Update configuration and logic. Support ipv6.

Now ipv6 is supported using `public_ipv6` in the `server` block and
refactoring the configuration logic.
Also fix unbound configuration to allow recursive queries from
resolvers.
This commit is contained in:
sfigato 2020-08-19 18:47:56 +02:00
parent 61211c1996
commit 3f58459e78
Signed by: blallo
GPG Key ID: 0CBE577C9B72DC3F
4 changed files with 33 additions and 12 deletions

View File

@ -16,8 +16,14 @@ $TTL {{ main_zone.ttl|default(3600) }}
MX{% if record.opts is defined %} {{ record.opts }}{% endif %} {{ record.value }}
{% endfor %}
{{ server.hostname }}. IN A {{ server.public_ip }}
{% if server.public_ip6 is defined -%}
{{ server.hostname }}. IN AAAA {{ server.public_ip6 }}
{% endif %}
{% for satellite in satellites %}
{{ satellite.hostname }}. IN A {{ satellite.public_ip }}
{% if satellite.public_ip6 is defined -%}
{{ satellite.hostname }}. IN AAAA {{ satellite.public_ip6 }}
{% endif %}
{% endfor %}
{% for record in main_zone.records|default([])|json_query('[?type!=`MX`]') %}
{{ record.name }} IN {{ record.type }}{% if record.opts is defined %} {{ record.opts }}{% endif %} {{ record.value }}

View File

@ -1,10 +1,18 @@
server:
server-count: {{ ansible_processor_vcpus|default(2) }}
{% if server.nsd_addr is defined -%}
ip-address: {{ server.nsd_addr }}
{% endif -%}
{% if server.nsd_addr6 is defined -%}
ip-address: {{ server.nsd_addr6 }}
{% endif -%}
ip-address: {{ server.vpn.address }}
{% if server.non_local_ip|default(False) -%}
ip-freebind: yes
{% endif -%}
port: {{ server.nsd_port }}
do-ip4: {{ server.ipv4|default('yes') }}
do-ip6: {{ server.ipv6|default('no') }}
do-ip4: {{ 'yes' if server.nsd_addr is defined else 'no' }}
do-ip6: {{ 'yes' if server.nsd_addr6 is defined else 'no' }}
hide-version: yes
refuse-any: {{ server.refuse_any|default('yes') }}
log-only-syslog: yes

View File

@ -6,21 +6,28 @@ server:
directory: "/etc/unbound"
username: unbound
pidfile: "/run/unbound.pid"
{% if server.public_ip is defined %}
do-ip4: yes
interface: 0.0.0.0
access-control: 0.0.0.0/0 allow_snoop
{% else %}
do-ip4: no
{% endif -%}
{% if server.public_ip6 is defined %}
do-ip6: yes
interface: ::0
access-control: ::0/0 allow_snoop
{% else %}
do-ip6: no
{% endif -%}
{% if server.verbosity is defined -%}
verbosity: {{ server.verbosity }}
{% endif -%}
{% for addr in server.bind_addr|default(['0.0.0.0']) -%}
interface: {{ addr }}
{% endfor -%}
{% for addr in server.access_control_allow|default([]) -%}
access-control: {{ addr }} allow
{% endfor -%}
{% for addr in server.access_control_deny|default([]) -%}
access-control: {{ addr }} deny
{% endfor -%}
{% for zone in zones -%}
forward-zone:
name: {{ zone.name }}.
forward-addr: {{ server.nsd_addr }}@{{ server.nsd_port }}
{% endfor %}
# vim: set syntax=yaml et sw=0 ts=2 sts=0:

View File

@ -6,7 +6,7 @@ ListenPort = {{ server.vpn.listen_port|default(1194) }}
[Peer]
AllowedIps = {{ peer.vpn.address }}/32
Endpoint = {{ peer.public_ip }}:{{ peer.vpn.listen_port|default(1194) }}
Endpoint = {{ peer.public_ip if peer.public_ip is defined else peer.public_ip6}}:{{ peer.vpn.listen_port|default(1194) }}
PublicKey = {{ peer.vpn.public_key }}
{% endfor %}