feat: BREAKING unbound configuration
This commit is contained in:
parent
869727d364
commit
e209a93a78
@ -21,12 +21,15 @@ network_interfaces:
|
|||||||
|
|
||||||
# Unbound DNS resolver configuration
|
# Unbound DNS resolver configuration
|
||||||
# ----------------------------------
|
# ----------------------------------
|
||||||
# Interface IPs for binding
|
|
||||||
unbound_interface_lan: 192.168.1.2
|
|
||||||
unbound_interface_vpn: 192.168.20.4
|
|
||||||
|
|
||||||
# unbound LAN configuration
|
|
||||||
unbound_custom_lan_domain: "example.lan"
|
unbound_custom_lan_domain: "example.lan"
|
||||||
|
|
||||||
|
unbound_interfaces:
|
||||||
|
- { address: "192.168.1.2", comment: "lan0" }
|
||||||
|
- { address: "192.168.20.4", comment: "wg0" }
|
||||||
|
|
||||||
|
unbound_access_control:
|
||||||
|
- { subnet: "192.168.1.0/24", action: "allow", view: "lan", comment: "lan0" }
|
||||||
|
- { subnet: "192.168.20.0/27", action: "allow", view: "vpn", comment: "wg0" }
|
||||||
unbound_custom_lan_config_path: "{{ unbound_config_base_path }}/lan.conf"
|
unbound_custom_lan_config_path: "{{ unbound_config_base_path }}/lan.conf"
|
||||||
unbound_custom_lan_records:
|
unbound_custom_lan_records:
|
||||||
"server.example.lan":
|
"server.example.lan":
|
||||||
|
|||||||
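Review bot: The new `unbound_interfaces` and `unbound_access_control` lists arrive with no comment describing their entry schema, while the old `# Interface IPs for binding` and `# unbound LAN configuration` headings that documented the replaced scalars are dropped; this appears to be an example/host vars file, which is exactly where a reader needs that. Add a line above each list, e.g. `# Addresses unbound binds to; comment is only echoed into unbound.conf` and `# Subnets allowed to query plus the unbound action applied; view is optional and, when set, also emits an access-control-view line`. It is also worth stating that the per-entry `comment` must be a single line, because the template places it after a `#` in the rendered config.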
@ -10,8 +10,13 @@ unbound_custom_lan_domain: "example.lan"
|
|||||||
unbound_port: 53
|
unbound_port: 53
|
||||||
unbound_apparmor_profile_path: /etc/apparmor.d/usr.sbin.unbound
|
unbound_apparmor_profile_path: /etc/apparmor.d/usr.sbin.unbound
|
||||||
|
|
||||||
unbound_interface_lan: 192.168.1.1
|
unbound_interfaces:
|
||||||
unbound_interface_vpn: 192.168.27.1
|
- { address: "192.168.1.1", comment: "lan" }
|
||||||
|
- { address: "192.168.27.1", comment: "vpn" }
|
||||||
|
|
||||||
|
unbound_access_control:
|
||||||
|
- { subnet: "192.168.1.0/24", action: "allow", view: "lan", comment: "lan" }
|
||||||
|
- { subnet: "192.168.27.0/27", action: "allow", view: "vpn", comment: "vpn" }
|
||||||
|
|
||||||
unbound_firewall_allowed_sources:
|
unbound_firewall_allowed_sources:
|
||||||
- { src: "192.168.1.0/24", comment: "DNS from LAN" }
|
- { src: "192.168.1.0/24", comment: "DNS from LAN" }
|
||||||
|
|||||||
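Review bot: The defaults now allow `192.168.27.0/27` in `unbound_access_control` while `unbound_firewall_allowed_sources` still lists only `192.168.1.0/24`, so the two "who may query" lists disagree out of the box. This mismatch predates the commit (the old template hard-coded the same VPN allow), but with both now data-driven lists it is easy to update one and forget the other; if the firewall list drives host firewall rules, VPN clients would pass unbound's ACL yet be dropped before reaching it, and if the firewall side is ever wider than the ACL, the ACL becomes the only barrier. Either add a comment above `unbound_firewall_allowed_sources` saying it must be kept in sync with the `allow` entries of `unbound_access_control`, or derive it from them so there is one source of truth. A migration note in the role docs would also help, since the old `unbound_interface_lan` / `unbound_interface_vpn` scalars are removed without a pointer to the replacement.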
@ -14,20 +14,25 @@ server:
|
|||||||
# Define interface binds by IP address
|
# Define interface binds by IP address
|
||||||
interface: 127.0.0.1 # lo (IPv4)
|
interface: 127.0.0.1 # lo (IPv4)
|
||||||
interface: ::1 # lo (IPv6)
|
interface: ::1 # lo (IPv6)
|
||||||
interface: {{ unbound_interface_lan }} # lan0
|
{% for iface in unbound_interfaces %}
|
||||||
interface: {{ unbound_interface_vpn }} # wg0
|
interface: {{ iface.address }} # {{ iface.comment | default('') }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
# Define access controls (note that ufw might be also configured)
|
# Define access controls (note that ufw might be also configured)
|
||||||
access-control: 0.0.0.0/0 refuse
|
access-control: 0.0.0.0/0 refuse
|
||||||
access-control: 127.0.0.0/8 allow # lo interface
|
access-control: 127.0.0.0/8 allow # lo interface
|
||||||
access-control: 192.168.1.0/24 allow # lan0 interface
|
{% for acl in unbound_access_control %}
|
||||||
access-control: 192.168.27.0/27 allow # wg0 interface
|
access-control: {{ acl.subnet }} {{ acl.action }} # {{ acl.comment | default('') }}
|
||||||
|
{% endfor %}
|
||||||
access-control: ::0/0 refuse
|
access-control: ::0/0 refuse
|
||||||
access-control: ::1 allow
|
access-control: ::1 allow
|
||||||
|
|
||||||
# Specify custom local answers for each interface by using views:
|
# Specify custom local answers for each interface by using views:
|
||||||
access-control-view: 192.168.1.0/24 lan
|
{% for acl in unbound_access_control %}
|
||||||
access-control-view: 192.168.27.0/27 vpn
|
{% if acl.view is defined %}
|
||||||
|
access-control-view: {{ acl.subnet }} {{ acl.view }}
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
do-ip4: yes
|
do-ip4: yes
|
||||||
do-udp: yes
|
do-udp: yes
|
||||||
|
|||||||
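Review bot: `{{ iface.comment | default('') }}` and `{{ acl.comment | default('') }}` are written after `#` with no escaping, so a multi-line comment value would terminate the comment and land in unbound.conf as directives; the same applies to `acl.subnet`, `acl.action` and `acl.view`, which are emitted verbatim and only checked by unbound itself at config-check time. These values come from operator-controlled vars, so the practical risk is a broken or unintended config rather than an attack, but collapsing newlines is cheap: `interface: {{ iface.address }} # {{ iface.comment | default('') | replace('\n', ' ') }}`, and likewise on the `access-control:` line. A typo in `action` (anything other than unbound's allow/deny/refuse and their variants) will only surface when unbound fails to start, so an `assert` task over `unbound_access_control` before templating would fail the play with a clear message instead. The `server:` block continues outside the hunk, and the `view:` blocks that `access-control-view` names are not in view here — if they remain hard-coded, a `view` value in vars with no matching block will also fail the config check.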