update unbound role for IPv6

Yohaï-Eliel BERREBY 2020-08-01 14:32:02 +02:00
parent d54da8d2b9
commit 713c93ac44


@ -11,20 +11,32 @@ server:
logfile: "/var/log/unbound/unbound.log" logfile: "/var/log/unbound/unbound.log"
do-ip4: yes do-ip4: yes
# FIXME: IPv6 deployment... someday... do-ip6: yes
do-ip6: no
# IP addresses on which to listen. # IP addresses on which to listen.
#
# Note: dns_host_suffix is dynamically set in this role's tasks,
# and changes depending on whether we're handling the main or backup
# recursive DNS node.
# IPv4
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
# IPv6
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
# By default, anything other than localhost is refused. # By default, anything other than localhost is refused.
# Whitelist some subnets: # Whitelist some subnets:
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
access-control: {{ ipv6_base_prefix }}::/32 # Fuck it... :)
num-threads: {{ ansible_processor_vcpus }} num-threads: {{ ansible_processor_vcpus }}
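Review bot: The new IPv6 `access-control` line (`{{ ipv6_base_prefix }}::/32`) carries no action, since everything after the netblock is a comment, and it spans the whole base prefix rather than the three subnets that the IPv4 rules and the new `interface:` lines cover. unbound's `access-control` takes a netblock followed by an action, so as written the line will probably be rejected by `unbound-checkconf`, and with `allow` appended it would let every address in the /32 query the recursive resolver. IPv6 addresses are usually globally routable, unlike the 10.x ranges, so the rule should be scoped per subnet, e.g. `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/48 allow` and the same for `users_wired` and `users_wifi` (the /48 is inferred from the /32 base and needs checking against the addressing plan). The `server:` block starts and continues outside the hunk.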