From 3387c2fdcbe74be6767c5abce5beb9e7df2d3f5b Mon Sep 17 00:00:00 2001 From: Emil Renner Berthing Date: Sun, 19 Nov 2017 03:15:26 +0100 Subject: space_server: generate DNS, mDNS and dhcp entries ..from the same variables --- .../space_server/templates/unbound/unbound.conf.j2 | 126 +++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 roles/space_server/templates/unbound/unbound.conf.j2 (limited to 'roles/space_server/templates/unbound/unbound.conf.j2') diff --git a/roles/space_server/templates/unbound/unbound.conf.j2 b/roles/space_server/templates/unbound/unbound.conf.j2 new file mode 100644 index 0000000..d2d3aed --- /dev/null +++ b/roles/space_server/templates/unbound/unbound.conf.j2 @@ -0,0 +1,126 @@ +server: + pidfile: "/run/unbound/unbound.pid" + verbosity: 1 + statistics-interval: 0 + statistics-cumulative: no + extended-statistics: yes + num-threads: 1 + + define-tag: "local" + + interface: 127.0.0.1 + interface: ::1 + interface: 185.38.175.0 + interface: 2a01:4260:1ab:: + + outgoing-interface: 185.38.175.0 + outgoing-interface: 2a01:4260:1ab:: + outgoing-port-permit: 32768-60999 + outgoing-port-avoid: 0-32767 + + so-reuseport: yes + ip-transparent: yes + max-udp-size: 3072 + + access-control-tag: 127.0.0.1/32 "local" + access-control-tag: ::1/128 "local" + + access-control: 185.38.175.0/24 allow + access-control: 10.42.0.0/16 allow + access-control-tag: 10.42.0.0/24 "local" + access-control-tag: 10.42.1.0/24 "local" + access-control-tag: 10.42.2.0/24 "local" + # not free wifi 10.42.3.0/24 + access-control-tag: 10.42.4.0/24 "local" + access-control-tag: 10.42.5.0/24 "local" + access-control: 2a01:4260:1ab::/48 allow + access-control-tag: 2a01:4260:1ab:a::/64 "local" + access-control-tag: 2a01:4260:1ab:b::/64 "local" + access-control-tag: 2a01:4260:1ab:c::/64 "local" + # not free wifi 2a01:4260:1ab:d::/64 + access-control-tag: 2a01:4260:1ab:e::/64 "local" + access-control-tag: 2a01:4260:1ab:f::/64 "local" + + chroot: "" + username: "unbound" + directory: "/etc/unbound" + + use-syslog: yes + log-time-ascii: yes + + harden-glue: yes + harden-dnssec-stripped: yes + harden-below-nxdomain: yes + harden-referral-path: yes + qname-minimisation: yes + + prefetch: yes + prefetch-key: yes + rrset-roundrobin: yes + minimal-responses: yes + + module-config: "validator iterator" + + trust-anchor-signaling: yes + + trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + val-clean-additional: yes + val-permissive-mode: no + serve-expired: yes + val-log-level: 1 + + local-zone: a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static + local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" + local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + + local-zone: b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static + local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" + local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + + local-zone: c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static + local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" + local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + + local-zone: d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static + local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" + local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + + local-zone: e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static + local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" + local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + + local-zone: f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static + local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" + local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + + local-zone: s. static + local-zone-tag: s. "local" + local-data: "s. IN SOA space.labitat.dk. esmil.labitat.dk. 20171119 3600 1200 604800 10800" + local-data: "s. IN NS space.labitat.dk." + local-data: "s. IN A 10.42.1.1" + local-data: "s. IN AAAA 2a01:4260:1ab::" + local-data: "labitrack.s. IN A 185.38.175.70" + local-data: "labitrack.s. IN AAAA 2a01:4260:1ab::cafe" + local-data: "track.s. IN A 185.38.175.70" + local-data: "track.s. IN AAAA 2a01:4260:1ab::cafe" +{% for host in local_hosts %} +{% for ip in host.ips | ipv4 %} +{% if loop.index <= 1 %} + local-data: "{{ host.name }}.s. IN A {{ ip }}" + local-data-ptr: "{{ ip }} {{ host.name }}.s." +{% endif %} +{% endfor %} +{% for ip in host.ips | ipv6 %} +{% if loop.index <= 1 %} + local-data: "{{ host.name }}.s. IN AAAA {{ ip }}" + local-data-ptr: "{{ ip }} {{ host.name }}.s." +{% endif %} +{% endfor %} +{% endfor %} + +remote-control: + control-enable: yes + control-use-cert: no + control-interface: "/run/unbound/control" -- cgit v1.2.1