Update configuration and logic. Support ipv6.

Now ipv6 is supported using `public_ipv6` in the `server` block and
refactoring the configuration logic.
Also fix unbound configuration to allow recursive queries from
resolvers.

templates/main_zone.conf.j2

@@ -16,8 +16,14 @@ $TTL {{ main_zone.ttl|default(3600) }}
 				MX{% if record.opts is defined %}		{{ record.opts }}{% endif %}	{{ record.value }}
 {% endfor %}
 {{ server.hostname }}.		IN	A		{{ server.public_ip }}
+{% if server.public_ip6 is defined -%}
+{{ server.hostname }}.		IN	AAAA		{{ server.public_ip6 }}
+{% endif %}
 {% for satellite in satellites %}
 {{ satellite.hostname }}.		 IN	A		{{ satellite.public_ip }}
+{% if satellite.public_ip6 is defined -%}
+{{ satellite.hostname }}.		IN	AAAA		{{ satellite.public_ip6 }}
+{% endif %}
 {% endfor %}
 {% for record in main_zone.records|default([])|json_query('[?type!=`MX`]') %}
 {{ record.name }}		IN	{{ record.type }}{% if record.opts is defined %}		{{ record.opts }}{% endif %}	{{ record.value }}

templates/nsd.conf.j2

@@ -1,10 +1,18 @@
 server:
   server-count: {{ ansible_processor_vcpus|default(2) }}
+  {% if server.nsd_addr is defined -%}
   ip-address: {{ server.nsd_addr }}
+  {% endif -%}
+  {% if server.nsd_addr6 is defined -%}
+  ip-address: {{ server.nsd_addr6 }}
+  {% endif -%}
   ip-address: {{ server.vpn.address }}
+  {% if server.non_local_ip|default(False) -%}
+  ip-freebind: yes
+  {% endif -%}
   port: {{ server.nsd_port }}
-  do-ip4: {{ server.ipv4|default('yes') }}
+  do-ip4: {{ 'yes' if server.nsd_addr is defined else 'no' }}
-  do-ip6: {{ server.ipv6|default('no') }}
+  do-ip6: {{ 'yes' if server.nsd_addr6 is defined else 'no' }}
   hide-version: yes
   refuse-any: {{ server.refuse_any|default('yes') }}
   log-only-syslog: yes

templates/unbound.conf.j2

@@ -6,21 +6,28 @@ server:
   directory: "/etc/unbound"
   username: unbound
   pidfile: "/run/unbound.pid"
+  {% if server.public_ip is defined %}
+  do-ip4: yes
+  interface: 0.0.0.0
+  access-control: 0.0.0.0/0 allow_snoop
+  {% else %}
+  do-ip4: no
+  {% endif -%}
+  {% if server.public_ip6 is defined %}
+  do-ip6: yes
+  interface: ::0
+  access-control: ::0/0 allow_snoop
+  {% else %}
+  do-ip6: no
+  {% endif -%}
   {% if server.verbosity is defined -%}
   verbosity: {{ server.verbosity }}
   {% endif -%}
-  {% for addr in server.bind_addr|default(['0.0.0.0']) -%}
-  interface: {{ addr }}
-  {% endfor -%}
-  {% for addr in server.access_control_allow|default([]) -%}
-  access-control: {{ addr }} allow
-  {% endfor -%}
-  {% for addr in server.access_control_deny|default([]) -%}
-  access-control: {{ addr }} deny
-  {% endfor -%}
 
   {% for zone in zones -%}
   forward-zone:
     name: {{ zone.name }}.
     forward-addr: {{ server.nsd_addr }}@{{ server.nsd_port }}
   {% endfor %}
+
+# vim: set syntax=yaml et sw=0 ts=2 sts=0:

templates/wireguard.conf.j2

@@ -6,7 +6,7 @@ ListenPort = {{ server.vpn.listen_port|default(1194) }}
 
 [Peer]
 AllowedIps = {{ peer.vpn.address }}/32
-Endpoint = {{ peer.public_ip }}:{{ peer.vpn.listen_port|default(1194) }}
+Endpoint = {{ peer.public_ip if peer.public_ip is defined else peer.public_ip6}}:{{ peer.vpn.listen_port|default(1194) }}
 PublicKey = {{ peer.vpn.public_key }}
 {% endfor %}