rt1(z9 host) unbound(role) kea_dhcp(role): create unbound and kea_dhcp role for rt1

- create unbound role - create kea_dhcp role - configure unbound and keadhcp on rt1(z9 host)
2026-05-24 04:01:11 +02:00 · 2026-05-24 04:01:11 +02:00 · 866005c055
commit 866005c055
parent 50cf34e3f3
24 changed files with 1043 additions and 0 deletions
--- a/resources/z9/rt1/kea_dhcp.yaml
+++ b/resources/z9/rt1/kea_dhcp.yaml
@ -0,0 +1,293 @@
+kea_dhcp__dns_servers:
+  v4:
+    - 185.161.129.134
+  v6:
+    - 2a07:c481::1:2
+
+kea_dhcp__dhcp4:
+  enable: true
+  interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
+  control-sockets:
+    - socket-name: /var/run/kea-dhcp4-ctrl-agent.sock
+      socket-type: unix
+  lease-database:
+    type: memfile
+    persist: true
+  option-data:
+    - name: "domain-name-servers"
+      code: 6
+      csv-format: true
+      data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"
+  subnets:
+    - id: 1
+      subnet: 10.89.208.0/22
+      pools:
+        - pool: "10.89.208.32 - 10.89.211.250"
+      reservations:
+        - ip-address: 10.89.208.11
+          hostname: beamer
+          hw-address: "ac:87:a3:18:9e:01"
+        - ip-address: 10.89.208.12
+          hostname: Brother-CCCHH
+          hw-address: "00:80:77:04:3a:55"
+        - ip-address: 10.89.208.13
+          hostname: muzak
+          hw-address: "00:11:24:5f:4f:80"
+        - ip-address: 10.89.208.14
+          hostname: Big-Room-Beamer
+          hw-address: "64:d2:c4:db:08:5c"
+        - ip-address: 10.89.208.16
+          hostname: dooris
+          hw-address: "bc:24:11:b3:93:9c"
+        - ip-address: 10.89.208.17
+          hostname: hmdooris-ccu
+          hw-address: "bc:24:11:5f:2d:b1"
+        - ip-address: 10.89.208.27
+          hostname: cisco-slm248p
+          hw-address: "00:23:eb:b0:fc:3f"
+        - ip-address: 10.89.208.47
+          hw-address: "6c:df:fb:0b:34:21"
+        - ip-address: 10.89.208.48
+          hw-address: "6c:df:fb:0d:91:63"
+        - ip-address: 10.89.209.28
+          hostname: hp-color
+          hw-address: "3c:52:82:29:21:79"
+        - ip-address: 10.89.209.29
+          hostname: dooris-ng
+          hw-address: "6c:4b:90:19:21:a1"
+        - ip-address: 10.89.209.166
+          hostname: encoder-ccchh
+          hw-address: "00:4e:01:a2:40:d7"
+        - ip-address: 10.89.209.254
+          hostname: ki10
+          hw-address: "dc:a6:32:a9:ff:82"
+      option-data:
+        - name: routers,
+          csv-format: true
+          data: 10.89.208.1
+    - id: 2
+      subnet: 10.89.212.0/24
+      pools:
+        - pool: "10.89.212.32 - 10.89.212.250"
+      reservations:
+        - ip-address: 10.89.212.3
+          hostname: prusamk3
+          hw-address: "10:9c:70:2e:59:3e"
+        - ip-address: 10.89.212.4
+          hostname: prusamk4
+          hw-address: "10:9c:70:2e:6e:f0"
+        - ip-address: 10.89.212.11
+          hostname: Ziggy
+          hw-address: "44:17:93:53:65:57"
+        - ip-address: 10.89.212.12
+          hostname: legacy
+          hw-address: "00:15:65:a1:ed:98"
+        - ip-address: 10.89.212.23
+          hostname: foobarpay
+          hw-address: "f4:f2:6d:09:a6:73"
+        - ip-address: 10.89.212.24
+          hostname: foobackup
+          hw-address: "bc:24:11:20:1a:a8"
+        - ip-address: 10.89.212.27
+          hostname: ender3v2-sonic-pad
+          hw-address: "fc:ee:91:00:0e:14"
+        - ip-address: 10.89.212.31
+          hostname: octopi
+          hw-address: "b8:27:eb:0f:d8:09"
+        - ip-address: 10.89.212.32
+          hostname: 433mhz-bridge
+          hw-address: "0c:b8:15:fe:e3:34"
+        - ip-address: 10.89.212.33
+          hostname: wled-kueche
+          hw-address: "30:ae:a4:7a:8d:a0"
+        - ip-address: 10.89.212.34
+          hostname: wled-serverschrank
+          hw-address: "18:fe:34:a6:64:76"
+        - ip-address: 10.89.212.35
+          hostname: wled-couch
+          hw-address: "64:b7:08:40:ab:c0"
+        - ip-address: 10.89.212.36
+          hostname: laser
+          hw-address: "b8:27:eb:be:38:fa"
+        - ip-address: 10.89.212.37
+          hostname: laser-eth
+          hw-address: "b8:27:eb:eb:6d:af"
+        - ip-address: 10.89.212.42
+          hostname: t-mix
+          hw-address: "40:a5:ef:d9:eb:93"
+        - ip-address: 10.89.212.86
+          hostname: fritz-fon
+          hw-address: "00:1f:3f:c9:e5:b2"
+        - ip-address: 10.89.212.211
+          hostname: hauptraum-esphome
+          hw-address: "e8:db:84:e8:18:d2"
+        - ip-address: 10.89.212.212
+          hostname: werkstatt-esphome
+          hw-address: "3c:71:bf:26:42:32"
+        - ip-address: 10.89.212.213
+          hostname: ir-bridge-beamer
+          hw-address: "8c:ce:4e:51:93:dd"
+        - ip-address: 10.89.212.215
+          hostname: pi-dmx-werkstatt
+          hw-address: "b8:27:eb:65:e5:31"
+        - ip-address: 10.89.212.227
+          hostname: SIP-T46S
+          hw-address: "80:5e:c0:09:bf:55"
+        - ip-address: 10.89.212.230
+          hostname: SIP-T46S
+          hw-address: "80:5e:c0:22:33:08"
+        - ip-address: 10.89.212.232
+          hostname: staubi
+          hw-address: "b8:4d:43:98:51:2b"
+        - ip-address: 10.89.212.233
+          hostname: staubiv2
+          hw-address: "70:c9:32:82:25:b2"
+        - ip-address: 10.89.212.234
+          hostname: AtemMini
+          hw-address: "7c:2e:0d:13:72:a8"
+        - ip-address: 10.89.212.235
+          hostname: okilaser
+          hw-address: "2c:ff:65:22:b4:63"
+        - ip-address: 10.89.212.236
+          hw-address: "b8:27:eb:29:bd:77"
+      option-data:
+        - name: routers,
+          csv-format: true
+          data: 10.89.212.1
+    - id: 3
+      subnet: 10.89.213.0/24
+      pools:
+        - pool: "10.89.213.32 - 10.89.213.250"
+      reservations:
+        - ip-address: 10.89.213.2
+          hostname: sw-rack-1
+          hw-address: "F0:9F:C2:10:C3:AA"
+        - ip-address: 10.89.213.3
+          hostname: sw-rack-2-peo
+          hw-address: "44:d9:e7:06:69:5d"
+        - ip-address: 10.89.213.4
+          hostname: sw-main-1
+          hw-address: "a8:9c:6c:16:df:cc"
+        - ip-address: 10.89.213.5
+          hostname: sw-main-2
+          hw-address: "a8:9c:6c:16:e8:86"
+        - ip-address: 10.89.213.6
+          hostname: sw-shop-1
+          hw-address: "C0:4A:00:FB:DA:C5"
+        - ip-address: 10.89.213.7
+          hostname: sw-shop-2-peo
+          hw-address: "f4:e2:c6:bf:20:ee"
+        - ip-address: 10.89.213.8
+          hostname: sw-shop-3-peo
+          hw-address: "d8:b3:70:85:72:76"
+        - ip-address: 10.89.213.11
+          hostname: pve01
+          hw-address: "38:05:25:30:80:35"
+        - ip-address: 10.89.213.12
+          hostname: pve02
+          hw-address: "b8:85:84:b1:57:b6"
+        - ip-address: 10.89.213.13
+          hostname: pve03
+          hw-address: "98:fa:9b:a2:ed:e8"
+        - ip-address: 10.89.213.15
+          hostname: pbs
+          hw-address: "BC:24:11:D6:2C:81"
+        - ip-address: 10.89.213.21
+          hostname: unifi
+          hw-address: "BC:24:11:25:77:60"
+        - ip-address: 10.89.213.22
+          hostname: club-assistant
+          hw-address: "7a:55:61:c3:a2:89"
+        - ip-address: 10.89.213.23
+          hostname: automation
+          hw-address: "f2:20:75:5a:2f:8c"
+        - ip-address: 10.89.213.24
+          hostname: yate
+          hw-address: "bc:24:11:73:3e:f7"
+        - ip-address: 10.89.213.25
+          hostname: ptouch-print-server
+          hw-address: "bc:24:11:f2:cf:8f"
+        - ip-address: 10.89.213.26
+          hostname: mqtt
+          hw-address: "bc:24:11:48:85:73"
+        - ip-address: 10.89.213.27
+          hostname: factorio
+          hw-address: "bc:24:11:a3:43:7f"
+        - ip-address: 10.89.213.28
+          hostname: light
+          hw-address: "72:61:ea:e6:49:e3"
+        - ip-address: 10.89.213.29
+          hostname: homematic
+          hw-address: "fe:3a:42:77:3a:be"
+        - ip-address: 10.89.213.30
+          hostname: proxmox-backup-server
+          hw-address: "8a:48:dd:a3:22:40"
+      option-data:
+        - name: routers,
+          csv-format: true
+          data: 10.89.213.1
+
+kea_dhcp__dhcp6:
+  enable: true
+  interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
+  control-sockets:
+    - socket-name: /var/run/kea-dhcp6-ctrl-agent.sock
+      socket-type: unix
+  lease-database:
+    type: memfile
+    persist: true
+  option-data:
+    - name: "dns-servers"
+      code: 23
+      csv-format: true
+      data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"
+  subnets:
+    - id: 1
+      subnet: "2a07:c481:1:33::/64"
+      pools:
+        - pool: "2a07:c481:1:33::1:1 - 2a07:c481:1:33::FFFF:FFFF"
+    - id: 2
+      subnet: "2a07:c481:1:34::/64"
+      pools:
+        - pool: "2a07:c481:1:34::1:1 - 2a07:c481:1:34::FFFF:FFFF"
+    - id: 3
+      subnet: "2a07:c481:1:36::/64"
+      pools:
+        - pool: "2a07:c481:1:36::1:1 - 2a07:c481:1:36::FFFF:FFFF"
+      reservations:
+        - ip-address: "2a07:c481:1:36::2"
+          hostname: sw-rack-1
+          hw-address: "F0:9F:C2:10:C3:AA"
+        - ip-address: "2a07:c481:1:36::3"
+          hostname: sw-rack-2-peo
+          hw-address: "44:d9:e7:06:69:5d"
+        - ip-address: "2a07:c481:1:36::4"
+          hostname: sw-main-1
+          hw-address: "a8:9c:6c:16:df:cc"
+        - ip-address: "2a07:c481:1:36::5"
+          hostname: sw-main-2
+          hw-address: "a8:9c:6c:16:e8:86"
+        - ip-address: "2a07:c481:1:36::6"
+          hostname: sw-shop-1
+          hw-address: "C0:4A:00:FB:DA:C5"
+        - ip-address: "2a07:c481:1:36::7"
+          hostname: sw-shop-2-peo
+          hw-address: "f4:e2:c6:bf:20:ee"
+        - ip-address: "2a07:c481:1:36::8"
+          hostname: sw-shop-3-peo
+          hw-address: "d8:b3:70:85:72:76"
+        - ip-address: "2a07:c481:1:36::b"
+          hostname: pve01
+          hw-address: "38:05:25:30:80:35"
+        - ip-address: "2a07:c481:1:36::c"
+          hostname: pve02
+          hw-address: "b8:85:84:b1:57:b6"
+        - ip-address: "2a07:c481:1:36::d"
+          hostname: pve03
+          hw-address: "98:fa:9b:a2:ed:e8"
+        - ip-address: "2a07:c481:1:36::f"
+          hostname: pbs
+          hw-address: "BC:24:11:D6:2C:81"
+        - ip-address: "2a07:c481:1:36::14"
+          hostname: unifi
+          hw-address: "BC:24:11:25:77:60"
--- a/resources/z9/rt1/nftables/nftables.conf
+++ b/resources/z9/rt1/nftables/nftables.conf
@ -76,6 +76,9 @@ table inet host {

        # Allow DHCP server access.
 		    iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access"
+
+        # Allow DNS server access from lan_ifs
+        iifname { $lan_ifs, $if_wg55_management } udp dport 53 accept comment "allow dns server access from lan_ifs"
    }
 }