From dcf6246255e41960c3dac49176abf77915a8b9c6 Mon Sep 17 00:00:00 2001 From: Emil Renner Berthing Date: Mon, 27 Sep 2021 13:31:09 +0200 Subject: space_server: use local_hosts where possible ..to make sure we keep ip addresses in sync everywhere --- roles/space_server/files/nftables.conf | 332 --------------------- roles/space_server/tasks/nftables.yml | 4 +- roles/space_server/templates/nftables.conf.j2 | 332 +++++++++++++++++++++ .../space_server/templates/radius/clients.conf.j2 | 4 +- roles/space_server/templates/s.zone.j2 | 4 +- roles/space_server/vars/main.yml | 2 + 6 files changed, 340 insertions(+), 338 deletions(-) delete mode 100644 roles/space_server/files/nftables.conf create mode 100644 roles/space_server/templates/nftables.conf.j2 (limited to 'roles/space_server') diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf deleted file mode 100644 index 93ecc25..0000000 --- a/roles/space_server/files/nftables.conf +++ /dev/null 
@@ -1,332 +0,0 @@
-# our hosts
-define ap1 = 10.42.0.5
-define ap2 = 10.42.0.6
-define labitat = 185.38.172.72
-define jumbotron_ip4 = 10.42.1.36
-define jumbotron_ip6 = 2a01:4262:1ab:b:ba27:ebff:fed3:c162
-
-# internal stuff
-define ext_if = wan
-define ext_ip4 = 185.38.175.0
-define ext_ip6 = 2a01:4262:1ab::
-define int_net4 = 10.42.0.0/16
-define ext_net4 = 185.38.175.0/24
-define ext_net6 = 2a01:4262:1ab::/48
-define link_net4 = 193.106.167.40/29
-define link_net6 = 2a03:5440:1:2935:1ab::/80
-
-define adm_if = lan10
-define adm_ip4 = 10.42.0.1
-define adm_net4 = 10.42.0.0/24
-
-define wire_if = lan11
-define wire_ip4 = 10.42.1.1
-define wire_net4 = 10.42.1.0/24
-define wire_net6 = 2a01:4262:1ab:b::/64
-
-define priv_if = lan12
-define priv_ip4 = 10.42.2.1
-define priv_net4 = 10.42.2.0/24
-define priv_net6 = 2a01:4262:1ab:c::/64
-
-define free_if = lan13
-define free_ip4 = 10.42.3.1
-define free_nat = 185.38.175.1
-define free_net4 = 10.42.3.0/24
-define free_net6 = 2a01:4262:1ab:d::/64
-
-define pass_if = lan14
-define pass_ip4 = 10.42.4.1
-define pass_net4 = 10.42.4.0/24
-define pass_net6 = 2a01:4262:1ab:e::/64
-
-define futu_if = lan15
-define futu_net6 = 2a01:4262:1ab:f::/64
-
-define nat64_if = nat64
-define nat64_net4 = 10.42.128.0/17
-
-define colo_if = lan20
-
-define tor_if = lan21
-define tor_net4 = 185.38.175.128/28
-define tor_net6 = 2a01:4262:1ab:ffff::/64
-
-define local_ip4 = { $ext_ip4, $adm_ip4, $wire_ip4, $priv_ip4, $free_ip4, $pass_ip4 }
-define local_ip6 = { $ext_ip6 }
-define local_net4 = { $ext_ip4, $free_nat, $int_net4 }
-define local_net6 = 2a01:4262:1ab::/52
-
-define avahi_ifs = { $wire_if, $priv_if, $pass_if }
-
-table ip filter {
- chain prerouting {
- type filter hook prerouting priority 0;
-
- # colo reverse path filtering
- # find route to saddr on iif, get oif, drop if route is missing
- iif $colo_if fib saddr .
iif oif missing drop; - } - - chain input { - type filter hook input priority 0; - - ct state established,related accept - ct state invalid drop - - # no ping floods - ip protocol icmp limit rate 100/second accept - ip protocol icmp drop - - iif lo accept - - # drop incoming spoofed packages - iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop - - # bird etc. on fiberby link - iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept - - # bgp - iif $colo_if tcp dport bgp accept - - # dhcp - udp sport bootpc udp dport bootps iif != $ext_if counter accept - - # radius - iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept - - # tftp - iif $wire_if ip saddr $wire_net4 udp dport 69 accept - - # ssh - tcp dport 22 accept - - # dns - tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept - udp dport 53 ip saddr { $int_net4, $ext_net4 } accept - - # ntp - udp dport 123 ip saddr { $int_net4, $ext_net4 } accept - - # avahi - ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept - ip protocol igmp iif $avahi_ifs accept - - # http cert validation - tcp dport 80 ip daddr $ext_ip4 accept - - ## debugging - #iif $ext_if counter drop - #udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream - #udp sport 17500 udp dport 17500 drop # Dropbox LANsync - #ip protocol igmp drop # IGMP - #counter log prefix "in4: " drop - drop - } - - chain forward { - type filter hook forward priority 0; - - # handle tor traffic - before ct - iif $tor_if ip saddr $tor_net4 ip daddr != $local_net4 accept - oif $tor_if ip daddr $tor_net4 ip saddr != $local_net4 accept - - ct state established,related accept - ct state invalid drop - - # drop incoming spoofed packages - iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop - - # jumbotron webhook - ip daddr $jumbotron_ip4 tcp dport 17380 counter accept - - # no traffic to admin net - ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited - ip daddr $adm_net4 drop - - # local traffic - iif 
$adm_if ip saddr $adm_net4 accept
- iif $wire_if ip saddr $wire_net4 accept
- iif $priv_if ip saddr $priv_net4 accept
- iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
- iif $pass_if ip saddr $pass_net4 accept
- iif $nat64_if ip saddr $nat64_net4 accept
- iif $colo_if ip daddr != $int_net4 accept
- oif $colo_if accept
-
- ## debugging
- #iif $ext_if counter drop
- #counter log prefix "fw4: " drop
- drop
- }
-}
-
-table ip6 filter {
- chain prerouting {
- type filter hook prerouting priority 0;
-
- # colo reverse path filtering
- # find route to saddr on iif, get oif, drop if route is missing
- iif $colo_if fib saddr . iif oif missing drop;
- }
-
- chain input {
- type filter hook input priority 0;
-
- ct state established,related accept
- ct state invalid drop
-
- # no ping floods
- ip6 nexthdr ipv6-icmp limit rate 100/second accept
- ip6 nexthdr ipv6-icmp drop
-
- iif lo accept
-
- # drop incoming spoofed packages
- iif $ext_if ip6 saddr $ext_net6 drop
-
- iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept
-
- # bird etc.
on fiberby link - iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept - - # bgp - iif $colo_if tcp dport bgp accept - - # tftp - iif $wire_if ip6 saddr $wire_net6 udp dport 69 accept - - # ssh - tcp dport 22 accept - - # dns - tcp dport 53 ip6 saddr $ext_net6 accept - udp dport 53 ip6 saddr $ext_net6 accept - - # ntp - udp dport 123 ip6 saddr $ext_net6 accept - - # avahi - ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept - - # http cert validation - tcp dport 80 ip6 daddr $ext_ip6 accept - - ## debugging - #counter log prefix "in6: " drop - drop - } - - chain forward { - type filter hook forward priority 0; - - # handle tor traffic - before ct - iif $tor_if ip6 saddr $tor_net6 ip6 daddr != $local_net6 accept - oif $tor_if ip6 daddr $tor_net6 ip6 saddr != $local_net6 accept - - ct state established,related accept - ct state invalid drop - - # drop incoming spoofed packages - iif $ext_if ip6 saddr $ext_net6 drop - - # jumbotron webhook - ip6 daddr $jumbotron_ip6 tcp dport 17380 counter accept - - iif $wire_if ip6 saddr $wire_net6 accept - iif $priv_if ip6 saddr $priv_net6 accept - iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept - iif $pass_if ip6 saddr $pass_net6 accept - iif $futu_if ip6 saddr $futu_net6 accept - iif $colo_if ip6 daddr != $ext_net6 accept - oif $colo_if accept - - ## debugging - #counter log prefix "fw6: " drop - drop - } -} - -table ip nat { - chain portforward { - ip daddr $ext_ip4 tcp dport 17380 dnat $jumbotron_ip4 # jumbotron webhook - } - - chain prerouting { - type nat hook prerouting priority -150; - goto portforward - } - - chain output { - type nat hook output priority -150; - goto portforward - } - - chain input { - type nat hook input priority -150; - # this chain is needed to make dnat from the output chain work - } - - chain postrouting { - type nat hook postrouting priority -150; - oif $ext_if ip saddr $free_net4 snat $free_nat - oif $ext_if ip saddr $int_net4 snat $ext_ip4 - } -} - -table ip6 
nat { - chain portforward { - ip6 daddr $ext_ip6 tcp dport 17380 dnat $jumbotron_ip6 # jumbotron webhook - } - - chain prerouting { - type nat hook prerouting priority -150; - goto portforward - } - - chain output { - type nat hook output priority -150; - goto portforward - } - - #chain input { - # type nat hook input priority -150; - # # this chain is needed to make dnat from the output chain work - #} - - #chain postrouting { - # type nat hook postrouting priority -150; - #} -} - -table ip raw { - chain prerouting { - type filter hook prerouting priority -300; policy accept - - iif lo accept - - # always do connection tracking for local IP's - ip saddr $local_ip4 accept - ip daddr $local_ip4 accept - - # avoid connection tracking for most Tor traffic - ip saddr $tor_net4 ip daddr != $local_net4 notrack - ip daddr $tor_net4 ip saddr != $local_net4 notrack - } -} - -table ip6 raw { - chain prerouting { - type filter hook prerouting priority -300; policy accept - - iif lo accept - - # always do connection tracking for local IP's - ip6 saddr $local_ip6 accept - ip6 daddr $local_ip6 accept - - # avoid connection tracking for most Tor traffic - ip6 saddr $tor_net6 ip6 daddr != $local_net6 notrack - ip6 daddr $tor_net6 ip6 saddr != $local_net6 notrack - } -} diff --git a/roles/space_server/tasks/nftables.yml b/roles/space_server/tasks/nftables.yml index 9c56714..df1ec85 100644 --- a/roles/space_server/tasks/nftables.yml +++ b/roles/space_server/tasks/nftables.yml @@ -8,9 +8,9 @@ mode: 0644 - name: Configure nftables - copy: + template: dest: '/etc/nftables.conf' - src: nftables.conf + src: nftables.conf.j2 owner: root group: root mode: 0644 diff --git a/roles/space_server/templates/nftables.conf.j2 b/roles/space_server/templates/nftables.conf.j2 new file mode 100644 index 0000000..412270c --- /dev/null +++ b/roles/space_server/templates/nftables.conf.j2 
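Review bot: The "Configure nftables" task now renders the ruleset from a template but carries no `validate:`, so a rendering or syntax error in nftables.conf.j2 is written straight to /etc/nftables.conf and only surfaces when the ruleset is next loaded. Adding `validate: 'nft -c -f %s'` to the task makes Ansible check the rendered file with nft before it is installed, which turns a broken firewall at reload time into a failed play. Whether a handler reloads nftables after this task, and what it does on failure, is outside the hunk.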
@@ -0,0 +1,332 @@
+# our hosts
+define ap1 = {{ local_hosts['ap1'].ipv4[0] }}
+define ap2 = {{ local_hosts['ap2'].ipv4[0] }}
+define labitat = 185.38.172.72
+define jumbotron_ip4 = {{ local_hosts['jumbotron'].ipv4[0] }}
+define jumbotron_ip6 = {{ local_hosts['jumbotron'].ipv6[0] }}
+
+# internal stuff
+define ext_if = wan
+define ext_ip4 = 185.38.175.0
+define ext_ip6 = 2a01:4262:1ab::
+define int_net4 = 10.42.0.0/16
+define ext_net4 = 185.38.175.0/24
+define ext_net6 = 2a01:4262:1ab::/48
+define link_net4 = 193.106.167.40/29
+define link_net6 = 2a03:5440:1:2935:1ab::/80
+
+define adm_if = lan10
+define adm_ip4 = 10.42.0.1
+define adm_net4 = 10.42.0.0/24
+
+define wire_if = lan11
+define wire_ip4 = 10.42.1.1
+define wire_net4 = 10.42.1.0/24
+define wire_net6 = 2a01:4262:1ab:b::/64
+
+define priv_if = lan12
+define priv_ip4 = 10.42.2.1
+define priv_net4 = 10.42.2.0/24
+define priv_net6 = 2a01:4262:1ab:c::/64
+
+define free_if = lan13
+define free_ip4 = 10.42.3.1
+define free_nat = 185.38.175.1
+define free_net4 = 10.42.3.0/24
+define free_net6 = 2a01:4262:1ab:d::/64
+
+define pass_if = lan14
+define pass_ip4 = 10.42.4.1
+define pass_net4 = 10.42.4.0/24
+define pass_net6 = 2a01:4262:1ab:e::/64
+
+define futu_if = lan15
+define futu_net6 = 2a01:4262:1ab:f::/64
+
+define nat64_if = nat64
+define nat64_net4 = 10.42.128.0/17
+
+define colo_if = lan20
+
+define tor_if = lan21
+define tor_net4 = 185.38.175.128/28
+define tor_net6 = 2a01:4262:1ab:ffff::/64
+
+define local_ip4 = { $ext_ip4, $adm_ip4, $wire_ip4, $priv_ip4, $free_ip4, $pass_ip4 }
+define local_ip6 = { $ext_ip6 }
+define local_net4 = { $ext_ip4, $free_nat, $int_net4 }
+define local_net6 = 2a01:4262:1ab::/52
+
+define avahi_ifs = { $wire_if, $priv_if, $pass_if }
+
+table ip filter {
+ chain prerouting {
+ type filter hook prerouting priority 0;
+
+ # colo reverse path filtering
+ # find route to saddr on iif, get oif, drop if route is missing
+ iif $colo_if fib saddr .
iif oif missing drop; + } + + chain input { + type filter hook input priority 0; + + ct state established,related accept + ct state invalid drop + + # no ping floods + ip protocol icmp limit rate 100/second accept + ip protocol icmp drop + + iif lo accept + + # drop incoming spoofed packages + iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop + + # bird etc. on fiberby link + iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept + + # bgp + iif $colo_if tcp dport bgp accept + + # dhcp + udp sport bootpc udp dport bootps iif != $ext_if counter accept + + # radius + iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept + + # tftp + iif $wire_if ip saddr $wire_net4 udp dport 69 accept + + # ssh + tcp dport 22 accept + + # dns + tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept + udp dport 53 ip saddr { $int_net4, $ext_net4 } accept + + # ntp + udp dport 123 ip saddr { $int_net4, $ext_net4 } accept + + # avahi + ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept + ip protocol igmp iif $avahi_ifs accept + + # http cert validation + tcp dport 80 ip daddr $ext_ip4 accept + + ## debugging + #iif $ext_if counter drop + #udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream + #udp sport 17500 udp dport 17500 drop # Dropbox LANsync + #ip protocol igmp drop # IGMP + #counter log prefix "in4: " drop + drop + } + + chain forward { + type filter hook forward priority 0; + + # handle tor traffic - before ct + iif $tor_if ip saddr $tor_net4 ip daddr != $local_net4 accept + oif $tor_if ip daddr $tor_net4 ip saddr != $local_net4 accept + + ct state established,related accept + ct state invalid drop + + # drop incoming spoofed packages + iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop + + # jumbotron webhook + ip daddr $jumbotron_ip4 tcp dport 17380 counter accept + + # no traffic to admin net + ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited + ip daddr $adm_net4 drop + + # local traffic + iif 
$adm_if ip saddr $adm_net4 accept
+ iif $wire_if ip saddr $wire_net4 accept
+ iif $priv_if ip saddr $priv_net4 accept
+ iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
+ iif $pass_if ip saddr $pass_net4 accept
+ iif $nat64_if ip saddr $nat64_net4 accept
+ iif $colo_if ip daddr != $int_net4 accept
+ oif $colo_if accept
+
+ ## debugging
+ #iif $ext_if counter drop
+ #counter log prefix "fw4: " drop
+ drop
+ }
+}
+
+table ip6 filter {
+ chain prerouting {
+ type filter hook prerouting priority 0;
+
+ # colo reverse path filtering
+ # find route to saddr on iif, get oif, drop if route is missing
+ iif $colo_if fib saddr . iif oif missing drop;
+ }
+
+ chain input {
+ type filter hook input priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # no ping floods
+ ip6 nexthdr ipv6-icmp limit rate 100/second accept
+ ip6 nexthdr ipv6-icmp drop
+
+ iif lo accept
+
+ # drop incoming spoofed packages
+ iif $ext_if ip6 saddr $ext_net6 drop
+
+ iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept
+
+ # bird etc.
on fiberby link + iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept + + # bgp + iif $colo_if tcp dport bgp accept + + # tftp + iif $wire_if ip6 saddr $wire_net6 udp dport 69 accept + + # ssh + tcp dport 22 accept + + # dns + tcp dport 53 ip6 saddr $ext_net6 accept + udp dport 53 ip6 saddr $ext_net6 accept + + # ntp + udp dport 123 ip6 saddr $ext_net6 accept + + # avahi + ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept + + # http cert validation + tcp dport 80 ip6 daddr $ext_ip6 accept + + ## debugging + #counter log prefix "in6: " drop + drop + } + + chain forward { + type filter hook forward priority 0; + + # handle tor traffic - before ct + iif $tor_if ip6 saddr $tor_net6 ip6 daddr != $local_net6 accept + oif $tor_if ip6 daddr $tor_net6 ip6 saddr != $local_net6 accept + + ct state established,related accept + ct state invalid drop + + # drop incoming spoofed packages + iif $ext_if ip6 saddr $ext_net6 drop + + # jumbotron webhook + ip6 daddr $jumbotron_ip6 tcp dport 17380 counter accept + + iif $wire_if ip6 saddr $wire_net6 accept + iif $priv_if ip6 saddr $priv_net6 accept + iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept + iif $pass_if ip6 saddr $pass_net6 accept + iif $futu_if ip6 saddr $futu_net6 accept + iif $colo_if ip6 daddr != $ext_net6 accept + oif $colo_if accept + + ## debugging + #counter log prefix "fw6: " drop + drop + } +} + +table ip nat { + chain portforward { + ip daddr $ext_ip4 tcp dport 17380 dnat $jumbotron_ip4 # jumbotron webhook + } + + chain prerouting { + type nat hook prerouting priority -150; + goto portforward + } + + chain output { + type nat hook output priority -150; + goto portforward + } + + chain input { + type nat hook input priority -150; + # this chain is needed to make dnat from the output chain work + } + + chain postrouting { + type nat hook postrouting priority -150; + oif $ext_if ip saddr $free_net4 snat $free_nat + oif $ext_if ip saddr $int_net4 snat $ext_ip4 + } +} + +table ip6 
nat { + chain portforward { + ip6 daddr $ext_ip6 tcp dport 17380 dnat $jumbotron_ip6 # jumbotron webhook + } + + chain prerouting { + type nat hook prerouting priority -150; + goto portforward + } + + chain output { + type nat hook output priority -150; + goto portforward + } + + #chain input { + # type nat hook input priority -150; + # # this chain is needed to make dnat from the output chain work + #} + + #chain postrouting { + # type nat hook postrouting priority -150; + #} +} + +table ip raw { + chain prerouting { + type filter hook prerouting priority -300; policy accept + + iif lo accept + + # always do connection tracking for local IP's + ip saddr $local_ip4 accept + ip daddr $local_ip4 accept + + # avoid connection tracking for most Tor traffic + ip saddr $tor_net4 ip daddr != $local_net4 notrack + ip daddr $tor_net4 ip saddr != $local_net4 notrack + } +} + +table ip6 raw { + chain prerouting { + type filter hook prerouting priority -300; policy accept + + iif lo accept + + # always do connection tracking for local IP's + ip6 saddr $local_ip6 accept + ip6 daddr $local_ip6 accept + + # avoid connection tracking for most Tor traffic + ip6 saddr $tor_net6 ip6 daddr != $local_net6 notrack + ip6 daddr $tor_net6 ip6 saddr != $local_net6 notrack + } +} diff --git a/roles/space_server/templates/radius/clients.conf.j2 b/roles/space_server/templates/radius/clients.conf.j2 index 0e82666..805e419 100644 --- a/roles/space_server/templates/radius/clients.conf.j2 +++ b/roles/space_server/templates/radius/clients.conf.j2 @@ -1,12 +1,12 @@ client ap1 { - ipaddr = 10.42.0.5 + ipaddr = {{ local_hosts['ap1'].ipv4[0] }} netmask = 32 secret = {{ radius_passwords.ap1 }} nas_type = other } client ap2 { - ipaddr = 10.42.0.6 + ipaddr = {{ local_hosts['ap2'].ipv4[0] }} netmask = 32 secret = {{ radius_passwords.ap2 }} nas_type = other diff --git a/roles/space_server/templates/s.zone.j2 b/roles/space_server/templates/s.zone.j2 index 0394e98..6fee322 100644 
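Review bot: Every `local_hosts[...]` lookup in the new template takes only element `[0]`, so a host that is later given a second address is silently left out of rules such as `iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept` and of the `dnat $jumbotron_ip4` / `dnat $jumbotron_ip6` targets; the same first-address-only pattern is used in radius/clients.conf.j2 and s.zone.j2. Either state the assumption at the top of the template, e.g. `# first address only: each local_hosts entry used here is expected to carry a single ipv4/ipv6`, or render the full list as an nftables set so the ruleset and the vars cannot drift apart again. The interface addresses (`adm_ip4`, `wire_ip4`, `priv_ip4`, ...) and `ext_ip4`/`ext_ip6` are still literal; if `local_hosts['space']` holds the 10.42.1.1 that s.zone.j2 now resolves for `s.`, `wire_ip4` could be taken from it as well. A header line such as `# Managed by Ansible (roles/space_server/templates/nftables.conf.j2); edit the template, not this file` would warn anyone editing /etc/nftables.conf on the host that the next run overwrites it.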
--- a/roles/space_server/templates/s.zone.j2 +++ b/roles/space_server/templates/s.zone.j2 @@ -1,8 +1,8 @@ s. 600 IN SOA space.labitat.dk. esmil.labitat.dk. 2019040101 7200 3600 604800 86400 s. 600 IN NS space.labitat.dk. -s. 600 IN A 10.42.1.1 -s. 600 IN AAAA 2a01:4260:1ab:: +s. 600 IN A {{ local_hosts['space'].ipv4[0] }} +s. 600 IN AAAA {{ local_hosts['space'].ipv6[0] }} labitrack.s. 600 IN A 185.38.175.70 labitrack.s. 600 IN AAAA 2a01:4262:1ab::cafe diff --git a/roles/space_server/vars/main.yml b/roles/space_server/vars/main.yml index 93fca5f..e942984 100644 --- a/roles/space_server/vars/main.yml +++ b/roles/space_server/vars/main.yml @@ -166,6 +166,8 @@ local_hosts: mac: b8:27:eb:d3:c1:62 ipv4: - 10.42.1.36 + ipv6: + - 2a01:4262:1ab:b:ba27:ebff:fed3:c162 hplaserjet: mac: 94:57:a5:ce:e2:6c mdns: false -- cgit v1.2.1
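Review bot: The SOA serial `2019040101` on the first context line is unchanged although the `s.` A and AAAA records now change to whatever the template renders, so any secondary or zone-transfer consumer that compares serials keeps the old data until it expires. Bump the serial whenever the rendered records change, e.g. to the current date-based value, or derive it in the template so it moves with the data. The zone lists only `space.labitat.dk.` as NS, so this may only matter once a secondary is added, but a static serial in a rendered zone is an easy thing to forget.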
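Review bot: The added `ipv6` value is the EUI-64 interface identifier of the `mac` listed two lines above (b8:27:eb:d3:c1:62 gives ba27:ebff:fed3:c162), i.e. a SLAAC-style address that changes if the NIC is replaced, and the nftables DNAT and forward rules for port 17380 now key on it through this entry. A comment next to it, `# EUI-64 from the mac above; re-derive if the hardware is replaced`, would make that dependency visible to whoever edits the vars next. The rest of the `local_hosts` map is outside the hunk.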