ansible/roles/unbound/tasks/main.yml

---

# This is used to let unbound bind to the right IP addresses.
- name: set dns_host_suffix (main)
  set_fact:
    dns_host_suffix: "{{ dns_host_suffix_main }}"
  when: "'backup' not in inventory_hostname"

- name: set dns_host_suffix (backup)
  set_fact:
    dns_host_suffix: "{{ dns_host_suffix_backup }}"
  when: "'backup' in inventory_hostname"


- name: install unbound
  apt:
    update_cache: true
    name: unbound
    state: present
  register: unbound_install

- name: ensure unbound log directory exists
  file:
    path: /var/log/unbound
    state: directory
    mode: '0755'
    owner: unbound
    group: unbound
  notify: restart unbound

- name: add unbound-control configuration
  template:
    src: unbound-control.conf.j2
    dest: /etc/unbound/unbound.conf.d/unbound-control.conf
    mode: 0644
  notify: restart unbound

- name: setup main unbound config file
  template:
    src: unbound.conf.j2
    dest: /etc/unbound/unbound.conf
    mode: 0644
  notify: restart unbound


- name: ask apparmor to allow unbound to write to log file
  template:
    src: unbound-apparmor-config
    dest: /etc/apparmor.d/local/usr.sbin.unbound
    mode: '0644'
  notify: read unbound apparmor config

- name: setup unbound log rotation
  template:
    src: unbound-logrotate.j2
    dest: /etc/logrotate.d/unbound
    mode: 0644

- name: setup recursive DNS server config
  template:
    src: recursive.conf.j2
    dest: /etc/unbound/unbound.conf.d/recursive.conf
    mode: 0644
  notify: restart unbound