unbound: More dynamic config for dna-gw hosts

2025-06-17 20:38:55 +00:00 · 2025-06-17 20:38:55 +00:00 · c4e0029780
commit c4e0029780
parent 1ac05ad5cc
3 changed files with 12 additions and 58 deletions
--- a/group_vars/dnagw.yml
+++ b/group_vars/dnagw.yml
@ -45,7 +45,10 @@ unbound_zones:
  - home.foo.sh

 # use custom firewall config
-firewall_src: pf.conf.gw_home
+firewall_src: pf.conf.gw_home.j2
+
+# unbound config
+unbound_config: unbound.conf.dna.j2

 # ifstated config
 ifstated_config: ifstated-dna.conf.j2
--- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2
+++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2
@ -1,49 +0,0 @@
-server:
-    # https://nlnetlabs.nl/documentation/unbound/howto-optimise/
-    num-threads: {{ ansible_processor_cores }}
-    msg-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
-    rrset-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
-    infra-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
-    key-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
-
-    outgoing-range: {{ ( 1024 / ansible_processor_cores | int - 50 ) | int }}
-
-    interface: 172.20.20.10@53
-    interface: 172.20.20.10@853
-    interface: 172.20.20.11@53
-    interface: 172.20.20.11@853
-    interface: 172.20.20.12@53
-    interface: 172.20.20.12@853
-    interface: 172.20.21.2@53
-
-    tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
-    tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
-    tls-cert-bundle: {{ tls_bundle }}
-
-    access-control: 127.0.0.0/8 allow
-    access-control: ::1 allow
-    access-control: 172.20.20.0/22 allow
-
-    extended-statistics: yes
-
-    hide-identity: yes
-    hide-version: yes
-
-    prefetch: yes
-    unblock-lan-zones: yes
-
-remote-control:
-    control-enable: yes
-    control-interface: /var/run/unbound.sock
-
-forward-zone:
-    name: "."
-    forward-tls-upstream: yes
-    forward-addr: 8.8.8.8@853#dns.google
-    forward-addr: 8.8.4.4@853#dns.google
-
-{% for zone in unbound_zones %}
-auth-zone:
-    name: "{{ zone }}"
-    zonefile: "{{ unbound_zonedir }}/{{ zone }}"
-{% endfor %}
--- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2
+++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2
@ -8,13 +8,12 @@ server:

    outgoing-range: {{ ( 1024 / ansible_processor_cores | int - 50 ) | int }}

-    interface: 172.20.20.10@53
-    interface: 172.20.20.10@853
-    interface: 172.20.20.11@53
-    interface: 172.20.20.11@853
-    interface: 172.20.20.12@53
-    interface: 172.20.20.12@853
-    interface: 172.20.21.1@53
+    interface: {{ intnet_prefix }}.10@53
+    interface: {{ intnet_prefix }}.10@853
+    interface: {{ intnet_prefix }}.11@53
+    interface: {{ intnet_prefix }}.11@853
+    interface: {{ intnet_prefix }}.12@53
+    interface: {{ intnet_prefix }}.12@853

    tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
    tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
@ -22,9 +21,10 @@ server:

    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
-    access-control: 172.20.20.0/22 allow
+    access-control: {{ intnet_prefix }}.0/{{ (intnet_prefix + '.0/' + intnet_netmask) | ansible.utils.ipaddr('prefix') }} allow

    extended-statistics: yes
+    verbosity: 1

    hide-identity: yes
    hide-version: yes