From a297501524141d31d142ad09099006dafaadfe3b Mon Sep 17 00:00:00 2001
From: Alex
Date: Thu, 2 Apr 2020 19:48:34 +0200
Subject: [PATCH] Initial commit
---
files/redxen-dns.conf | 62 +++++++++++++++++++++++++++++++++++++++++++
files/unbound.conf | 55 ++++++++++++++++++++++++++++++++++++++
handlers/main.yml | 4 +++
tasks/main.yml | 18 +++++++++++++
4 files changed, 139 insertions(+)
create mode 100644 files/redxen-dns.conf
create mode 100644 files/unbound.conf
create mode 100644 handlers/main.yml
create mode 100644 tasks/main.yml
diff --git a/files/redxen-dns.conf b/files/redxen-dns.conf
new file mode 100644
index 0000000..4b56f4e
--- /dev/null
+++ b/files/redxen-dns.conf
@@ -0,0 +1,62 @@
+server:
+ local-zone: "redxen.eu." static
+ local-data: "redxen.eu. 10800 IN NS ns0.redxen.eu"
+ local-data: "redxen.eu. 10800 IN NS ns1.redxen.eu"
+ local-data: "redxen.eu. 10800 IN NS ns2.redxen.eu"
+ local-data: "redxen.eu. 10800 IN NS ns3.redxen.eu"
+ local-data: "redxen.eu. 10800 IN NS ns4.redxen.eu"
+
+ local-data: "_amazonses.redxen.eu. 86400 IN TXT PAdK+hmtSCYH2lDwBdiCfJDxyhBj2UHJtwQzL7+kh50="
+ local-data: "6jxdve2mevelrsc4lrp5ymhu2pku67v4._domainkey.redxen.eu. 86400 IN CNAME 6jxdve2mevelrsc4lrp5ymhu2pku67v4.dkim.amazonses.com"
+ local-data: "jqo2wv2wek7sh26vmc2tdzc4gdco6uou._domainkey.redxen.eu. 86400 IN CNAME jqo2wv2wek7sh26vmc2tdzc4gdco6uou.dkim.amazonses.com"
+ local-data: "edzxe6qpinwhafgwlt6b44yarhhfn3xl._domainkey.redxen.eu. 86400 IN CNAME edzxe6qpinwhafgwlt6b44yarhhfn3xl.dkim.amazonses.com"
+
+ local-data: "redxen.eu 86400 IN TXT brave-ledger-verification=1f77ffecf7da410af2f4eeb5953ae13c5ee9ddfdfed5cae63458e63003b97444"
+
+ local-data: "_mumble._tcp.redxen.eu. 86400 IN SRV 0 5 2250 redxen.eu."
+ local-data: "_minecraft._tcp.redxen.eu. 86400 IN SRV 0 5 25565 redxen.eu."
+
+ local-data: "redxen.eu. 86400 IN A 88.198.95.52"
+ local-data: "stats.redxen.eu. 86400 IN A 88.198.95.52"
+ local-data: "git.redxen.eu. 86400 IN A 88.198.95.52"
+ local-data: "seed.redxen.eu. 86400 IN A 88.198.95.52"
+ local-data: "sd.redxen.eu. 86400 IN A 88.198.95.52"
+ local-data: "social.redxen.eu. 86400 IN A 88.198.95.52"
+ local-data: "ns0.redxen.eu. 86400 IN A 88.198.95.52"
+ local-data: "nbg0.redxen.eu. 86400 IN A 88.198.95.52"
+
+ local-data: "redxen.eu. 86400 IN A 88.198.95.107"
+ local-data: "stats.redxen.eu. 86400 IN A 88.198.95.107"
+ local-data: "git.redxen.eu. 86400 IN A 88.198.95.107"
+ local-data: "seed.redxen.eu. 86400 IN A 88.198.95.107"
+ local-data: "sd.redxen.eu. 86400 IN A 88.198.95.107"
+ local-data: "social.redxen.eu. 86400 IN A 88.198.95.107"
+ local-data: "ns1.redxen.eu. 86400 IN A 88.198.95.107"
+ local-data: "nbg1.redxen.eu. 
86400 IN A 88.198.95.107"
+
+ local-data: "redxen.eu. 86400 IN A 88.198.95.106"
+ local-data: "stats.redxen.eu. 86400 IN A 88.198.95.106"
+ local-data: "git.redxen.eu. 86400 IN A 88.198.95.106"
+ local-data: "seed.redxen.eu. 86400 IN A 88.198.95.106"
+ local-data: "sd.redxen.eu. 86400 IN A 88.198.95.106"
+ local-data: "social.redxen.eu. 86400 IN A 88.198.95.106"
+ local-data: "ns2.redxen.eu. 86400 IN A 88.198.95.106"
+ local-data: "nbg2.redxen.eu. 86400 IN A 88.198.95.106"
+
+ local-data: "redxen.eu. 86400 IN A 88.198.95.100"
+ local-data: "stats.redxen.eu. 86400 IN A 88.198.95.100"
+ local-data: "git.redxen.eu. 86400 IN A 88.198.95.100"
+ local-data: "seed.redxen.eu. 86400 IN A 88.198.95.100"
+ local-data: "sd.redxen.eu. 86400 IN A 88.198.95.100"
+ local-data: "social.redxen.eu. 86400 IN A 88.198.95.100"
+ local-data: "ns3.redxen.eu. 86400 IN A 88.198.95.100"
+ local-data: "nbg3.redxen.eu. 86400 IN A 88.198.95.100"
+
+ local-data: "redxen.eu. 86400 IN A 88.198.95.63"
+ local-data: "stats.redxen.eu. 86400 IN A 88.198.95.63"
+ local-data: "git.redxen.eu. 86400 IN A 88.198.95.63"
+ local-data: "seed.redxen.eu. 86400 IN A 88.198.95.63"
+ local-data: "sd.redxen.eu. 86400 IN A 88.198.95.63"
+ local-data: "social.redxen.eu. 86400 IN A 88.198.95.63"
+ local-data: "ns4.redxen.eu. 86400 IN A 88.198.95.63"
+ local-data: "nbg4.redxen.eu. 86400 IN A 88.198.95.63"
diff --git a/files/unbound.conf b/files/unbound.conf
new file mode 100644
index 0000000..b7b1571
--- /dev/null
+++ b/files/unbound.conf
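Review bot: The `redxen.eu 86400 IN TXT brave-ledger-verification=…` record lacks the trailing dot that every other owner name in this file carries; Unbound should still read it as absolute, but `"redxen.eu. 86400 IN TXT brave-ledger-verification=…"` keeps the zone consistent and does not depend on that. The file carries the SES verification TXT and three DKIM CNAMEs, yet no `v=spf1` TXT or `_dmarc.redxen.eu.` record is visible; if mail is sent as this domain and this file is the complete zone, receivers see DKIM without any alignment policy, so adding SPF and a DMARC record (even `p=none` to start) is worth considering. Because unbound.conf admits any client with `refuse_non_local`, these records are effectively public authoritative data, and the `static` zone type means every name under redxen.eu. not listed here (including AAAA for the listed hosts) answers NXDOMAIN or NODATA, which is fine only if that is intended.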
@@ -0,0 +1,55 @@
+include: "/etc/unbound/redxen-dns.conf"
+server:
+ directory: "/etc/unbound"
+ username: unbound
+ do-not-query-address: 127.0.0.11
+ access-control: 0.0.0.0/0 refuse_non_local
+ # Local Host
+ access-control: 127.0.0.0/24 allow
+ # Docker Host
+ access-control: 172.18.0.1/32 allow
+ # Wireguard Range
+ access-control: 172.22.12.0/24 allow
+ # Allow Loopback connections with public ip as source
+ access-control: 88.198.95.52/32 allow
+ access-control: 88.198.95.107/32 allow
+ access-control: 88.198.95.100/32 allow
+ access-control: 88.198.95.106/32 allow
+ access-control: 88.198.95.63/32 allow
+ # log-replies: yes
+ interface: 0.0.0.0
+ interface: ::0
+ extended-statistics: yes
+ root-hints: root.hints
+ rrset-roundrobin: yes
+ trust-anchor-file: /usr/share/dnssec-root/trusted-key.key
+ tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ port: 5353
+ ratelimit: 20
+ prefetch: yes
+ prefetch-key: yes
+ do-daemonize: no
+ logfile: ""
+ cache-min-ttl: 60
+ cache-max-ttl: 960
+ harden-glue: yes
+ aggressive-nsec: yes
+ serve-expired: yes
+ serve-expired-ttl: 86400
+ serve-expired-ttl-reset: yes
+remote-control:
+ control-enable: yes
+ control-use-cert: no
+ control-interface: 0.0.0.0
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-first: yes
+ forward-addr: 2a04:c44:e00:32e0:42a:30ff:fe00:e7d@853#a.cyberiadot.invalid
+ forward-addr: 194.182.165.153@853#a.cyberiadot.invalid
+ forward-addr: 2a01:4f8:1c17:4d9b::853@853#b.cyberiadot.invalid
+ forward-addr: 78.47.220.84@853#b.cyberiadot.invalid
+ forward-addr: 2620:fe::fe@853#dns.quad9.net
+ forward-addr: 9.9.9.9@853#dns.quad9.net
+ forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+ forward-addr: 1.1.1.1@853#cloudflare-dns.com
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..adae4ad
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: reload unbound
+ service:
+ name: unbound
+ state: reloaded
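Review bot: `control-interface: 0.0.0.0` combined with `control-use-cert: no` exposes the unbound-control channel (default port 8953) to every host that can reach the machine, and the `access-control` list does not govern that channel, so anything reaching it can reload the daemon, flush caches or change forwarders without authentication. Bind it to loopback or a unix socket, `control-interface: 127.0.0.1`, or keep `control-use-cert: yes` with unbound-control-setup keys if remote management is genuinely needed. `forward-first: yes` lets unbound fall back to its own plaintext recursion whenever the DoT forwarders fail, which undercuts `forward-tls-upstream: yes`; `forward-first: no` keeps resolution on the encrypted path. The file paths look mismatched with the apt-based install in tasks/main.yml: `root-hints: root.hints` resolves to /etc/unbound/root.hints, which this role does not ship, and `/usr/share/dnssec-root/trusted-key.key` is the Alpine dnssec-root layout rather than Debian's dns-root-data (`/usr/share/dns/root.hints`, `/usr/share/dns/root.key`), so unbound will likely refuse to start until both exist, and `auto-trust-anchor-file` would additionally track RFC 5011 KSK rollovers. Since the daemon also listens on `interface: ::0`, add an explicit `access-control: ::0/0 refuse_non_local` to mirror the IPv4 rule rather than relying on the implicit `::0/0 refuse` default.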
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..74fd840
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Install Unbound
+ apt:
+ install_recommends: no
+ name: unbound
+ state: present
+ cache_valid_time: 3600
+- name: Copy configuration files
+ copy:
+ follow: yes
+ src: roles/dns/files/
+ dest: /etc/unbound/
+ notify:
+ - reload unbound
+- name: Enable unbound in systemd
+ systemd:
+ name: unbound
+ enabled: yes
+ state: started
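Review bot: `src: roles/dns/files/` is resolved relative to the playbook's working directory and hard-codes the role's directory name, so the copy breaks if the role is renamed or loaded from another roles_path; inside a role, `src: "{{ role_path }}/files/"` (or naming the two files, which `copy` resolves against the role's own files/ directory) is portable. No `owner`, `group` or `mode` is set on the copied configuration, so the resulting permissions depend on the remote umask; pinning `owner: root`, `group: root`, `mode: "0644"` makes them deterministic. Nothing checks the configuration before the `reload unbound` handler fires; copying unbound.conf as its own task with `validate: unbound-checkconf %s` would surface a broken config before the running resolver is reloaded, which is awkward to do with a whole-directory copy. Ansible accepts `no`/`yes` here, but `false`/`true` avoids the YAML 1.1 truthy ambiguity that yamllint flags.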