From 9f5e227dbdbca0855329a5d2e9a9657a8dcf433d Mon Sep 17 00:00:00 2001
From: L3D
Date: Fri, 16 Jul 2021 19:55:33 +0200
Subject: [PATCH] adding luna

---
 host_vars/luna.l3d.ch/vars.yml | 19 +++++++++++++++++++
 hosts.ini | 9 +++++++++
 roles/unbound | 2 +-
 site.yml | 6 +++++-
 4 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 host_vars/luna.l3d.ch/vars.yml

diff --git a/host_vars/luna.l3d.ch/vars.yml b/host_vars/luna.l3d.ch/vars.yml
new file mode 100644
index 0000000..be82ba9
--- /dev/null
+++ b/host_vars/luna.l3d.ch/vars.yml
@@ -0,0 +1,19 @@
+---
+# allow public DNS (in internal network)
+unbound_listen_addresses:
+ - '0.0.0.0@53'
+ - '::0@53'
+unbound_access_control:
+ - 'access-control: 192.168.255.0/24 allow'
+ - 'access-control: fe80::/64 allow'
+ - 'access-control: fd00::/8 allow'
+ - 'access-control: 127.0.0.1 allow'
+ - 'access-control: ::1 allow'
+
+# open firewall for WEB, SSH and DNS
+firewall_allowed_tcp_ports:
+ - "22"
+ - "53"
+ - "80"
+ - "443"
+firewall_allowed_udp_ports: ['53']
diff --git a/hosts.ini b/hosts.ini
index 500c784..19bc908 100644
--- a/hosts.ini
+++ b/hosts.ini
@@ -3,3 +3,12 @@ web01.l3d.space
 
 [mail]
 mail01.l3d.space
+
+[home]
+luna.l3d.ch ansible_host=192.168.255.2
+
+[resolver]
+luna.l3d.ch ansible_host=192.168.255.2
+
+[resolver:children]
+mail
diff --git a/roles/unbound b/roles/unbound
index 6948f13..fbb65b8 160000
--- a/roles/unbound
+++ b/roles/unbound
@@ -1 +1 @@
-Subproject commit 6948f130f37c5c84a09ef5c2e7ce7ab5278c92ad
+Subproject commit fbb65b84e6756b2c98963384e794c50586ef8c43
diff --git a/site.yml b/site.yml
index 3fd46a8..d420872 100644
--- a/site.yml
+++ b/site.yml
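Review bot: `unbound_listen_addresses` binds unbound to `0.0.0.0@53` and `::0@53` while `firewall_allowed_tcp_ports` and `firewall_allowed_udp_ports` open port 53 to any source, so the "in internal network" intent stated in the comment on the second line is enforced by the `unbound_access_control` list alone. If luna has any non-internal interface, binding to the internal address instead (hosts.ini sets `ansible_host=192.168.255.2`, presumably that interface), e.g. `- '192.168.255.2@53'`, keeps the resolver off other interfaces; otherwise a comment such as `# listens on all interfaces; the access-control list below is the only client filter` should record that reliance. Separately, the visible site.yml applies only the unbound role to the `resolver` group and nothing to `home`, so opening 80 and 443 here has no matching service as far as this commit shows; drop them or note which role serves those ports.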
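Review bot: `luna.l3d.ch ansible_host=192.168.255.2` is declared twice, once under `[home]` and once under `[resolver]`, so the connection address can drift between the two group entries. Since this commit already creates host_vars/luna.l3d.ch/vars.yml, the cleaner form is to put `ansible_host: 192.168.255.2` there and list the bare `luna.l3d.ch` under both groups. Note also that `[resolver:children]` pulls `mail` into the resolver group, so `mail01.l3d.space` keeps receiving the unbound role through the new play; that is presumably intended, since the role was previously in the mail play, but a one-line comment above `[resolver:children]` saying so would make it explicit.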
@@ -33,10 +33,14 @@
 - {role: do1jlr.gitea, tags: [web, gitea, git]}
 - {role: goaccess, tags: [web, goaccess]}
 
+- name: deploy dns resolver
+ hosts: resolver
+ roles:
+ - {role: unbound, tags: [mail, unbound]}
+
 - name: deploy mail config
 hosts: mail
 roles:
- - {role: unbound, tags: [mail, unbound]}
 - {role: geerlingguy.mysql, tags: [mail, mysql, mariadb], become: true}
 - {role: do1jlr.webhost, tags: [mail, webhost], become: true}
 - {role: acmetool_fix, tags: [mail, acmetool]}
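Review bot: the new `deploy dns resolver` play keeps `tags: [mail, unbound]` on the unbound role, so a `--tags mail` run now also deploys the resolver to luna, which hosts.ini places in `home` and `resolver` but not in `mail`. Tagging the role by its function instead, `- {role: unbound, tags: [dns, unbound]}`, keeps tag-limited runs scoped to the play they belong to; `mail` can be kept in addition if the mail hosts are still expected to pick the role up under that tag. The `mail` group reaches this play through `resolver:children`, so the effective hosts of the resolver play are not obvious from site.yml alone and deserve a short comment on the play.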