diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index 62c93be..47ad938 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -11,20 +11,32 @@ server: logfile: "/var/log/unbound/unbound.log" do-ip4: yes - # FIXME: IPv6 deployment... someday... - do-ip6: no + do-ip6: yes # IP addresses on which to listen. + # + # Note: dns_host_suffix is dynamically set in this role's tasks, + # and changes depending on whether we're handling the main or backup + # recursive DNS node. + + # IPv4 interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }} + + # IPv6 + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }} + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }} + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }} + # By default, anything other than localhost is refused. # Whitelist some subnets: access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow + access-control: {{ ipv6_base_prefix }}::/32 # Fuck it... :) num-threads: {{ ansible_processor_vcpus }}