feat: BREAKING unbound configuration

Clément Désiles 2026-03-17 23:08:44 +01:00
parent 869727d364
commit e209a93a78
No known key found for this signature in database
3 changed files with 26 additions and 13 deletions


@ -21,12 +21,15 @@ network_interfaces:
# Unbound DNS resolver configuration # Unbound DNS resolver configuration
# ---------------------------------- # ----------------------------------
# Interface IPs for binding
unbound_interface_lan: 192.168.1.2
unbound_interface_vpn: 192.168.20.4
# unbound LAN configuration
unbound_custom_lan_domain: "example.lan" unbound_custom_lan_domain: "example.lan"
unbound_interfaces:
- { address: "192.168.1.2", comment: "lan0" }
- { address: "192.168.20.4", comment: "wg0" }
unbound_access_control:
- { subnet: "192.168.1.0/24", action: "allow", view: "lan", comment: "lan0" }
- { subnet: "192.168.20.0/27", action: "allow", view: "vpn", comment: "wg0" }
unbound_custom_lan_config_path: "{{ unbound_config_base_path }}/lan.conf" unbound_custom_lan_config_path: "{{ unbound_config_base_path }}/lan.conf"
unbound_custom_lan_records: unbound_custom_lan_records:
"server.example.lan": "server.example.lan":


@ -10,8 +10,13 @@ unbound_custom_lan_domain: "example.lan"
unbound_port: 53 unbound_port: 53
unbound_apparmor_profile_path: /etc/apparmor.d/usr.sbin.unbound unbound_apparmor_profile_path: /etc/apparmor.d/usr.sbin.unbound
unbound_interface_lan: 192.168.1.1 unbound_interfaces:
unbound_interface_vpn: 192.168.27.1 - { address: "192.168.1.1", comment: "lan" }
- { address: "192.168.27.1", comment: "vpn" }
unbound_access_control:
- { subnet: "192.168.1.0/24", action: "allow", view: "lan", comment: "lan" }
- { subnet: "192.168.27.0/27", action: "allow", view: "vpn", comment: "vpn" }
unbound_firewall_allowed_sources: unbound_firewall_allowed_sources:
- { src: "192.168.1.0/24", comment: "DNS from LAN" } - { src: "192.168.1.0/24", comment: "DNS from LAN" }
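Review bot: Dropping `unbound_interface_lan` and `unbound_interface_vpn` from these defaults means an inventory that still sets them is silently ignored, and the resolver would then bind to and allow the default addresses given here (192.168.1.1, 192.168.27.1 and their subnets) instead of the host's real ones. Since the commit is marked BREAKING, consider a guard early in the role that fails when either legacy variable is still defined, for example an `ansible.builtin.assert` with `that: unbound_interface_lan is not defined and unbound_interface_vpn is not defined`; no task file is visible on this page, so this may already exist. A short comment above `unbound_access_control` would also help, stating that `view` is optional and that the subnets must be kept in step with `unbound_firewall_allowed_sources` just below, because the two lists are maintained separately.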


@ -14,20 +14,25 @@ server:
# Define interface binds by IP address # Define interface binds by IP address
interface: 127.0.0.1 # lo (IPv4) interface: 127.0.0.1 # lo (IPv4)
interface: ::1 # lo (IPv6) interface: ::1 # lo (IPv6)
interface: {{ unbound_interface_lan }} # lan0 {% for iface in unbound_interfaces %}
interface: {{ unbound_interface_vpn }} # wg0 interface: {{ iface.address }} # {{ iface.comment | default('') }}
{% endfor %}
# Define access controls (note that ufw might be also configured) # Define access controls (note that ufw might be also configured)
access-control: 0.0.0.0/0 refuse access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow # lo interface access-control: 127.0.0.0/8 allow # lo interface
access-control: 192.168.1.0/24 allow # lan0 interface {% for acl in unbound_access_control %}
access-control: 192.168.27.0/27 allow # wg0 interface access-control: {{ acl.subnet }} {{ acl.action }} # {{ acl.comment | default('') }}
{% endfor %}
access-control: ::0/0 refuse access-control: ::0/0 refuse
access-control: ::1 allow access-control: ::1 allow
# Specify custom local answers for each interface by using views: # Specify custom local answers for each interface by using views:
access-control-view: 192.168.1.0/24 lan {% for acl in unbound_access_control %}
access-control-view: 192.168.27.0/27 vpn {% if acl.view is defined %}
access-control-view: {{ acl.subnet }} {{ acl.view }}
{% endif %}
{% endfor %}
do-ip4: yes do-ip4: yes
do-udp: yes do-udp: yes
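Review bot: The `access-control` loop writes `acl.subnet` and `acl.action` into unbound.conf without validation, so the allow list that used to be fixed in the template is now whatever the inventory supplies. A typo in `action`, or an overly broad subnet paired with `allow`, would either stop Unbound from loading the file or open the resolver to clients that the previous hard-coded rules refused. I would validate the list before rendering, with an assert that each `acl.action` is one of Unbound's documented actions (`deny`, `refuse`, `allow`, `allow_setrd`, `allow_snoop`, `deny_non_local`, `refuse_non_local`) and that each `acl.subnet` parses as a CIDR, and have the rendered file checked with `validate: unbound-checkconf %s` on the template task if that is not already done. The template task itself is not visible on this page.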