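---
# Install and configure the unbound recursive DNS resolver.
#
# Order matters: the package is installed first, the unbound-control
# certificates are generated if absent, the configuration templates are
# rendered, and the service is restarted last.

# This is used to let unbound bind to the right IP addresses.
- name: set dns_host_suffix (main)
  set_fact:
    dns_host_suffix: "{{ dns_host_suffix_main }}"
  when: "'rdns_main' in group_names"

- name: set dns_host_suffix (backup)
  set_fact:
    dns_host_suffix: "{{ dns_host_suffix_backup }}"
  when: "'rdns_backup' in group_names"

- name: install unbound
  apt:
    update_cache: true
    name: unbound
    state: present
  register: unbound_install

# The two stat tasks only look at the .pem certificates. unbound-control-setup
# also writes the matching .key files; a missing key next to an existing
# certificate is not detected here.
- name: check if unbound-control certificate exists
  stat:
    path: /etc/unbound/unbound_control.pem
  register: ubc_control_pem

- name: check if unbound server certificate exists
  stat:
    path: /etc/unbound/unbound_server.pem
  register: ubc_server_pem

# Generates the key material that authenticates unbound-control to the
# daemon. It runs only when a certificate is absent, so existing keys are
# left in place on repeat runs.
- name: run unbound-control-setup if a certificate is missing
  command: unbound-control-setup
  become: true
  when: not ubc_control_pem.stat.exists or not ubc_server_pem.stat.exists

# File modes are quoted so they reach the module as the string "0644" and
# do not depend on how the YAML parser types a bare 0644.
- name: add unbound-control configuration
  template:
    src: unbound-control.conf.j2
    dest: /etc/unbound/unbound.conf.d/unbound-control.conf
    mode: "0644"

- name: setup main unbound config file
  template:
    src: unbound.conf.j2
    dest: /etc/unbound/unbound.conf
    mode: "0644"

- name: setup recursive DNS server config
  template:
    src: recursive.conf.j2
    dest: /etc/unbound/unbound.conf.d/recursive.conf
    mode: "0644"

# Fail the play here rather than restart the resolver into a configuration
# it cannot load. With no argument unbound-checkconf reads the default
# configuration file; this assumes that is /etc/unbound/unbound.conf on the
# target (confirm for the distribution in use).
- name: validate unbound configuration before restarting
  command: unbound-checkconf
  changed_when: false

# Runs on every play, whether or not a template changed.
- name: restart unbound after editing config
  systemd:
    state: restarted
    name: unbound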