Update configuration and logic. Support ipv6.

Now ipv6 is supported using `public_ipv6` in the `server` block and refactoring the configuration logic. Also fix unbound configuration to allow recursive queries from resolvers.
2020-08-19 18:47:56 +02:00 · 2020-08-19 18:47:56 +02:00 · 3f58459e78
parent 61211c1996
commit 3f58459e78
4 changed files with 33 additions and 12 deletions
--- a/templates/main_zone.conf.j2
+++ b/templates/main_zone.conf.j2
@ -16,8 +16,14 @@ $TTL {{ main_zone.ttl|default(3600) }}
 				MX{% if record.opts is defined %}		{{ record.opts }}{% endif %}	{{ record.value }}
 {% endfor %}
 {{ server.hostname }}.		IN	A		{{ server.public_ip }}
+{% if server.public_ip6 is defined -%}
+{{ server.hostname }}.		IN	AAAA		{{ server.public_ip6 }}
+{% endif %}
 {% for satellite in satellites %}
 {{ satellite.hostname }}.		 IN	A		{{ satellite.public_ip }}
+{% if satellite.public_ip6 is defined -%}
+{{ satellite.hostname }}.		IN	AAAA		{{ satellite.public_ip6 }}
+{% endif %}
 {% endfor %}
 {% for record in main_zone.records|default([])|json_query('[?type!=`MX`]') %}
 {{ record.name }}		IN	{{ record.type }}{% if record.opts is defined %}		{{ record.opts }}{% endif %}	{{ record.value }}
--- a/templates/nsd.conf.j2
+++ b/templates/nsd.conf.j2
@ -1,10 +1,18 @@
 server:
  server-count: {{ ansible_processor_vcpus|default(2) }}
+  {% if server.nsd_addr is defined -%}
  ip-address: {{ server.nsd_addr }}
+  {% endif -%}
+  {% if server.nsd_addr6 is defined -%}
+  ip-address: {{ server.nsd_addr6 }}
+  {% endif -%}
  ip-address: {{ server.vpn.address }}
+  {% if server.non_local_ip|default(False) -%}
+  ip-freebind: yes
+  {% endif -%}
  port: {{ server.nsd_port }}
-  do-ip4: {{ server.ipv4|default('yes') }}
-  do-ip6: {{ server.ipv6|default('no') }}
+  do-ip4: {{ 'yes' if server.nsd_addr is defined else 'no' }}
+  do-ip6: {{ 'yes' if server.nsd_addr6 is defined else 'no' }}
  hide-version: yes
  refuse-any: {{ server.refuse_any|default('yes') }}
  log-only-syslog: yes
--- a/templates/unbound.conf.j2
+++ b/templates/unbound.conf.j2
@ -6,21 +6,28 @@ server:
  directory: "/etc/unbound"
  username: unbound
  pidfile: "/run/unbound.pid"
+  {% if server.public_ip is defined %}
+  do-ip4: yes
+  interface: 0.0.0.0
+  access-control: 0.0.0.0/0 allow_snoop
+  {% else %}
+  do-ip4: no
+  {% endif -%}
+  {% if server.public_ip6 is defined %}
+  do-ip6: yes
+  interface: ::0
+  access-control: ::0/0 allow_snoop
+  {% else %}
+  do-ip6: no
+  {% endif -%}
  {% if server.verbosity is defined -%}
  verbosity: {{ server.verbosity }}
  {% endif -%}
-  {% for addr in server.bind_addr|default(['0.0.0.0']) -%}
-  interface: {{ addr }}
-  {% endfor -%}
-  {% for addr in server.access_control_allow|default([]) -%}
-  access-control: {{ addr }} allow
-  {% endfor -%}
-  {% for addr in server.access_control_deny|default([]) -%}
-  access-control: {{ addr }} deny
-  {% endfor -%}

  {% for zone in zones -%}
  forward-zone:
    name: {{ zone.name }}.
    forward-addr: {{ server.nsd_addr }}@{{ server.nsd_port }}
  {% endfor %}
+
+# vim: set syntax=yaml et sw=0 ts=2 sts=0:
--- a/templates/wireguard.conf.j2
+++ b/templates/wireguard.conf.j2
@ -6,7 +6,7 @@ ListenPort = {{ server.vpn.listen_port|default(1194) }}

 [Peer]
 AllowedIps = {{ peer.vpn.address }}/32
-Endpoint = {{ peer.public_ip }}:{{ peer.vpn.listen_port|default(1194) }}
+Endpoint = {{ peer.public_ip if peer.public_ip is defined else peer.public_ip6}}:{{ peer.vpn.listen_port|default(1194) }}
 PublicKey = {{ peer.vpn.public_key }}
 {% endfor %}