fix: unbound interface naming

2025-12-24 17:09:22 +01:00 · 2025-12-24 17:09:22 +01:00 · 3e469fa25e
commit 3e469fa25e
parent 08364cf2c8
3 changed files with 37 additions and 5 deletions
--- a/inventory/host_vars/example.yml
+++ b/inventory/host_vars/example.yml
@ -19,6 +19,33 @@ network_interfaces:
    ipv4:
      address: "{{ podman_gw_gateway }}/10"

+# Unbound DNS resolver configuration
+# ----------------------------------
+# Interface IPs for binding
+unbound_interface_lan: 192.168.1.2
+unbound_interface_vpn: 192.168.20.4
+
+# unbound LAN configuration
+unbound_custom_lan_domain: "example.lan"
+unbound_custom_lan_config_path: "{{ unbound_config_base_path }}/lan.conf"
+unbound_custom_lan_records:
+  "server.example.lan":
+    v4: 192.168.1.2
+    aliases:
+      - "server"
+
+# unbound VPN configuration
+unbound_custom_vpn_config_path: "{{ unbound_config_base_path }}/vpn.conf"
+unbound_custom_vpn_records:
+  "server.example.lan":
+    v4: 192.168.20.4
+    aliases:
+      - "server"
+
+unbound_firewall_allowed_sources:
+  - { src: "192.168.1.0/24", comment: "DNS from LAN" }
+  - { src: "192.168.20.0/27", comment: "DNS from VPN" }
+
 # NTP servers configuration
 # -------------------------
 ntp_pools:
--- a/roles/unbound/defaults/main.yml
+++ b/roles/unbound/defaults/main.yml
@ -9,9 +9,14 @@ unbound_custom_vpn_config_path: "{{ unbound_config_base_path }}/vpn.conf"
 unbound_custom_lan_domain: "example.lan"
 unbound_port: 53
 unbound_apparmor_profile_path: /etc/apparmor.d/usr.sbin.unbound
+
+unbound_interface_lan: 192.168.1.1
+unbound_interface_vpn: 192.168.27.1
+
 unbound_firewall_allowed_sources:
  - { src: "192.168.1.0/24", comment: "DNS from LAN" }
  - { src: "192.168.27.0/27", comment: "DNS from VPN" }
+
 unbound_custom_lan_records:
  "example.lan":
    v4: 192.168.1.2
--- a/roles/unbound/templates/unbound.conf.j2
+++ b/roles/unbound/templates/unbound.conf.j2
@ -8,13 +8,13 @@ server:
    # listening port
    port: {{ unbound_port }}

-    # Allow binding to interfaces that don't exist yet (e.g., WireGuard at boot)
+    # Allow binding to IP addresses that don't exist yet (e.g., WireGuard at boot)
    ip-freebind: yes

-    # Define interfaces binds
-    interface: lo
-    interface: lan0
-    interface: wg0
+    # Define interface binds by IP address
+    interface: 127.0.0.1                      # lo
+    interface: {{ unbound_interface_lan }}    # lan0
+    interface: {{ unbound_interface_vpn }}    # wg0

    # Define access controls (note that ufw might be also configured)
    access-control: 0.0.0.0/0 refuse