From e209a93a78bbcc93b419f7a106a7da1ab75a5dd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20D=C3=A9siles?= <1536672+cdesiles@users.noreply.github.com>
Date: Tue, 17 Mar 2026 23:08:44 +0100
Subject: [PATCH] feat: BREAKING unbound configuration

---
 inventory/host_vars/example.yml | 13 ++++++++-----
 roles/unbound/defaults/main.yml | 9 +++++++--
 roles/unbound/templates/unbound.conf.j2 | 17 +++++++++++------
 3 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/inventory/host_vars/example.yml b/inventory/host_vars/example.yml
index 9f87cb2..335167a 100644
--- a/inventory/host_vars/example.yml
+++ b/inventory/host_vars/example.yml
@@ -21,12 +21,15 @@ network_interfaces:
 # Unbound DNS resolver configuration
 # ----------------------------------
 
-# Interface IPs for binding
-unbound_interface_lan: 192.168.1.2
-unbound_interface_vpn: 192.168.20.4
-
-# unbound LAN configuration
 unbound_custom_lan_domain: "example.lan"
+
+unbound_interfaces:
+  - { address: "192.168.1.2", comment: "lan0" }
+  - { address: "192.168.20.4", comment: "wg0" }
+
+unbound_access_control:
+  - { subnet: "192.168.1.0/24", action: "allow", view: "lan", comment: "lan0" }
+  - { subnet: "192.168.20.0/27", action: "allow", view: "vpn", comment: "wg0" }
 unbound_custom_lan_config_path: "{{ unbound_config_base_path }}/lan.conf"
 unbound_custom_lan_records:
   "server.example.lan":
diff --git a/roles/unbound/defaults/main.yml b/roles/unbound/defaults/main.yml
index 3f0aaed..7050804 100644
--- a/roles/unbound/defaults/main.yml
+++ b/roles/unbound/defaults/main.yml
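Review bot: The new `unbound_access_control` entries in the example carry `action` and `view` fields, but nothing tells an operator which values are valid, and a typo only surfaces when unbound rejects the rendered config on restart. A comment above `unbound_access_control:` would close that gap, e.g. `# action: an unbound access-control value (allow, refuse, deny, or the others listed in unbound.conf(5)); view is optional and must name a view: block the role renders`. Where the `lan` and `vpn` views are actually defined (presumably the lan.conf referenced just below) is not visible in this hunk, so the wording should point at the real location.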
@@ -10,8 +10,13 @@ unbound_custom_lan_domain: "example.lan"
 unbound_port: 53
 unbound_apparmor_profile_path: /etc/apparmor.d/usr.sbin.unbound
 
-unbound_interface_lan: 192.168.1.1
-unbound_interface_vpn: 192.168.27.1
+unbound_interfaces:
+  - { address: "192.168.1.1", comment: "lan" }
+  - { address: "192.168.27.1", comment: "vpn" }
+
+unbound_access_control:
+  - { subnet: "192.168.1.0/24", action: "allow", view: "lan", comment: "lan" }
+  - { subnet: "192.168.27.0/27", action: "allow", view: "vpn", comment: "vpn" }
 
 unbound_firewall_allowed_sources:
   - { src: "192.168.1.0/24", comment: "DNS from LAN" }
diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2
index dbcb6f2..ed573c6 100644
--- a/roles/unbound/templates/unbound.conf.j2
+++ b/roles/unbound/templates/unbound.conf.j2
@@ -14,20 +14,25 @@ server:
     # Define interface binds by IP address
     interface: 127.0.0.1 # lo (IPv4)
     interface: ::1 # lo (IPv6)
-    interface: {{ unbound_interface_lan }} # lan0
-    interface: {{ unbound_interface_vpn }} # wg0
+{% for iface in unbound_interfaces %}
+    interface: {{ iface.address }} # {{ iface.comment | default('') }}
+{% endfor %}
 
     # Define access controls (note that ufw might be also configured)
     access-control: 0.0.0.0/0 refuse
     access-control: 127.0.0.0/8 allow # lo interface
-    access-control: 192.168.1.0/24 allow # lan0 interface
-    access-control: 192.168.27.0/27 allow # wg0 interface
+{% for acl in unbound_access_control %}
+    access-control: {{ acl.subnet }} {{ acl.action }} # {{ acl.comment | default('') }}
+{% endfor %}
     access-control: ::0/0 refuse
     access-control: ::1 allow
 
     # Specify custom local answers for each interface by using views:
-    access-control-view: 192.168.1.0/24 lan
-    access-control-view: 192.168.27.0/27 vpn
+{% for acl in unbound_access_control %}
+{% if acl.view is defined %}
+    access-control-view: {{ acl.subnet }} {{ acl.view }}
+{% endif %}
+{% endfor %}
 
     do-ip4: yes
     do-udp: yes
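Review bot: Removing `unbound_interface_lan`/`unbound_interface_vpn` from the defaults gives a host that still sets them no error at all: the template now ignores those variables and binds the role defaults `192.168.1.1`/`192.168.27.1` instead, which on such a host presumably do not exist, so unbound either fails to start or ends up listening on an address the operator never chose. Since the commit is labelled BREAKING, a guard in the role's tasks (outside this diff) would make the break explicit, e.g. an `assert` with `that: ["unbound_interface_lan is not defined", "unbound_interface_vpn is not defined"]` and a `fail_msg` pointing at `unbound_interfaces` and `unbound_access_control`; the same applies to the example.yml hunk above. Separately, `unbound_access_control` and `unbound_firewall_allowed_sources` now list the same subnets independently, so editing one without the other silently opens a gap between what ufw admits and what unbound answers — a one-line comment cross-referencing the two lists would help.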
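Review bot: `{{ acl.subnet }}` and `{{ acl.action }}` are rendered unchecked, so an entry that omits `action` or misspells it produces a line like `access-control: 192.168.1.0/24  #` that unbound rejects at restart, after the file has already replaced the working one. Rendering with `{{ acl.action | mandatory }}` catches the missing case, and a `validate: 'unbound-checkconf %s'` on the template task (if this file includes others, the check may need to run against the full config tree instead) plus an `assert` that every action is one of unbound's accepted values would catch the rest before anything is written. The third loop also emits an `access-control-view` line for an entry whose action is `refuse`/`deny`; that is harmless but, if unintended, the `if` could be narrowed to entries whose action starts with `allow`. The enclosing `server:` block begins before and continues after this hunk.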