defaults/main.yml

---
# defaults file for rls.unbound

unbound_packages:
  - unbound
  - dns-root-data

# just change this if you know what you are doing ...
unbound_cfg_dir_main: /etc/unbound
unbound_cfg_dir_incl: "{{ unbound_cfg_dir_main }}/unbound.conf.d"
unbound_cfg_file_main: "{{ unbound_cfg_dir_main }}/unbound.conf"

# this will be removed
unbound_remove_files_incl:
  - root-auto-trust-anchor-file.conf

# list of cfg templates to use
unbound_cfg_templates_incl:
  - 01server.conf
  - rebind.conf

# we keep the defaults minimal,
# so you should ensure to adjust them to your needs
# before you deploy this role
# example:
#  https://raw.githubusercontent.com/NLnetLabs/unbound/master/doc/example.conf.in
undbound_config:
  # server options
  server:
    verbosity: 1
    port: 53
    # interface: "{{ ansible_interfaces }}"  # enable this to use all interfaces defined at deploy
    access-control:
      - 127.0.0.1/8 allow
      - "::1/64 allow"
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    # auto-trust-anchor-file: "/var/lib/unbound/root.key"
  # remote-control options
  remote-control: {}
    # control-enable: "yes"
    # control-interface: 127.0.0.1
  # stub-zone options list, each with a name: and zero or more hostnames or IP addresses
  #   if you use just one list entry, you can define it directly as a dict
  stub-zone: []
  # forward-zone options list, each with a name: and zero or more hostnames or IP addresses
  #   if you use just one list entry, you can define it directly as a dict
  forward-zone: []
  # auth-zone options list, each one must have a name:
  #   if you use just one list entry, you can define it directly as a dict
  auth-zone: []
  # view options list. each with a name: and zero or more local-zone and local-data elements
  #   if you use just one list entry, you can define it directly as a dict
  view: []
  # optional further sections for unbound like
  # python: []
  # dynlib-file: []


# some resources for dnsbl
# https://blocklistproject.github.io/Lists/#versions
# https://justdomains.github.io/blocklists/#using-with-pi-hole
# https://crazymax.dev/WindowsSpyBlocker/blocking-rules/
# https://github.com/StevenBlack/hosts
# https://github.com/AdAway/AdAway/wiki/HostsSources
# https://oisd.nl/

# ad here some lists in order to enable dnsbl
dnsbl_lists: []

# exclude these domains from dnsbl
dnsbl_exclude_domains: []

# match all subdomains matching a dnsbl entry?
# if set to true and you have a list blocking i.e.
# donaldtrump.com, duck.donaldtrump.com, s..., f...
# and all other subdomains will be blocked too
dnsbl_match_subdomains: false

# if dnsbl_match_subdomains == true
# use short syntax using always_null
# see https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-role-unbound/issues/14
dnsbl_use_always_null: true

# update the dnsbl_lists via cron job
dnsbl_update_cron: "{{ dnsbl_update_daily | default(true) }}"
dnsbl_cron_minute: 15
dnsbl_cron_hour: 1
# dnsbl_cron_weekday: optional
# dnsbl_cron_day: optional
# dnsbl_update_daily: true  # this is a legacy entry and should be replaced by dnsbl_update_cron

# optional: you can redirect the output in the cron job to a file if you like
# pls pay attention to the starting space in the definition!
# dnsbl_cron_shell_redirect: " >/var/log/dnsblupdate.log 2>&1"

unbound_packages_dnsbl:
  - python3-requests
  - python3-lockfile

# use lists in plain domain and hosts/bind syntax
dnsbl_lists_available:
  - https://threatfox.abuse.ch/downloads/hostfile
  - https://adaway.org/hosts.txt
  - https://blocklistproject.github.io/Lists/alt-version/abuse-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/ads-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/crypto-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/drugs-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/facebook-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/fraud-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/gambling-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/malware-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/phishing-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/piracy-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/porn-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/ransomware-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/redirect-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/scam-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/tiktok-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/torrent-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/tracking-nl.txt
  - https://blocklistproject.github.io/Lists/alt-version/youtube-nl.txt
  - https://big.oisd.nl/domainswild
  - https://justdomains.github.io/blocklists/lists/easylist-justdomains.txt
  - https://justdomains.github.io/blocklists/lists/easyprivacy-justdomains.txt
  - https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt
  - https://justdomains.github.io/blocklists/lists/nocoin-justdomains.txt
  - https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_all.list
  - https://raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list
  - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
  - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
  - https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
  - https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/update.txt
  - https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt
  - https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext