/private-addresses.conf
rename to templates/snippets/private-addresses.conf
index f164fab..028da62 100644
--- a/files/snippets/private-addresses.conf
+++ b/templates/snippets/private-addresses.conf
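Review bot: Each snippet task guards only the rendering with `when:`, so turning a toggle such as `unbount__dns_rebind_protection` off on a host that already received the snippet leaves the stale file in `/etc/unbound/unbound.conf.d/`, which the main config still pulls in through its `*.conf` include; the protection is advertised as switchable but cannot actually be switched off. Each template task needs a companion `ansible.builtin.file` task with `state: absent` under the negated condition that also notifies the restart handler, as sketched below for the first snippet. The three snippet tasks also drop the `validate: unbound-checkconf %s` that the main-config task keeps, which matters more now that these files are rendered from variables instead of copied verbatim — if unbound-checkconf accepts a standalone fragment, add it to them as well. Minor: `snipet` in the first two task names should read `snippet`.
```yaml
- name: Remove DNS rebinding snippet when protection is disabled
  become: true
  ansible.builtin.file:
    path: '/etc/unbound/unbound.conf.d/private-addresses.conf'
    state: absent
  notify: 'Systemctl restart unbound'
  when: not unbount__dns_rebind_protection | bool
# … same pattern for qname-minimisation.conf and root-auto-trust-anchor-file.conf …
```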
@@ -1,31 +1,44 @@
+{{ ansible_managed | comment }}
 server:
   # Give IPv4 of IPv6 addresses or classless subnets. These are addresses on your private network,
   # and are not allowed to be returned for public internet names. Any occurrence of such addresses
   # are removed from DNS answers. Additionally, the DNSSEC validator may mark the answers bogus.
   # This protects against so-called DNS Rebinding.
+
   # Legacy IP
+{% if unbound__protect_rebind_localhost | bool %}
   # localhost
   private-address: 127.0.0.0/8
-
+{% endif %}
+{% if unbound__protect_rebind_rfc1918 | bool %}
   # private IPv4 address spaces (rfc 1918)
   private-address: 10.0.0.0/8
   private-address: 172.16.0.0/12
   private-address: 192.168.0.0/16
-
+{% endif %}
+{% if unbound__protect_rebind_carrier_grade_nat | bool %}
   # carrier-grade NAT (rfc 6598)
   private-address: 100.64.0.0/10
-
+{% endif %}
+{% if unbound__protect_rebind_v4_link_local | bool %}
   # link-local addresses
   private-address: 169.254.0.0/16
+{% endif %}
+
   # IPv6
+{% if unbound__protect_rebind_localhost | bool %}
   # localhost
   private-address: ::/128
-
+{% endif %}
+{% if unbound__protect_rebind_unique_local | bool %}
   # unique local addresses (rfc 4193)
   private-address: fd00::/8
-
+{% endif %}
+{% if unbound__protect_rebind_v6_link_local | bool %}
   # link-local addresses (rfc 4862, 4291)
   private-address: fe80::/10
-
+{% endif %}
+{% if unbound__protect_rebind_rfc4291 | bool %}
   # IPv4-mapped addresses (rfc 4291)
   private-address: ::ffff:0:0/96
+{% endif %}
diff --git a/files/snippets/qname-minimisation.conf b/templates/snippets/qname-minimisation.conf
similarity index 93%
rename from files/snippets/qname-minimisation.conf
rename to templates/snippets/qname-minimisation.conf
index 177bb78..893895e 100644
--- a/files/snippets/qname-minimisation.conf
+++ b/templates/snippets/qname-minimisation.conf
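Review bot: The new `unbound__protect_rebind_localhost` guard in the IPv6 section wraps only `private-address: ::/128`, which is the unspecified address rather than the IPv6 loopback, so with the toggle on an answer pointing at `::1` still passes while the IPv4 half correctly covers `127.0.0.0/8`. Add `private-address: ::1/128` inside that block; keeping `::/128` alongside it is fine, since it is never a legitimate public answer either. Reusing one toggle for both loopback blocks is sensible, but a comment on the first use such as `# also gates the IPv6 loopback block below` would save readers a second pass through the template.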
@@ -1,3 +1,4 @@
+{{ ansible_managed | comment }}
 server:
   # Send minimum amount of information to upstream servers to enhance
   # privacy. Only sends minimum required labels of the QNAME and sets
diff --git a/files/snippets/root-auto-trust-anchor-file.conf b/templates/snippets/root-auto-trust-anchor-file.conf
similarity index 62%
rename from files/snippets/root-auto-trust-anchor-file.conf
rename to templates/snippets/root-auto-trust-anchor-file.conf
index c0cec38..dceae77 100644
--- a/files/snippets/root-auto-trust-anchor-file.conf
+++ b/templates/snippets/root-auto-trust-anchor-file.conf
@@ -1,4 +1,5 @@
+{{ ansible_managed | comment }}
 server:
   # Perform cryptographic DNSSEC validation using the root trust anchor.
   # File with trust anchor for one zone, which is tracked with RFC5011 probes.
-  auto-trust-anchor-file: "/var/lib/unbound/root.key"
+  auto-trust-anchor-file: "{{ unbound__auto_trust_anchor_file }}"
diff --git a/files/unbound.conf b/templates/unbound.conf
similarity index 92%
rename from files/unbound.conf
rename to templates/unbound.conf
index 3eec9e2..483746c 100644
--- a/files/unbound.conf
+++ b/templates/unbound.conf
@@ -1,3 +1,5 @@
+{{ ansible_managed | comment }}
+
 include: "/etc/unbound/unbound.conf.d/*.conf"
 
 remote-control:
diff --git a/vars/main.yml b/vars/main.yml
index 861abc1..6c552f2 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,3 +1,3 @@
 ---
-playbook_version_number: 69 # should be integer
+playbook_version_number: 70 # should be integer
 playbook_version_path: 'role-unbound_roles-ansible_github.com.version'