From 7087a6bf3454a4e88a82cf7194c29a1b10737d7f Mon Sep 17 00:00:00 2001
From: Kristof Provost <kp@FreeBSD.org>
Date: Tue, 18 Mar 2025 04:09:36 +0100
Subject: [PATCH] ansible: allow DNS from the IoT network

We're sticking it all in the dnssec disable config file, because that's easier.
---
 .../roles/domotica/templates/disable_dnssec_validation.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ansible/roles/domotica/templates/disable_dnssec_validation.conf b/ansible/roles/domotica/templates/disable_dnssec_validation.conf
index 9ca4352..8c1262d 100644
--- a/ansible/roles/domotica/templates/disable_dnssec_validation.conf
+++ b/ansible/roles/domotica/templates/disable_dnssec_validation.conf
@@ -1,2 +1,8 @@
 server:
 	val-permissive-mode: yes
+	access-control: 0.0.0.0/0 refuse
+	access-control: ::/0 refuse
+	access-control: 127.0.0.0/8 allow
+	access-control: ::1/128 allow
+	access-control: 172.30.2.0/24 allow
+	interface: 172.30.2.1
-- 
2.51.0