├── roles
├── ghost
│ ├── defaults
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── vars
│ │ └── main.yml
│ ├── templates
│ │ ├── config.json
│ │ └── ghost-smf.xml
│ └── tasks
│ │ └── main.yml
├── plex
│ ├── defaults
│ │ └── main.yml
│ ├── vars
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── redis
│ ├── defaults
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── templates
│ │ └── redis.conf
│ ├── tasks
│ │ └── main.yml
│ └── vars
│ │ └── main.yml
├── common-debian
│ ├── defaults
│ │ └── main.yml
│ ├── templates
│ │ ├── hostname
│ │ └── sshd_config
│ ├── handlers
│ │ └── main.yml
│ ├── vars
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── git
│ ├── defaults
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── vars
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── minecraft
│ ├── templates
│ │ ├── eula.txt
│ │ ├── minecraft-smf.xml
│ │ └── server.properties
│ ├── meta
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ ├── server-paper.yml
│ │ ├── server-mojang.yml
│ │ └── main.yml
│ ├── defaults
│ │ └── main.yml
│ └── vars
│ │ └── main.yml
├── tor
│ ├── meta
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── templates
│ │ └── torrc
│ └── tasks
│ │ └── main.yml
├── clamav
│ ├── meta
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── mysql
│ ├── meta
│ │ └── main.yml
│ ├── templates
│ │ ├── my.cnf
│ │ └── system-my.cnf
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── vars
│ │ └── main.yml
├── neo4j
│ ├── meta
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── templates
│ │ ├── neo4j.conf
│ │ └── neo4j-smf.xml
│ ├── tasks
│ │ └── main.yml
│ ├── defaults
│ │ └── main.yml
│ └── vars
│ │ └── main.yml
├── postgresql
│ ├── meta
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── templates
│ │ ├── postgresql.conf
│ │ ├── pg_ident.conf
│ │ └── pg_hba.conf
│ ├── tasks
│ │ └── main.yml
│ └── defaults
│ │ └── main.yml
├── samba
│ ├── meta
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── templates
│ │ └── smb.conf
│ ├── vars
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── common
│ ├── defaults
│ │ └── main.yml
│ ├── templates
│ │ ├── useradd
│ │ ├── inputrc
│ │ └── sshd_config
│ ├── handlers
│ │ └── main.yml
│ ├── vars
│ │ └── main.yml
│ └── tasks
│ │ ├── home_dataset.yml
│ │ └── main.yml
├── ansible
│ ├── meta
│ │ └── main.yml
│ ├── defaults
│ │ └── main.yml
│ ├── vars
│ │ └── main.yml
│ ├── templates
│ │ └── ansible.cfg
│ └── tasks
│ │ └── main.yml
├── router
│ └── templates
│ │ └── ipnat.conf
└── dhcpdns
│ └── templates
│ ├── dnsmasq.conf
│ ├── dhcpd.conf
│ ├── powerdns-recursor.conf
│ └── unbound.conf
├── .gitignore
├── bootstrap.yml
├── bootstrap.sh
├── example.yml
└── README.md
/roles/ghost/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Per-host overrides for the ghost role.  The templates merge this mapping over
# default_ghost (vars/main.yml) with combine(recursive=True), so a playbook only
# needs to set the keys that differ from the defaults.
ghost: {}
--------------------------------------------------------------------------------
/roles/plex/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Per-host overrides for the plex role, merged over default_plex (vars/main.yml).
# At least `hostname` has to be supplied: the common-debian hostname template
# reads it and default_plex provides no value.
plex: {}
--------------------------------------------------------------------------------
/roles/plex/vars/main.yml:
--------------------------------------------------------------------------------
---
# Role-internal defaults for plex.  Empty on purpose: everything the role needs
# (including the hostname consumed by common-debian/templates/hostname) comes
# from the per-host `plex` mapping.
default_plex: {}
--------------------------------------------------------------------------------
/roles/redis/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Per-host overrides for the redis role; `config` keys become redis.conf
# directives after being merged over default_redis (templates/redis.conf).
redis: {}
--------------------------------------------------------------------------------
/roles/common-debian/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Per-host sshd overrides (config / key_types / match), merged over default_sshd
# from vars/main.yml by templates/sshd_config.
sshd: {}
--------------------------------------------------------------------------------
/roles/git/defaults/main.yml:
--------------------------------------------------------------------------------
---
git:
  # Login names of the git-shell accounts created by tasks/main.yml.  Those
  # tasks set the accounts to "no password" (passwd -N), so key-based SSH is
  # the expected way in; authorized_keys must be provisioned separately.
  users: []
--------------------------------------------------------------------------------
/roles/git/meta/main.yml:
--------------------------------------------------------------------------------
---
# The common role supplies the sshd_config template that applies the git
# role's `sshd.match` hardening (vars/main.yml).
dependencies:
  - common
--------------------------------------------------------------------------------
/roles/minecraft/templates/eula.txt:
--------------------------------------------------------------------------------
{# Minecraft's eula.txt; the server refuses to start unless this reads eula=true,
   and writing true here is the operator's acceptance of the Minecraft EULA.
   NOTE(review): a YAML boolean renders as "True"; confirm the server accepts
   that spelling or pass the value as the string 'true'. #}
eula={{ minecraft.eula }}
--------------------------------------------------------------------------------
/roles/tor/meta/main.yml:
--------------------------------------------------------------------------------
---
# Base SmartOS configuration (sshd, useradd, delegated dataset) before tor.
dependencies:
  - common
--------------------------------------------------------------------------------
/roles/clamav/meta/main.yml:
--------------------------------------------------------------------------------
---
# Base SmartOS configuration before clamav is installed.
dependencies:
  - common
--------------------------------------------------------------------------------
/roles/ghost/meta/main.yml:
--------------------------------------------------------------------------------
---
# Ghost stores its content in MySQL/MariaDB (templates/config.json), so the
# mysql role — and, through it, common — runs first.
dependencies:
  - mysql
--------------------------------------------------------------------------------
/roles/mysql/meta/main.yml:
--------------------------------------------------------------------------------
---
# Base SmartOS configuration before the database server is installed.
dependencies:
  - common
--------------------------------------------------------------------------------
/roles/neo4j/meta/main.yml:
--------------------------------------------------------------------------------
---
# Base SmartOS configuration before neo4j is installed.
dependencies:
  - common
--------------------------------------------------------------------------------
/roles/redis/meta/main.yml:
--------------------------------------------------------------------------------
---
# Base SmartOS configuration (provides delegate_dataset / zone_dataset used by
# tasks/main.yml) before redis is installed.
dependencies:
  - common
--------------------------------------------------------------------------------
/roles/minecraft/meta/main.yml:
--------------------------------------------------------------------------------
---
# Base SmartOS configuration before the minecraft server is set up.
dependencies:
  - common
--------------------------------------------------------------------------------
/roles/plex/meta/main.yml:
--------------------------------------------------------------------------------
---
# Plex runs on a Debian host, so it depends on the Debian variant of the base
# role (hostname + sshd_config) rather than on the SmartOS `common` role.
dependencies:
  - common-debian
--------------------------------------------------------------------------------
/roles/postgresql/meta/main.yml:
--------------------------------------------------------------------------------
---
# Base SmartOS configuration (provides delegate_dataset / zone_dataset used by
# tasks/main.yml) before postgresql is installed.
dependencies:
  - common
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
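# Every *.yml at the repository root is a site-specific playbook or inventory
# that may carry hostnames, keys and credentials (mysql_root_password,
# ghost_db_pass, ...), so it is kept out of version control.  The two
# negations MUST follow the wildcard: git applies the last matching pattern,
# and listed before it they were overridden, leaving bootstrap.yml and
# example.yml ignored for a fresh clone.
/*.yml
!bootstrap.yml
!example.yml
*.retry
.*.swp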
--------------------------------------------------------------------------------
/roles/common-debian/templates/hostname:
--------------------------------------------------------------------------------
{# Renders the Debian /etc/hostname.  NOTE(review): this common-debian template
   reads plex.hostname (merged over default_plex), so it presumably only works
   on hosts that also carry the plex role's variables — confirm before reusing
   common-debian for anything other than the plex host. #}
{{ ( default_plex | combine( plex, recursive=True )).hostname }}
--------------------------------------------------------------------------------
/roles/samba/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies:
  # home_dataset switches on per-user ZFS home datasets in the common role's
  # useradd template (MANAGE_ZFS), so the [homes] share exported by this role
  # lands on its own dataset.
  - role: common
    vars:
      home_dataset: true
--------------------------------------------------------------------------------
/bootstrap.yml:
--------------------------------------------------------------------------------
---
# Run on the freshly bootstrapped controller itself (see bootstrap.sh) to put
# ansible, its fact-cache redis and /etc/ansible/ansible.cfg under ansible
# management.
- name: 'Bootstrap Ansible'
  hosts: 127.0.0.1
  connection: local
  roles:
    - ansible
--------------------------------------------------------------------------------
/roles/mysql/templates/my.cnf:
--------------------------------------------------------------------------------
{{ configuration_header }}

# Client-side credentials for the database root account so root's mysql(1) and
# the mysql_* ansible modules authenticate without prompting.  The password is
# stored in clear text: the task that installs this file (not shown here) must
# write it as root with mode 0600, and mysql_root_password should come from an
# encrypted source such as ansible-vault.
[client]
user=root
password={{ mysql_root_password }}
--------------------------------------------------------------------------------
/roles/common/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Managed hosts are SmartOS zones; the modules run under the pkgsrc python3.
ansible_python_interpreter: /opt/local/bin/python3
# Create per-user ZFS home datasets (templates/useradd).  Off by default; roles
# that want it (git via vars, samba via meta) turn it on.
home_dataset: false
# Per-host overrides merged over default_inputrc / default_sshd in the templates.
inputrc: {}
sshd: {}
--------------------------------------------------------------------------------
/roles/git/vars/main.yml:
--------------------------------------------------------------------------------
---
home_dataset: true
# Hardening for the git-shell accounts, merged into default_sshd by the common
# role's sshd_config template.  NOTE(review): the Match applies to every
# account whose group is "other" (presumably the default useradd group on
# SmartOS, which is how git.users end up there), not only to the git users —
# confirm no interactive account shares that group.
sshd:
  match:
    'Group other':
      # No port/agent/X11 forwarding and no pty: git-shell only needs a plain
      # exec channel for git-upload-pack / git-receive-pack.
      DisableForwarding: 'yes'
      PermitTTY: 'no'
--------------------------------------------------------------------------------
/roles/ghost/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Restart ghost after an install or configuration change.  Skipped on the run
# that first enabled the service (ghost_enabled, registered by the task that
# enables it): enabling an SMF service already starts it with the new config.
- name: restart ghost
  when: ghost_enabled is not changed
  service:
    state: restarted
    name: 'svc:/ghost:default'
--------------------------------------------------------------------------------
/roles/neo4j/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Restart neo4j after an install or configuration change.  Skipped on the run
# that first enabled the service (neo4j_enabled, registered by the task that
# enables it): enabling an SMF service already starts it with the new config.
- name: restart neo4j
  when: neo4j_enabled is not changed
  service:
    state: restarted
    name: 'svc:/neo4j:default'
--------------------------------------------------------------------------------
/roles/tor/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Restart tor after an install or torrc change.  Skipped on the run that first
# enabled the service (tor_enabled, registered in tasks/main.yml): enabling an
# SMF service already starts it with the new config.
- name: restart tor
  when: tor_enabled is not changed
  service:
    state: restarted
    name: 'svc:/pkgsrc/tor:default'
--------------------------------------------------------------------------------
/roles/redis/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Restart redis after an install or redis.conf change.  Skipped on the run that
# first enabled the service (redis_enabled, registered in tasks/main.yml):
# enabling an SMF service already starts it with the new config.
- name: restart redis
  when: redis_enabled is not changed
  service:
    state: restarted
    name: 'svc:/pkgsrc/redis:default'
--------------------------------------------------------------------------------
/roles/ansible/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies:
  # The controller's fact cache lives in a local redis (vars/main.yml); the
  # sizing for that instance is passed through a role-level default
  # (defaults/main.yml), presumably because a plain `redis:` key on the
  # dependency is shadowed by the redis role's own default.
  - role: redis
    vars:
      redis: '{{ ansible_passed_redis_variables_that_ansible_apparently_cant_figure_out_on_its_own }}'
--------------------------------------------------------------------------------
/roles/common/templates/useradd:
--------------------------------------------------------------------------------
{{ configuration_header }}
{# useradd defaults (presumably installed as /etc/default/useradd on SmartOS).
   MANAGE_ZFS makes useradd create a ZFS dataset per home directory; it is only
   emitted when the role asked for it (home_dataset) AND the delegate_dataset
   task — registered elsewhere in the common role — succeeded, i.e. the zone
   really has a delegated dataset to create it in. #}

EXCEED_TRAD=silent
{% if home_dataset and delegate_dataset is succeeded %}
MANAGE_ZFS=yes
{% endif %}
--------------------------------------------------------------------------------
/roles/minecraft/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Restart the server after an install or configuration change.  Skipped on the
# run that first enabled it (minecraft_enabled, registered by the enabling
# task): enabling an SMF service already starts it with the new config.
- name: restart minecraft
  when: minecraft_enabled is not changed
  service:
    state: restarted
    name: 'svc:/minecraft:default'
--------------------------------------------------------------------------------
/roles/plex/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Debian host: plexmediaserver is a native service, not an SMF FMRI.  The
# restart is skipped on the run that first enabled it (plexmediaserver_enabled,
# registered by the enabling task).
- name: restart plexmediaserver
  when: plexmediaserver_enabled is not changed
  service:
    state: restarted
    name: plexmediaserver
--------------------------------------------------------------------------------
/roles/samba/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Restart both samba daemons after an install or smb.conf change.  Skipped on
# the run that first enabled them (samba_enabled, registered in tasks/main.yml):
# enabling an SMF service already starts it with the new config.
- name: restart samba
  when: samba_enabled is not changed
  service:
    state: restarted
    name: 'svc:/pkgsrc/samba:smbd svc:/pkgsrc/samba:nmbd'
--------------------------------------------------------------------------------
/roles/postgresql/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Restart postgresql after an install or configuration change.  Skipped on the
# run that first enabled it (postgresql_enabled, registered in tasks/main.yml):
# enabling an SMF service already starts it with the new config.
- name: restart postgresql-server
  when: postgresql_enabled is not changed
  service:
    state: restarted
    name: 'svc:/pkgsrc/postgresql:default'
--------------------------------------------------------------------------------
/roles/clamav/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Restart the signature updater and the scanner after an install.  Skipped on
# the run that first enabled them (clamav_enabled, registered in
# tasks/main.yml): enabling an SMF service already starts it.
- name: restart clamav
  when: clamav_enabled is not changed
  service:
    state: restarted
    name: 'svc:/pkgsrc/clamav:freshclamd svc:/pkgsrc/clamav:clamd'
--------------------------------------------------------------------------------
/roles/ansible/defaults/main.yml:
--------------------------------------------------------------------------------
---
ansible: {}
# Redis sizing handed to the redis dependency (meta/main.yml): a tiny instance
# dedicated to the fact cache (db 0, see vars/main.yml), two databases, 1 MB
# of memory, evicting keys with an expiry first.
ansible_passed_redis_variables_that_ansible_apparently_cant_figure_out_on_its_own:
  config:
    databases: 2
    maxmemory: 1mb
    maxmemory-policy: volatile-ttl
--------------------------------------------------------------------------------
/roles/common-debian/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Drop the /zones mountpoint directory once the delegated dataset has been
# handled (notified by a task outside this file).
- name: remove delegated mountpoint
  file:
    state: absent
    path: '/zones'

# Debian: sshd is the native `ssh` service, not an SMF FMRI.
- name: restart sshd
  service:
    state: restarted
    name: ssh
--------------------------------------------------------------------------------
/roles/mysql/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Restart the database server after an install or option-file change.  The
# FMRI is derived from the merged `server` key (default_mysql, not shown here),
# so the same handler serves whichever pkgsrc server package was chosen.
# Skipped on the run that first enabled it (mysql_enabled, registered by the
# enabling task): enabling an SMF service already starts it.
- name: restart mysql-server
  when: mysql_enabled is not changed
  service:
    state: restarted
    name: 'svc:/pkgsrc/{{ (default_mysql|combine(mysql, recursive=True)).server }}:default'
--------------------------------------------------------------------------------
/roles/common/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Drop the /zones mountpoint directory once the delegated dataset has been
# handled (notified by a task outside this file).
- name: remove delegated mountpoint
  file:
    state: absent
    path: '/zones'

# SmartOS: sshd is managed through SMF.
- name: restart sshd
  service:
    state: restarted
    name: 'svc:/network/ssh:default'
--------------------------------------------------------------------------------
/roles/ansible/vars/main.yml:
--------------------------------------------------------------------------------
---
default_ansible:
  config:
    defaults:
      gathering: smart
      # Facts are cached in the local redis installed by the redis dependency.
      # NOTE(review): cached facts describe every managed host (addresses,
      # mounts, users, ...) and nothing here authenticates to redis, so that
      # instance must listen on loopback only / require a password — confirm
      # in default_redis.
      fact_caching: redis
      fact_caching_timeout: 3600
      fact_caching_connection: localhost:6379:0
    ssh_connection:
      # Fewer SSH round-trips per task; requires `requiretty` to be off in
      # sudoers on the targets.
      pipelining: true
--------------------------------------------------------------------------------
/roles/ansible/templates/ansible.cfg:
--------------------------------------------------------------------------------
{{ configuration_header }}
{# One INI section per key of the merged config mapping: default_ansible from
   vars/main.yml overlaid (deep merge) with the per-host `ansible` variable. #}
{% set config = (default_ansible | combine(ansible, recursive=True)).config %}
{% for section, parameters in config | dictsort %}

[{{ section }}]
{% for option, setting in parameters | dictsort %}
{{ option }} = {{ setting }}
{% endfor %}
{% endfor %}
--------------------------------------------------------------------------------
/roles/tor/templates/torrc:
--------------------------------------------------------------------------------
{{ configuration_header }}
{# One "Option value" line per key of the `tor` mapping.  A list value renders
   as one line per element so repeatable options (several ORPort or ExitPolicy
   lines, for example) can be given; anything else is written as-is. #}

{% for option, setting in tor | dictsort %}
{% if setting is string or setting is not iterable %}
{{ option }} {{ setting }}
{% else %}
{% for item in setting %}
{{ option }} {{ item }}
{% endfor %}
{% endif %}
{% endfor %}
--------------------------------------------------------------------------------
/roles/postgresql/templates/postgresql.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}
{# postgresql.conf: one "setting = value" line per key of postgresql.config,
   written verbatim — string settings that postgres expects quoted must
   already carry their quotes in the playbook. #}

# Complete documentation is available at the following URL:
# https://www.postgresql.org/docs/current/runtime-config.html

{% for setting, value in postgresql.config | dictsort %}
{{ setting }} = {{ value }}
{% endfor %}
--------------------------------------------------------------------------------
/roles/ghost/vars/main.yml:
--------------------------------------------------------------------------------
---
# Role-internal defaults; the playbook's `ghost` mapping is deep-merged over
# these in templates/config.json.
default_ghost:
  env: production
  # Public URL Ghost builds links with; presumably overridden per host.
  url: 'http://localhost/'
  path: /var/www/ghost
  user: ghost
  group: ghost
  project: ghost
  dataset: ghost
  # Database over loopback as the `ghost` user; the password is the separate
  # ghost_db_pass variable and is deliberately not kept in this file.
  db_host: '127.0.0.1'
  db_name: ghost
  db_user: ghost
  # Listen on a unix socket unless http_host and http_port are both set.
  socket: /var/www/ghost/app.sock
--------------------------------------------------------------------------------
/roles/clamav/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: ensure that clamav has been installed
  pkgin:
    name: clamav
  notify: restart clamav

# freshclamd keeps the signature database current, clamd is the scanner; the
# result is registered so the handler can skip a restart on the run that
# enabled (and therefore started) them.
- name: ensure that clamav has been enabled
  service:
    enabled: true
    name: 'svc:/pkgsrc/clamav:freshclamd svc:/pkgsrc/clamav:clamd'
  register: clamav_enabled
--------------------------------------------------------------------------------
/roles/minecraft/tasks/server-paper.yml:
--------------------------------------------------------------------------------
---
# NOTE(review): unlike tasks/server-mojang.yml no `checksum:` is given, so the
# integrity of the jar rests on TLS alone (get_url validates the certificate
# by default) and a replaced upstream artifact would be accepted silently.
# The version "X-Y" is rewritten to the "X/Y" path the papermc API expects.
- name: ensure that server-{{ minecraft.server }}-{{ minecraft.version }}.jar has been downloaded
  get_url:
    url: 'https://papermc.io/api/v1/paper/{{ minecraft.version.replace("-","/") }}/download'
    dest: '{{ minecraft.path }}/server-{{ minecraft.server }}-{{ minecraft.version }}.jar'
--------------------------------------------------------------------------------
/roles/postgresql/templates/pg_ident.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}
{# pg_ident.conf: user-name maps referenced by `map=` options in pg_hba.conf.
   Each entry of postgresql.ident (optional) becomes "MAPNAME SYSTEM-USER
   PG-USER"; a map line lets the named OS account connect as the PG role. #}

# Complete documentation is available at the following URL:
# https://www.postgresql.org/docs/current/auth-username-maps.html

{% for mapping in postgresql.ident | default([]) %}
{{ mapping.mapname }} {{ mapping.system_username }} {{ mapping.postgres_username }}
{% endfor %}
--------------------------------------------------------------------------------
/roles/common/templates/inputrc:
--------------------------------------------------------------------------------
{{ configuration_header }}
{# readline configuration: `set name value` lines from .config, then the key
   bindings from .bindings, both read from default_inputrc (presumably in
   vars/main.yml, not shown here) deep-merged with the per-host `inputrc`. #}

{% set readline = default_inputrc | combine(inputrc, recursive=True) %}
{% for option, setting in readline.config | dictsort %}
set {{ option }} {{ setting }}
{% endfor %}

{% for keyseq, action in readline.bindings | dictsort %}
"{{ keyseq }}": {{ action }}
{% endfor %}
--------------------------------------------------------------------------------
/bootstrap.sh:
--------------------------------------------------------------------------------
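#!/bin/bash
# One-shot bootstrap of a fresh SmartOS zone as the ansible controller: pull a
# python3 toolchain from pkgsrc, ansible from PyPI, then hand over to
# bootstrap.yml (the ansible role).  Abort on the first failure so a broken
# pkgin or pip step does not silently run an old or missing ansible-playbook.
set -eu

# bootstrap.yml is looked up relative to this script, not the caller's cwd.
cd "$(dirname "$0")"

# Install py38-pip and the core ansible dependencies from pkgsrc.
/opt/local/bin/pkgin -y install py38-cryptography py38-jinja2 py38-pip py38-pyparsing

# Install ansible directly via pip.  NOTE(review): unpinned install (and later
# kept at state=latest by roles/ansible/tasks/main.yml), so whatever PyPI
# serves at that moment is trusted; pin a version or use a hash-checked
# requirements file if a reproducible controller matters.
/opt/local/bin/pip install ansible

# Use Ansible to update ansible
/opt/local/bin/ansible-playbook bootstrap.yml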
--------------------------------------------------------------------------------
/roles/redis/templates/redis.conf:
--------------------------------------------------------------------------------
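{{ configuration_header }}
{# redis.conf: one "directive value" line per key of the merged config mapping
   (default_redis overlaid with the per-host `redis` variable).  Booleans are
   written as the yes/no redis expects — a raw YAML bool would otherwise render
   as "True"/"False", which redis rejects at startup.  Lists yield one line per
   element so repeatable directives (save, rename-command, ...) can be given. #}

{% for directive, setting in (default_redis | combine(redis, recursive=True)).config | dictsort %}
{% if setting is sameas true or setting is sameas false %}
{{ directive }} {{ 'yes' if setting else 'no' }}
{% elif setting is number or setting is string %}
{{ directive }} {{ setting }}
{% elif setting is iterable %}
{% for item in setting | sort %}
{{ directive }} {{ item }}
{% endfor %}
{% endif %}
{% endfor %}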
--------------------------------------------------------------------------------
/roles/samba/templates/smb.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}
# Example configuration available at /opt/local/share/examples/samba/smb.conf.default
{# One INI section per key of the merged mapping: default_samba (vars/main.yml)
   deep-merged with the per-host `samba` variable, so a host can change one
   global option or add a share without restating the defaults. #}

{% set sections = default_samba | combine(samba, recursive=True) %}
{% for section, parameters in sections | dictsort %}
[{{ section }}]
{% for option, setting in parameters | dictsort %}
{{ option }} = {{ setting }}
{% endfor %}
{% endfor %}
--------------------------------------------------------------------------------
/roles/common-debian/vars/main.yml:
--------------------------------------------------------------------------------
---
configuration_header: '# Configuration generated by Ansible SmartOS Tricks'

# Baseline sshd_config for Debian hosts; the per-host `sshd` mapping is merged
# over it by templates/sshd_config.  Key-only authentication: password and
# challenge-response (keyboard-interactive) logins are both refused.
# PermitRootLogin is not set, so sshd's own default applies.
default_sshd:
  # Host key types to emit HostKey lines for (/etc/ssh/ssh_host_<type>_key);
  # with none listed sshd falls back to its built-in host key set.
  key_types: []
  config:
    # NOTE(review): OpenSSH 8.7+ calls this KbdInteractiveAuthentication; the
    # old keyword is still accepted as an alias.
    ChallengeResponseAuthentication: 'no'
    PasswordAuthentication: 'no'
    PrintMotd: 'no'
    Subsystem: 'sftp /usr/lib/openssh/sftp-server'
    # NOTE(review): privilege separation is unconditional since OpenSSH 7.5;
    # the keyword is deprecated (logs a warning) and can be dropped.
    UsePrivilegeSeparation: 'yes'
--------------------------------------------------------------------------------
/roles/postgresql/templates/pg_hba.conf:
--------------------------------------------------------------------------------
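{{ configuration_header }}
{# pg_hba.conf: one client-authentication rule per entry of postgresql.hba (a
   list, like postgresql.ident), written in the order given.  PostgreSQL uses
   the FIRST matching line, so specific rules (reject / peer for superusers)
   must precede broad ones; `address` is left blank for type "local".  With no
   entries at all every connection is refused. #}

# Complete documentation is available at the following URL:
# https://www.postgresql.org/docs/current/auth-pg-hba-conf.html

{% for rule in postgresql.hba | default([]) %}
{{ rule.type }} {{ rule.database }} {{ rule.user }} {{ rule.address | default('') }} {{ rule.method }} {{ rule.options | default('') }}
{% endfor %}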
--------------------------------------------------------------------------------
/roles/minecraft/tasks/server-mojang.yml:
--------------------------------------------------------------------------------
---
# Vanilla server jar.  mojang_checksum (presumably defined in vars/main.yml as
# "algorithm:hex" per version) supplies both the object id in the download URL
# and get_url's checksum, so a tampered or truncated download is rejected
# instead of being installed.
- name: ensure that server-{{ minecraft.server }}-{{ minecraft.version }}.jar has been downloaded
  get_url:
    url: 'https://launcher.mojang.com/v1/objects/{{ mojang_checksum[minecraft.version|string].split(":")[1] }}/server.jar'
    dest: '{{ minecraft.path }}/server-{{ minecraft.server }}-{{ minecraft.version }}.jar'
    checksum: '{{ mojang_checksum[minecraft.version|string] }}'
--------------------------------------------------------------------------------
/roles/neo4j/templates/neo4j.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}
{# neo4j.conf: one "setting=value" line per key of neo4j.config.  A list (but
   not a mapping or a string) renders as one line per element so repeatable
   settings can be given; everything else is written as-is. #}

# Complete documentation is available at the following URL:
# https://neo4j.com/docs/operations-manual/current/configuration/

{% for setting, value in neo4j.config | dictsort %}
{% if value is string or value is mapping or value is not iterable %}
{{ setting }}={{ value }}
{% else %}
{% for item in value %}
{{ setting }}={{ item }}
{% endfor %}
{% endif %}
{% endfor %}
--------------------------------------------------------------------------------
/roles/git/tasks/main.yml:
--------------------------------------------------------------------------------
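---
- name: ensure that git has been installed
  pkgin:
    name: git

# List git-shell in /etc/shells, presumably so tools that consult it (chsh,
# ftpd, PAM shell checks) treat the restricted accounts as valid.
- name: ensure that git-shell is a valid shell
  lineinfile:
    path: /etc/shells
    line: /opt/local/bin/git-shell

# Restricted accounts: git-shell only runs git-upload-pack / git-receive-pack
# (plus git-shell-commands), never an interactive shell.
- name: ensure that git repository users exist
  loop: '{{ git.users }}'
  user:
    name: '{{ item }}'
    shell: /opt/local/bin/git-shell

# On SmartOS/illumos `passwd -N` marks the account "no password": it is not
# locked, but no password can ever be used, so an SSH key is the only way in
# (authorized_keys provisioning is not part of this role).  argv keeps an
# unusual user name from being split into extra arguments, and the command is
# idempotent, so it is not reported as a change on every run.
- name: ensure that git repository users can login
  loop: '{{ git.users }}'
  changed_when: false
  command:
    argv:
      - passwd
      - -N
      - '{{ item }}'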
--------------------------------------------------------------------------------
/roles/mysql/templates/system-my.cnf:
--------------------------------------------------------------------------------
{{ configuration_header }}
{# Server-side option file: one [group] per key of the merged config mapping
   (default_mysql deep-merged with the per-host `mysql` variable).  An option
   whose value is null is written bare, for flag-style options. #}

# Complete documentation is available at the following URL:
# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/

{% set option_groups = (default_mysql | combine(mysql, recursive=True)).config %}
{% for group, options in option_groups | dictsort %}
[{{ group }}]
{% for option, setting in options | dictsort %}
{% if setting is none %}
{{ option }}
{% else %}
{{ option }} = {{ setting }}
{% endif %}
{% endfor %}

{% endfor %}
--------------------------------------------------------------------------------
/roles/samba/vars/main.yml:
--------------------------------------------------------------------------------
---
# Baseline smb.conf; the per-host `samba` mapping is deep-merged over it in
# templates/smb.conf.  Standalone server, so accounts live in the local samba
# password database, not in a domain.  NOTE(review): no `server min protocol`
# is set — Samba 4.11+ defaults to SMB2, older builds still accept SMB1
# unless it is set explicitly.
default_samba:
  global:
    'workgroup': 'MYGROUP'
    'server string': 'Samba %v (%h)'
    'server role': 'standalone server'
    'log file': '/var/log/samba/log.%m'
    'max log size': 50
    'dns proxy': 'no'
  # Each user's home directory as a writable, unlisted share.
  homes:
    'comment': 'Home Directories'
    'browseable': 'no'
    'writable': 'yes'
  # Printer share stanza kept from the Samba example; no guest access.
  printers:
    'comment': 'All Printers'
    'path': '/var/spool/samba'
    'browseable': 'no'
    'guest ok': 'no'
    'writable': 'no'
    'printable': 'yes'
--------------------------------------------------------------------------------
/roles/common/templates/sshd_config:
--------------------------------------------------------------------------------
{{ configuration_header }}
{# SmartOS sshd_config assembled from default_sshd deep-merged with the
   per-host `sshd` mapping: global options first, HostKey lines for each
   requested key type, and the Match blocks last — sshd attaches everything
   after a Match line to that block, so this ordering is significant. #}

{% set sshd_conf = default_sshd | combine(sshd, recursive=True) %}
{% for option, setting in sshd_conf.config | dictsort %}
{{ option }} {{ setting }}
{% endfor %}

{% for key_type in sshd_conf.key_types | sort %}
HostKey /var/ssh/ssh_host_{{ key_type }}_key
{% endfor %}

{% for criteria, overrides in sshd_conf.match | default({}) | dictsort %}
Match {{ criteria }}
{% for option, setting in overrides | dictsort %}
{{ option }} {{ setting }}
{% endfor %}
{% endfor %}
--------------------------------------------------------------------------------
/roles/common-debian/templates/sshd_config:
--------------------------------------------------------------------------------
{{ configuration_header }}
{# Debian sshd_config assembled from default_sshd deep-merged with the
   per-host `sshd` mapping: global options first, HostKey lines for each
   requested key type, and the Match blocks last — sshd attaches everything
   after a Match line to that block, so this ordering is significant. #}

{% set sshd_conf = default_sshd | combine(sshd, recursive=True) %}
{% for option, setting in sshd_conf.config | dictsort %}
{{ option }} {{ setting }}
{% endfor %}

{% for key_type in sshd_conf.key_types | sort %}
HostKey /etc/ssh/ssh_host_{{ key_type }}_key
{% endfor %}

{% for criteria, overrides in sshd_conf.match | default({}) | dictsort %}
Match {{ criteria }}
{% for option, setting in overrides | dictsort %}
{{ option }} {{ setting }}
{% endfor %}
{% endfor %}
--------------------------------------------------------------------------------
/roles/router/templates/ipnat.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}
{# IP Filter NAT rules for the zone acting as router.  `private` lists the
   internal interfaces and `public` the upstream one; both come from the
   playbook (this role ships no defaults).  Each private subnet is masqueraded
   behind the public interface's own address (0/32) and gets the ftp proxy so
   active-mode FTP works.  NOTE(review): the ftp proxy rewrites control
   connections — drop that line if no client needs active FTP.  Every entry of
   `redirects` publishes redirect.dst on an internal host at redirect.src of
   the public address: each one is a firewall opening, review additions as
   such.  The legacy `ipaddr` filter now lives in the ansible.utils collection
   and needs netaddr on the controller. #}

{% for net in private %}
{% set net_mask = ansible_facts[net.interface].ipv4.0.network ~ '/' ~ ansible_facts[net.interface].ipv4.0.netmask %}
# NAT for {{ net_mask | ipaddr('net') }}
map {{ public.interface }} {{ net_mask | ipaddr('net') }} -> 0/32 proxy port ftp ftp/tcp
map {{ public.interface }} {{ net_mask | ipaddr('net') }} -> 0/32 portmap tcp/udp auto
map {{ public.interface }} {{ net_mask | ipaddr('net') }} -> 0/32

{% endfor %}
{% for redirect in redirects %}
# {{ redirect.desc }}
rdr {{ public.interface }} {{ ansible_facts[public.interface].ipv4.0.address }}/32 port {{ redirect.src }} -> {{ redirect.ip }} port {{ redirect.dst }} {{ redirect.type | default('') }}

{% endfor %}
--------------------------------------------------------------------------------
/roles/redis/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Redis keeps its dump/AOF files under config.dir; give that directory its own
# ZFS dataset when the zone has a delegated one (delegate_dataset is registered
# by the common role, not shown here).
- name: ensure presence of redis ZFS dataset
  when: delegate_dataset is succeeded
  zfs:
    state: present
    name: '{{ zone_dataset }}/redis'
    extra_zfs_properties:
      mountpoint: '{{ (default_redis | combine(redis, recursive=True)).config.dir }}'

- name: ensure that redis has been installed
  pkgin:
    name: redis
  notify: restart redis

# NOTE(review): the file is world-readable, fine for the defaults; but if a
# host sets `requirepass` (or masterauth) in redis.config the credential would
# be readable by every local account — use 0640 with the redis service
# account's group in that case.
- name: ensure that redis has been configured
  template:
    src: redis.conf
    dest: /opt/local/etc/redis.conf
    owner: root
    group: root
    mode: '0644'
  notify: restart redis

# Registered so the handler can skip the restart on the run that enabled (and
# therefore started) the service.
- name: ensure that redis has been enabled
  service:
    enabled: true
    name: 'svc:/pkgsrc/redis:default'
  register: redis_enabled
--------------------------------------------------------------------------------
/roles/samba/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: ensure that samba has been installed
  pkgin:
    name: samba
  notify: restart samba

# smb.conf holds no secrets (accounts live in the samba password database), so
# world-readable is acceptable.
- name: ensure that samba has been configured
  template:
    src: smb.conf
    dest: /opt/local/etc/samba/smb.conf
    owner: root
    group: root
    mode: '0644'
  notify: restart samba

# The log directory is derived from the merged `log file` option; logs carry
# client names/addresses, hence root-only with group read.
- name: ensure that the log directory ({{ (default_samba|combine(samba, recursive=True)).global["log file"] | dirname }}) exists
  when: (default_samba|combine(samba, recursive=True)).global['log file'] is defined
  file:
    state: directory
    path: '{{ (default_samba|combine(samba, recursive=True)).global["log file"] | dirname }}'
    owner: root
    group: root
    mode: '0750'

# Registered so the handler can skip the restart on the run that enabled (and
# therefore started) the daemons.
- name: ensure that samba has been enabled
  service:
    enabled: true
    name: 'svc:/pkgsrc/samba:smbd svc:/pkgsrc/samba:nmbd'
  register: samba_enabled
--------------------------------------------------------------------------------
/roles/tor/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: ensure presence of tor
  notify: restart tor
  pkgin:
    name:
      - tor
      # nyx is the tor status monitor and needs python's curses module.
      # NOTE(review): py37-curses while the rest of the repository installs
      # py38-* packages — check nyx ends up with a matching interpreter.
      - nyx
      - py37-curses

- name: ensure that tor is properly configured
  notify: restart tor
  template:
    src: torrc
    dest: /opt/local/etc/tor/torrc
    mode: 0644
    owner: root
    group: root

# SMF method-context hardening.  These svccfg calls carry no changed_when, so
# they are reported as changed on every run; and the running daemon only picks
# up a new method context on restart, which nothing here notifies — restart
# tor by hand after editing the privilege set.
- name: ensure that tor is executed with ASLR
  command: 'svccfg -s tor setprop method_context/security_flags = astring: aslr'

# basic + net_privaddr (bind ports below 1024 without root) + proc_lock_memory
# (keep key material out of swap); the negated privileges stop tor from
# chrooting, examining other processes (proc_info) or creating sessions.
- name: ensure that tor is allowed to lock memory and bind to ports under 1024 and can't snoop on other processes
  command: 'svccfg -s tor setprop method_context/privileges = astring: "basic,net_privaddr,!proc_chroot,!proc_info,proc_lock_memory,!proc_session"'

# setprop only edits the editing snapshot; refresh makes it the running one.
- name: refresh tor:default configuration
  command: 'svccfg -s tor:default refresh'

# Registered so the handler can skip the restart on the run that enabled (and
# therefore started) the service.
- name: ensure that tor has been enabled
  register: tor_enabled
  service:
    name: 'svc:/pkgsrc/tor:default'
    enabled: true
--------------------------------------------------------------------------------
/roles/ghost/templates/config.json:
--------------------------------------------------------------------------------
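{# Ghost config.<env>.json.  Every value comes from default_ghost (vars/main.yml)
   deep-merged with the per-host `ghost` mapping, except the database password,
   which is the separate ghost_db_pass variable.  Strings go through to_json so
   a password or URL containing a quote or backslash can neither break the
   document nor inject extra keys; since the file holds that password it should
   be installed owner-readable only (0600) for the ghost user.  The server
   block prefers a TCP listener when both http_host and http_port are set and
   falls back to the unix socket otherwise. #}
{% set cfg = default_ghost | combine(ghost, recursive=True) %}
{
  "url": {{ cfg.url | to_json }},

  "database": {
    "client": "mysql",
    "connection": {
      "host": {{ cfg.db_host | to_json }},
      "user": {{ cfg.db_user | to_json }},
      "password": {{ ghost_db_pass | to_json }},
      "database": {{ cfg.db_name | to_json }}
    }
  },

  "mail": {
    "transport": "Direct"
  },

  "server": {
{% if cfg.http_host is defined and cfg.http_port is defined %}
    "host": {{ cfg.http_host | to_json }},
    "port": {{ cfg.http_port }}
{% elif cfg.socket is defined %}
    "socket": {{ cfg.socket | to_json }}
{% endif %}
  },

  "logging": { "transports": [ "stdout" ] }
}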
--------------------------------------------------------------------------------
/roles/postgresql/tasks/main.yml:
--------------------------------------------------------------------------------
---
# The data directory gets its own dataset (delegated into the zone) so it can
# be snapshotted and tuned (recordsize) on its own; delegate_dataset is
# registered by the common role, not shown here.
- name: ensure presence of postgresql ZFS dataset
  when: delegate_dataset is succeeded
  zfs:
    state: present
    name: '{{ zone_dataset }}/pgsql'
    extra_zfs_properties:
      mountpoint: /var/pgsql
      recordsize: '{{ postgresql.recordsize }}'

# Numeric ids because this runs before the package creates the postgres
# account.  NOTE(review): 907 is presumably the uid/gid pkgsrc assigns to
# postgres — confirm, a mismatch leaves the directory unusable.  0700 also
# matters functionally: postgres refuses a world-accessible data directory.
- name: ensure secure permissions on postgresql ZFS mountpoint
  file:
    state: directory
    path: /var/pgsql
    owner: 907
    group: 907
    mode: '0700'

- name: ensure presence of {{ postgresql.server }}
  pkgin:
    name: '{{ postgresql.server }}'
  notify: restart postgresql-server

# pg_hba.conf / pg_ident.conf decide who may connect and as whom, so the files
# are owner-readable only, like the rest of the data directory.
- name: ensure that postgresql-server is properly configured
  loop:
    - postgresql.conf
    - pg_hba.conf
    - pg_ident.conf
  template:
    src: '{{ item }}'
    dest: '/var/pgsql/data/{{ item }}'
    owner: postgres
    group: postgres
    mode: '0600'
  notify: restart postgresql-server

# Registered so the handler can skip the restart on the run that enabled (and
# therefore started) the service.
- name: ensure that postgresql-server is enabled
  service:
    enabled: true
    name: 'svc:/pkgsrc/postgresql:default'
  register: postgresql_enabled
--------------------------------------------------------------------------------
/roles/ansible/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Turns a base SmartOS zone into the Ansible control host for this repository.
# Python 3.8 libraries come from pkgsrc; ansible itself comes from PyPI.
- name: ensure that pkgin managed software has been installed
  pkgin:
    name:
      - git
      - py38-cryptography
      - py38-jinja2
      - py38-pip
      - py38-pyparsing
      # - libyaml
      # - py38-bcrypt
      # - py38-nacl

# Supply-chain note: 'state: latest' re-resolves the newest release on PyPI on
# every run, so the control host silently tracks whatever is published rather
# than a reviewed version.  Pinning (pip==<version>) or a constraints file is
# the usual mitigation; not changed here because the pin is an operator
# policy decision.
- name: ensure that pip has been updated to its latest version
  pip:
    name: pip
    state: latest

# Same caveat as above for 'ansible' and 'redis', installed into the system
# site-packages (no virtualenv is given).
- name: ensure that ansible has been updated to its latest version
  pip:
    name:
      - ansible
      # - netaddr
      - redis
    state: latest

- name: ensure existance of ansible configuration directory
  file:
    path: /etc/ansible
    state: directory
    owner: root
    group: root
    mode: 0755

- name: ensure that ansible has been configured
  template:
    src: ansible.cfg
    dest: /etc/ansible/ansible.cfg
    owner: root
    group: root
    mode: 0644

# The key Ansible uses to reach managed zones as root.  No 'mode' is set here,
# so the private key gets the module's default permissions; the comment only
# labels the public half.
- name: ensure that an OpenSSH ed25519 keypair exists for root
  openssh_keypair:
    path: /root/.ssh/id_ed25519
    type: ed25519
    owner: root
    group: root
    comment: Ansible
50 |
--------------------------------------------------------------------------------
/roles/common/vars/main.yml:
--------------------------------------------------------------------------------
---
configuration_header: '# Configuration generated by Ansible SmartOS Tricks'

# Readline defaults: 'config' holds extra inputrc settings, 'bindings' maps an
# escape sequence to a readline function.
default_inputrc:
  config: {}
  bindings:
    \e[1~: beginning-of-line
    \e[4~: end-of-line
    \eOC: forward-word
    \eOD: backward-word
    \e[5~: history-search-backward
    \e[6~: history-search-forward
    \e[3~: delete-char

# Baseline sshd_config rendered by the common role's "ensure that sshd is
# securely configured" task.  Plays merge their own sshd.config / sshd.key_types
# on top (see example.yml), so anything questioned below can be overridden per
# play without editing this file.
default_sshd:
  key_types:
    # NOTE(review): ssh-dss host keys are 1024-bit and have been disabled by
    # default in OpenSSH since 7.0; generating one only leaves a weak key on
    # disk that current clients refuse anyway.  Consider dropping 'dsa'.
    - dsa
    - ecdsa
    - ed25519
    - rsa
  config:
    ChallengeResponseAuthentication: 'no'
    GSSAPIAuthentication: 'no'
    GSSAPIKeyExchange: 'no'
    GatewayPorts: 'no'
    IgnoreRhosts: 'yes'
    # Legacy spelling of TCPKeepAlive.
    KeepAlive: 'yes'
    # IPv6 wildcard only; whether IPv4 connections are also accepted on '::'
    # depends on the host's dual-stack socket behaviour -- TODO confirm on
    # SmartOS.
    ListenAddress: '::'
    LogLevel: 'info'
    # 600 s keeps unauthenticated half-open sessions around for 10 minutes;
    # the OpenSSH default is 120.
    LoginGraceTime: 600
    MaxAuthTries: 6
    # Key-only authentication: passwords off, empty passwords off, root only
    # with a key ('without-password' is the old name of 'prohibit-password').
    PasswordAuthentication: 'no'
    PermitEmptyPasswords: 'no'
    PermitRootLogin: 'without-password'
    # NOTE(review): PermitUserEnvironment=yes lets any key holder set
    # arbitrary environment variables (LD_PRELOAD, PATH, ...) via
    # authorized_keys or ~/.ssh/environment, which can bypass
    # ForceCommand/restricted-shell style controls.  The OpenSSH default is
    # 'no'; keep 'yes' only if something actually depends on it.
    PermitUserEnvironment: 'yes'
    Port: 22
    PrintMotd: 'no'
    # Ignored by OpenSSH >= 7.4 (protocol 1 was removed); harmless.
    Protocol: 2
    # SmartOS-specific plugin, not standard OpenSSH; presumably sources
    # authorized keys from the platform -- confirm before removing.
    PubKeyPlugin: 'libsmartsshd.so'
    StrictModes: 'yes'
    Subsystem: 'sftp internal-sftp'
    SyslogFacility: 'auth'
    X11DisplayOffset: 10
    # NOTE(review): X11 forwarding is normally left off on servers, since a
    # compromised server can attack the X session of connecting clients.
    X11Forwarding: 'yes'
    X11UseLocalhost: 'yes'
    XAuthLocation: '/opt/local/bin/xauth'
47 |
--------------------------------------------------------------------------------
/roles/dhcpdns/templates/dnsmasq.conf:
--------------------------------------------------------------------------------
#{{ configuration_header }}
#
# dnsmasq for the networks listed in 'private'.  The DNS half is enabled when
# dns.provider == 'dnsmasq' and the DHCP half when dhcp.provider == 'dnsmasq';
# the interface list in the shared section applies to both.

{% if dns.provider == 'dnsmasq' %}
# DNS specific configuration

{% if dns.port is defined %}
# Set listening DNS port to {{ dns.port }}
port={{ dns.port }}

{% endif %}
{% if dns.cache_size is defined %}
# Set DNS cache size
cache-size={{ dns.cache_size }}

{% endif %}
# Never forward plain names (without a dot or domain part)
domain-needed

# Never forward addresses in the non-routed address spaces.
bogus-priv

# NOTE(review): stop-dns-rebind (drop upstream answers that map public names
# to private addresses) is not set; consider adding it unless something on
# these networks legitimately relies on such answers.

# We don't want dnsmasq to poll /etc/resolv.conf or other resolv files for changes, we will manually tell it to do so with a refresh
no-poll
{% else %}
# DNS is disabled
port=0
{% endif %}

# Shared configuration

# Interfaces used for DHCP & DNS.  With interface= alone dnsmasq still binds
# the wildcard address and merely discards queries that arrive elsewhere; add
# bind-interfaces if the sockets themselves must be limited to these
# interfaces (for example when another resolver shares the host).
{% for net in private %}
interface={{ net.interface }}
{% endfor %}

{% if dhcp.provider == 'dnsmasq' %}
# DHCP specific configuration

{% for net in private %}
# DHCP range for {{ net.interface }}: {{ net.dhcp.min }}-{{ net.dhcp.max }}
dhcp-range={{ net.dhcp.min }},{{ net.dhcp.max }},{{ net.dhcp.ttl }}

{% endfor %}
# Read /etc/ethers for static allocation map (MAC -> address).  Entries there
# are trusted as-is, so that file needs to stay root-owned.
read-ethers

{% if ntp.address is defined %}
# Set the NTP time server addresses to {{ ntp.address }}
dhcp-option=option:ntp-server,{{ ntp.address }}

{% endif %}
# This should be the authoritative DHCP server on the network: leases it does
# not know about are NAKed, so this is only correct when no other DHCP server
# serves these segments.
dhcp-authoritative
{% else %}
# DHCP is disabled
{% endif %}
57 |
--------------------------------------------------------------------------------
/roles/common/tasks/home_dataset.yml:
--------------------------------------------------------------------------------
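---
# Moves an existing /home aside, replaces it with a delegated ZFS dataset (one
# child dataset per user) and moves the contents back.  Included by the common
# role only when a delegated dataset was found.

- name: determine if a dataset exists at /home
  ignore_errors: true
  register: delegate_home_dataset
  zfs_facts:
    name: '{{ zone_dataset }}/home'
    type: filesystem

# First run only (no dataset yet).  'mv -n' never overwrites an existing
# /home_tmp; errors are ignored because a fresh zone may have no /home at all.
- name: move existing /home to /home_tmp
  when: delegate_home_dataset is failed
  command: 'mv -n /home /home_tmp'
  ignore_errors: true

- name: ensure that the delegated home ZFS dataset exists
  zfs:
    name: '{{ zone_dataset }}/home'
    state: present
    extra_zfs_properties:
      mountpoint: /home

# On later runs /home_tmp is gone and 'find' returns no files, so every
# per-directory task below becomes a no-op.
- name: determine home directorys to re-create in /home
  register: home_tmp
  find:
    paths: /home_tmp
    file_type: directory

- name: ensure that delegated home ZFS datasets exist for each temporary home directory
  with_items: '{{ home_tmp.files }}'
  zfs:
    name: '{{ zone_dataset }}/home/{{ item.path | basename }}'
    state: present

# Re-apply each directory's original owner/group/mode to the new dataset
# mountpoint so a user's dotfiles keep their previous exposure.
- name: ensure that delegated home ZFS datasets have the proper permissions
  with_items: '{{ home_tmp.files }}'
  file:
    path: '/home/{{ item.path | basename }}'
    mode: '{{ item.mode }}'
    state: directory
    owner: '{{ item.uid }}'
    group: '{{ item.gid }}'

# Move every entry (dotfiles included) back.  Unmatched globs are skipped
# explicitly instead of ignoring all errors: a genuine mv failure must stop
# the play here, because the next task deletes /home_tmp and would otherwise
# destroy whatever did not get moved.  Paths are shell-quoted since directory
# names come from the filesystem, not from this playbook.
- name: return contents of temporary home directories
  with_items: '{{ home_tmp.files }}'
  shell:
    cmd: |
      src={{ item.path | quote }}
      dst={{ ('/home/' ~ (item.path | basename)) | quote }}
      rc=0
      for f in "$src"/* "$src"/.??*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        mv -- "$f" "$dst"/ || rc=1
      done
      exit $rc

# Only reached when every move above succeeded.
- name: ensure temporary home directory is absent
  file:
    path: '/home_tmp'
    state: absent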
52 |
--------------------------------------------------------------------------------
/roles/neo4j/templates/neo4j-smf.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 | Neo4j Database Server
37 |
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/roles/common-debian/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Debian/Ubuntu LX-branded zone on SmartOS: the illumos tools live under
# /native and the zone's delegated dataset is managed through them.
- name: fail when not Debian or Ubuntu
  fail:
    msg: This role is intended to only be used on Debian or Ubuntu distributions
  when: ansible_distribution != 'Debian' and ansible_distribution != 'Ubuntu'

# Append the /native tool directories to the login PATH.  Debian only: the
# regexp is the stock /etc/profile PATH line, presumably absent on Ubuntu.
- name: ensure that /native is available in the $PATH variable
  lineinfile:
    path: /etc/profile
    regexp: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    line: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/native/usr/sbin:/native/usr/bin:/native/bin"
  when: ansible_distribution == 'Debian'

- name: ensure that the hostname has been set
  hostname:
    name: "{{ hostname }}"
  when: hostname is defined

# Ansible does not pick up PATH changes made on the remote side, hence the
# absolute path to the illumos zonename binary.
- name: determine the zone uuid
  command: /native/usr/bin/zonename
  register: zonename_command

- name: set the zone dataset fact
  set_fact:
    zone_dataset: "zones/{{ zonename_command.stdout }}/data"

# Fails, and is ignored, when the zone has no delegated dataset; later roles
# key off 'delegate_dataset is succeeded'.
- name: ensure that the delegated ZFS filesystem is unmounted
  zfs:
    name: "{{ zone_dataset }}"
    state: present
    extra_zfs_properties:
      mountpoint: none
  environment:
    PATH: "{{ ansible_env.PATH }}:/native/usr/sbin"
  register: delegate_dataset
  ignore_errors: true
  notify: remove delegated mountpoint

- name: ensure that all packages have been upgraded
  apt:
    update_cache: true
    upgrade: full

# sshd_config comes from this role's template; the handler restarts sshd only
# when the rendered file changed.
- name: ensure that sshd is securely configured
  template:
    src: sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
  notify: restart sshd
53 |
--------------------------------------------------------------------------------
/roles/plex/tasks/main.yml:
--------------------------------------------------------------------------------
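---
# Plex Media Server in a Debian/Ubuntu LX zone, with the library and its
# databases on delegated ZFS datasets.

# Keep Plex's signing key in its own keyring and bind it to this repository
# with signed-by, instead of apt_key, which is deprecated and drops the key
# into the global trusted keyring (trusted for every configured repository).
# apt (>= 1.4) accepts an ASCII-armoured keyring in signed-by when the file
# name ends in .asc.  get_url only fetches when the file is absent, so a key
# rotation by Plex means removing the file and re-running.
- name: ensure that the Plex package signing key has been downloaded
  get_url:
    url: https://downloads.plex.tv/plex-keys/PlexSign.key
    dest: /usr/share/keyrings/plex.asc
    owner: root
    group: root
    mode: "0644"

- name: ensure that the Plex repository has been added to the sources list
  apt_repository:
    filename: plexmediaserver
    repo: deb [signed-by=/usr/share/keyrings/plex.asc] https://downloads.plex.tv/repo/deb public main

- name: ensure presence of ZFS dataset at /var/lib/plexmediaserver
  environment:
    PATH: "{{ ansible_env.PATH }}:/native/usr/sbin"
  zfs:
    name: '{{ zone_dataset }}/plex'
    state: present
    extra_zfs_properties:
      mountpoint: /var/lib/plexmediaserver

# Separate dataset with a small recordsize for the database files, presumably
# to suit their small random writes.
- name: ensure presence of ZFS dataset at /var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Plug-in Support/Databases
  environment:
    PATH: "{{ ansible_env.PATH }}:/native/usr/sbin"
  zfs:
    name: '{{ zone_dataset }}/plex/database'
    state: present
    extra_zfs_properties:
      recordsize: 16k
      mountpoint: /var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Plug-in Support/Databases

# Numeric uid/gid because the service account does not exist until the
# package is installed below; confirm 999 is what the package creates.
- name: ensure ownership of /var/lib/plexmediaserver is 999:999
  file:
    state: directory
    path: /var/lib/plexmediaserver
    mode: "0755"
    owner: '999'
    group: '999'
    recurse: true

- name: ensure that Plex Media Server has been installed
  notify: restart plexmediaserver
  apt:
    name: plexmediaserver

- name: ensure that Plex Media Server is enabled
  register: plexmediaserver_enabled
  service:
    name: plexmediaserver
    enabled: true

# Unattended upgrade twice a day.  apt-get rather than apt (apt's CLI is not
# meant for scripts); -y because cron has no terminal to answer the
# "Do you want to continue?" prompt -- without it the upgrade aborts as soon
# as there is anything to do; and a non-interactive debconf frontend so that
# package configuration questions cannot hang the job.
- name: ensure that system will update all packages automatically
  cron:
    name: apt autoupdate
    minute: '15'
    hour: '0,12'
    user: root
    job: apt-get -q update && DEBIAN_FRONTEND=noninteractive apt-get -qy full-upgrade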
57 |
--------------------------------------------------------------------------------
/roles/ghost/templates/ghost-smf.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 | Ghost blogging server
31 |
32 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/roles/minecraft/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for the minecraft role; override any of these under 'minecraft'
# in the play.
minecraft:
  # 'mojang' or 'paper' -- selects which tasks/server-*.yml downloads the jar.
  server: mojang
  version: 1.16.1
  path: /var/games/minecraft
  # Written into eula.txt; setting this true accepts Mojang's EULA on behalf
  # of whoever runs the play.
  eula: true
  user: minecraft
  group: minecraft
  project: minecraft
  openjdk: 8
  # ZFS quota for the server dataset ('none' = unlimited).
  quota: none
  # JVM flags, each rendered into the SMF manifest (prefix added there).
  parameters:
    - Xms2G
    - Xmx2G
    - XX:+UseG1GC
    - XX:+UnlockExperimentalVMOptions
    - XX:MaxGCPauseMillis=100
    - XX:+DisableExplicitGC
    - XX:TargetSurvivorRatio=90
    - XX:G1NewSizePercent=50
    - XX:G1MaxNewSizePercent=80
    - XX:G1MixedGCLiveThresholdPercent=35
    - XX:+AlwaysPreTouch
    - XX:+ParallelRefProcEnabled
    - XX:+UseLargePages
    - XX:+UseLargePagesInMetaspace
    - showversion
  # One key per server.properties entry ('_' here becomes '-' in the file).
  # Keys left without a value are rendered as empty settings -- TODO confirm
  # how the Ansible version in use renders null.
  properties:
    allow_flight: false
    allow_nether: true
    broadcast_console_to_ops: true
    broadcast_rcon_to_ops: true
    difficulty: easy
    # Command blocks let ops run arbitrary server commands from the world.
    enable_command_block: false
    # query exposes server status over UDP on query_port; rcon exposes the
    # server console over TCP on rcon_port, protected only by rcon_password.
    # Both off by default.
    enable_query: false
    enable_rcon: false
    enforce_whitelist: false
    force_gamemode: false
    function_permission_level: 2
    gamemode: survival
    generate_structures: true
    generator_settings:
    hardcore: false
    level_name: world
    level_seed:
    level_type: default
    max_build_height: 256
    max_players: 20
    max_tick_time: 60000
    max_world_size: 29999984
    motd: A Minecraft Server
    network_compression_threshold: 256
    # Authenticates players against Mojang.  false lets any client claim any
    # username, including those of ops, so keep true on a reachable server.
    online_mode: true
    # 4 = ops may run every command, including /stop and /op.
    op_permission_level: 4
    player_idle_timeout: 0
    prevent_proxy_connections: false
    pvp: true
    query_port: 25565
    # Written verbatim into server.properties; must be set to something strong
    # before enable_rcon is turned on.
    rcon_password:
    rcon_port: 25575
    resource_pack_sha1:
    resource_pack:
    server_ip:
    server_port: 25565
    # Sends usage telemetry to Mojang when true.
    snooper_enabled: true
    spawn_animals: true
    spawn_monsters: true
    spawn_npcs: true
    spawn_protection: 16
    use_native_transport: true
    view_distance: 10
    # Open server unless white_list (and enforce_whitelist) are enabled.
    white_list: false
73 |
--------------------------------------------------------------------------------
/roles/common/tasks/main.yml:
--------------------------------------------------------------------------------
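---
# Baseline for every SmartOS zone: guard the platform, locate the zone's
# delegated dataset, disable unused listeners, update pkgsrc, and lay down the
# shared useradd/readline/sshd configuration.
- name: fail when not SmartOS
  when: ansible_distribution != 'SmartOS'
  fail:
    msg: This role is intended to only be used on SmartOS distributions

# sysinfo prints the zone description as JSON; its UUID names the zone's
# dataset under zones/.
- name: determine the zone uuid
  command: sysinfo
  register: sysinfo_command

- name: set the zone dataset fact
  set_fact:
    zone_dataset: 'zones/{{ (sysinfo_command.stdout | from_json).UUID }}/data'

# inetd and the SAC port monitor are listeners a zone does not need.  One
# service per module call: the service module takes a single name, and the
# previous form (both FMRIs in one space-separated string) relied on the
# module splitting it for us.
- name: ensure that unnecessary default services are disabled
  service:
    name: '{{ item }}'
    enabled: false
  loop:
    - 'svc:/network/inetd:default'
    - 'svc:/system/sac:default'

# Fails, and is ignored, when no delegated dataset was given to the zone; the
# other roles test 'delegate_dataset is succeeded' before creating datasets.
- name: ensure that the delegated ZFS filesystem is unmounted
  ignore_errors: true
  notify: remove delegated mountpoint
  register: delegate_dataset
  zfs:
    name: '{{ zone_dataset }}'
    state: present
    extra_zfs_properties:
      mountpoint: none

- name: ensure that the home ZFS dataset exists
  when: home_dataset and delegate_dataset is succeeded
  include_tasks: home_dataset.yml

- name: ensure that all packages have been upgraded
  pkgin:
    clean: true
    full_upgrade: true
    update_cache: true

- name: ensure that useradd is properly configured
  template:
    src: useradd
    dest: /etc/default/useradd
    owner: root
    group: root
    mode: 0644

- name: ensure that inputrc is properly configured
  template:
    src: inputrc
    dest: /etc/inputrc
    owner: root
    group: root
    mode: 0644

# Rendered from default_sshd (vars/main.yml), presumably merged with the
# play's 'sshd' overrides (see example.yml); the handler restarts sshd only
# on change.
- name: ensure that sshd is securely configured
  notify: restart sshd
  template:
    src: sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: 0644

# Keeps root's dotfiles (including .ssh) out of reach of other local users.
- name: ensure that the root home directory is secured
  file:
    path: /root
    state: directory
    owner: root
    group: root
    mode: 0750

- name: ensure that vim colorscheme is set
  when: vim.colorscheme is defined
  lineinfile:
    path: /root/.vimrc
    line: colorscheme {{ vim.colorscheme }}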
78 |
--------------------------------------------------------------------------------
/roles/minecraft/templates/minecraft-smf.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 | {% for parameter in minecraft.parameters %}
32 |
33 | {% endfor %}
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 | Minecraft Game Server
52 |
53 |
54 |
55 |
56 |
--------------------------------------------------------------------------------
/roles/minecraft/templates/server.properties:
--------------------------------------------------------------------------------
{# server.properties rendered from minecraft.properties (defaults/main.yml);
   each key below is the same name with '-' in place of '_'.  YAML booleans
   come out of Jinja as True/False, which the server's boolean parsing is
   expected to accept case-insensitively -- TODO confirm for the server
   version in use. #}
allow-flight={{ minecraft.properties.allow_flight }}
allow-nether={{ minecraft.properties.allow_nether }}
broadcast-console-to-ops={{ minecraft.properties.broadcast_console_to_ops }}
broadcast-rcon-to-ops={{ minecraft.properties.broadcast_rcon_to_ops }}
difficulty={{ minecraft.properties.difficulty }}
enable-command-block={{ minecraft.properties.enable_command_block }}
{# query = status over UDP on query.port; rcon = remote console over TCP on
   rcon.port, guarded only by rcon.password. #}
enable-query={{ minecraft.properties.enable_query }}
enable-rcon={{ minecraft.properties.enable_rcon }}
enforce-whitelist={{ minecraft.properties.enforce_whitelist }}
force-gamemode={{ minecraft.properties.force_gamemode }}
function-permission-level={{ minecraft.properties.function_permission_level }}
gamemode={{ minecraft.properties.gamemode }}
generate-structures={{ minecraft.properties.generate_structures }}
generator-settings={{ minecraft.properties.generator_settings }}
hardcore={{ minecraft.properties.hardcore }}
level-name={{ minecraft.properties.level_name }}
level-seed={{ minecraft.properties.level_seed }}
level-type={{ minecraft.properties.level_type }}
max-build-height={{ minecraft.properties.max_build_height }}
max-players={{ minecraft.properties.max_players }}
max-tick-time={{ minecraft.properties.max_tick_time }}
max-world-size={{ minecraft.properties.max_world_size }}
motd={{ minecraft.properties.motd }}
network-compression-threshold={{ minecraft.properties.network_compression_threshold }}
{# online-mode=false disables Mojang account authentication: any client may
   then claim any username, including an op's. #}
online-mode={{ minecraft.properties.online_mode }}
op-permission-level={{ minecraft.properties.op_permission_level }}
player-idle-timeout={{ minecraft.properties.player_idle_timeout }}
prevent-proxy-connections={{ minecraft.properties.prevent_proxy_connections }}
pvp={{ minecraft.properties.pvp }}
query.port={{ minecraft.properties.query_port }}
{# rcon.password lands here in clear text.  It only matters when enable-rcon
   is true, but whoever can read this file then has console access, so the
   file mode chosen in tasks/main.yml is what protects it. #}
rcon.password={{ minecraft.properties.rcon_password }}
rcon.port={{ minecraft.properties.rcon_port }}
resource-pack-sha1={{ minecraft.properties.resource_pack_sha1 }}
resource-pack={{ minecraft.properties.resource_pack }}
server-ip={{ minecraft.properties.server_ip }}
server-port={{ minecraft.properties.server_port }}
{# snooper-enabled=true sends usage telemetry to Mojang. #}
snooper-enabled={{ minecraft.properties.snooper_enabled }}
spawn-animals={{ minecraft.properties.spawn_animals }}
spawn-monsters={{ minecraft.properties.spawn_monsters }}
spawn-npcs={{ minecraft.properties.spawn_npcs }}
spawn-protection={{ minecraft.properties.spawn_protection }}
use-native-transport={{ minecraft.properties.use_native_transport }}
view-distance={{ minecraft.properties.view_distance }}
white-list={{ minecraft.properties.white_list }}
45 |
--------------------------------------------------------------------------------
/roles/mysql/tasks/main.yml:
--------------------------------------------------------------------------------
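---
# MySQL-family server (mysql | mariadb | percona, chosen by .server) from
# pkgsrc, with the datadir on a delegated ZFS dataset.  Settings are
# default_mysql (vars/main.yml) merged recursively with the play's 'mysql'
# dict; the merge expression is repeated inline in every task.
- name: ensure presence of mysql ZFS filesystem
  when: delegate_dataset is succeeded
  zfs:
    name: '{{ zone_dataset }}/mysql'
    state: present
    extra_zfs_properties:
      mountpoint: '{{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.datadir }}'
      recordsize: '{{ (default_mysql|combine(mysql, recursive=True)).recordsize }}'

# py38-pymysql is the driver the mysql_user task below needs.
- name: ensure presence of {{ (default_mysql|combine(mysql, recursive=True)).server }}-server and pymysql (for ansible configuration of {{ (default_mysql|combine(mysql, recursive=True)).server }})
  notify: restart mysql-server
  pkgin:
    name:
      - '{{ (default_mysql|combine(mysql, recursive=True)).server }}-server'
      - py38-pymysql

# Read-only probe: an empty datadir listing means the cluster has not been
# initialised yet, so it must not report 'changed'.
- name: determine if {{ (default_mysql|combine(mysql, recursive=True)).server }}-server database cluster has been properly initialized
  register: mysql_cluster
  changed_when: false
  command: ls {{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.datadir }}

# --group now receives config.mysqld.group (it used to be given the user name
# a second time), consistent with the ownership applied to the datadir below.
- name: ensure that {{ (default_mysql|combine(mysql, recursive=True)).server }}-server database cluster has been properly initialized
  when: mysql_cluster.stdout == ""
  command: /opt/local/bin/mysql_install_db --user={{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.user }} --group={{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.group }} --basedir={{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.basedir }} --datadir={{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.datadir }}

# 0750: the datadir holds every table file; only the server account and its
# group get in.
- name: ensure secure permissions on mysql ZFS mountpoint
  file:
    path: '{{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.datadir }}'
    state: directory
    owner: '{{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.user }}'
    group: '{{ (default_mysql|combine(mysql, recursive=True)).config.mysqld.group }}'
    mode: '0750'

# Configuring MySQL is apparently off the table
# - name: ensure that {{ (default_mysql|combine(mysql, recursive=True)).server }}-server is properly configured
# notify: restart mysql-server
# template:
# src: system-my.cnf
# dest: /opt/local/etc/my.cnf
# owner: root
# group: root
# mode: 0644

- name: ensure that {{ (default_mysql|combine(mysql, recursive=True)).server }}-server is enabled
  register: mysql_enabled
  service:
    name: 'svc:/pkgsrc/{{ (default_mysql|combine(mysql, recursive=True)).server }}:default'
    enabled: true

# A fresh random password on every run (the lookup writes to /dev/null, so
# nothing is cached on the controller).  no_log keeps it out of verbose
# output.
- name: generate a randomized password for the database root user
  no_log: true
  set_fact:
    mysql_root_password: "{{ lookup( 'password', '/dev/null' ) }}"

# Because the password is regenerated each run, root's password rotates on
# every play; on later runs the module presumably authenticates with the
# previous credentials from /root/.my.cnf (written below) -- confirm that is
# how your Ansible version resolves the login.  no_log keeps the new password
# out of the play log.  NOTE(review): anonymous accounts and the 'test'
# database that a fresh install may ship are not removed here.
- name: ensure that database root password is set to the previously generated password
  no_log: true
  mysql_user:
    check_implicit_admin: true
    name: root
    host_all: true
    password: '{{ mysql_root_password }}'

# Root's client credentials.  0600 instead of 0640: nothing but root itself
# should be able to read the password, and no_log stops --diff from printing
# the rendered file.
- name: ensure that .my.cnf exists with root credentials
  no_log: true
  template:
    src: my.cnf
    dest: /root/.my.cnf
    owner: root
    group: root
    mode: '0600'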
68 |
--------------------------------------------------------------------------------
/roles/mysql/vars/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for the mysql role, merged recursively with the play's 'mysql'
# dict.  NOTE: tasks/main.yml currently has the my.cnf template commented out,
# so of 'config' only mysqld.user / group / basedir / datadir are consumed (by
# the init and permission tasks); everything else below is inert until that
# task is re-enabled.  Keys without a value presumably render as bare option
# lines in that template -- the template itself is not shown here.
default_mysql:
  server: mysql
  # ZFS recordsize for the datadir dataset; 16k matches InnoDB's page size.
  recordsize: 16k
  config:
    client:
      port: 3306
      socket: /tmp/mysql.sock
      default-character-set: utf8mb4
    mysql:
      no-auto-rehash:
    mysqlhotcopy:
      interactive-timeout:
    mysqldump:
      quick:
      max_allowed_packet: 16M
    myisamchk:
      key_buffer_size: 128M
      sort_buffer_size: 128M
      read_buffer: 2M
      write_buffer: 2M
    mysqld:
      #------------------
      # General Settings
      #------------------
      user: mysql
      group: mysql
      port: 3306
      basedir: /opt/local
      datadir: /var/mysql
      # NOTE(review): a socket under world-writable /tmp can be squatted by
      # any local user while the server is down (clients then talk to the
      # impostor); a directory owned by the mysql user is the usual hardening.
      socket: /tmp/mysql.sock
      # Loopback only: the TCP port is not reachable from the network.
      bind-address: '127.0.0.1'
      default-storage-engine: innodb
      # 'utf8' here is MySQL's 3-byte utf8mb3 while the client section above
      # asks for utf8mb4; 4-byte characters will be rejected or mangled
      # server-side unless the two are aligned.
      character-set-server: utf8
      skip-external-locking:
      log_warnings:
      # Hosts in GRANTs must then be IP addresses; also removes a DNS lookup
      # from every connection.
      skip_name_resolve:
      server-id: 1

      #-----------------
      # MyISAM Settings
      #-----------------
      key_buffer_size: 16M
      sort_buffer_size: 1M
      read_buffer_size: 1M
      read_rnd_buffer_size: 4M
      myisam_sort_buffer_size: 64M

      #-----------------
      # InnoDB Settings
      #-----------------
      innodb_data_home_dir: /var/mysql
      innodb_log_group_home_dir: /var/mysql
      innodb_data_file_path: ibdata1:100M:autoextend
      innodb_buffer_pool_size: 16M
      innodb_log_file_size: 400M
      innodb_log_buffer_size: 8M
      # Durability trade-offs: flush_log_at_trx_commit=2 can lose up to a
      # second of committed transactions on an OS crash, and doublewrite=0
      # relies on ZFS copy-on-write to avoid torn pages.
      innodb_flush_log_at_trx_commit: 2
      innodb_lock_wait_timeout: 50
      innodb_file_per_table:
      innodb_doublewrite: 0
      innodb_io_capacity: 1500
      innodb_read_io_threads: 8
      innodb_write_io_threads: 8

      #-------------------------
      # Slow Query Log Settings
      #-------------------------
      # use_global_long_query_time: 1
      # long_query_time: 0.5
      slow_query_log_file: /var/log/mysql/slowquery.log
      slow_query_log: 1

      #------------------------------
      # Other General MySQL Settings
      #------------------------------
      table_open_cache: 512
      thread_cache_size: 1000
      # query_cache_size: 16M
      # query_cache_strip_comments:
      query_cache_type: 0
      back_log: 64
      # NOTE(review): thread_concurrency was removed from MySQL 5.7; check the
      # chosen server still accepts it before re-enabling the template.
      thread_concurrency: 32
      # Temporary tables and sort files land in world-writable /tmp.
      tmpdir: /tmp
      max_connections: 1000
      max_allowed_packet: 24M
      max_join_size: 4294967295
      net_buffer_length: 2K
      thread_stack: 256K
      tmp_table_size: 64M
      max_heap_table_size: 64M

      #-------------------------------------------------------------
      # Replication Settings (master to slave, disabled by default)
      # See: http://wiki.joyent.com/wiki/display/jpc2/Replication
      #-------------------------------------------------------------
      # Binary logging is on regardless of replication; binlogs contain every
      # write including data values and are kept 7 days, so /var/log/mysql
      # needs the same access restrictions as the datadir.
      binlog_format: mixed
      log-bin: /var/log/mysql/bin.log
      # log-bin-index: /var/log/mysql/log-bin.index
      log-error: /var/log/mysql/error.log
      # report-host: percona
      # relay_log_purge: 1
      expire_logs_days: 7
      # slave-skip-errors: 1062
      # binlog-ignore-db: mysql
106 |
--------------------------------------------------------------------------------
/roles/minecraft/tasks/main.yml:
--------------------------------------------------------------------------------
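---
# Minecraft (Mojang or Paper) on SmartOS under SMF, running as an
# unprivileged account inside its own resource-controlled project, with the
# server directory on a delegated ZFS dataset.
- name: ensure that OpenJDK{{ minecraft.openjdk }} is present
  pkgin:
    name: openjdk{{ minecraft.openjdk }}

# RBAC authorisations so a non-root account can be delegated control of the
# service.  NOTE(review): the SMF manifest is not readable in this listing --
# confirm it actually references these authorisation names.
- name: ensure that authorization description exists for Minecraft Service State Management
  lineinfile:
    path: /etc/security/auth_attr
    insertafter: ^solaris.smf.manage.mdns
    line: 'solaris.smf.manage.minecraft:::Manage Minecraft Service States::'

- name: ensure that authorization description exists for Minecraft Service Properties Management
  lineinfile:
    path: /etc/security/auth_attr
    insertafter: ^solaris.smf.value.mdns
    line: 'solaris.smf.value.minecraft:::Change Values of Minecraft Service Properties::'

- name: ensure presence of {{ minecraft.group }} group
  group:
    gid: 900
    name: '{{ minecraft.group }}'

# Service account.  NOTE(review): it keeps a login shell (/bin/bash); if the
# SMF method does not need one, /usr/bin/false is the safer choice for an
# account that should never log in.
- name: ensure presence of {{ minecraft.user }} user
  user:
    uid: 900
    name: '{{ minecraft.user }}'
    group: '{{ minecraft.group }}'
    home: '{{ minecraft.path }}'
    create_home: false
    shell: /bin/bash
    comment: Minecraft User

# projadd is not idempotent (it fails once the project exists), hence
# ignore_errors.  The rctl raises the file-descriptor limit for the JVM.
- name: ensure presence of {{ minecraft.project }} project
  command: projadd -U {{ minecraft.user }} -G {{ minecraft.group }} -c "Minecraft server" -K "process.max-file-descriptor=(basic,65536,deny)" {{ minecraft.project }}
  ignore_errors: true

- name: ensure presence of Minecraft ZFS dataset at {{ minecraft.path }}
  when: delegate_dataset is succeeded
  zfs:
    name: '{{ zone_dataset }}/minecraft'
    state: present
    extra_zfs_properties:
      mountpoint: '{{ minecraft.path }}'
      quota: '{{ minecraft.quota }}'

- name: ensure correct permissions on Minecraft path at {{ minecraft.path }}
  file:
    path: '{{ minecraft.path }}'
    state: directory
    owner: '{{ minecraft.user }}'
    group: '{{ minecraft.group }}'
    mode: '0750'

# Download and symlink the specified minecraft server

- import_tasks: server-mojang.yml
  when: minecraft.server|lower == 'mojang'
- import_tasks: server-paper.yml
  when: minecraft.server|lower == 'paper'

- name: ensure presence of symlink server.jar -> server-{{ minecraft.server }}-{{ minecraft.version }}.jar
  file:
    src: 'server-{{ minecraft.server }}-{{ minecraft.version }}.jar'
    dest: '{{ minecraft.path }}/server.jar'
    state: link

- name: ensure that the EULA file is present
  template:
    src: eula.txt
    dest: '{{ minecraft.path }}/eula.txt'
    owner: root
    group: root
    mode: '0644'

# server.properties carries rcon.password in clear text, so it must not be
# world-readable: root owns it, the service group may read it, nobody else.
# (Assuming the service runs as the minecraft user, it could not rewrite the
# file before either -- it was already root-owned.)
- name: ensure that Minecraft server.properties have been configured
  template:
    src: server.properties
    dest: '{{ minecraft.path }}/server.properties'
    owner: root
    group: '{{ minecraft.group }}'
    mode: '0640'

# The manifest is staged in /tmp and imported immediately.  NOTE(review): /tmp
# is world-writable; a root-owned location such as /var/svc/manifest/site
# would keep any local user from pre-staging a file at this path.
- name: ensure presence of Minecraft SMF manifest
  template:
    src: minecraft-smf.xml
    dest: /tmp/minecraft-smf.xml
    owner: root
    group: root
    mode: '0644'

# svccfg import runs on every play and always reports 'changed'.
- name: ensure that Minecraft SMF manifest has been imported
  command: svccfg import /tmp/minecraft-smf.xml

- name: ensure that Minecraft is enabled
  register: minecraft_enabled
  service:
    name: 'svc:/minecraft:default'
    enabled: true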
99 |
--------------------------------------------------------------------------------
/example.yml:
--------------------------------------------------------------------------------
1 | ---
2 | #
3 | # The common role performs the common configuration and decrufting steps for a base SmartOS zone
4 | #
5 | # - hosts: common
6 | # roles:
7 | # - common
8 | # vars:
9 | # ansible_python_interpreter: /opt/local/bin/python # specify a python interpreter other than the SmartOS default
10 | # home_dataset: false # specify if a home dataset should be established
11 | # inputrc:
12 | # config: {} # specify additional inputrc configuration parameters
13 | # bindings: {} # specify additional inputrc key-bindings
14 | # sshd:
15 | # config: {} # specify additional sshd configuration parameters
16 | # key_types: [dsa, ecdsa, ed25519, rsa] # specify sshd host key types
17 | # vim:
18 | # colorscheme: '' # specify a custom colorscheme in /root/.vimrc
19 | #
20 | #
21 | # The ansible role installs and configures a base SmartOS zone to act as an Ansible host to run this, and any other playbooks, templates and modules.
22 | #
23 | # - hosts: ansible
24 | # roles:
25 | # - ansible
26 | # vars:
27 | # ansible:
28 | # config:
29 | # default: {} # specify additional default configuration parameters
30 | #
31 | #
32 | # The git role installs and configures a base SmartOS zone to serve as a git repository
33 | #
34 | # - hosts: test
35 | # roles:
36 | # - git
37 | # vars:
38 | # git:
39 | # users: # specify a set of users to create with git-shell configured
40 | # - user1
41 | # - user2
42 | # - ...
43 | #
44 | #
45 | # The mysql role installs and configures MySQL on a base SmartOS zone
46 | #
47 | # - hosts: mysql
48 | # roles:
49 | # - mysql
50 | # vars:
51 | # mysql:
52 | # server: mariadb # specify a specific MySQL fork ( mariadb | mysql | percona )
53 | # recordsize: 16k # specify the ZFS filesystem recordsize
54 | #
55 | #
56 | # The neo4j role installs and configures Neo4j on a base SmartOS zone
57 | #
58 | # - hosts: neo4j
59 | # roles:
60 | # - neo4j
61 | # vars:
62 | # neo4j:
63 | # user: neo4j # specify the user name to use
64 | # group: neo4j # specify the group name to use
65 | # project: neo4j # specify the project name to use
66 | # path: /opt/local/neo4j # specify the install path
67 | # conf_path: /opt/local/etc/neo4j # specify the configuration path
68 | # data_path: /var/db/neo4j # specify the data path
69 | # recordsize: 16k # specify the ZFS filesystem recordsize
70 | # version: '3.5.8' # specify the version of Neo4j to install
71 | #
72 | #
73 | # The postgresql role installs and configures PostgreSQL on a base SmartOS zone
74 | #
75 | # - hosts: postgresql
76 | # roles:
77 | # - postgresql
78 | # vars:
79 | # postgresql:
80 | # server: postgresql11-server # specify the version of PostgreSQL to install
81 | # locale: C # specify the default locale
82 | # max_connections: 100 # specify the maximum connection count
83 | # shared_buffers: 128MB # specify the shared buffer size
84 | # recordsize: 16k # specify the ZFS filesystem recordsize
85 | #
86 | #
87 | # The redis role installs and configures Redis on a base SmartOS zone
88 | #
89 | # - hosts: redis
90 | # roles:
91 | # - redis
92 | # vars:
93 | # redis:
94 | # config: {} # specify additional redis configuration parameters
95 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Ansible SmartOS Tricks
2 |
3 | This collection of Ansible roles is the companion piece to my blog, [Stupid SmartOS Tricks](https://blog.brianewell.com/).
4 |
5 | ## Installation
6 |
7 | Clone this repository and optionally run `ansible-bootstrap.sh` to have it bootstrap Ansible within your local environment (assuming SmartOS):
8 |
9 | ```
10 | # pkgin -y install git
11 | # git clone https://github.com/brianewell/ansible-smartos-tricks
12 | # cd ansible-smartos-tricks
13 | # ./ansible-bootstrap.sh
14 | ```
15 |
16 | ## Common Role
17 |
18 | The common role performs the configuration and decrufting steps for a base SmartOS zone that I use in all other roles. It is inherited into those other roles by default, but is also available for direct use.
19 |
20 | ### Configuration Variables
21 |
22 | * **ansible_python_interpreter**: String that can override the SmartOS default of `/opt/local/bin/python`
23 | * **home_dataset**: Boolean that determines if a home dataset should be configured if delegated_dataset is configured in the zone manifest.
24 | * **inputrc.config**: Dictionary that can be merged with existing inputrc configuration parameters
25 | * **inputrc.bindings**: Dictionary that can be merged with existing inputrc key-bindings
26 | * **sshd.key_types**: List that can override the default of dsa, ecdsa, ed25519 and rsa
27 | * **sshd.config**: Dictionary of sshd configuration parameters that can be merged with the default sshd configuration parameters
28 | * **sshd.match**: Dictionary of sshd match strings (as keys) and dictionaries (as values) of configuration parameters to use in sshd configuration.
29 |
30 | ## Ansible Role
31 |
32 | The ansible role installs and configures a base SmartOS zone to act as an Ansible host to run this, and any other playbooks, templates and modules.
33 |
34 | ### Configuration Variables
35 |
36 | * **ansible.config.{section name}**: Dictionary that can be merged with existing ansible configuration parameters
37 |
38 | ## MySQL Role
39 |
40 | The mysql role installs and configures MySQL on a base SmartOS zone
41 |
42 | ### Configuration Variables
43 |
44 | * **mysql.server**: Specify which fork of the MySQL server to install (default: mariadb, options: mariadb | mysql | percona )
45 | * **mysql.recordsize**: Specify the recordsize of the underlying ZFS filesystem that the database is installed on (default: 16k)
46 |
47 | ## Neo4j Role
48 |
49 | The neo4j role installs and configures Neo4j on a base SmartOS zone
50 |
51 | ### Configuration Variables
52 |
53 | * **neo4j.user**: Specify the name of the user
54 | * **neo4j.group**: Specify the name of the group
55 | * **neo4j.project**: Specify the name of the project
56 | * **neo4j.path**: Specify the path in which to install the database software
57 | * **neo4j.conf_path**: Specify the path in which to store configuration data
58 | * **neo4j.data_path**: Specify the path in which to install the database cluster
59 | * **neo4j.recordsize**: Specify the recordsize of the underlying ZFS filesystem that the database is installed on (default: 16k)
60 | * **neo4j.version**: Specify the version of Neo4j to install into the system (default: latest)
61 |
62 | ## PostgreSQL Role
63 |
64 | The postgresql role installs and configures PostgreSQL on a base SmartOS zone
65 |
66 | ### Configuration Variables
67 |
68 | * **postgresql.server**: Specify the version of PostgreSQL to install
69 | * **postgresql.locale**: Specify the default locale
70 | * **postgresql.max_connections**: Specify the maximum connection count
71 | * **postgresql.shared_buffers**: Specify the shared buffer size
72 | * **postgresql.recordsize**: Specify the ZFS filesystem recordsize
73 |
--------------------------------------------------------------------------------
/roles/dhcpdns/templates/dhcpd.conf:
--------------------------------------------------------------------------------
{{ configuration_header }}

# NOTE(review): apart from the configuration_header line above, this template
# is the unmodified ISC dhcpd sample configuration (example.org names, 10.x
# sample subnets, sample hosts "passacaglia"/"fantasia", class "foo"). Nothing
# below is driven by role variables, so every zone running this role would
# serve these example leases verbatim -- confirm that a site-specific template
# or variable-driven subnet/host declarations are meant to replace it.

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
# (While commented, the server presumably does not NAK clients that request
# addresses it knows nothing about -- confirm the intended behaviour.)
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

subnet 10.152.187.0 netmask 255.255.255.0 {
}

# This is a very basic subnet declaration.

subnet 10.254.239.0 netmask 255.255.255.224 {
  range 10.254.239.10 10.254.239.20;
  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

subnet 10.254.239.32 netmask 255.255.255.224 {
  range dynamic-bootp 10.254.239.40 10.254.239.60;
  option broadcast-address 10.254.239.31;
  option routers rtr-239-32-1.example.org;
}

# A slightly different configuration for an internal subnet.
subnet 10.5.5.0 netmask 255.255.255.224 {
  range 10.5.5.26 10.5.5.30;
  option domain-name-servers ns1.internal.example.org;
  option domain-name "internal.example.org";
  option routers 10.5.5.1;
  option broadcast-address 10.5.5.31;
  default-lease-time 600;
  max-lease-time 7200;
}

# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

host passacaglia {
  hardware ethernet 0:0:c0:5d:bd:95;
  filename "vmunix.passacaglia";
  server-name "toccata.example.com";
}

# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
host fantasia {
  hardware ethernet 08:00:07:26:c0:a5;
  fixed-address fantasia.example.com;
}

# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.

class "foo" {
  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
}

shared-network 224-29 {
  subnet 10.17.224.0 netmask 255.255.255.0 {
    option routers rtr-224.example.org;
  }
  subnet 10.0.29.0 netmask 255.255.255.0 {
    option routers rtr-29.example.org;
  }
  pool {
    allow members of "foo";
    range 10.17.224.10 10.17.224.250;
  }
  pool {
    deny members of "foo";
    range 10.0.29.10 10.0.29.230;
  }
}
102 |
--------------------------------------------------------------------------------
/roles/neo4j/tasks/main.yml:
--------------------------------------------------------------------------------
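---
# Installs Neo4j Community on a SmartOS zone: OpenJDK runtime, a locked-down
# service account and resource project, a ZFS dataset for the database files,
# a checksum-verified download of the pinned release, its configuration and an
# SMF service. All tunables come from the `neo4j` dictionary (defaults/main.yml);
# the per-version digests come from `neo4j_checksum` (vars/main.yml).
- name: ensure that OpenJDK{{ neo4j.openjdk }} is present
  pkgin:
    name: openjdk{{ neo4j.openjdk }}

# Fixed uid/gid 814 keeps ownership of the data dataset stable across rebuilds.
- name: ensure presence of {{ neo4j.group }} group
  group:
    gid: 814
    name: '{{ neo4j.group }}'

# Daemon account: no home directory and no login shell.
- name: ensure presence of {{ neo4j.user }} user
  user:
    uid: 814
    name: '{{ neo4j.user }}'
    group: '{{ neo4j.group }}'
    home: /nonexistent
    create_home: false
    shell: /usr/bin/false
    comment: Neo4j daemon user

# The project raises the file-descriptor limit for the daemon. projadd is not
# idempotent (presumably it exits non-zero once the project exists), hence
# ignore_errors. NOTE(review): this also masks genuine failures such as a
# malformed -K attribute; registering the result and using failed_when on
# rc/stderr would be narrower -- check projadd's exact output first.
- name: ensure precence of {{ neo4j.project }} project
  command: projadd -U {{ neo4j.user }} -G {{ neo4j.group }} -c "Neo4j server" -K "process.max-file-descriptor=(basic,65536,deny)" {{ neo4j.project }}
  ignore_errors: true

# delegate_dataset and zone_dataset are set outside this file (presumably by
# the common role); the data filesystem is only created on zones that have a
# delegated dataset.
- name: ensure presence of neo4j ZFS filesystem at {{ neo4j.data_path }}
  when: delegate_dataset is succeeded
  zfs:
    name: '{{ zone_dataset }}/neo4j'
    state: present
    extra_zfs_properties:
      mountpoint: '{{ neo4j.data_path }}'
      recordsize: '{{ neo4j.recordsize }}'

- name: ensure that root owned Neo4j directories exist and have the proper permissions
  file:
    path: '{{ item }}'
    state: directory
    owner: root
    group: root
    mode: '0755'
  loop:
    - '{{ neo4j.path }}'
    - '{{ neo4j.conf_path }}'

# The download is verified against the digest pinned for this version; a
# version without an entry in neo4j_checksum makes the task fail rather than
# install an unverified tarball. The tarball is left in /tmp afterwards.
- name: ensure that Neo4j {{ neo4j.version }} has been downloaded
  get_url:
    url: 'https://neo4j.com/artifact.php?name=neo4j-community-{{ neo4j.version }}-unix.tar.gz'
    dest: '/tmp/neo4j-community-{{ neo4j.version }}-unix.tar.gz'
    checksum: '{{ neo4j_checksum[neo4j.version] }}'
    timeout: 30

# --strip-components=1 unpacks the release directly into neo4j.path instead of
# a versioned subdirectory.
- name: ensure that Neo4j {{ neo4j.version }} has been installed
  unarchive:
    src: '/tmp/neo4j-community-{{ neo4j.version }}-unix.tar.gz'
    dest: '{{ neo4j.path }}'
    owner: root
    group: root
    mode: '0755'
    remote_src: true
    extra_opts:
      - '--strip-components=1'

# The shipped data/ and conf/ directories are removed so that they can be
# replaced by the symlinks to the dedicated paths below.
- name: ensure that unnecessary files are absent
  file:
    path: '{{ neo4j.path }}/{{ item }}'
    state: absent
  loop:
    - LICENSE.txt
    - LICENSES.txt
    - NOTICE.txt
    - README.txt
    - UPGRADE.txt
    - data
    - conf

- name: ensure presence of required symlinks
  file:
    src: '{{ item.src }}'
    path: '{{ item.path }}'
    state: link
    force: true
  loop:
    - src: '{{ neo4j.conf_path }}'
      path: '{{ neo4j.path }}/conf'
    - src: '{{ neo4j.data_path }}'
      path: '{{ neo4j.path }}/data'

# Directories the daemon writes to are private to the service account.
- name: ensure that neo4j owned directories exist and have the proper permissions
  file:
    path: '{{ item }}'
    state: directory
    owner: '{{ neo4j.user }}'
    group: '{{ neo4j.group }}'
    mode: '0700'
  loop:
    - '{{ neo4j.data_path }}'
    - '{{ neo4j.path }}/certificates'
    - '{{ neo4j.path }}/logs'
    - '{{ neo4j.path }}/run'

# The configuration is written to neo4j.conf_path, which neo4j.path/conf links
# to above, so that an override of conf_path is honoured rather than silently
# landing in a fixed /opt/local/etc/neo4j.
- name: ensure that Neo4j has been properly configured
  template:
    src: neo4j.conf
    dest: '{{ neo4j.conf_path }}/neo4j.conf'
    owner: root
    group: root
    mode: '0644'
  notify: restart neo4j

- name: ensure presence of Neo4j SMF manifest
  template:
    src: neo4j-smf.xml
    dest: /tmp/neo4j-smf.xml
    owner: root
    group: root
    mode: '0644'

# NOTE(review): svccfg import runs (and reports changed) on every play; checking
# for the existing service first, or setting changed_when, would make it
# idempotent.
- name: ensure that Neo4j SMF manifest has been imported
  command: svccfg import /tmp/neo4j-smf.xml

# neo4j_enabled is not consumed within this file.
- name: ensure that Neo4j is enabled
  register: neo4j_enabled
  service:
    name: 'svc:/neo4j:default'
    enabled: true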
126 |
--------------------------------------------------------------------------------
/roles/minecraft/vars/main.yml:
--------------------------------------------------------------------------------
---
# Digests of the Mojang vanilla server jar, keyed by Minecraft version and
# presumably consumed by the role's server-mojang tasks as a download checksum
# (the neo4j role uses the same `algorithm:hex` form with get_url). Keys are
# quoted so that versions such as '1.10' stay strings instead of collapsing to
# the float 1.1. SHA-1 here is an integrity check against a corrupted or
# substituted download; it is not a signature.
# NOTE(review): '1.2.4' and '1.2.5' carry the same digest -- confirm against the
# upstream version manifest.
mojang_checksum:
  '1.2.4': 'sha1:d8321edc9470e56b8ad5c67bbd16beba25843336'
  '1.2.5': 'sha1:d8321edc9470e56b8ad5c67bbd16beba25843336'
  '1.3': 'sha1:cb21a9aaaf599c94dd7fa1b777b2f0cc37a776c7'
  '1.3.1': 'sha1:82563ce498bfc1fc8a2cb5bf236f7da86a390646'
  '1.3.2': 'sha1:3de2ae6c488135596e073a9589842800c9f53bfe'
  '1.4': 'sha1:9470a2bb0fcb8a426328441a01dba164fbbe52c9'
  '1.4.1': 'sha1:baa4e4a7adc3dc9fbfc5ea36f0777b68c9eb7f4a'
  '1.4.2': 'sha1:5be700523a729bb78ef99206fb480a63dcd09825'
  '1.4.3': 'sha1:9be68adf6e80721975df12f2445fa24617328d18'
  '1.4.4': 'sha1:4215dcadb706508bf9d6d64209a0080b9cee9e71'
  '1.4.5': 'sha1:c12fd88a8233d2c517dbc8196ba2ae855f4d36ea'
  '1.4.6': 'sha1:a0aeb5709af5f2c3058c1cf0dc6b110a7a61278c'
  '1.4.7': 'sha1:2f0ec8efddd2f2c674c77be9ddb370b727dec676'
  '1.5': 'sha1:aedad5159ef56d69c5bcf77ed141f53430af43c3'
  '1.5.1': 'sha1:d07c71ee2767dabb79fb32dad8162e1b854d5324'
  '1.5.2': 'sha1:f9ae3f651319151ce99a0bfad6b34fa16eb6775f'
  '1.6': 'sha1:ee6d5161ac28eef285df571dc1235d48f03c3e88'
  '1.6.1': 'sha1:0252918a5f9d47e3c6eb1dfec02134d1374a89b4'
  '1.6.2': 'sha1:01b6ea555c6978e6713e2a2dfd7fe19b1449ca54'
  '1.6.3': 'sha1:5a4c69bdf7c4a9aa9580096805d8497ba7721e05'
  '1.6.4': 'sha1:050f93c1f3fe9e2052398f7bd6aca10c63d64a87'
  '1.7': 'sha1:3f031ab8b9cafedeb822febe89d271b72565712c'
  '1.7.1': 'sha1:d26d79675147253b7a35dd32dc5dbba0af1be7e2'
  '1.7.2': 'sha1:3716cac82982e7c2eb09f83028b555e9ea606002'
  '1.7.3': 'sha1:707857a7bc7bf54fe60d557cca71004c34aa07bb'
  '1.7.4': 'sha1:61220311cef80aecc4cd8afecd5f18ca6b9461ff'
  '1.7.5': 'sha1:e1d557b2e31ea881404e41b05ec15c810415e060'
  '1.7.6': 'sha1:41ea7757d4d7f74b95fc1ac20f919a8e521e910c'
  '1.7.7': 'sha1:a6ffc1624da980986c6cc12a1ddc79ab1b025c62'
  '1.7.8': 'sha1:c69ebfb84c2577661770371c4accdd5f87b8b21d'
  '1.7.9': 'sha1:4cec86a928ec171fdc0c6b40de2de102f21601b5'
  '1.7.10': 'sha1:952438ac4e01b4d115c5fc38f891710c4941df29'
  '1.8': 'sha1:a028f00e678ee5c6aef0e29656dca091b5df11c7'
  '1.8.1': 'sha1:68bfb524888f7c0ab939025e07e5de08843dac0f'
  '1.8.2': 'sha1:a37bdd5210137354ed1bfe3dac0a5b77fe08fe2e'
  '1.8.3': 'sha1:163ba351cb86f6390450bb2a67fafeb92b6c0f2f'
  '1.8.4': 'sha1:dd4b5eba1c79500390e0b0f45162fa70d38f8a3d'
  '1.8.5': 'sha1:ea6dd23658b167dbc0877015d1072cac21ab6eee'
  '1.8.6': 'sha1:2bd44b53198f143fb278f8bec3a505dad0beacd2'
  '1.8.7': 'sha1:35c59e16d1f3b751cd20b76b9b8a19045de363a9'
  '1.8.8': 'sha1:5fafba3f58c40dc51b5c3ca72a98f62dfdae1db7'
  '1.8.9': 'sha1:b58b2ceb36e01bcd8dbf49c8fb66c55a9f0676cd'
  '1.9': 'sha1:b4d449cf2918e0f3bd8aa18954b916a4d1880f0d'
  '1.9.1': 'sha1:bf95d9118d9b4b827f524c878efd275125b56181'
  '1.9.2': 'sha1:2b95cc7b136017e064c46d04a5825fe4cfa1be30'
  '1.9.3': 'sha1:8e897b6b6d784f745332644f4d104f7a6e737ccf'
  '1.9.4': 'sha1:edbb7b1758af33d365bf835eb9d13de005b1e274'
  '1.10': 'sha1:a96617ffdf5dabbb718ab11a9a68e50545fc5bee'
  '1.10.1': 'sha1:cb4c6f9f51a845b09a8861cdbe0eea3ff6996dee'
  '1.10.2': 'sha1:3d501b23df53c548254f5e3f66492d178a48db63'
  '1.11': 'sha1:48820c84cb1ed502cb5b2fe23b8153d5e4fa61c0'
  '1.11.1': 'sha1:1f97bd101e508d7b52b3d6a7879223b000b5eba0'
  '1.11.2': 'sha1:f00c294a1576e03fddcac777c3cf4c7d404c4ba4'
  '1.12': 'sha1:8494e844e911ea0d63878f64da9dcc21f53a3463'
  '1.12.1': 'sha1:561c7b2d54bae80cc06b05d950633a9ac95da816'
  '1.12.2': 'sha1:886945bfb2b978778c3a0288fd7fab09d315b25f'
  '1.13': 'sha1:d0caafb8438ebd206f99930cfaecfa6c9a13dca0'
  '1.13.1': 'sha1:fe123682e9cb30031eae351764f653500b7396c9'
  '1.13.2': 'sha1:3737db93722a9e39eeada7c27e7aca28b144ffa7'
  '1.14': 'sha1:f1a0073671057f01aa843443fef34330281333ce'
  '1.14.1': 'sha1:ed76d597a44c5266be2a7fcd77a8270f1f0bc118'
  '1.14.2': 'sha1:808be3869e2ca6b62378f9f4b33c946621620019'
  '1.14.3': 'sha1:d0d0fe2b1dc6ab4c65554cb734270872b72dadd6'
  '1.14.4': 'sha1:3dc3d84a581f14691199cf6831b71ed1296a9fdf'
  '1.15': 'sha1:e9f105b3c5c7e85c7b445249a93362a22f62442d'
  '1.15.1': 'sha1:4d1826eebac84847c71a77f9349cc22afd0cf0a1'
  '1.15.2': 'sha1:bb2b6b1aefcd70dfd1892149ac3a215f6c636b07'
  '1.16': 'sha1:a0d03225615ba897619220e256a266cb33a44b6b'
  '1.16.1': 'sha1:a412fd69db1f81db3f511c1463fd304675244077'
72 |
--------------------------------------------------------------------------------
/roles/ghost/tasks/main.yml:
--------------------------------------------------------------------------------
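---
# Installs the Ghost publishing platform on a SmartOS zone with ghost-cli: node
# runtime, service account and resource project, a ZFS dataset, a dedicated
# MySQL database and user, the Ghost install (or update) itself, its config
# file and an SMF service. The effective settings are the role defaults
# (`default_ghost`) overlaid with the caller's `ghost` dictionary.

# Merge defaults and overrides once; every later task reads ghost_cfg instead
# of re-evaluating the combine() filter.
- name: ensure that the effective Ghost configuration is available as ghost_cfg
  set_fact:
    ghost_cfg: '{{ default_ghost | combine(ghost, recursive=True) }}'

- name: ensure that nodejs and npm are installed
  pkgin:
    name:
      - nodejs
      - npm

- name: ensure that ghost-cli is installed
  npm:
    name: ghost-cli
    global: true

# delegate_dataset and zone_dataset are set outside this file (presumably by
# the common role); the dataset is only created on zones that have a delegated
# dataset.
- name: ensure the existence of ghost ZFS dataset at {{ ghost_cfg.path }}
  when: delegate_dataset is succeeded
  zfs:
    name: '{{ zone_dataset }}/{{ ghost_cfg.dataset }}'
    state: present
    extra_zfs_properties:
      mountpoint: '{{ ghost_cfg.path }}'

- name: ensure presence of {{ ghost_cfg.group }} group
  group:
    name: '{{ ghost_cfg.group }}'

# The Ghost user's home is the install path itself.
- name: ensure presence of {{ ghost_cfg.user }} user
  user:
    name: '{{ ghost_cfg.user }}'
    home: '{{ ghost_cfg.path }}'
    group: '{{ ghost_cfg.group }}'

# The project raises the file-descriptor limit for the service. projadd is not
# idempotent (presumably it exits non-zero once the project exists), hence
# ignore_errors. NOTE(review): this also masks genuine failures; registering
# the result and using failed_when on rc/stderr would be narrower.
- name: ensure presence of {{ ghost_cfg.project }} project
  command: projadd -U {{ ghost_cfg.user }} -G {{ ghost_cfg.group }} -c "Ghost server" -K "process.max-file-descriptor=(basic,65536,deny)" {{ ghost_cfg.project }}
  ignore_errors: true

- name: ensure correct permissions of {{ ghost_cfg.path }}
  file:
    path: '{{ ghost_cfg.path }}'
    state: directory
    owner: '{{ ghost_cfg.user }}'
    group: '{{ ghost_cfg.group }}'
    mode: '0755'

# A /dev/null password lookup never stores the value, so a new password is
# generated on every run and the mysql_user and config template tasks below
# change (and Ghost restarts) on each play. NOTE(review): persisting the
# password (e.g. a lookup file under the data path) would make the role
# idempotent. no_log keeps the generated secret out of play output and logs.
- name: ensure a randomized password for the Ghost MySQL user
  no_log: true
  set_fact:
    ghost_db_pass: "{{ lookup( 'password', '/dev/null' ) }}"

- name: ensure the existence of MySQL database {{ ghost_cfg.db_name }}
  mysql_db:
    name: '{{ ghost_cfg.db_name }}'

# The user is granted ALL on the Ghost database only.
- name: ensure the existence of MySQL user {{ ghost_cfg.db_user }}
  no_log: true
  mysql_user:
    host: '{{ ghost_cfg.db_host }}'
    name: '{{ ghost_cfg.db_user }}'
    password: '{{ ghost_db_pass }}'
    priv: '{{ ghost_cfg.db_name }}.*:ALL'

# Attempt to update Ghost before installing. `removes` runs the update only
# when something is already installed in the path and `creates` runs the
# install only when nothing is, so exactly one of the two executes.
- name: ensure that ghost is up to date
  notify: restart ghost
  become: true
  become_user: '{{ ghost_cfg.user }}'
  command: ghost update
  args:
    chdir: '{{ ghost_cfg.path }}'
    removes: '{{ ghost_cfg.path }}/*'

- name: ensure that ghost is installed
  notify: restart ghost
  become: true
  become_user: '{{ ghost_cfg.user }}'
  command: ghost install local --no-stack --no-setup --no-check-mem --no-start --no-enable
  args:
    chdir: '{{ ghost_cfg.path }}'
    creates: '{{ ghost_cfg.path }}/*'

# The rendered config presumably carries the database credentials (ghost_db_pass
# is only useful to Ghost through it -- confirm against templates/config.json),
# so it is readable by the Ghost user and group only, not world-readable.
- name: ensure that ghost is configured {{ ghost_cfg.url }}
  notify: restart ghost
  template:
    src: config.json
    dest: '{{ ghost_cfg.path }}/config.{{ ghost_cfg.env }}.json'
    owner: '{{ ghost_cfg.user }}'
    group: '{{ ghost_cfg.group }}'
    mode: '0640'

- name: ensure presence of Ghost SMF manifest
  template:
    src: ghost-smf.xml
    dest: /tmp/ghost-smf.xml
    owner: root
    group: root
    mode: '0644'

# NOTE(review): svccfg import runs (and reports changed) on every play; checking
# for the existing service first, or setting changed_when, would make it
# idempotent.
- name: ensure that Ghost SMF manifest has been imported
  command: svccfg import /tmp/ghost-smf.xml

# ghost_enabled is not consumed within this file.
- name: ensure that ghost is enabled
  register: ghost_enabled
  service:
    name: 'svc:/ghost:default'
    enabled: true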
102 |
--------------------------------------------------------------------------------
/roles/neo4j/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Role defaults for the neo4j role. Everything here can be overridden by a
# `neo4j` dictionary in the playbook. `version` must be a key of
# neo4j_checksum (vars/main.yml) or the download task fails. The `config`
# mapping is rendered into neo4j.conf by templates/neo4j.conf (presumably one
# key per line -- confirm); the commented entries document the options that can
# be set and are inactive as written.
neo4j:
  user: neo4j
  group: neo4j
  project: neo4j
  # install path, configuration path and data path (data_path is a ZFS dataset)
  path: /opt/local/neo4j
  conf_path: /opt/local/etc/neo4j
  data_path: /var/db/neo4j
  # ZFS recordsize of the data dataset
  recordsize: 16k
  # quoted so that it stays a string and matches the neo4j_checksum keys
  version: '4.2.2'
  # pkgin package suffix: installs openjdk11
  openjdk: 11
  config:
    #-----------------------
    # General Configuration
    #-----------------------
    # dbms.default_database: neo4j
    # dbms.directories.data: data
    # dbms.directories.plugins: plugins
    # dbms.directories.certificates: certificates
    # dbms.directories.logs: logs
    # dbms.directories.lib: lib
    # dbms.directories.run: run
    dbms.directories.import: import
    # Left commented, authentication presumably stays at Neo4j's default
    # (enabled) -- confirm; uncommenting the next line would expose the
    # database without credentials.
    # dbms.security.auth_enabled: false
    # dbms.allow_upgrade: true
    # dbms.memory.heap.initial_size: 512m
    # dbms.memory.heap.max_size: 512m
    # dbms.memory.pagecache.size: 10g
    #
    #---------------------------------
    # Network Connector Configuration
    #---------------------------------
    # Binds every connector to all interfaces. Bolt (7687) and HTTP (7474) are
    # enabled below while HTTPS is off and no SSL policy is active, so client
    # traffic -- including credentials -- crosses the network in clear text
    # unless a TLS policy is configured. Restrict this to a specific address
    # or firewall the ports unless the zone sits on a trusted network, and
    # enable the https connector / bolt SSL policy for anything reachable
    # from untrusted hosts.
    dbms.connectors.default_listen_address: '0.0.0.0'
    # dbms.connectors.default_advertised_address: localhost
    dbms.connector.bolt.enabled: true
    # dbms.connector.bolt.tls_level: DISABLED
    # dbms.connector.bolt.listen_address: :7687
    dbms.connector.http.enabled: true
    # dbms.connector.http.listen_address: :7474
    dbms.connector.https.enabled: false
    # dbms.connector.https.listen_address: :7473
    # dbms.threads.worker_count:
    #
    #--------------------------
    # SSL Policy Configuration
    #--------------------------
    # dbms.ssl.policy.bolt.enabled: true
    # dbms.ssl.policy.bolt.base_directory: certificates/bolt
    # dbms.ssl.policy.bolt.private_key: private.key
    # dbms.ssl.policy.bolt.public_certificate: public.crt
    # dbms.ssl.policy.https.enabled: true
    # dbms.ssl.policy.https.base_directory: certificates/https
    # dbms.ssl.policy.https.private_key: private.key
    # dbms.ssl.policy.https.public_certificate: public.crt
    # dbms.ssl.policy.cluster.enabled: true
    # dbms.ssl.policy.cluster.base_directory: certificates/cluster
    # dbms.ssl.policy.cluster.private_key: private.key
    # dbms.ssl.policy.cluster.public_certificate: public.crt
    # dbms.ssl.policy.backup.enabled: true
    # dbms.ssl.policy.backup.base_directory: certificates/backup
    # dbms.ssl.policy.backup.private_key: private.key
    # dbms.ssl.policy.backup.public_certificate: public.crt
    #
    #-----------------------
    # Logging Configuration
    #-----------------------
    # dbms.logs.http.enabled: true
    # dbms.logs.http.rotation.keep_number: 5
    # dbms.logs.http.rotation.size: 20m
    # dbms.logs.gc.enabled: true
    # dbms.logs.gc.options: -Xlog:gc*,safepoint,age*=trace
    # dbms.logs.gc.rotation.keep_number: 5
    # dbms.logs.gc.rotation.size: 20m
    # dbms.logs.debug.level: INFO
    # dbms.logs.debug.rotation.size: 20m
    # dbms.logs.debug.rotation.keep_number: 7
    # dbms.logs.query.threshold: 2s
    #
    #-----------------------------
    # Miscellaneous Configuration
    #-----------------------------
    # cypher.default_language_version: 3.5
    # dbms.security.allow_csv_import_from_file_urls: true
    # If enabled, quote the value ('*'): a bare * is a YAML alias indicator and
    # fails to parse. A wildcard origin also allows any web page to talk to the
    # HTTP API.
    # dbms.security.http_access_control_allow_origin: *
    # dbms.security.http_strict_transport_security:
    dbms.tx_log.rotation.retention_policy: 1 days
    # dbms.read_only: false
    # dbms.unmanaged_extension_classes: org.neo4j.examples.server.unmanaged=/examples/unmanaged
    # dbms.security.procedures.unrestricted: my.extensions.example,my.procedures.*
    # dbms.security.procedures.whitelist: apoc.coll.*,apoc.load.*
    #
    #----------------
    # JVM Parameters
    #----------------
    dbms.jvm.additional:
      - -XX:+UseG1GC
      - -XX:-OmitStackTraceInFastThrow
      - -XX:+AlwaysPreTouch
      - -XX:+UnlockExperimentalVMOptions
      - -XX:+TrustFinalNonStaticFields
      - -XX:+DisableExplicitGC
      - -Djdk.nio.maxCachedBufferSize=262144
      - -Dio.netty.tryReflectionSetAccessible=true
      # - -XX:+ExitOnOutOfMemoryError
      # Remote JMX is off. If enabled, keep authenticate=true and reconsider
      # ssl=false before exposing the port beyond localhost.
      # - -Dcom.sun.management.jmxremote.port=3637
      # - -Dcom.sun.management.jmxremote.authenticate=true
      # - -Dcom.sun.management.jmxremote.ssl=false
      # - -Dcom.sun.management.jmxremote.password.file=/absolute/path/to/conf/jmx.password
      # - -Dcom.sun.management.jmxremote.access.file=/absolute/path/to/conf/jmx.access
      # - -Djava.rmi.server.hostname=$THE_NEO4J_SERVER_HOSTNAME
      # TLS hardening for the JVM: 2048-bit ephemeral DH and no client-initiated
      # renegotiation.
      - -Djdk.tls.ephemeralDHKeySize=2048
      - -Djdk.tls.rejectClientInitiatedRenegotiation=true
      # Remote debugging agent; never enable on a reachable host.
      # - -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005
      # - -Djdk.serialFilter=java.**;org.neo4j.**;com.neo4j.**;com.hazelcast.**;net.sf.ehcache.Element;com.sun.proxy.*;org.openjdk.jmh.**;!*
115 |
--------------------------------------------------------------------------------
/roles/neo4j/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | neo4j_checksum:
3 | '3.2.0': 'sha256:77c0c142343ea834852d237828f1ddd8cb2d4b7be9131a00b4ec4e3c48d6f6d0'
4 | '3.2.1': 'sha256:24fd6a704e0d80c4b4f9a3d17ce0db23f258a8cdcfa1eb28d7803b7d1811ee96'
5 | '3.2.2': 'sha256:de607436b9708ee708447be367439a4c8c30bd97ca77e84e3a081b8b6d378d95'
6 | '3.2.3': 'sha256:65e1de8a025eae4ba42ad3947b7ecbf758a11cf41f266e8e47a83cd93c1d83d2'
7 | '3.2.5': 'sha256:2e3854dbd0fe4db1c4fd870f02a90e62eca64ea515cf229b9b9df3509b2aa423'
8 | '3.2.6': 'sha256:6d68363595c9288dc734301de6d8f935b7a0febcb59b88ff77676b95cd0a8950'
9 | '3.2.7': 'sha256:7f347196a1f2026f8daa9ee045d3fbb404d961dd81b3a8363132aaaf60cf316f'
10 | '3.2.8': 'sha256:d2615c97d55e5ee08098b85dbd004eb6c83eff5d054c6f13d47c4dd007b8ca47'
11 | '3.2.9': 'sha256:6bcf88935e262b9ffa62ce7bf3c8b0887a19abbe6a5b615e4bcc724942e140fa'
12 | '3.2.10': 'sha256:7095457c7f27ee3653f66504ae67b5c3a18c51e6a96b986341850897d45696d5'
13 | '3.2.11': 'sha256:c634bfdc8c3c1d879c1af1db31496745afcdb70a34674c9f1f8c3bedd5628c4a'
14 | '3.2.12': 'sha256:fd1d7a5464a4528f63df93b1dae9d272bfcd37cf3730b45f2ac9bca458cb68a8'
15 | '3.2.13': 'sha256:ab3f57ec86fd99f980dbcbdc7d0f8dc0e609138231470c4ab4e343038246efe0'
16 | '3.2.14': 'sha256:530abde4c84da78503b7b1fe2dcc932d14048a855cf6a561b8b912bacca24f2f'
17 | '3.3.0': 'sha256:dbbc65683d65018c48fc14d82ee7691ca75f8f6ea79823b21291970638de5d88'
18 | '3.3.1': 'sha256:0e5c6492cd274edf06c5f10d2b64711bd559aaff37c646e03bfa65e613994174'
19 | '3.3.2': 'sha256:8a2a74f1270944d9b72f2af2c15cb350718e697af6e3800e67cb32a5d1605f6e'
20 | '3.3.3': 'sha256:a57be049906cc871b59d7a8283d265485b2c31de47b208ef18636901859232f9'
21 | '3.3.4': 'sha256:cc2fda6ededfc4678d1fc9be9dc1c5c2902fe2bc184125b59ae6f9183a98571c'
22 | '3.3.5': 'sha256:c603da37a6102252d91328aec4b018ccff417588c29b6888d7260a0840135a3b'
23 | '3.3.6': 'sha256:e6d3c28621eaac7306c706fb22d8336d150d2b37218ca89f5ed5d15fd1676d26'
24 | '3.3.7': 'sha256:8fbd688ad05b02860310d5b1f4ffc172f6a966a597b7d5b3ef1609d1d0125003'
25 | '3.3.8': 'sha256:1a6bc266806823b1fc2b3ec55e2f21b19a81617fffb45781d20a69f8a98e30be'
26 | '3.3.9': 'sha256:e7a02a2b6c1965dbfb60f498b5675e1d10d35422e9ec72eedfffa4206af7ad0a'
27 | '3.4.0': 'sha256:ea04207536c91e83e1889b04ae3276876d1a9612e7fba69dbf188bb3d5e08cdd'
28 | '3.4.1': 'sha256:57ae9e512705b7c2f09067b6bc1c4d1727334e0081d01ce6bded65f0eb7cf7c1'
29 | '3.4.4': 'sha256:0cde1e638cf17900d4039d853e8017562b767853eb26f643134fc8e732db27b4'
30 | '3.4.5': 'sha256:af53823776645e11d04436a513368e7e417b515572d6228da6b2977c8490ffbb'
31 | '3.4.6': 'sha256:8302c45ba4efa14ee5019120a6dd9f8cd1ff61c2b6b0012e7dfebe73b5207e2d'
32 | '3.4.7': 'sha256:f2a2eda7a4313216a99a9400001fef6de1a3aa399602dd1a57f552a5f73cf349'
33 | '3.4.8': 'sha256:5bf8f530e8e9584e2a3810d18e44c7f8ba956239e9a047094986fd5ebcc3bdd5'
34 | '3.4.9': 'sha256:2715282a71d805cbc547ed174c8a3e09ea4bda678fc110c7e30c452c486ee04d'
35 | '3.4.10': 'sha256:59a6fe8e0ae31baf03b6be07e2350d8666ed4752ea98affee0084c6eade6ac73'
36 | '3.4.11': 'sha256:f174210cd2791912fcf8e272f948097a00d6aaccca34e96f856dba3bc21f15c9'
37 | '3.4.12': 'sha256:dd7f201b973d10e3b8a6133a7487ababa5cf397da458c12738a8a2b8d60f7816'
38 | '3.4.13': 'sha256:ac2a30eb72bacbac1e5ec4aeed82cab13a96732a49e1350389785d4f5dbd4203'
39 | '3.4.14': 'sha256:fcbdd7abc28a50cca76daed96d60a6d7d03a4db5bbbfdfb8e520ee1984698461'
40 | '3.4.15': 'sha256:7e230753e2c53c912829f1ed2df963fbacc3892acd3501a84892118317fbccda'
41 | '3.4.16': 'sha256:8c42ebe3455d92deedb09417dc02bcd37f5e0f13eb3f3faa5f1a5b9d4a781c7b'
42 | '3.4.17': 'sha256:fbb03e85a09e1e8a77c496ad61e8094ef94185268098634a4aaf1d1a01b841a6'
43 | '3.5.0': 'sha256:a33df85dbdd22297d5bc9962bd42f7e70c3703ba3067b1adeaf5c18240944f37'
44 | '3.5.1': 'sha256:abec3a53d8c04cb5caf76194199017a41901159d47c57b888ebf37f29a905400'
45 | '3.5.2': 'sha256:c1dec66aaf4d97b2e538ec0068de172ef454de101cce37196c8b8865f4db6644'
46 | '3.5.3': 'sha256:d4b6e48327d5283131e9a38db25d722119e21ef5420b3cc393b9263aa37313ea'
47 | '3.5.4': 'sha256:70c944ce8c089506c8812c6ab85d7569b5800a772381c98e120b97fcc01c173b'
48 | '3.5.5': 'sha256:b89ea38ef315ed3466aa51fb6af1d496fa78b54a8c654b4e6f0722e87b78f0b6'
49 | '3.5.6': 'sha256:f536224565ce27b95947c91a37d52b9ba9e80247d8d3262075b24b8d47f8532a'
50 | '3.5.7': 'sha256:31c8f398df9342928502a7321f045eb8f2b96ec4ded26f9f057dc6f6fa10c60c'
51 | '3.5.8': 'sha256:ef714d0e7067d437649e52b6727d258c46a144db2ce567dc4d13b62ee916494e'
52 | '3.5.9': 'sha256:cf0e6c6e9733cda11922a4a060e53269ac05b6e55cb7817c55621e005928f6cf'
53 | '3.5.10': 'sha256:57dbeb858dd327f907d3f11cfb3239b3f537668c00e087e59ebad0e2bc7c135b'
54 | '3.5.11': 'sha256:4dd4f2b6c32e216b42ab8d2235f10c4d992d567d36927df93d2d9fb1763e6376'
55 | '3.5.12': 'sha256:3b82b72a211d1b628b64f18f4af9f10b12ed6e2fd0ad94910e11b7fef5d0d86c'
56 | '3.5.13': 'sha256:2fdb29816bc72894b10f082b5d542fdaa0cf5d9cfdb899d9aac1e34bc2006250'
57 | '3.5.14': 'sha256:fb435b11494cde475f748f057a192bcbd8580c7445b380afe9ff52311f334bfe'
58 | '3.5.15': 'sha256:32ed30e81aed0fc32d7ca8245b4a25e7aa1c08b89770ea33da1f4b427f1f7664'
59 | '3.5.16': 'sha256:3eded9065de1ddd39d519b05845da2f572b5ddb4e6440b93555927f329eaf222'
60 | '3.5.17': 'sha256:1c8b6ac0ffd346f0707fe1af713ef74f1c6ce1ea6feb5e9a0bd170e7a8a34a10'
61 | '3.5.18': 'sha256:ed6c2c52faf048919cea6da8f214071b57e3cdcfae4527957d25948a35c6c75a'
62 | '3.5.19': 'sha256:c0b514af785fb5649963706d98864cc690397e14b3ff3942ec8dabf02c2f768a'
63 | '3.5.20': 'sha256:01406d4e6a9e89340637aac779adb189db9af66e9c615804ad1ccc17346c7c0b'
64 | '3.5.21': 'sha256:b166846e1e247ca809e5036a1efee852a9df36eeabbbccc8e7b74138399f894c'
65 | '3.5.22': 'sha256:fa1d88c7b560cc40598323618d002cbdfa1191d3abb8aa83929a61e3a2ef642c'
66 | '3.5.23': 'sha256:6fb21b6487a0663168e103c948968ea3f9d9760bb91a1fb2f3879b36ad62a413'
67 | '3.5.24': 'sha256:7cddfdccc75c493ee110cf27e17e2521218741e2b6adb4c67cadc8774ac12907'
68 | '3.5.25': 'sha256:3a1241ae118fb89d1db17f05a9e8a9a71c2a53ee15f574f21acbd507e3fa9b50'
69 | '3.5.26': 'sha256:7e5bc2ccd0dd5ac4cf845843dd05e5d7d43bbfc57604a1ff855b0e1ed4092071'
70 | '4.0.0': 'sha256:63c85ee709916f9f5fa2fac7274f1a55bdd44d6ab353cbdd05f050aed9532e82'
71 | '4.0.1': 'sha256:623c807ec23ed5c5e8db665a36bcdcb03a11ca2179ce24b61b220ecac60ace90'
72 | '4.0.2': 'sha256:e189f557a41835170fae42ee8d2dea9a94a3c790cfc73f0d9eb28be21b806830'
73 | '4.0.3': 'sha256:34db8c51899eced35ca5b9ba764649419f160b944b81abc52ed3587492c07085'
74 | '4.0.4': 'sha256:e467b30f483132e62be0288f7db337148cea25221a80e23dba8af995a03b60a3'
75 | '4.0.5': 'sha256:7f3c17b4d33d0cbda0d2bce2e48ee0ede06d948ed0fd1b7bf64b6a00d858c93f'
76 | '4.0.6': 'sha256:47a7edfe0f673517c7c21b33b5f124377cbfa1763081475ba1013caa6ad2340e'
77 | '4.0.7': 'sha256:975476bdd11c466769e5cd34e6bac85b43a29f1ccda8a5da8b764a71d752641c'
78 | '4.0.8': 'sha256:1731957124dd0cecf7c096ba5d09e6eed07ea587ffb1c0f11e3699f4d00d6a08'
79 | '4.0.9': 'sha256:d04e8e26bfb32267f33ac46fe51ffe0d677246328c94c61f3f3483f9c2e03e4d'
80 | '4.0.10': 'sha256:1ebe1fe8760b34811cc0d610f69133da67cf376c74b0b29f8ca9a6176092c9ea'
81 | '4.0.11': 'sha256:913ab0acce7a8020213ce1cb0d4414a31ead29e3e31d4358c5553d3ade340241'
82 | '4.1.0': 'sha256:b598edeb3401e5ec40fb7bc3370307addfcaa21565f731016c9c7f8e70af659a'
83 | '4.1.1': 'sha256:4f663a520bec40dfd0b1972feb3cf93af321c230b448adb6dc917717e67a1271'
84 | '4.1.2': 'sha256:c4917a1f16da0ab214de9fa04e4db351efbd0b92a7f2314d27501c1d82293a6f'
85 | '4.1.3': 'sha256:6da059f04f86e1a74221eb0103da38a1f645969cbbfe1b37c9de48bf55acabdc'
86 | '4.1.4': 'sha256:c6e555e35fd08ab1129f57c4346450b1bc3793488a270fa9b2271a41b5b39455'
87 | '4.1.5': 'sha256:f636596c6b7ba49a61e3cfbdbf0daf420892be68d187371edaae3157bad8ed29'
88 | '4.2.0': 'sha256:188cfb1f36c5aa4228d9c7f921eac489e1bcaa5a53e301568cea4b650152e075'
89 | '4.2.1': 'sha256:0f074e2d84c265fbb066ad648b52c62c623d1f1b18b9d4d04356d46726853c96'
90 | '4.2.2': 'sha256:6bbd385fea4b23f4447926209168499b361774f1cadae71ad4a960e648821359'
91 |
--------------------------------------------------------------------------------
/roles/redis/vars/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for the redis role. Everything under default_redis.config is
# rendered into redis.conf, so the yes/no values are kept as quoted strings
# (redis.conf wants the literal tokens, not YAML booleans) and sizes such as
# 64mb stay plain strings.
default_redis:
  config:
    # ---------
    # Network
    # ---------
    bind: '::1 127.0.0.1'  # Loopback only (IPv6 and IPv4); nothing is reachable from other hosts over TCP
    protected-mode: 'yes'  # Refuse unauthenticated requests from other hosts
    # NOTE(review): Redis documents protected-mode as only taking effect while bind and
    # requirepass are both unset; with bind set above, the loopback bind is the actual
    # exposure control — confirm against the deployed Redis version.
    port: 6379  # TCP listen port; 0 turns TCP off entirely
    tcp-backlog: 511  # listen() backlog length
    unixsocket: /tmp/redis.sock  # Path of the listening UNIX socket
    unixsocketperm: 700  # File mode of the UNIX socket (owner-only access)
    timeout: 0  # Idle seconds before a client is dropped; 0 never disconnects
    tcp-keepalive: 300  # Seconds between SO_KEEPALIVE probes to silent clients; 0 disables them

    # ---------
    # General
    # ---------
    daemonize: 'yes'  # Fork into the background (the SMF manifest expects this)
    supervised: 'no'  # No supervisor handshake; Redis does not talk to SMF
    pidfile: /var/db/redis/redis.pid  # Where the pid file is written
    loglevel: notice  # One of warning | notice | verbose | debug
    logfile: /var/log/redis/redis.log  # Log destination
    # syslog-enabled: 'yes'  # Also log to the system logger
    # syslog-ident: redis  # Syslog identity
    # syslog-facility: local0  # Syslog facility
    databases: 16  # Number of numbered databases
    always-show-logo: 'no'  # Keep the ASCII logo out of the log

    # --------------
    # Snapshotting
    # --------------
    save:  # "<seconds> <changes>" pairs: dump the DB once that many writes have happened within that window
      - '900 1'
      - '300 10'
      - '60 10000'
    stop-writes-on-bgsave-error: 'yes'  # Refuse writes once a background save has failed instead of silently losing them
    rdbcompression: 'yes'  # Compress string objects in the RDB; may be redundant on a compressed ZFS dataset
    rdbchecksum: 'yes'  # Trailing CRC64 in the RDB; may be redundant on ZFS, which checksums blocks itself
    dbfilename: dump.rdb  # RDB file name inside dir
    dir: /var/db/redis  # Working directory for RDB and AOF files

    # -------------
    # Replication
    # -------------
    # replicaof:  # Master to replicate from
    # masterauth:  # Password for the master; must equal the master's requirepass
    replica-serve-stale-data: 'yes'  # Keep answering from old data while a resync with the master is in progress
    replica-read-only: 'yes'  # Reject client writes on a replica (they would be overwritten at the next resync anyway)
    repl-diskless-sync: 'no'  # Master writes the RDB to disk before sending; socket-based diskless sync is quicker but experimental and scales worse
    repl-diskless-sync-delay: 5  # Seconds the master waits before forking the child that streams the RDB to replicas
    # repl-ping-replica-period: 10  # Seconds between pings from the replicas to the master
    # repl-timeout: 60  # Bulk-transfer timeout during sync; also the master timeout seen by replicas and the replica timeout seen by the master
    repl-disable-tcp-nodelay: 'no'  # Leave TCP_NODELAY enabled on the replication link
    # repl-backlog-size: 1mb  # Replication backlog buffer size
    # repl-backlog-ttl: 3600  # Seconds after the last replica disconnects before the backlog is freed
    replica-priority: 100  # Sentinel promotion preference: lower is promoted first, 0 is never promoted
    # min-replicas-to-write: 3  # Master refuses client writes unless this many replicas are connected
    # min-replicas-max-lag: 10  # ...and none of them lags by more than this many seconds
    # replica-announce-ip: 5.5.5.5  # Override the replica IP the master reports
    # replica-announce-port: 1234  # Override the replica port the master reports

    # ----------
    # Security
    # ----------
    # requirepass:  # Password clients must present via AUTH before any other command (unset here: access is limited by the loopback bind and the socket mode above)
    # rename-command:  # Rename dangerous commands so they cannot be reached in a shared environment
    #   -  # Renaming a command to the empty string disables it

    # ---------
    # Clients
    # ---------
    # maxclients: 10000  # Upper bound on simultaneously connected clients

    # -------------------
    # Memory Management
    # -------------------
    # maxmemory:  # Memory cap in bytes
    # maxmemory-policy: noeviction  # What to do at the cap (volatile-lru|allkeys-lru|volatile-lfu|allkeys-lfu|volatile-random|allkeys-random|volatile-ttl|noeviction)
    # maxmemory-samples: 5  # Keys sampled per eviction decision
    # replica-ignore-maxmemory: 'yes'  # Replicas ignore maxmemory until they are promoted to master

    # --------------
    # Lazy Freeing
    # --------------
    lazyfree-lazy-eviction: 'no'  # Free keys evicted for maxmemory in the background
    lazyfree-lazy-expire: 'no'  # Free keys removed by TTL expiry in the background
    lazyfree-lazy-server-del: 'no'  # Free keys overwritten by another key (e.g. a RENAME) in the background
    replica-lazy-flush: 'no'  # Free the dataset a replica drops for a full resync in the background

    # ------------------
    # Append Only Mode
    # ------------------
    appendonly: 'no'  # Keep an append-only log of writes on disk (comparable to a WAL, or the ZFS ZIL)
    appendfilename: 'appendonly.aof'  # AOF file name inside dir
    # appendfsync: always  # fsync after every write; only sensible with a fast SLOG on the ZFS pool
    # appendfsync: everysec  # fsync once a second; the usual compromise
    appendfsync: 'no'  # Never fsync; ZFS commits a transaction group about every 5 seconds anyway
    no-appendfsync-on-rewrite: 'no'  # Turn on if always/everysec fsyncs cause latency during rewrites
    auto-aof-rewrite-percentage: 100  # Rewrite once the AOF has grown by this percentage since the last rewrite
    auto-aof-rewrite-min-size: 64mb  # ...but never below this absolute size
    aof-load-truncated: 'yes'  # Start anyway when the AOF tail is obviously truncated (corruption in the middle still aborts startup)
    aof-use-rdb-preamble: 'yes'  # Load the RDB preamble first, then replay the remaining AOF commands

    # ---------------
    # Lua Scripting
    # ---------------
    lua-time-limit: 5000  # Upper bound on a Lua script's execution time, in milliseconds

    # ---------------
    # Redis Cluster
    # ---------------
    # cluster-enabled: 'yes'  # Start this instance as a cluster member
    # cluster-config-file: nodes-6379.conf  # Per-node cluster state file, maintained by Redis itself
    # cluster-node-timeout: 15000  # Milliseconds a node must be unreachable before it is considered failed
    # cluster-replica-validity-factor: 10  # A replica will not try to fail over if it last talked to its master more than this * cluster-node-timeout ago
    # cluster-migration-barrier: 1  # Minimum replicas a master keeps before one may migrate to an orphaned master
    # cluster-require-full-coverage: 'yes'  # Stop serving queries if any hash slot is uncovered; 'no' keeps serving regardless
    # cluster-replica-no-failover: 'yes'  # Replicas never fail over automatically; a manual failover is still possible

    # ----------------------------
    # Cluster Docker/NAT Support
    # ----------------------------
    # cluster-announce-ip: 10.1.1.5  # IP address this node announces to the cluster
    # cluster-announce-port: 6379  # Client port this node announces to the cluster
    # cluster-announce-bus-port: 6380  # Cluster bus port this node announces to the cluster

    # ----------
    # Slow Log
    # ----------
    slowlog-log-slower-than: 10000  # Log commands slower than this many microseconds
    slowlog-max-len: 128  # Keep at most this many slow-log entries; the oldest are dropped first

    # -----------------
    # Latency Monitor
    # -----------------
    latency-monitor-threshold: 0  # Minimum latency (ms) an operation must exceed to be recorded for the LATENCY command; 0 disables

    # --------------------
    # Event Notification
    # --------------------
    notify-keyspace-events: '""'  # Keyspace notifications published over Pub/Sub; see http://redis.io/topics/notifications

    # ------------------------
    # Advanced Configuration
    # ------------------------
    # If you're editing these, you should already know what they do.
    hash-max-ziplist-entries: 512
    hash-max-ziplist-value: 64
    list-max-ziplist-size: -2
    list-compress-depth: 0
    set-max-intset-entries: 512
    zset-max-ziplist-entries: 128
    zset-max-ziplist-value: 64
    hll-sparse-max-bytes: 3000
    stream-node-max-bytes: 4096
    stream-node-max-entries: 100
    activerehashing: 'yes'
    client-output-buffer-limit:
      - 'normal 0 0 0'
      - 'replica 256mb 64mb 60'
      - 'pubsub 32mb 8mb 60'
    hz: 10
    dynamic-hz: 'yes'
    aof-rewrite-incremental-fsync: 'yes'
    rdb-save-incremental-fsync: 'yes'
167 |
--------------------------------------------------------------------------------
/roles/dhcpdns/templates/powerdns-recursor.conf:
--------------------------------------------------------------------------------
1 | {{ configuration_header }}
2 |
3 | # Autogenerated configuration file template
4 | #################################
5 | # allow-from If set, only allow these comma separated netmasks to recurse
6 | #
7 | # allow-from=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
8 |
9 | #################################
10 | # allow-from-file If set, load allowed netmasks from this file
11 | #
12 | # allow-from-file=
13 |
14 | #################################
15 | # any-to-tcp Answer ANY queries with tc=1, shunting to TCP
16 | #
17 | # any-to-tcp=no
18 |
19 | #################################
20 | # api-config-dir Directory where REST API stores config and zones
21 | #
22 | # api-config-dir=
23 |
24 | #################################
25 | # api-key Static pre-shared authentication key for access to the REST API
26 | #
27 | # api-key=
28 |
29 | #################################
30 | # api-logfile Location of the server logfile (used by the REST API)
31 | #
32 | # api-logfile=/var/log/pdns.log
33 |
34 | #################################
35 | # api-readonly Disallow data modification through the REST API when set
36 | #
37 | # api-readonly=no
38 |
39 | #################################
40 | # auth-zones Zones for which we have authoritative data, comma separated domain=file pairs
41 | #
42 | # auth-zones=
43 |
44 | #################################
45 | # carbon-interval Number of seconds between carbon (graphite) updates
46 | #
47 | # carbon-interval=30
48 |
49 | #################################
50 | # carbon-ourname If set, overrides our reported hostname for carbon stats
51 | #
52 | # carbon-ourname=
53 |
54 | #################################
55 | # carbon-server If set, send metrics in carbon (graphite) format to this server IP address
56 | #
57 | # carbon-server=
58 |
59 | #################################
60 | # chroot switch to chroot jail
61 | #
62 | # chroot=
63 |
64 | #################################
65 | # client-tcp-timeout Timeout in seconds when talking to TCP clients
66 | #
67 | # client-tcp-timeout=2
68 |
69 | #################################
70 | # config-dir Location of configuration directory (recursor.conf)
71 | #
72 | # config-dir=/opt/local/etc
73 |
74 | #################################
75 | # config-name Name of this virtual configuration - will rename the binary image
76 | #
77 | # config-name=
78 |
79 | #################################
80 | # cpu-map Thread to CPU mapping, space separated thread-id=cpu1,cpu2..cpuN pairs
81 | #
82 | # cpu-map=
83 |
84 | #################################
85 | # daemon Operate as a daemon
86 | #
87 | # daemon=no
88 |
89 | #################################
90 | # delegation-only Which domains we only accept delegations from
91 | #
92 | # delegation-only=
93 |
94 | #################################
95 | # disable-packetcache Disable packetcache
96 | #
97 | # disable-packetcache=no
98 |
99 | #################################
100 | # disable-syslog Disable logging to syslog, useful when running inside a supervisor that logs stdout
101 | #
102 | # disable-syslog=no
103 |
104 | #################################
105 | # distribution-load-factor The load factor used when PowerDNS is distributing queries to worker threads
106 | #
107 | # distribution-load-factor=0.0
108 |
109 | #################################
110 | # dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
111 | #
112 | # dnssec=process-no-validate
113 |
114 | #################################
115 | # dnssec-log-bogus Log DNSSEC bogus validations
116 | #
117 | # dnssec-log-bogus=no
118 |
119 | #################################
120 | # dont-query If set, do not query these netmasks for DNS data
121 | #
122 | # dont-query=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32
123 |
124 | #################################
125 | # ecs-cache-limit-ttl Minimum TTL to cache ECS response
126 | #
127 | # ecs-cache-limit-ttl=0
128 |
129 | #################################
130 | # ecs-ipv4-bits Number of bits of IPv4 address to pass for EDNS Client Subnet
131 | #
132 | # ecs-ipv4-bits=24
133 |
134 | #################################
135 | # ecs-ipv4-cache-bits Maximum number of bits of IPv4 mask to cache ECS response
136 | #
137 | # ecs-ipv4-cache-bits=24
138 |
139 | #################################
140 | # ecs-ipv6-bits Number of bits of IPv6 address to pass for EDNS Client Subnet
141 | #
142 | # ecs-ipv6-bits=56
143 |
144 | #################################
145 | # ecs-ipv6-cache-bits Maximum number of bits of IPv6 mask to cache ECS response
146 | #
147 | # ecs-ipv6-cache-bits=56
148 |
149 | #################################
150 | # ecs-scope-zero-address Address to send to whitelisted authoritative servers for incoming queries with ECS prefix-length source of 0
151 | #
152 | # ecs-scope-zero-address=
153 |
154 | #################################
155 | # edns-outgoing-bufsize Outgoing EDNS buffer size
156 | #
157 | # edns-outgoing-bufsize=1680
158 |
159 | #################################
160 | # edns-subnet-whitelist List of netmasks and domains that we should enable EDNS subnet for
161 | #
162 | # edns-subnet-whitelist=
163 |
164 | #################################
165 | # entropy-source If set, read entropy from this file
166 | #
167 | # entropy-source=/dev/urandom
168 |
169 | #################################
170 | # etc-hosts-file Path to 'hosts' file
171 | #
172 | # etc-hosts-file=/etc/hosts
173 |
174 | #################################
175 | # export-etc-hosts If we should serve up contents from /etc/hosts
176 | #
177 | # export-etc-hosts=off
178 |
179 | #################################
180 | # export-etc-hosts-search-suffix Also serve up the contents of /etc/hosts with this suffix
181 | #
182 | # export-etc-hosts-search-suffix=
183 |
184 | #################################
185 | # forward-zones Zones for which we forward queries, comma separated domain=ip pairs
186 | #
187 | # forward-zones=
188 |
189 | #################################
190 | # forward-zones-file File with (+)domain=ip pairs for forwarding
191 | #
192 | # forward-zones-file=
193 |
194 | #################################
195 | # forward-zones-recurse Zones for which we forward queries with recursion bit, comma separated domain=ip pairs
196 | #
197 | # forward-zones-recurse=
198 |
199 | #################################
200 | # gettag-needs-edns-options If EDNS Options should be extracted before calling the gettag() hook
201 | #
202 | # gettag-needs-edns-options=no
203 |
204 | #################################
205 | # hint-file If set, load root hints from this file
206 | #
207 | # hint-file=
208 |
209 | #################################
210 | # include-dir Include *.conf files from this directory
211 | #
212 | # include-dir=
213 |
214 | #################################
215 | # latency-statistic-size Number of latency values to calculate the qa-latency average
216 | #
217 | # latency-statistic-size=10000
218 |
219 | #################################
220 | # local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
221 | #
222 | # local-address=127.0.0.1
223 |
224 | #################################
225 | # local-port port to listen on
226 | #
227 | # local-port=53
228 |
229 | #################################
230 | # log-common-errors If we should log rather common errors
231 | #
232 | # log-common-errors=no
233 |
234 | #################################
235 | # log-rpz-changes Log additions and removals to RPZ zones at Info level
236 | #
237 | # log-rpz-changes=no
238 |
239 | #################################
240 | # log-timestamp Print timestamps in log lines, useful to disable when running with a tool that timestamps stdout already
241 | #
242 | # log-timestamp=yes
243 |
244 | #################################
245 | # logging-facility Facility to log messages as. 0 corresponds to local0
246 | #
247 | # logging-facility=
248 |
249 | #################################
250 | # loglevel Amount of logging. Higher is more. Do not set below 3
251 | #
252 | # loglevel=6
253 |
254 | #################################
255 | # lowercase-outgoing Force outgoing questions to lowercase
256 | #
257 | # lowercase-outgoing=no
258 |
259 | #################################
260 | # lua-config-file More powerful configuration options
261 | #
262 | # lua-config-file=
263 |
264 | #################################
265 | # lua-dns-script Filename containing an optional 'lua' script that will be used to modify dns answers
266 | #
267 | # lua-dns-script=
268 |
269 | #################################
270 | # max-cache-entries If set, maximum number of entries in the main cache
271 | #
272 | # max-cache-entries=1000000
273 |
274 | #################################
275 | # max-cache-ttl maximum number of seconds to keep a cached entry in memory
276 | #
277 | # max-cache-ttl=86400
278 |
279 | #################################
280 | # max-mthreads Maximum number of simultaneous Mtasker threads
281 | #
282 | # max-mthreads=2048
283 |
284 | #################################
285 | # max-negative-ttl maximum number of seconds to keep a negative cached entry in memory
286 | #
287 | # max-negative-ttl=3600
288 |
289 | #################################
290 | # max-packetcache-entries maximum number of entries to keep in the packetcache
291 | #
292 | # max-packetcache-entries=500000
293 |
294 | #################################
295 | # max-qperq Maximum outgoing queries per query
296 | #
297 | # max-qperq=50
298 |
299 | #################################
300 | # max-recursion-depth Maximum number of internal recursion calls per query, 0 for unlimited
301 | #
302 | # max-recursion-depth=40
303 |
304 | #################################
305 | # max-tcp-clients Maximum number of simultaneous TCP clients
306 | #
307 | # max-tcp-clients=128
308 |
309 | #################################
310 | # max-tcp-per-client If set, maximum number of TCP sessions per client (IP address)
311 | #
312 | # max-tcp-per-client=0
313 |
314 | #################################
315 | # max-tcp-queries-per-connection If set, maximum number of TCP queries in a TCP connection
316 | #
317 | # max-tcp-queries-per-connection=0
318 |
319 | #################################
320 | # max-total-msec Maximum total wall-clock time per query in milliseconds, 0 for unlimited
321 | #
322 | # max-total-msec=7000
323 |
324 | #################################
325 | # max-udp-queries-per-round Maximum number of UDP queries processed per recvmsg() round, before returning back to normal processing
326 | #
327 | # max-udp-queries-per-round=10000
328 |
329 | #################################
330 | # minimum-ttl-override Set under adverse conditions, a minimum TTL
331 | #
332 | # minimum-ttl-override=0
333 |
334 | #################################
335 | # network-timeout Wait this number of milliseconds for network i/o
336 | #
337 | # network-timeout=1500
338 |
339 | #################################
340 | # no-shuffle Don't change
341 | #
342 | # no-shuffle=off
343 |
344 | #################################
345 | # non-local-bind Enable binding to non-local addresses by using FREEBIND / BINDANY socket options
346 | #
347 | # non-local-bind=no
348 |
349 | #################################
350 | # nsec3-max-iterations Maximum number of iterations allowed for an NSEC3 record
351 | #
352 | # nsec3-max-iterations=2500
353 |
354 | #################################
355 | # packetcache-servfail-ttl maximum number of seconds to keep a cached servfail entry in packetcache
356 | #
357 | # packetcache-servfail-ttl=60
358 |
359 | #################################
360 | # packetcache-ttl maximum number of seconds to keep a cached entry in packetcache
361 | #
362 | # packetcache-ttl=3600
363 |
364 | #################################
365 | # pdns-distributes-queries If PowerDNS itself should distribute queries over threads
366 | #
367 | # pdns-distributes-queries=yes
368 |
369 | #################################
370 | # processes Launch this number of processes (EXPERIMENTAL, DO NOT CHANGE)
371 | #
372 | # processes=1
373 |
374 | #################################
375 | # query-local-address Source IP address for sending queries
376 | #
377 | # query-local-address=0.0.0.0
378 |
379 | #################################
380 | # query-local-address6 Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
381 | #
382 | # query-local-address6=
383 |
384 | #################################
385 | # quiet Suppress logging of questions and answers
386 | #
387 | # quiet=
388 |
389 | #################################
390 | # reuseport Enable SO_REUSEPORT allowing multiple recursors processes to listen to 1 address
391 | #
392 | # reuseport=no
393 |
394 | #################################
395 | # root-nx-trust If set, believe that an NXDOMAIN from the root means the TLD does not exist
396 | #
397 | # root-nx-trust=yes
398 |
399 | #################################
400 | # security-poll-suffix Domain name from which to query security update notifications
401 | #
402 | # security-poll-suffix=secpoll.powerdns.com.
403 |
404 | #################################
405 | # serve-rfc1918 If we should be authoritative for RFC 1918 private IP space
406 | #
407 | # serve-rfc1918=yes
408 |
409 | #################################
410 | # server-down-max-fails Maximum number of consecutive timeouts (and unreachables) to mark a server as down ( 0 => disabled )
411 | #
412 | # server-down-max-fails=64
413 |
414 | #################################
415 | # server-down-throttle-time Number of seconds to throttle all queries to a server after being marked as down
416 | #
417 | # server-down-throttle-time=60
418 |
419 | #################################
420 | # server-id Returned when queried for 'id.server' TXT or NSID, defaults to hostname
421 | #
422 | # server-id=
423 |
424 | #################################
425 | # setgid If set, change group id to this gid for more security
426 | #
427 | # setgid=
428 |
429 | #################################
430 | # setuid If set, change user id to this uid for more security
431 | #
432 | # setuid=
433 |
434 | #################################
435 | # signature-inception-skew Allow the signature inception to be off by this number of seconds
436 | #
437 | # signature-inception-skew=0
438 |
439 | #################################
440 | # single-socket If set, only use a single socket for outgoing queries
441 | #
442 | # single-socket=off
443 |
444 | #################################
445 | # snmp-agent If set, register as an SNMP agent
446 | #
447 | # snmp-agent=no
448 |
449 | #################################
450 | # snmp-master-socket If set and snmp-agent is set, the socket to use to register to the SNMP master
451 | #
452 | # snmp-master-socket=
453 |
454 | #################################
455 | # soa-minimum-ttl Don't change
456 | #
457 | # soa-minimum-ttl=0
458 |
459 | #################################
460 | # socket-dir Where the controlsocket will live, /var/run when unset and not chrooted
461 | #
462 | # socket-dir=
463 |
464 | #################################
465 | # socket-group Group of socket
466 | #
467 | # socket-group=
468 |
469 | #################################
470 | # socket-mode Permissions for socket
471 | #
472 | # socket-mode=
473 |
474 | #################################
475 | # socket-owner Owner of socket
476 | #
477 | # socket-owner=
478 |
479 | #################################
480 | # spoof-nearmiss-max If non-zero, assume spoofing after this many near misses
481 | #
482 | # spoof-nearmiss-max=20
483 |
484 | #################################
485 | # stack-size stack size per mthread
486 | #
487 | # stack-size=200000
488 |
489 | #################################
490 | # statistics-interval Number of seconds between printing of recursor statistics, 0 to disable
491 | #
492 | # statistics-interval=1800
493 |
494 | #################################
495 | # stats-ringbuffer-entries maximum number of packets to store statistics for
496 | #
497 | # stats-ringbuffer-entries=10000
498 |
499 | #################################
500 | # tcp-fast-open Enable TCP Fast Open support on the listening sockets, using the supplied numerical value as the queue size
501 | #
502 | # tcp-fast-open=0
503 |
504 | #################################
505 | # threads Launch this number of threads
506 | #
507 | # threads=2
508 |
509 | #################################
510 | # trace if we should output heaps of logging. set to 'fail' to only log failing domains
511 | #
512 | # trace=off
513 |
514 | #################################
515 | # udp-truncation-threshold Maximum UDP response size before we truncate
516 | #
517 | # udp-truncation-threshold=1680
518 |
519 | #################################
520 | # use-incoming-edns-subnet Pass along received EDNS Client Subnet information
521 | #
522 | # use-incoming-edns-subnet=no
523 |
524 | #################################
525 | # version-string string reported on version.pdns or version.bind
526 | #
527 | # version-string=PowerDNS Recursor 4.1.12 (built Jul 1 2019 23:30:39 by pbulk@pkgsrc-pbulk-2014Q4-1.local.)
528 |
529 | #################################
530 | # webserver Start a webserver (for REST API)
531 | #
532 | # webserver=no
533 |
534 | #################################
535 | # webserver-address IP Address of webserver to listen on
536 | #
537 | # webserver-address=127.0.0.1
538 |
539 | #################################
540 | # webserver-allow-from Webserver access is only allowed from these subnets
541 | #
542 | # webserver-allow-from=127.0.0.1,::1
543 |
544 | #################################
545 | # webserver-password Password required for accessing the webserver
546 | #
547 | # webserver-password=
548 |
549 | #################################
550 | # webserver-port Port of webserver to listen on
551 | #
552 | # webserver-port=8082
553 |
554 | #################################
555 | # write-pid Write a PID file
556 | #
557 | # write-pid=yes
558 |
559 |
560 |
--------------------------------------------------------------------------------
/roles/postgresql/defaults/main.yml:
--------------------------------------------------------------------------------
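---
# Defaults for the postgresql role.
#
# Layout:
#   postgresql.server      package that provides the server (pkgsrc name)
#   postgresql.recordsize  record size for the data directory's dataset
#   postgresql.config      the only postgresql.conf settings this role
#                          manages; presumably rendered by the role's
#                          postgresql.conf template as `key = value`
#                          (confirm against the template)
#   postgresql.hba         rows for pg_hba.conf, in evaluation order
#   postgresql.ident       rows for pg_ident.conf
#
# Everything commented out under `config` is the upstream
# postgresql.conf.sample kept as a reference: to manage another setting,
# add it as a key next to the active ones. Values that postgresql.conf
# needs single-quoted carry the quotes themselves (hence "'UTC'"), since
# the value appears to be written verbatim -- confirm against the template.
postgresql:
  server: postgresql12-server
  # Presumably a ZFS recordsize for the data directory, i.e. the data
  # directory is expected to live on ZFS -- confirm. full_page_writes
  # below relies on that assumption.
  recordsize: 16k
  config:
    #------------------------------------------------------------------------------
    # FILE LOCATIONS
    #------------------------------------------------------------------------------

    # The default values of these variables are driven from the -D command-line
    # option or PGDATA environment variable, represented here as ConfigDir.
    #
    #data_directory = 'ConfigDir'           # use data in another directory
    #                                       # (change requires restart)
    #hba_file = 'ConfigDir/pg_hba.conf'     # host-based authentication file
    #                                       # (change requires restart)
    #ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file
    #                                       # (change requires restart)
    #
    # If external_pid_file is not explicitly set, no extra PID file is written.
    #external_pid_file = ''                 # write an extra PID file
    #                                       # (change requires restart)

    #------------------------------------------------------------------------------
    # CONNECTIONS AND AUTHENTICATION
    #------------------------------------------------------------------------------

    # - Connection Settings -

    #listen_addresses = 'localhost'         # what IP address(es) to listen on;
    #                                       # comma-separated list of addresses;
    #                                       # defaults to 'localhost'; use '*' for all
    #                                       # (change requires restart)
    #port = 5432                            # (change requires restart)
    max_connections: 100
    #superuser_reserved_connections = 3     # (change requires restart)
    #unix_socket_directories = '/tmp'       # comma-separated list of directories
    #                                       # (change requires restart)
    #unix_socket_group = ''                 # (change requires restart)
    #unix_socket_permissions = 0777         # begin with 0 to use octal notation
    #                                       # (change requires restart)
    #bonjour = off                          # advertise server via Bonjour
    #                                       # (change requires restart)
    #bonjour_name = ''                      # defaults to the computer name
    #                                       # (change requires restart)

    # - TCP settings -
    # see "man tcp" for details

    #tcp_keepalives_idle = 0                # TCP_KEEPIDLE, in seconds;
    #                                       # 0 selects the system default
    #tcp_keepalives_interval = 0            # TCP_KEEPINTVL, in seconds;
    #                                       # 0 selects the system default
    #tcp_keepalives_count = 0               # TCP_KEEPCNT;
    #                                       # 0 selects the system default
    #tcp_user_timeout = 0                   # TCP_USER_TIMEOUT, in milliseconds;
    #                                       # 0 selects the system default

    # - Authentication -

    #authentication_timeout = 1min          # 1s-600s
    # Upstream default in PostgreSQL 12/13 is md5. The `hba` rows below
    # authenticate with scram-sha-256, which can only verify passwords
    # that were stored as SCRAM verifiers: a password set while this is
    # md5 would be rejected by every password login. Set it explicitly
    # so the stored hash matches the hba method.
    password_encryption: scram-sha-256
    #db_user_namespace = off

    # GSSAPI using Kerberos
    #krb_server_keyfile = ''
    #krb_caseins_users = off

    # - SSL -

    #ssl = off
    #ssl_ca_file = ''
    #ssl_cert_file = 'server.crt'
    #ssl_crl_file = ''
    #ssl_key_file = 'server.key'
    #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
    #ssl_prefer_server_ciphers = on
    #ssl_ecdh_curve = 'prime256v1'
    #ssl_min_protocol_version = 'TLSv1.2'
    #ssl_max_protocol_version = ''
    #ssl_dh_params_file = ''
    #ssl_passphrase_command = ''
    #ssl_passphrase_command_supports_reload = off


    #------------------------------------------------------------------------------
    # RESOURCE USAGE (except WAL)
    #------------------------------------------------------------------------------

    # - Memory -
    shared_buffers: 128MB
    #                                       # (change requires restart)
    #huge_pages = try                       # on, off, or try
    #                                       # (change requires restart)
    #temp_buffers = 8MB                     # min 800kB
    #max_prepared_transactions = 0          # zero disables the feature
    #                                       # (change requires restart)
    # Caution: it is not advisable to set max_prepared_transactions nonzero unless
    # you actively intend to use prepared transactions.
    #work_mem = 4MB                         # min 64kB
    #hash_mem_multiplier = 1.0              # 1-1000.0 multiplier on hash table work_mem
    #maintenance_work_mem = 64MB            # min 1MB
    #autovacuum_work_mem = -1               # min 1MB, or -1 to use maintenance_work_mem
    #logical_decoding_work_mem = 64MB       # min 64kB
    #max_stack_depth = 2MB                  # min 100kB
    #shared_memory_type = mmap              # the default is the first option
    #                                       # supported by the operating system:
    #                                       #   mmap
    #                                       #   sysv
    #                                       #   windows
    #                                       # (change requires restart)
    dynamic_shared_memory_type: posix
    #                                       # supported by the operating system:
    #                                       #   posix
    #                                       #   sysv
    #                                       #   windows
    #                                       #   mmap
    #                                       # (change requires restart)

    # - Disk -

    #temp_file_limit = -1                   # limits per-process temp file space
    #                                       # in kilobytes, or -1 for no limit

    # - Kernel Resources -

    #max_files_per_process = 1000           # min 64
    #                                       # (change requires restart)

    # - Cost-Based Vacuum Delay -

    #vacuum_cost_delay = 0                  # 0-100 milliseconds (0 disables)
    #vacuum_cost_page_hit = 1               # 0-10000 credits
    #vacuum_cost_page_miss = 10             # 0-10000 credits
    #vacuum_cost_page_dirty = 20            # 0-10000 credits
    #vacuum_cost_limit = 200                # 1-10000 credits

    # - Background Writer -

    #bgwriter_delay = 200ms                 # 10-10000ms between rounds
    #bgwriter_lru_maxpages = 100            # max buffers written/round, 0 disables
    #bgwriter_lru_multiplier = 2.0          # 0-10.0 multiplier on buffers scanned/round
    #bgwriter_flush_after = 0               # measured in pages, 0 disables

    # - Asynchronous Behavior -

    #effective_io_concurrency = 0           # 1-1000; 0 disables prefetching
    #maintenance_io_concurrency = 10        # 1-1000; 0 disables prefetching
    #max_worker_processes = 8               # (change requires restart)
    #max_parallel_maintenance_workers = 2   # taken from max_parallel_workers
    #max_parallel_workers_per_gather = 2    # taken from max_parallel_workers
    #parallel_leader_participation = on
    #max_parallel_workers = 8               # maximum number of max_worker_processes that
    #                                       # can be used in parallel operations
    #old_snapshot_threshold = -1            # 1min-60d; -1 disables; 0 is immediate
    #                                       # (change requires restart)
    #backend_flush_after = 0                # measured in pages, 0 disables


    #------------------------------------------------------------------------------
    # WRITE-AHEAD LOG
    #------------------------------------------------------------------------------

    # - Settings -

    #wal_level = replica                    # minimal, replica, or logical
    #                                       # (change requires restart)
    #fsync = on                             # flush data to disk for crash safety
    #                                       # (turning this off can cause
    #                                       # unrecoverable data corruption)
    #synchronous_commit = on                # synchronization level;
    #                                       # off, local, remote_write, remote_apply, or on
    #wal_sync_method = fsync                # the default is the first option
    #                                       # supported by the operating system:
    #                                       #   open_datasync
    #                                       #   fdatasync (default on Linux)
    #                                       #   fsync
    #                                       #   fsync_writethrough
    #                                       #   open_sync
    # Disabling full-page writes is only crash-safe on a filesystem that
    # writes pages atomically (presumably ZFS here, see recordsize above).
    # On any other filesystem this risks torn-page corruption after a
    # crash, so revisit this if the data directory moves. Quoted so YAML
    # keeps the string "off" instead of turning it into a boolean.
    full_page_writes: "off"
    #wal_compression = off                  # enable compression of full-page writes
    #wal_log_hints = off                    # also do full page writes of non-critical updates
    #                                       # (change requires restart)
    #wal_init_zero = on                     # zero-fill new WAL files
    #wal_recycle = on                       # recycle WAL files
    #wal_buffers = -1                       # min 32kB, -1 sets based on shared_buffers
    #                                       # (change requires restart)
    #wal_writer_delay = 200ms               # 1-10000 milliseconds
    #wal_writer_flush_after = 1MB           # measured in pages, 0 disables
    #wal_skip_threshold = 2MB

    #commit_delay = 0                       # range 0-100000, in microseconds
    #commit_siblings = 5                    # range 1-1000

    # - Checkpoints -

    #checkpoint_timeout = 5min              # range 30s-1d
    max_wal_size: 1GB
    min_wal_size: 80MB
    #checkpoint_completion_target = 0.5     # checkpoint target duration, 0.0 - 1.0
    #checkpoint_flush_after = 0             # measured in pages, 0 disables
    #checkpoint_warning = 30s               # 0 disables

    # - Archiving -

    #archive_mode = off             # enables archiving; off, on, or always
    #                               # (change requires restart)
    #archive_command = ''           # command to use to archive a logfile segment
    #                               # placeholders: %p = path of file to archive
    #                               #               %f = file name only
    #                               # e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
    #archive_timeout = 0            # force a logfile segment switch after this
    #                               # number of seconds; 0 disables

    # - Archive Recovery -

    # These are only used in recovery mode.

    #restore_command = ''           # command to use to restore an archived logfile segment
    #                               # placeholders: %p = path of file to restore
    #                               #               %f = file name only
    #                               # e.g. 'cp /mnt/server/archivedir/%f %p'
    #                               # (change requires restart)
    #archive_cleanup_command = ''   # command to execute at every restartpoint
    #recovery_end_command = ''      # command to execute at completion of recovery

    # - Recovery Target -

    # Set these only when performing a targeted recovery.

    #recovery_target = ''           # 'immediate' to end recovery as soon as a
    #                               # consistent state is reached
    #                               # (change requires restart)
    #recovery_target_name = ''      # the named restore point to which recovery will proceed
    #                               # (change requires restart)
    #recovery_target_time = ''      # the time stamp up to which recovery will proceed
    #                               # (change requires restart)
    #recovery_target_xid = ''       # the transaction ID up to which recovery will proceed
    #                               # (change requires restart)
    #recovery_target_lsn = ''       # the WAL LSN up to which recovery will proceed
    #                               # (change requires restart)
    #recovery_target_inclusive = on # Specifies whether to stop:
    #                               # just after the specified recovery target (on)
    #                               # just before the recovery target (off)
    #                               # (change requires restart)
    #recovery_target_timeline = 'latest'    # 'current', 'latest', or timeline ID
    #                               # (change requires restart)
    #recovery_target_action = 'pause'       # 'pause', 'promote', 'shutdown'
    #                               # (change requires restart)


    #------------------------------------------------------------------------------
    # REPLICATION
    #------------------------------------------------------------------------------

    # - Sending Servers -

    # Set these on the master and on any standby that will send replication data.

    #max_wal_senders = 10           # max number of walsender processes
    #                               # (change requires restart)
    #wal_keep_size = 0              # in megabytes; 0 disables
    #max_slot_wal_keep_size = -1    # in megabytes; -1 disables
    #wal_sender_timeout = 60s       # in milliseconds; 0 disables

    #max_replication_slots = 10     # max number of replication slots
    #                               # (change requires restart)
    #track_commit_timestamp = off   # collect timestamp of transaction commit
    #                               # (change requires restart)

    # - Master Server -

    # These settings are ignored on a standby server.

    #synchronous_standby_names = '' # standby servers that provide sync rep
    #                               # method to choose sync standbys, number of sync standbys,
    #                               # and comma-separated list of application_name
    #                               # from standby(s); '*' = all
    #vacuum_defer_cleanup_age = 0   # number of xacts by which cleanup is delayed

    # - Standby Servers -

    # These settings are ignored on a master server.

    #primary_conninfo = ''                  # connection string to sending server
    #primary_slot_name = ''                 # replication slot on sending server
    #promote_trigger_file = ''              # file name whose presence ends recovery
    #hot_standby = on                       # "off" disallows queries during recovery
    #                                       # (change requires restart)
    #max_standby_archive_delay = 30s        # max delay before canceling queries
    #                                       # when reading WAL from archive;
    #                                       # -1 allows indefinite delay
    #max_standby_streaming_delay = 30s      # max delay before canceling queries
    #                                       # when reading streaming WAL;
    #                                       # -1 allows indefinite delay
    #wal_receiver_create_temp_slot = off    # create temp slot if primary_slot_name
    #                                       # is not set
    #wal_receiver_status_interval = 10s     # send replies at least this often
    #                                       # 0 disables
    #hot_standby_feedback = off             # send info from standby to prevent
    #                                       # query conflicts
    #wal_receiver_timeout = 60s             # time that receiver waits for
    #                                       # communication from master
    #                                       # in milliseconds; 0 disables
    #wal_retrieve_retry_interval = 5s       # time to wait before retrying to
    #                                       # retrieve WAL after a failed attempt
    #recovery_min_apply_delay = 0           # minimum delay for applying changes during recovery

    # - Subscribers -

    # These settings are ignored on a publisher.

    #max_logical_replication_workers = 4    # taken from max_worker_processes
    #                                       # (change requires restart)
    #max_sync_workers_per_subscription = 2  # taken from max_logical_replication_workers


    #------------------------------------------------------------------------------
    # QUERY TUNING
    #------------------------------------------------------------------------------

    # - Planner Method Configuration -

    #enable_bitmapscan = on
    #enable_hashagg = on
    #enable_hashjoin = on
    #enable_indexscan = on
    #enable_indexonlyscan = on
    #enable_material = on
    #enable_mergejoin = on
    #enable_nestloop = on
    #enable_parallel_append = on
    #enable_seqscan = on
    #enable_sort = on
    #enable_incremental_sort = on
    #enable_tidscan = on
    #enable_partitionwise_join = off
    #enable_partitionwise_aggregate = off
    #enable_parallel_hash = on
    #enable_partition_pruning = on

    # - Planner Cost Constants -

    #seq_page_cost = 1.0                    # measured on an arbitrary scale
    #random_page_cost = 4.0                 # same scale as above
    #cpu_tuple_cost = 0.01                  # same scale as above
    #cpu_index_tuple_cost = 0.005           # same scale as above
    #cpu_operator_cost = 0.0025             # same scale as above
    #parallel_tuple_cost = 0.1              # same scale as above
    #parallel_setup_cost = 1000.0           # same scale as above

    #jit_above_cost = 100000                # perform JIT compilation if available
    #                                       # and query more expensive than this;
    #                                       # -1 disables
    #jit_inline_above_cost = 500000         # inline small functions if query is
    #                                       # more expensive than this; -1 disables
    #jit_optimize_above_cost = 500000       # use expensive JIT optimizations if
    #                                       # query is more expensive than this;
    #                                       # -1 disables

    #min_parallel_table_scan_size = 8MB
    #min_parallel_index_scan_size = 512kB
    #effective_cache_size = 4GB

    # - Genetic Query Optimizer -

    #geqo = on
    #geqo_threshold = 12
    #geqo_effort = 5                        # range 1-10
    #geqo_pool_size = 0                     # selects default based on effort
    #geqo_generations = 0                   # selects default based on effort
    #geqo_selection_bias = 2.0              # range 1.5-2.0
    #geqo_seed = 0.0                        # range 0.0-1.0

    # - Other Planner Options -

    #default_statistics_target = 100        # range 1-10000
    #constraint_exclusion = partition       # on, off, or partition
    #cursor_tuple_fraction = 0.1            # range 0.0-1.0
    #from_collapse_limit = 8
    #join_collapse_limit = 8                # 1 disables collapsing of explicit
    #                                       # JOIN clauses
    #force_parallel_mode = off
    #jit = on                               # allow JIT compilation
    #plan_cache_mode = auto                 # auto, force_generic_plan or
    #                                       # force_custom_plan


    #------------------------------------------------------------------------------
    # REPORTING AND LOGGING
    #------------------------------------------------------------------------------

    # - Where to Log -

    #log_destination = 'stderr'             # Valid values are combinations of
    #                                       # stderr, csvlog, syslog, and eventlog,
    #                                       # depending on platform.  csvlog
    #                                       # requires logging_collector to be on.

    # This is used when logging to stderr:
    #logging_collector = off                # Enable capturing of stderr and csvlog
    #                                       # into log files. Required to be on for
    #                                       # csvlogs.
    #                                       # (change requires restart)

    # These are only used if logging_collector is on:
    #log_directory = 'log'                  # directory where log files are written,
    #                                       # can be absolute or relative to PGDATA
    #log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'        # log file name pattern,
    #                                       # can include strftime() escapes
    #log_file_mode = 0600                   # creation mode for log files,
    #                                       # begin with 0 to use octal notation
    #log_truncate_on_rotation = off         # If on, an existing log file with the
    #                                       # same name as the new log file will be
    #                                       # truncated rather than appended to.
    #                                       # But such truncation only occurs on
    #                                       # time-driven rotation, not on restarts
    #                                       # or size-driven rotation.  Default is
    #                                       # off, meaning append to existing files
    #                                       # in all cases.
    #log_rotation_age = 1d                  # Automatic rotation of logfiles will
    #                                       # happen after that time.  0 disables.
    #log_rotation_size = 10MB               # Automatic rotation of logfiles will
    #                                       # happen after that much log output.
    #                                       # 0 disables.

    # These are relevant when logging to syslog:
    #syslog_facility = 'LOCAL0'
    #syslog_ident = 'postgres'
    #syslog_sequence_numbers = on
    #syslog_split_messages = on

    # This is only relevant when logging to eventlog (win32):
    # (change requires restart)
    #event_source = 'PostgreSQL'

    # - When to Log -

    #log_min_messages = warning             # values in order of decreasing detail:
    #                                       #   debug5
    #                                       #   debug4
    #                                       #   debug3
    #                                       #   debug2
    #                                       #   debug1
    #                                       #   info
    #                                       #   notice
    #                                       #   warning
    #                                       #   error
    #                                       #   log
    #                                       #   fatal
    #                                       #   panic

    #log_min_error_statement = error        # values in order of decreasing detail:
    #                                       #   debug5
    #                                       #   debug4
    #                                       #   debug3
    #                                       #   debug2
    #                                       #   debug1
    #                                       #   info
    #                                       #   notice
    #                                       #   warning
    #                                       #   error
    #                                       #   log
    #                                       #   fatal
    #                                       #   panic (effectively off)

    #log_min_duration_statement = -1        # -1 is disabled, 0 logs all statements
    #                                       # and their durations, > 0 logs only
    #                                       # statements running at least this number
    #                                       # of milliseconds

    #log_min_duration_sample = -1           # -1 is disabled, 0 logs a sample of statements
    #                                       # and their durations, > 0 logs only a sample of
    #                                       # statements running at least this number
    #                                       # of milliseconds;
    #                                       # sample fraction is determined by log_statement_sample_rate

    #log_statement_sample_rate = 1.0        # fraction of logged statements exceeding
    #                                       # log_min_duration_sample to be logged;
    #                                       # 1.0 logs all such statements, 0.0 never logs


    #log_transaction_sample_rate = 0.0      # fraction of transactions whose statements
    #                                       # are logged regardless of their duration; 1.0 logs all
    #                                       # statements from all transactions, 0.0 never logs

    # - What to Log -

    #debug_print_parse = off
    #debug_print_rewritten = off
    #debug_print_plan = off
    #debug_pretty_print = on
    #log_checkpoints = off
    #log_connections = off
    #log_disconnections = off
    #log_duration = off
    #log_error_verbosity = default          # terse, default, or verbose messages
    #log_hostname = off
    #log_line_prefix = '%m [%p] '           # special values:
    #                                       #   %a = application name
    #                                       #   %u = user name
    #                                       #   %d = database name
    #                                       #   %r = remote host and port
    #                                       #   %h = remote host
    #                                       #   %b = backend type
    #                                       #   %p = process ID
    #                                       #   %t = timestamp without milliseconds
    #                                       #   %m = timestamp with milliseconds
    #                                       #   %n = timestamp with milliseconds (as a Unix epoch)
    #                                       #   %i = command tag
    #                                       #   %e = SQL state
    #                                       #   %c = session ID
    #                                       #   %l = session line number
    #                                       #   %s = session start timestamp
    #                                       #   %v = virtual transaction ID
    #                                       #   %x = transaction ID (0 if none)
    #                                       #   %q = stop here in non-session
    #                                       #        processes
    #                                       #   %% = '%'
    #                                       # e.g. '<%u%%%d> '
    #log_lock_waits = off                   # log lock waits >= deadlock_timeout
    #log_parameter_max_length = -1          # when logging statements, limit logged
    #                                       # bind-parameter values to N bytes;
    #                                       # -1 means print in full, 0 disables
    #log_parameter_max_length_on_error = 0  # when logging an error, limit logged
    #                                       # bind-parameter values to N bytes;
    #                                       # -1 means print in full, 0 disables
    #log_statement = 'none'                 # none, ddl, mod, all
    #log_replication_commands = off
    #log_temp_files = -1                    # log temporary files equal or larger
    #                                       # than the specified size in kilobytes;
    #                                       # -1 disables, 0 logs all temp files
    # Quoted the same way as `timezone` below so both render identically;
    # the previous 'UTC' (YAML single quotes) produced a bare UTC in the
    # rendered file while timezone produced a quoted one.
    log_timezone: "'UTC'"

    #------------------------------------------------------------------------------
    # PROCESS TITLE
    #------------------------------------------------------------------------------

    #cluster_name = ''                      # added to process titles if nonempty
    #                                       # (change requires restart)
    #update_process_title = on


    #------------------------------------------------------------------------------
    # STATISTICS
    #------------------------------------------------------------------------------

    # - Query and Index Statistics Collector -

    #track_activities = on
    #track_counts = on
    #track_io_timing = off
    #track_functions = none                 # none, pl, all
    #track_activity_query_size = 1024       # (change requires restart)
    #stats_temp_directory = 'pg_stat_tmp'


    # - Monitoring -

    #log_parser_stats = off
    #log_planner_stats = off
    #log_executor_stats = off
    #log_statement_stats = off


    #------------------------------------------------------------------------------
    # AUTOVACUUM
    #------------------------------------------------------------------------------

    #autovacuum = on                        # Enable autovacuum subprocess?  'on'
    #                                       # requires track_counts to also be on.
    #log_autovacuum_min_duration = -1       # -1 disables, 0 logs all actions and
    #                                       # their durations, > 0 logs only
    #                                       # actions running at least this number
    #                                       # of milliseconds.
    #autovacuum_max_workers = 3             # max number of autovacuum subprocesses
    #                                       # (change requires restart)
    #autovacuum_naptime = 1min              # time between autovacuum runs
    #autovacuum_vacuum_threshold = 50       # min number of row updates before
    #                                       # vacuum
    #autovacuum_vacuum_insert_threshold = 1000      # min number of row inserts
    #                                       # before vacuum; -1 disables insert
    #                                       # vacuums
    #autovacuum_analyze_threshold = 50      # min number of row updates before
    #                                       # analyze
    #autovacuum_vacuum_scale_factor = 0.2   # fraction of table size before vacuum
    #autovacuum_vacuum_insert_scale_factor = 0.2    # fraction of inserts over table
    #                                       # size before insert vacuum
    #autovacuum_analyze_scale_factor = 0.1  # fraction of table size before analyze
    #autovacuum_freeze_max_age = 200000000  # maximum XID age before forced vacuum
    #                                       # (change requires restart)
    #autovacuum_multixact_freeze_max_age = 400000000        # maximum multixact age
    #                                       # before forced vacuum
    #                                       # (change requires restart)
    #autovacuum_vacuum_cost_delay = 2ms     # default vacuum cost delay for
    #                                       # autovacuum, in milliseconds;
    #                                       # -1 means use vacuum_cost_delay
    #autovacuum_vacuum_cost_limit = -1      # default vacuum cost limit for
    #                                       # autovacuum, -1 means use
    #                                       # vacuum_cost_limit


    #------------------------------------------------------------------------------
    # CLIENT CONNECTION DEFAULTS
    #------------------------------------------------------------------------------

    # - Statement Behavior -

    #client_min_messages = notice           # values in order of decreasing detail:
    #                                       #   debug5
    #                                       #   debug4
    #                                       #   debug3
    #                                       #   debug2
    #                                       #   debug1
    #                                       #   log
    #                                       #   notice
    #                                       #   warning
    #                                       #   error
    #search_path = '"$user", public'        # schema names
    #row_security = on
    #default_tablespace = ''                # a tablespace name, '' uses the default
    #temp_tablespaces = ''                  # a list of tablespace names, '' uses
    #                                       # only default tablespace
    #default_table_access_method = 'heap'
    #check_function_bodies = on
    #default_transaction_isolation = 'read committed'
    #default_transaction_read_only = off
    #default_transaction_deferrable = off
    #session_replication_role = 'origin'
    #statement_timeout = 0                  # in milliseconds, 0 is disabled
    #lock_timeout = 0                       # in milliseconds, 0 is disabled
    #idle_in_transaction_session_timeout = 0        # in milliseconds, 0 is disabled
    #vacuum_freeze_min_age = 50000000
    #vacuum_freeze_table_age = 150000000
    #vacuum_multixact_freeze_min_age = 5000000
    #vacuum_multixact_freeze_table_age = 150000000
    #vacuum_cleanup_index_scale_factor = 0.1        # fraction of total number of tuples
    #                                       # before index cleanup, 0 always performs
    #                                       # index cleanup
    #bytea_output = 'hex'                   # hex, escape
    #xmlbinary = 'base64'
    #xmloption = 'content'
    #gin_fuzzy_search_limit = 0
    #gin_pending_list_limit = 4MB

    # - Locale and Formatting -

    datestyle: "'iso, mdy'"
    #intervalstyle = 'postgres'
    timezone: "'UTC'"
    #timezone_abbreviations = 'Default'     # Select the set of available time zone
    #                                       # abbreviations.  Currently, there are
    #                                       #   Default
    #                                       #   Australia (historical usage)
    #                                       #   India
    #                                       # You can create your own file in
    #                                       # share/timezonesets/.
    #extra_float_digits = 1                 # min -15, max 3; any value >0 actually
    #                                       # selects precise output mode
    #client_encoding = sql_ascii            # actually, defaults to database
    #                                       # encoding

    # These settings are initialized by initdb, but they can be changed.
    lc_messages: "'en_US.UTF-8'"
    lc_monetary: "'en_US.UTF-8'"
    lc_numeric: "'en_US.UTF-8'"
    lc_time: "'en_US.UTF-8'"

    # default configuration for text search
    default_text_search_config: "'pg_catalog.english'"

    # - Shared Library Preloading -

    #shared_preload_libraries = ''          # (change requires restart)
    #local_preload_libraries = ''
    #session_preload_libraries = ''
    #jit_provider = 'llvmjit'               # JIT library to use

    # - Other Defaults -

    #dynamic_library_path = '$libdir'


    #------------------------------------------------------------------------------
    # LOCK MANAGEMENT
    #------------------------------------------------------------------------------

    #deadlock_timeout = 1s
    #max_locks_per_transaction = 64         # min 10
    #                                       # (change requires restart)
    #max_pred_locks_per_transaction = 64    # min 10
    #                                       # (change requires restart)
    #max_pred_locks_per_relation = -2       # negative values mean
    #                                       # (max_pred_locks_per_transaction
    #                                       #  / -max_pred_locks_per_relation) - 1
    #max_pred_locks_per_page = 2            # min 0


    #------------------------------------------------------------------------------
    # VERSION AND PLATFORM COMPATIBILITY
    #------------------------------------------------------------------------------

    # - Previous PostgreSQL Versions -

    #array_nulls = on
    #backslash_quote = safe_encoding        # on, off, or safe_encoding
    #escape_string_warning = on
    #lo_compat_privileges = off
    #operator_precedence_warning = off
    #quote_all_identifiers = off
    #standard_conforming_strings = on
    #synchronize_seqscans = on

    # - Other Platforms and Clients -

    #transform_null_equals = off


    #------------------------------------------------------------------------------
    # ERROR HANDLING
    #------------------------------------------------------------------------------

    #exit_on_error = off                    # terminate session on any error?
    #restart_after_crash = on               # reinitialize after backend crash?
    #data_sync_retry = off                  # retry or panic on failure to fsync
    #                                       # data?
    #                                       # (change requires restart)

  # pg_hba.conf rows, first match wins. Only `local` (unix-socket) rows are
  # defined, so no TCP client is accepted at all until a `host` row is
  # added; when one is, keep it to scram-sha-256 and the narrowest address
  # range that works -- never `trust`.
  hba:
    # OS users listed in the postgres-user ident map may connect as the
    # postgres superuser without a password.
    - type: local
      database: all
      user: postgres
      method: peer
      options: map=postgres-user
    # Everyone else authenticates with a SCRAM password over the socket;
    # this is why config.password_encryption above must be scram-sha-256.
    - type: local
      database: all
      user: all
      method: scram-sha-256
  # pg_ident.conf rows: OS account -> database role, per map name.
  # Both root and postgres get passwordless superuser access. root could
  # reach the postgres account anyway, so this adds no privilege, but it
  # does mean any process running as root has superuser access to every
  # database; keep that in mind when adding root-owned services.
  ident:
    - mapname: postgres-user
      system_username: root
      postgres_username: postgres
    - mapname: postgres-user
      system_username: postgres
      postgres_username: postgres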
--------------------------------------------------------------------------------
/roles/dhcpdns/templates/unbound.conf:
--------------------------------------------------------------------------------
1 | {{ configuration_header }}
2 | # See unbound.conf(5) man page, version 1.10.0.
3 |
4 | server:
5 | # verbosity number, 0 is least verbose. 1 is default.
6 | verbosity: 1
7 |
8 | # print statistics to the log (for every thread) every N seconds.
9 | # Set to "" or 0 to disable. Default is disabled.
10 | # statistics-interval: 0
11 |
12 | # enable shm for stats, default no. if you enable also enable
13 | # statistics-interval, every time it also writes stats to the
14 | # shared memory segment keyed with shm-key.
15 | # shm-enable: no
16 |
17 | # shm for stats uses this key, and key+1 for the shared mem segment.
18 | # shm-key: 11777
19 |
20 | # enable cumulative statistics, without clearing them after printing.
21 | # statistics-cumulative: no
22 |
23 | # enable extended statistics (query types, answer codes, status)
24 | # printed from unbound-control. default off, because of speed.
25 | # extended-statistics: no
26 |
27 | # number of threads to create. 1 disables threading.
28 | # num-threads: 1
29 |
30 | # specify the interfaces to answer queries from by ip-address.
31 | # The default is to listen to localhost (127.0.0.1 and ::1).
32 | # specify 0.0.0.0 and ::0 to bind to all available interfaces.
33 | # specify every interface[@port] on a new 'interface:' labelled line.
34 | # The listen interfaces are not changed on reload, only on restart.
35 | # interface: 192.0.2.153
36 | # interface: 192.0.2.154
37 | # interface: 192.0.2.154@5003
38 | # interface: 2001:DB8::5
39 |
40 | # enable this feature to copy the source address of queries to reply.
41 | # Socket options are not supported on all platforms. experimental.
42 | # interface-automatic: no
43 |
44 | # port to answer queries from
45 | # port: 53
46 |
47 | # specify the interfaces to send outgoing queries to authoritative
48 | # server from by ip-address. If none, the default (all) interface
49 | # is used. Specify every interface on a 'outgoing-interface:' line.
50 | # outgoing-interface: 192.0.2.153
51 | # outgoing-interface: 2001:DB8::5
52 | # outgoing-interface: 2001:DB8::6
53 |
54 | # Specify a netblock to use remainder 64 bits as random bits for
55 | # upstream queries. Uses freebind option (Linux).
56 | # outgoing-interface: 2001:DB8::/64
57 | # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
58 | # And: ip -6 route add local 2001:db8::/64 dev lo
59 | # And set prefer-ip6: yes to use the ip6 randomness from a netblock.
60 | # Set this to yes to prefer ipv6 upstream servers over ipv4.
61 | # prefer-ip6: no
62 |
63 | # number of ports to allocate per thread, determines the size of the
64 | # port range that can be open simultaneously. About double the
65 | # num-queries-per-thread, or, use as many as the OS will allow you.
66 | # outgoing-range: 4096
67 |
68 | # permit unbound to use this port number or port range for
69 | # making outgoing queries, using an outgoing interface.
70 | # outgoing-port-permit: 32768
71 |
72 | # deny unbound the use of this port number or port range for
73 | # making outgoing queries, using an outgoing interface.
74 | # Use this to make sure unbound does not grab a UDP port that some
75 | # other server on this computer needs. The default is to avoid
76 | # IANA-assigned port numbers.
77 | # If multiple outgoing-port-permit and outgoing-port-avoid options
78 | # are present, they are processed in order.
79 | # outgoing-port-avoid: "3200-3208"
80 |
81 | # number of outgoing simultaneous tcp buffers to hold per thread.
82 | # outgoing-num-tcp: 10
83 |
84 | # number of incoming simultaneous tcp buffers to hold per thread.
85 | # incoming-num-tcp: 10
86 |
87 | # buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
88 | # 0 is system default. Use 4m to catch query spikes for busy servers.
89 | # so-rcvbuf: 0
90 |
91 | # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
92 | # 0 is system default. Use 4m to handle spikes on very busy servers.
93 | # so-sndbuf: 0
94 |
95 | # use SO_REUSEPORT to distribute queries over threads.
96 | # at extreme load it could be better to turn it off to distribute even.
97 | # so-reuseport: yes
98 |
99 | # use IP_TRANSPARENT so the interface: addresses can be non-local
100 | # and you can config non-existing IPs that are going to work later on
101 | # (uses IP_BINDANY on FreeBSD).
102 | # ip-transparent: no
103 |
104 | # use IP_FREEBIND so the interface: addresses can be non-local
105 | # and you can bind to nonexisting IPs and interfaces that are down.
106 | # Linux only. On Linux you also have ip-transparent that is similar.
107 | # ip-freebind: no
108 |
109 | # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
110 | # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
111 | # edns-buffer-size: 4096
112 |
113 | # Maximum UDP response size (not applied to TCP response).
114 | # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
115 | # max-udp-size: 4096
116 |
117 | # max memory to use for stream(tcp and tls) waiting result buffers.
118 | # stream-wait-size: 4m
119 |
120 | # buffer size for handling DNS data. No messages larger than this
121 | # size can be sent or received, by UDP or TCP. In bytes.
122 | # msg-buffer-size: 65552
123 |
124 | # the amount of memory to use for the message cache.
125 | # plain value in bytes or you can append k, m or G. default is "4Mb".
126 | # msg-cache-size: 4m
127 |
128 | # the number of slabs to use for the message cache.
129 | # the number of slabs must be a power of 2.
130 | # more slabs reduce lock contention, but fragment memory usage.
131 | # msg-cache-slabs: 4
132 |
133 | # the number of queries that a thread gets to service.
134 | # num-queries-per-thread: 1024
135 |
136 | # if very busy, 50% of queries run to completion, 50% get timeout in msec
137 | # jostle-timeout: 200
138 |
139 | # msec to wait before close of port on timeout UDP. 0 disables.
140 | # delay-close: 0
141 |
142 | # msec for waiting for an unknown server to reply. Increase if you
143 | # are behind a slow satellite link, to e.g. 1128.
144 | # unknown-server-time-limit: 376
145 |
146 | # the amount of memory to use for the RRset cache.
147 | # plain value in bytes or you can append k, m or G. default is "4Mb".
148 | # rrset-cache-size: 4m
149 |
150 | # the number of slabs to use for the RRset cache.
151 | # the number of slabs must be a power of 2.
152 | # more slabs reduce lock contention, but fragment memory usage.
153 | # rrset-cache-slabs: 4
154 |
155 | # the time to live (TTL) value lower bound, in seconds. Default 0.
156 | # If more than an hour, it could easily give trouble due to stale data.
157 | # cache-min-ttl: 0
158 |
159 | # the time to live (TTL) value cap for RRsets and messages in the
160 | # cache. Items are not cached for longer. In seconds.
161 | # cache-max-ttl: 86400
162 |
163 | # the time to live (TTL) value cap for negative responses in the cache
164 | # cache-max-negative-ttl: 3600
165 |
166 | # the time to live (TTL) value for cached roundtrip times, lameness and
167 | # EDNS version information for hosts. In seconds.
168 | # infra-host-ttl: 900
169 |
170 | # minimum wait time for responses, increase if uplink is long. In msec.
171 | # infra-cache-min-rtt: 50
172 |
173 | # the number of slabs to use for the Infrastructure cache.
174 | # the number of slabs must be a power of 2.
175 | # more slabs reduce lock contention, but fragment memory usage.
176 | # infra-cache-slabs: 4
177 |
178 | # the maximum number of hosts that are cached (roundtrip, EDNS, lame).
179 | # infra-cache-numhosts: 10000
180 |
181 | # define a number of tags here, use with local-zone, access-control.
182 | # repeat the define-tag statement to add additional tags.
183 | # define-tag: "tag1 tag2 tag3"
184 |
185 | # Enable IPv4, "yes" or "no".
186 | # do-ip4: yes
187 |
188 | # Enable IPv6, "yes" or "no".
189 | # do-ip6: yes
190 |
191 | # Enable UDP, "yes" or "no".
192 | # do-udp: yes
193 |
194 | # Enable TCP, "yes" or "no".
195 | # do-tcp: yes
196 |
197 | # upstream connections use TCP only (and no UDP), "yes" or "no"
198 | # useful for tunneling scenarios, default no.
199 | # tcp-upstream: no
200 |
201 | # upstream connections also use UDP (even if do-udp is no).
202 | # useful if you want UDP upstream, but don't provide UDP downstream.
203 | # udp-upstream-without-downstream: no
204 |
205 | # Maximum segment size (MSS) of TCP socket on which the server
206 | # responds to queries. Default is 0, system default MSS.
207 | # tcp-mss: 0
208 |
209 | # Maximum segment size (MSS) of TCP socket for outgoing queries.
210 | # Default is 0, system default MSS.
211 | # outgoing-tcp-mss: 0
212 |
213 | # Idle TCP timeout, connection closed in milliseconds
214 | # tcp-idle-timeout: 30000
215 |
216 | # Enable EDNS TCP keepalive option.
217 | # edns-tcp-keepalive: no
218 |
219 | # Timeout for EDNS TCP keepalive, in msec.
220 | # edns-tcp-keepalive-timeout: 120000
221 |
222 | # Use systemd socket activation for UDP, TCP, and control sockets.
223 | # use-systemd: no
224 |
225 | # Detach from the terminal, run in background, "yes" or "no".
226 | # Set the value to "no" when unbound runs as systemd service.
227 | # do-daemonize: yes
228 |
229 | # control which clients are allowed to make (recursive) queries
230 | # to this server. Specify classless netblocks with /size and action.
231 | # By default everything is refused, except for localhost.
232 | # Choose deny (drop message), refuse (polite error reply),
233 | # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
234 | # allow_snoop (recursive and nonrecursive ok)
235 | # deny_non_local (drop queries unless can be answered from local-data)
236 | # refuse_non_local (like deny_non_local but polite error reply).
237 | # access-control: 0.0.0.0/0 refuse
238 | # access-control: 127.0.0.0/8 allow
239 | # access-control: ::0/0 refuse
240 | # access-control: ::1 allow
241 | # access-control: ::ffff:127.0.0.1 allow
242 |
243 | # tag access-control with a list of tags (in "" with spaces between)
244 | # Clients using this access control element use localzones that
245 | # are tagged with one of these tags.
246 | # access-control-tag: 192.0.2.0/24 "tag2 tag3"
247 |
248 | # set action for particular tag for given access control element
249 | # if you have multiple tag values, the tag used to lookup the action
250 | # is the first tag match between access-control-tag and local-zone-tag
251 | # where "first" comes from the order of the define-tag values.
252 | # access-control-tag-action: 192.0.2.0/24 tag3 refuse
253 |
254 | # set redirect data for particular tag for access control element
255 | # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
256 |
257 | # Set view for access control element
258 | # access-control-view: 192.0.2.0/24 viewname
259 |
260 | # if given, a chroot(2) is done to the given directory.
261 | # i.e. you can chroot to the working directory, for example,
262 | # for extra security, but make sure all files are in that directory.
263 | #
264 | # If chroot is enabled, you should pass the configfile (from the
265 | # commandline) as a full path from the original root. After the
266 | # chroot has been performed the now defunct portion of the config
267 | # file path is removed to be able to reread the config after a reload.
268 | #
269 | # All other file paths (working dir, logfile, roothints, and
270 | # key files) can be specified in several ways:
271 | # o as an absolute path relative to the new root.
272 | # o as a relative path to the working directory.
273 | # o as an absolute path relative to the original root.
274 | # In the last case the path is adjusted to remove the unused portion.
275 | #
276 | # The pid file can be absolute and outside of the chroot, it is
277 | # written just prior to performing the chroot and dropping permissions.
278 | #
279 | # Additionally, unbound may need to access /dev/urandom (for entropy).
280 | # How to do this is specific to your OS.
281 | #
282 | # If you give "" no chroot is performed. The path must not end in a /.
283 | # chroot: "/opt/local/etc/unbound"
284 |
285 | # if given, user privileges are dropped (after binding port),
286 | # and the given username is assumed. Default is user "unbound".
287 | # If you give "" no privileges are dropped.
288 | # username: "unbound"
289 |
290 | # the working directory. The relative files in this config are
291 | # relative to this directory. If you give "" the working directory
292 | # is not changed.
293 | # If you give a server: directory: dir before include: file statements
294 | # then those includes can be relative to the working directory.
295 | # directory: "/opt/local/etc/unbound"
296 |
297 | # the log file, "" means log to stderr.
298 | # Use of this option sets use-syslog to "no".
299 | # logfile: ""
300 |
301 | # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
302 | # log to. If yes, it overrides the logfile.
303 | # use-syslog: yes
304 |
305 | # Log identity to report. If empty, defaults to the name of argv[0]
306 | # (usually "unbound").
307 | # log-identity: ""
308 |
309 | # print UTC timestamp in ascii to logfile, default is epoch in seconds.
310 | # log-time-ascii: no
311 |
312 | # print one line with time, IP, name, type, class for every query.
313 | # log-queries: no
314 |
315 | # print one line per reply, with time, IP, name, type, class, rcode,
316 | # timetoresolve, fromcache and responsesize.
317 | # log-replies: no
318 |
319 | # log with tag 'query' and 'reply' instead of 'info' for
320 | # filtering log-queries and log-replies from the log.
321 | # log-tag-queryreply: no
322 |
323 | # log the local-zone actions, as if local-zone type inform were enabled
324 | # also for the other local zone types.
325 | # log-local-actions: no
326 |
327 | # print log lines that say why queries return SERVFAIL to clients.
328 | # log-servfail: no
329 |
330 | # the pid file. Can be an absolute path outside of chroot/work dir.
331 | # pidfile: "/var/run/unbound/unbound.pid"
332 |
333 | # file to read root hints from.
334 | # get one from https://www.internic.net/domain/named.cache
335 | # root-hints: ""
336 |
337 | # enable to not answer id.server and hostname.bind queries.
338 | # hide-identity: no
339 |
340 | # enable to not answer version.server and version.bind queries.
341 | # hide-version: no
342 |
343 | # enable to not answer trustanchor.unbound queries.
344 | # hide-trustanchor: no
345 |
346 | # the identity to report. Leave "" or default to return hostname.
347 | # identity: ""
348 |
349 | # the version to report. Leave "" or default to return package version.
350 | # version: ""
351 |
352 | # the target fetch policy.
353 | # series of integers describing the policy per dependency depth.
354 | # The number of values in the list determines the maximum dependency
355 | # depth the recursor will pursue before giving up. Each integer means:
356 | # -1 : fetch all targets opportunistically,
357 | # 0: fetch on demand,
358 | # positive value: fetch that many targets opportunistically.
359 | # Enclose the list of numbers between quotes ("").
360 | # target-fetch-policy: "3 2 1 0 0"
361 |
362 | # Harden against very small EDNS buffer sizes.
363 | # harden-short-bufsize: no
364 |
365 | # Harden against unreasonably large queries.
366 | # harden-large-queries: no
367 |
368 | # Harden against out of zone rrsets, to avoid spoofing attempts.
369 | # harden-glue: yes
370 |
371 | # Harden against receiving dnssec-stripped data. If you turn it
372 | # off, failing to validate dnskey data for a trustanchor will
373 | # trigger insecure mode for that zone (like without a trustanchor).
374 | # Default on, which insists on dnssec data for trust-anchored zones.
375 | # harden-dnssec-stripped: yes
376 |
377 | # Harden against queries that fall under dnssec-signed nxdomain names.
378 | # harden-below-nxdomain: yes
379 |
380 | # Harden the referral path by performing additional queries for
381 | # infrastructure data. Validates the replies (if possible).
382 | # Default off, because the lookups burden the server. Experimental
383 | # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
384 | # harden-referral-path: no
385 |
386 | # Harden against algorithm downgrade when multiple algorithms are
387 | # advertised in the DS record. If no, allows the weakest algorithm
388 | # to validate the zone.
389 | # harden-algo-downgrade: no
390 |
391 | # Send the minimum amount of information to upstream servers to enhance
392 | # privacy. Only send the minimum required labels of the QNAME and set QTYPE
393 | # to A when possible.
394 | # qname-minimisation: yes
395 |
396 | # QNAME minimisation in strict mode. Do not fall back to sending the full
397 | # QNAME to potentially broken nameservers. A lot of domains will not be
398 | # resolvable when this option is enabled.
399 | # This option only has effect when qname-minimisation is enabled.
400 | # qname-minimisation-strict: no
401 |
402 | # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
403 | # and other denials, using information from previous NXDOMAINs answers.
404 | # aggressive-nsec: no
405 |
406 | # Use 0x20-encoded random bits in the query to foil spoof attempts.
407 | # This feature is an experimental implementation of draft dns-0x20.
408 | # use-caps-for-id: no
409 |
410 | # Domains (and domains in them) that do not support dns-0x20, where the
411 | # fallback fails because they keep sending different answers.
412 | # caps-whitelist: "licdn.com"
413 | # caps-whitelist: "senderbase.org"
414 |
415 | # Enforce privacy of these addresses. Strips them away from answers.
416 | # It may cause DNSSEC validation to additionally mark it as bogus.
417 | # Protects against 'DNS Rebinding' (uses browser as network proxy).
418 | # Only 'private-domain' and 'local-data' names are allowed to have
419 | # these private addresses. No default.
420 | # private-address: 10.0.0.0/8
421 | # private-address: 172.16.0.0/12
422 | # private-address: 192.168.0.0/16
423 | # private-address: 169.254.0.0/16
424 | # private-address: fd00::/8
425 | # private-address: fe80::/10
426 | # private-address: ::ffff:0:0/96
427 |
428 | # Allow the domain (and its subdomains) to contain private addresses.
429 | # local-data statements are allowed to contain private addresses too.
430 | # private-domain: "example.com"
431 |
432 | # If nonzero, unwanted replies are not only reported in statistics,
433 | # but also a running total is kept per thread. If it reaches the
434 | # threshold, a warning is printed and a defensive action is taken,
435 | # the cache is cleared to flush potential poison out of it.
436 | # A suggested value is 10000000, the default is 0 (turned off).
437 | # unwanted-reply-threshold: 0
438 |
439 | # Do not query the following addresses. No DNS queries are sent there.
440 | # List one address per entry. List classless netblocks with /size,
441 | # do-not-query-address: 127.0.0.1/8
442 | # do-not-query-address: ::1
443 |
444 | # if yes, the above default do-not-query-address entries are present.
445 | # if no, localhost can be queried (for testing and debugging).
446 | # do-not-query-localhost: yes
447 |
448 | # if yes, perform prefetching of almost expired message cache entries.
449 | # prefetch: no
450 |
451 | # if yes, perform key lookups adjacent to normal lookups.
452 | # prefetch-key: no
453 |
454 | # deny queries of type ANY with an empty response.
455 | # deny-any: no
456 |
457 | # if yes, Unbound rotates RRSet order in response.
458 | # rrset-roundrobin: no
459 |
460 | # if yes, Unbound doesn't insert authority/additional sections
461 | # into response messages when those sections are not required.
462 | # minimal-responses: yes
463 |
464 | # true to disable DNSSEC lameness check in iterator.
465 | # disable-dnssec-lame-check: no
466 |
467 | # module configuration of the server. A string with identifiers
468 | # separated by spaces. Syntax: "[dns64] [validator] iterator"
469 | # most modules have to be listed at the beginning of the line,
470 | # except cachedb(just before iterator), and python (at the beginning,
471 | # or, just before the iterator).
472 | # module-config: "validator iterator"
473 |
474 | # File with trusted keys, kept up to date using RFC5011 probes,
475 | # initial file like trust-anchor-file, then it stores metadata.
476 | # Use several entries, one per domain name, to track multiple zones.
477 | #
478 | # If you want to perform DNSSEC validation, run unbound-anchor before
479 | # you start unbound (i.e. in the system boot scripts). And enable:
480 | # Please note usage of unbound-anchor root anchor is at your own risk
481 | # and under the terms of our LICENSE (see that file in the source).
482 | # auto-trust-anchor-file: "/opt/local/etc/unbound/root.key"
483 |
484 | # trust anchor signaling sends a RFC8145 key tag query after priming.
485 | # trust-anchor-signaling: yes
486 |
487 | # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
488 | # root-key-sentinel: yes
489 |
490 | # File with DLV trusted keys. Same format as trust-anchor-file.
491 | # There can be only one DLV configured, it is trusted from root down.
492 | # DLV is going to be decommissioned. Please do not use it any more.
493 | # dlv-anchor-file: "dlv.isc.org.key"
494 |
495 | # File with trusted keys for validation. Specify more than one file
496 | # with several entries, one file per entry.
497 | # Zone file format, with DS and DNSKEY entries.
498 | # Note this gets out of date, use auto-trust-anchor-file please.
499 | # trust-anchor-file: ""
500 |
501 | # Trusted key for validation. DS or DNSKEY. specify the RR on a
502 | # single line, surrounded by "". TTL is ignored. class is IN default.
503 | # Note this gets out of date, use auto-trust-anchor-file please.
504 | # (These examples are from August 2007 and may not be valid anymore).
505 | # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
506 | # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
507 |
508 | # File with trusted keys for validation. Specify more than one file
509 | # with several entries, one file per entry. Like trust-anchor-file
510 | # but has a different file format. Format is BIND-9 style format,
511 | # the trusted-keys { name flag proto algo "key"; }; clauses are read.
512 | # you need external update procedures to track changes in keys.
513 | # trusted-keys-file: ""
514 |
515 | # Ignore chain of trust. Domain is treated as insecure.
516 | # domain-insecure: "example.com"
517 |
518 | # Override the date for validation with a specific fixed date.
519 | # Do not set this unless you are debugging signature inception
520 | # and expiration. "" or "0" turns the feature off. -1 ignores date.
521 | # val-override-date: ""
522 |
523 | # The time to live for bogus data, rrsets and messages. This avoids
524 | # some of the revalidation, until the time interval expires. in secs.
525 | # val-bogus-ttl: 60
526 |
527 | # The signature inception and expiration dates are allowed to be off
528 | # by 10% of the signature lifetime (expir-incep) from our local clock.
529 | # This leeway is capped with a minimum and a maximum. In seconds.
530 | # val-sig-skew-min: 3600
531 | # val-sig-skew-max: 86400
532 |
533 | # Should the additional section of a secure message also be kept clean of
534 | # insecure data. Useful to shield the users of this validator from
535 | # potential bogus data in the additional section. All unsigned data
536 | # in the additional section is removed from secure messages.
537 | # val-clean-additional: yes
538 |
539 | # Turn permissive mode on to permit bogus messages. Thus, messages
540 | # for which security checks failed will be returned to clients,
541 | # instead of SERVFAIL. It still performs the security checks, which
542 | # result in interesting log files and possibly the AD bit in
543 | # replies if the message is found secure. The default is off.
544 | # val-permissive-mode: no
545 |
546 | # Ignore the CD flag in incoming queries and refuse them bogus data.
547 | # Enable it if the only clients of unbound are legacy servers (w2008)
548 | # that set CD but cannot validate themselves.
549 | # ignore-cd-flag: no
550 |
551 | # Serve expired responses from cache, with serve-expired-reply-ttl in
552 | # the response, and then attempt to fetch the data afresh.
553 | # serve-expired: no
554 | #
555 | # Limit serving of expired responses to configured seconds after
556 | # expiration. 0 disables the limit.
557 | # serve-expired-ttl: 0
558 | #
559 | # Set the TTL of expired records to the serve-expired-ttl value after a
560 | # failed attempt to retrieve the record from upstream. This makes sure
561 | # that the expired records will be served as long as there are queries
562 | # for it.
563 | # serve-expired-ttl-reset: no
564 | #
565 | # TTL value to use when replying with expired data.
566 | # serve-expired-reply-ttl: 30
567 | #
568 | # Time in milliseconds before replying to the client with expired data.
569 | # This essentially enables the serve-stale behavior as specified in
570 | # draft-ietf-dnsop-serve-stale-10 that first tries to resolve before
571 | # immediately responding with expired data. 0 disables this behavior.
572 | # A recommended value is 1800.
573 | # serve-expired-client-timeout: 0
574 |
575 | # Have the validator log failed validations for your diagnosis.
576 | # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
577 | # val-log-level: 0
578 |
579 | # It is possible to configure NSEC3 maximum iteration counts per
580 | # keysize. Keep this table very short, as linear search is done.
581 | # A message with an NSEC3 with larger count is marked insecure.
582 | # List in ascending order the keysize and count values.
583 | # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
584 |
585 | # instruct the auto-trust-anchor-file probing to add anchors after ttl.
586 | # add-holddown: 2592000 # 30 days
587 |
588 | # instruct the auto-trust-anchor-file probing to del anchors after ttl.
589 | # del-holddown: 2592000 # 30 days
590 |
591 | # auto-trust-anchor-file probing removes missing anchors after ttl.
592 | # If the value 0 is given, missing anchors are not removed.
593 | # keep-missing: 31622400 # 366 days
594 |
595 | # debug option that allows very small holddown times for key rollover,
596 | # otherwise the RFC mandates probe intervals must be at least 1 hour.
597 | # permit-small-holddown: no
598 |
599 | # the amount of memory to use for the key cache.
600 | # plain value in bytes or you can append k, m or G. default is "4Mb".
601 | # key-cache-size: 4m
602 |
603 | # the number of slabs to use for the key cache.
604 | # the number of slabs must be a power of 2.
605 | # more slabs reduce lock contention, but fragment memory usage.
606 | # key-cache-slabs: 4
607 |
608 | # the amount of memory to use for the negative cache (used for DLV).
609 | # plain value in bytes or you can append k, m or G. default is "1Mb".
610 | # neg-cache-size: 1m
611 |
612 | # By default, for a number of zones a small default 'nothing here'
613 | # reply is built-in. Query traffic is thus blocked. If you
614 | # wish to serve such a zone, you can unblock it by uncommenting one
615 | # of the nodefault statements below.
616 | # You may also have to use domain-insecure: zone to make DNSSEC work,
617 | # unless you have your own trust anchors for this zone.
618 | # local-zone: "localhost." nodefault
619 | # local-zone: "127.in-addr.arpa." nodefault
620 | # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
621 | # local-zone: "onion." nodefault
622 | # local-zone: "test." nodefault
623 | # local-zone: "invalid." nodefault
624 | # local-zone: "10.in-addr.arpa." nodefault
625 | # local-zone: "16.172.in-addr.arpa." nodefault
626 | # local-zone: "17.172.in-addr.arpa." nodefault
627 | # local-zone: "18.172.in-addr.arpa." nodefault
628 | # local-zone: "19.172.in-addr.arpa." nodefault
629 | # local-zone: "20.172.in-addr.arpa." nodefault
630 | # local-zone: "21.172.in-addr.arpa." nodefault
631 | # local-zone: "22.172.in-addr.arpa." nodefault
632 | # local-zone: "23.172.in-addr.arpa." nodefault
633 | # local-zone: "24.172.in-addr.arpa." nodefault
634 | # local-zone: "25.172.in-addr.arpa." nodefault
635 | # local-zone: "26.172.in-addr.arpa." nodefault
636 | # local-zone: "27.172.in-addr.arpa." nodefault
637 | # local-zone: "28.172.in-addr.arpa." nodefault
638 | # local-zone: "29.172.in-addr.arpa." nodefault
639 | # local-zone: "30.172.in-addr.arpa." nodefault
640 | # local-zone: "31.172.in-addr.arpa." nodefault
641 | # local-zone: "168.192.in-addr.arpa." nodefault
642 | # local-zone: "0.in-addr.arpa." nodefault
643 | # local-zone: "254.169.in-addr.arpa." nodefault
644 | # local-zone: "2.0.192.in-addr.arpa." nodefault
645 | # local-zone: "100.51.198.in-addr.arpa." nodefault
646 | # local-zone: "113.0.203.in-addr.arpa." nodefault
647 | # local-zone: "255.255.255.255.in-addr.arpa." nodefault
648 | # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
649 | # local-zone: "d.f.ip6.arpa." nodefault
650 | # local-zone: "8.e.f.ip6.arpa." nodefault
651 | # local-zone: "9.e.f.ip6.arpa." nodefault
652 | # local-zone: "a.e.f.ip6.arpa." nodefault
653 | # local-zone: "b.e.f.ip6.arpa." nodefault
654 | # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
655 | # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
656 |
657 | # Add example.com into ipset
658 | # local-zone: "example.com" ipset
659 |
660 | # If unbound is running as a service for the local host then it is useful
661 | # to perform lan-wide lookups to the upstream, and unblock the
662 | # long list of local-zones above. If this unbound is a dns server
663 | # for a network of computers, disabled is better and stops information
664 | # leakage of local lan information.
665 | # unblock-lan-zones: no
666 |
667 | # The insecure-lan-zones option disables validation for
668 | # these zones, as if they were all listed as domain-insecure.
669 | # insecure-lan-zones: no
670 |
671 | # a number of locally served zones can be configured.
672 | # local-zone:
673 | # local-data: ""
674 | # o deny serves local data (if any), else, drops queries.
675 | # o refuse serves local data (if any), else, replies with error.
676 | # o static serves local data, else, nxdomain or nodata answer.
677 | # o transparent gives local data, but resolves normally for other names
678 | # o redirect serves the zone data for any subdomain in the zone.
679 | # o nodefault can be used to normally resolve AS112 zones.
680 | # o typetransparent resolves normally for other types and other names
681 | # o inform acts like transparent, but logs client IP address
682 | # o inform_deny drops queries and logs client IP address
683 | # o inform_redirect redirects queries and logs client IP address
684 | # o always_transparent, always_refuse, always_nxdomain, resolve in
685 | # that way but ignore local data for that name
686 | # o noview breaks out of that view towards global local-zones.
687 | #
688 | # defaults are localhost address, reverse for 127.0.0.1 and ::1
689 | # and nxdomain for AS112 zones. If you configure one of these zones
690 | # the default content is omitted, or you can omit it with 'nodefault'.
691 | #
692 | # If you configure local-data without specifying local-zone, by
693 | # default a transparent local-zone is created for the data.
694 | #
695 | # You can add locally served data with
696 | # local-zone: "local." static
697 | # local-data: "mycomputer.local. IN A 192.0.2.51"
698 | # local-data: 'mytext.local TXT "content of text record"'
699 | #
700 | # You can override certain queries with
701 | # local-data: "adserver.example.com A 127.0.0.1"
702 | #
703 | # You can redirect a domain to a fixed address with
704 | # (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
705 | # local-zone: "example.com" redirect
706 | # local-data: "example.com A 192.0.2.3"
707 | #
708 | # Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
709 | # You can also add PTR records using local-data directly, but then
710 | # you need to do the reverse notation yourself.
711 | # local-data-ptr: "192.0.2.3 www.example.com"
712 |
713 | # tag a localzone with a list of tag names (in "" with spaces between)
714 | # local-zone-tag: "example.com" "tag2 tag3"
715 |
716 | # add a netblock specific override to a localzone, with zone type
717 | # local-zone-override: "example.com" 192.0.2.0/24 refuse
718 |
719 | # service clients over TLS (on the TCP sockets), with plain DNS inside
720 | # the TLS stream. Give the certificate to use and private key.
721 | # default is "" (disabled). requires restart to take effect.
722 | # tls-service-key: "path/to/privatekeyfile.key"
723 | # tls-service-pem: "path/to/publiccertfile.pem"
724 | # tls-port: 853
725 |
726 | # cipher setting for TLSv1.2
727 | # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
728 | # cipher setting for TLSv1.3
729 | # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
730 |
731 | # Add the secret file for TLS Session Ticket.
732 | # Secret file must be 80 bytes of random data.
733 | # First key use to encrypt and decrypt TLS session tickets.
734 | # Other keys use to decrypt only.
735 | # requires restart to take effect.
736 | # tls-session-ticket-keys: "path/to/secret_file1"
737 | # tls-session-ticket-keys: "path/to/secret_file2"
738 |
739 | # request upstream over TLS (with plain DNS inside the TLS stream).
740 | # Default is no. Can be turned on and off with unbound-control.
741 | # tls-upstream: no
742 |
743 | # Certificates used to authenticate connections made upstream. Without a
744 | # bundle (or tls-win-cert below), tls-upstream connections are encrypted
744 | # but the upstream server's certificate is not verified.
745 | # tls-cert-bundle: ""
745 |
746 | # Add system certs to the cert bundle, from the Windows Cert Store
747 | # tls-win-cert: no
748 |
749 | # Also serve tls on these port numbers (eg. 443, ...), by listing
750 | # tls-additional-port: portno for each of the port numbers.
751 |
752 | # DNS64 prefix. Must be specified when DNS64 is in use.
753 | # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
754 | # dns64-prefix: 64:ff9b::0/96
755 |
756 | # DNS64 ignore AAAA records for these domains and use A instead.
757 | # dns64-ignore-aaaa: "example.com"
758 |
759 | # ratelimit for uncached, new queries, this limits recursion effort.
760 | # ratelimiting is experimental, and may help against randomqueryflood.
761 | # if 0(default) it is disabled, otherwise states the qps allowed per zone.
762 | # ratelimit: 0
763 |
764 | # ratelimits are tracked in a cache, size in bytes of cache (or k,m).
765 | # ratelimit-size: 4m
766 | # ratelimit cache slabs, reduces lock contention if equal to cpucount.
767 | # ratelimit-slabs: 4
768 |
769 | # 0 blocks when ratelimited, otherwise let 1/xth traffic through
770 | # ratelimit-factor: 10
771 |
772 | # override the ratelimit for a specific domain name.
773 | # give this setting multiple times to have multiple overrides.
774 | # ratelimit-for-domain: example.com 1000
775 | # override the ratelimits for all domains below a domain name
776 | # can give this multiple times, the name closest to the zone is used.
777 | # ratelimit-below-domain: com 1000
778 |
779 | # global query ratelimit for all ip addresses.
780 | # feature is experimental.
781 | # if 0 (default) it is disabled, otherwise it states the qps allowed per ip address.
782 | # ip-ratelimit: 0
783 |
784 | # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
785 | # ip-ratelimit-size: 4m
786 | # ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
787 | # ip-ratelimit-slabs: 4
788 |
789 | # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
790 | # ip-ratelimit-factor: 10
791 |
792 | # Limit the number of simultaneous connections from a netblock.
793 | # tcp-connection-limit: 192.0.2.0/24 12
794 |
795 | # select from the fastest servers this many times out of 1000. 0 means
796 | # the fast server select is disabled. prefetches are not sped up.
797 | # fast-server-permil: 0
798 | # the number of servers that will be used in the fast server selection.
799 | # fast-server-num: 3
800 |
801 | # Specific options for ipsecmod. unbound needs to be configured with
802 | # --enable-ipsecmod for these to take effect.
803 | #
804 | # Enable or disable ipsecmod (it still needs to be defined in
805 | # module-config above). Can be used when ipsecmod needs to be
806 | # enabled/disabled via remote-control(below).
807 | # ipsecmod-enabled: yes
808 | #
809 | # Path to executable external hook. It must be defined when ipsecmod is
810 | # listed in module-config (above).
811 | # ipsecmod-hook: "./my_executable"
812 | #
813 | # When enabled unbound will reply with SERVFAIL if the return value of
814 | # the ipsecmod-hook is not 0.
815 | # ipsecmod-strict: no
816 | #
817 | # Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY.
818 | # ipsecmod-max-ttl: 3600
819 | #
820 | # Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for
821 | # testing.
822 | # ipsecmod-ignore-bogus: no
823 | #
824 | # Domains for which ipsecmod will be triggered. If not defined (default)
825 | # all domains are treated as being whitelisted.
826 | # ipsecmod-whitelist: "example.com"
827 | # ipsecmod-whitelist: "nlnetlabs.nl"
828 |
829 |
830 | # Python config section. To enable:
831 | # o use --with-pythonmodule to configure before compiling.
832 | # o list python in the module-config string (above) to enable.
833 | # It can be at the start, it gets validated results, or just before
834 | # the iterator and process before DNSSEC validation.
835 | # o and give a python-script to run.
836 | python:
837 | # Script file to load
838 | # python-script: "/opt/local/etc/unbound/ubmodule-tst.py"
839 |
840 | # Remote control config section.
841 | remote-control:
842 | # Enable remote control with unbound-control(8) here.
843 | # set up the keys and certificates with unbound-control-setup.
844 | # control-enable: no
845 |
846 | # what interfaces are listened to for remote control.
847 | # give 0.0.0.0 and ::0 to listen to all interfaces.
848 | # set to an absolute path to use a unix local name pipe, certificates
849 | # are not used for that, so key and cert files need not be present.
850 | # control-interface: 127.0.0.1
851 | # control-interface: ::1
852 |
853 | # port number for remote control operations.
854 | # control-port: 8953
855 |
856 | # for localhost, you can disable use of TLS by setting this to "no"
857 | # For local sockets this option is ignored, and TLS is not used.
858 | # control-use-cert: "yes"
859 |
860 | # unbound server key file.
861 | # server-key-file: "/opt/local/etc/unbound/unbound_server.key"
862 |
863 | # unbound server certificate file.
864 | # server-cert-file: "/opt/local/etc/unbound/unbound_server.pem"
865 |
866 | # unbound-control key file.
867 | # control-key-file: "/opt/local/etc/unbound/unbound_control.key"
868 |
869 | # unbound-control certificate file.
870 | # control-cert-file: "/opt/local/etc/unbound/unbound_control.pem"
871 |
872 | # Stub zones.
873 | # Create entries like below, to make all queries for 'example.com' and
874 | # 'example.org' go to the given list of nameservers. list zero or more
875 | # nameservers by hostname or by ipaddress. If you set stub-prime to yes,
876 | # the list is treated as priming hints (default is no).
877 | # With stub-first yes, it attempts without the stub if it fails.
878 | # Consider adding domain-insecure: name and local-zone: name nodefault
879 | # to the server: section if the stub is a locally served zone.
880 | # stub-zone:
881 | # name: "example.com"
882 | # stub-addr: 192.0.2.68
883 | # stub-prime: no
884 | # stub-first: no
885 | # stub-tls-upstream: no
886 | # stub-no-cache: no
887 | # stub-zone:
888 | # name: "example.org"
889 | # stub-host: ns.example.com.
890 |
891 | # Forward zones
892 | # Create entries like below, to make all queries for 'example.com' and
893 | # 'example.org' go to the given list of servers. These servers have to handle
894 | # recursion to other nameservers. List zero or more nameservers by hostname
895 | # or by ipaddress. Use an entry with name "." to forward all queries.
896 | # If you enable forward-first, it attempts without the forward if it fails.
897 | # forward-zone:
898 | # name: "example.com"
899 | # forward-addr: 192.0.2.68
900 | # forward-addr: 192.0.2.73@5355 # forward to port 5355.
901 | # forward-first: no
902 | # forward-tls-upstream: no
903 | # forward-no-cache: no
904 | # forward-zone:
905 | # name: "example.org"
906 | # forward-host: fwd.example.com
907 |
908 | # Authority zones
909 | # The data for these zones is kept locally, from a file or downloaded.
910 | # The data can be served to downstream clients, or used instead of the
911 | # upstream (which saves a lookup to the upstream). The first example
912 | # has a copy of the root for local usage. The second serves example.org
913 | # authoritatively. zonefile: reads from file (and writes to it if you also
914 | # download it), master: fetches with AXFR and IXFR, or url to zonefile.
915 | # With allow-notify: you can give additional (apart from masters) sources of
916 | # notifies.
917 | # auth-zone:
918 | # name: "."
919 | # master: 199.9.14.201 # b.root-servers.net
920 | # master: 192.33.4.12 # c.root-servers.net
921 | # master: 199.7.91.13 # d.root-servers.net
922 | # master: 192.5.5.241 # f.root-servers.net
923 | # master: 192.112.36.4 # g.root-servers.net
924 | # master: 193.0.14.129 # k.root-servers.net
925 | # master: 192.0.47.132 # xfr.cjr.dns.icann.org
926 | # master: 192.0.32.132 # xfr.lax.dns.icann.org
927 | # master: 2001:500:200::b # b.root-servers.net
928 | # master: 2001:500:2::c # c.root-servers.net
929 | # master: 2001:500:2d::d # d.root-servers.net
930 | # master: 2001:500:2f::f # f.root-servers.net
931 | # master: 2001:500:12::d0d # g.root-servers.net
932 | # master: 2001:7fd::1 # k.root-servers.net
933 | # master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
934 | # master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
935 | # fallback-enabled: yes
936 | # for-downstream: no
937 | # for-upstream: yes
938 | # auth-zone:
939 | # name: "example.org"
940 | # for-downstream: yes
941 | # for-upstream: yes
942 | # zonefile: "example.org.zone"
943 |
944 | # Views
945 | # Create named views. Name must be unique. Map views to requests using
946 | # the access-control-view option. Views can contain zero or more local-zone
947 | # and local-data options. Options from matching views will override global
948 | # options. Global options will be used if no matching view is found.
949 | # With view-first yes, it will try to answer using the global local-zone and
950 | # local-data elements if there is no view specific match.
951 | # view:
952 | # name: "viewname"
953 | # local-zone: "example.com" redirect
954 | # local-data: "example.com A 192.0.2.3"
955 | # local-data-ptr: "192.0.2.3 www.example.com"
956 | # view-first: no
957 | # view:
958 | # name: "anotherview"
959 | # local-zone: "example.com" refuse
960 |
961 | # DNSCrypt
962 | # Caveats:
963 | # 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
964 | # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
965 | # 2. the dnscrypt channel attaches to an interface. You MUST set interfaces to
966 | # listen on `dnscrypt-port` with the following snippet:
967 | # server:
968 | # interface: 0.0.0.0@443
969 | # interface: ::0@443
970 | #
971 | # Finally, `dnscrypt` config has its own section.
972 | # dnscrypt:
973 | # dnscrypt-enable: yes
974 | # dnscrypt-port: 443
975 | # dnscrypt-provider: 2.dnscrypt-cert.example.com.
976 | # dnscrypt-secret-key: /path/unbound-conf/keys1/1.key
977 | # dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
978 | # dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
979 | # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
980 |
981 | # CacheDB
982 | # Enable external backend DB as auxiliary cache. Specify the backend name
983 | # (default is "testframe", which has no use other than for debugging and
984 | # testing) and backend-specific options. The 'cachedb' module must be
985 | # included in module-config, just before the iterator module.
986 | # cachedb:
987 | # backend: "testframe"
988 | # # secret seed string to calculate hashed keys
989 | # secret-seed: "default"
990 | #
991 | # # For "redis" backend:
992 | # # redis server's IP address or host name
993 | # redis-server-host: 127.0.0.1
994 | # # redis server's TCP port
995 | # redis-server-port: 6379
996 | # # timeout (in ms) for communication with the redis server
997 | # redis-timeout: 100
998 |
999 | # IPSet
1000 | # Add the specified domains into a set via ipset.
1001 | # Note: enabling ipset requires running unbound as the root user.
1002 | # ipset:
1003 | # # set name for ip v4 addresses
1004 | # name-v4: "list-v4"
1005 | # # set name for ip v6 addresses
1006 | # name-v6: "list-v6"
1007 | #
1008 |
1009 | # Response Policy Zones
1010 | # RPZ policies. Applied in order of configuration. QNAME and Response IP
1011 | # Address triggers are the only supported triggers. Supported actions are:
1012 | # NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from
1013 | # file, using zone transfer, or using HTTP. The respip module needs to be added
1014 | # to the module-config, e.g.: module-config: "respip validator iterator".
1015 | # rpz:
1016 | # name: "rpz.example.com"
1017 | # zonefile: "rpz.example.com"
1018 | # master: 192.0.2.0
1019 | # allow-notify: 192.0.2.0/32
1020 | # url: http://www.example.com/rpz.example.org.zone
1021 | # rpz-action-override: cname
1022 | # rpz-cname-override: www.example.org
1023 | # rpz-log: yes
1024 | # rpz-log-name: "example policy"
1025 | # tags: "example"
1026 |
--------------------------------------------------------------------------------