fix: unbound ad filtering

Clément Désiles
2025-12-14 00:41:32 +01:00
parent e003f30889
commit b35fbe63ee
5 changed files with 37 additions and 11 deletions
+15 -4
@@ -1,9 +1,20 @@
# {{ ansible_managed }}
view:
name: "lan"
view-first: yes
{% for host, ips in unbound_custom_lan_records.items() %}
local-data: "{{ host }}. IN A {{ ips.v4 }}"
{% if ips.v6 is defined %}
local-data: "{{ host }}. IN AAAA {{ ips.v6 }}"
{% endif %}
local-data: "{{ host }}. IN A {{ ips.v4 }}"
{% if ips.v6 is defined %}
local-data: "{{ host }}. IN AAAA {{ ips.v6 }}"
{% endif %}
{% if ips.aliases is defined %}
{% for alias in ips.aliases %}
local-data: "{{ alias }}. IN A {{ ips.v4 }}"
{% if ips.v6 is defined %}
local-data: "{{ alias }}. IN AAAA {{ ips.v6 }}"
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
include: "{{ unbound_ad_servers_config_path }}"
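Review bot: The `include:` on the last line is expanded textually inside the `view:` clause, so it only does what the commit intends if the file at `unbound_ad_servers_config_path` holds nothing but directives that are valid in a view (`local-zone`, `local-data`). That file is not visible here; if its generator writes a leading `server:` header, which was harmless while the file was included from the server clause, the blocklist entries would land back in the global scope instead of this view. I would add a comment above the line such as `# must contain only local-zone/local-data lines, no clause header` and run `unbound-checkconf` on the assembled configuration before the service is reloaded. The vpn view template ends with the same include and needs the same guarantee.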
@@ -1,9 +1,12 @@
# {{ ansible_managed }}
view:
name: "vpn"
view-first: yes
{% for host, ips in unbound_custom_vpn_records.items() %}
local-data: "{{ host }}. IN A {{ ips.v4 }}"
{% if ips.v6 is defined %}
local-data: "{{ host }}. IN AAAA {{ ips.v6 }}"
{% endif %}
{% endfor %}
include: "{{ unbound_ad_servers_config_path }}"
+4 -2
@@ -15,6 +15,7 @@ server:
# Define access controls (note that ufw might be also configured)
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow # lo interface
access-control: 192.168.1.0/24 allow # lan0 interface
access-control: 192.168.27.0/27 allow # wg0 interface
access-control: ::0/0 refuse
@@ -80,7 +81,9 @@ server:
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# NOTE: Disabled because prefetch doesn't work with subnet module (views)
# see: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-prefetch
prefetch: no
# One thread should be sufficient, can be increased on beefy machines.
# In reality for most users running on small networks or on a single machine,
@@ -105,6 +108,5 @@ server:
# Enable DNSSEC
auto-trust-anchor-file: "{{ unbound_anchor_root_key }}"
include: "{{ unbound_ad_servers_config_path }}"
include: "{{ unbound_custom_lan_config_path }}"
include: "{{ unbound_custom_vpn_config_path }}"
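Review bot: With the blocklist include gone from the `server:` clause (the last hunk appears to drop `include: "{{ unbound_ad_servers_config_path }}"`; the +/- markers are lost in this rendering), any client that is allowed by `access-control` but not mapped to the lan or vpn view is answered from the global local zones and gets no ad filtering. `127.0.0.0/8` is allowed in the first hunk, and no `access-control-view:` lines are visible in these hunks, so the view mapping cannot be checked from here. Either keep the global include as a fallback or confirm that every allowed range has an `access-control-view:` entry, and record that choice in a comment next to the `access-control` block. The `server:` clause continues outside all three hunks.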