Unbound: fw-allow from internal

roles/unbound/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: Source nftables handlers
+  import_role:
+    name: 'nftables'
+    tasks_from: 'nop.yml'
+
 - name: Install Unbound
   apt:
     name:
@@ -12,3 +17,17 @@
     - unbound.conf
     - trust-anchor-dn42.zone
   notify: reload unbound
+
+- name: Deploy unbound firewall configuration
+  template:
+    src: 'nftables/{{ item }}.conf.j2'
+    dest: '/etc/nftables/{{ item }}.conf'
+  loop:
+    - filter-input.d/40-unbound
+  notify: reload nftables
+
+- name: Etckeeper - commit
+  import_role:
+    name: etckeeper_commit
+  vars:
+    etckeeper_reason: Configure Unbound recursive DNS resolver

roles/unbound/templates/nftables/filter-input.d/40-unbound.conf.j2

@@ -0,0 +1,3 @@
+{{ ansible_managed | comment }}
+
+iifname $IF_DN42_INTERNAL udp dport 53 accept comment DNS