From 052519e85e1896a2cf22fbc02d792af7e71f44ac Mon Sep 17 00:00:00 2001
From: shirenn
Date: Sun, 20 Nov 2022 20:13:05 +0100
Subject: [PATCH] [unbound] wtf

---
 roles/unbound/handlers/main.yml | 9 +++-
 roles/unbound/tasks/main.yml | 11 ++---
 roles/unbound/templates/unbound.conf.j2 | 55 +++++++++++++------------
 3 files changed, 39 insertions(+), 36 deletions(-)

diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml
index b433c429..6931c1ec 100644
--- a/roles/unbound/handlers/main.yml
+++ b/roles/unbound/handlers/main.yml
@@ -1,6 +1,11 @@
 ---
-- name: Restart unbound
+- name: systemctl restart unbound.service
 systemd:
 name: unbound
 enabled: true
- state: restart
+ state: restarted
+ listen: update root trust anchor
+
+- name: run unbound-anchor
+ command: unbound-anchor
+ listen: update root trust anchor
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index 11ad0224..f61e4637 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -11,12 +11,9 @@
 - name: Download the root file
 get_url:
 url: https://www.internic.net/domain/named.root
- dest: /var/unbound/etc/root.hints
- mode: "0444"
- notify: Reload unbound
-
-- name: Fetch the initial keys
- command: unbound-anchor
+ dest: /etc/unbound/root.hints
+ mode: "0644"
+ notify: update root trust anchor
 
 - name: Deploy the configuration
 template:
@@ -25,7 +22,7 @@
 owner: root
 group: root
 mode: 0644
- notify: Reload unbound
+ notify: systemctl restart unbound.service
 
 - name: Enable and start unbound
 systemd:
diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2
index 036dcf47..9ba6cb0f 100644
--- a/roles/unbound/templates/unbound.conf.j2
+++ b/roles/unbound/templates/unbound.conf.j2
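Review bot: The new `run unbound-anchor` handler fails the play on exactly the run that matters, because unbound-anchor(8) exits 1 when it (re)writes the anchor from the built-in key or the certificate and exits 0 both when nothing changed and when an error occurred, so Ansible's `command` module reports a successful bootstrap as a failure and a real failure as success. It also does not pass `-a /etc/unbound/root.key`, so the key is written to unbound-anchor's compiled-in default path, which on some builds is not the `auto-trust-anchor-file` the template configures. Both handlers listen on `update root trust anchor` and Ansible runs notified handlers in the order they are defined, so the restart executes before the anchor refresh and a freshly bootstrapped key is only read at the next restart. I would register the result, map the exit code explicitly and define the anchor handler before the restart; if the daemon runs unprivileged (the template's commented-out `username: "unbound"` suggests the default), the file it creates must also be writable by that user or RFC 5011 rollovers will fail.
```yaml
- name: run unbound-anchor
  # unbound-anchor(8): rc 1 = anchor (re)written, rc 0 = no change *or* error
  command: unbound-anchor -a /etc/unbound/root.key
  register: unbound_anchor
  changed_when: unbound_anchor.rc == 1
  failed_when: unbound_anchor.rc > 1
  listen: update root trust anchor

# … unchanged: systemctl restart unbound.service handler, now defined after the anchor …
```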
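Review bot: Tying the trust-anchor bootstrap to the root.hints download means it only runs when that download reports a change, and `get_url` without `force: yes` downloads only when `dest` does not exist yet, so on a host where /etc/unbound/root.hints is already present but /etc/unbound/root.key is missing or damaged, unbound-anchor is never run again and DNSSEC validation cannot start; the hints file itself is also never refreshed. Keep a dedicated, idempotent bootstrap task instead of coupling it to the hints file, `command: unbound-anchor -a /etc/unbound/root.key` with `args: {creates: /etc/unbound/root.key}`, and decide separately whether the hints should be re-fetched (`force: yes`). The collapsed indentation on this page does not show whether the new `notify:` sits at task level or under `get_url:`; if it is the latter, Ansible rejects it as an unsupported module parameter, so it is worth a glance in the file.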
@@ -1,54 +1,55 @@ server: - verbosity: {{ unbound['verbosity'] | default(1) }} + verbosity: {{ unbound['verbosity'] | default(1) }} {% for adr in unbound['interfaces'] %} - interface: {{ adr }} + interface: {{ adr }} {% endfor %} {% for ac in unbound['access-control'] %} - # {{ ac['name'] }} + # {{ ac['name'] }} {% for addr in ac['addr'] %} - access-control: {{ addr }} {{ ac['policy'] }} + access-control: {{ addr }} {{ ac['policy'] }} {% endfor %} {% endfor %} - # chroot: "/etc/unbound" - # username: "unbound" - # directory: "/etc/unbound" - - num-threads: 8 + # reply on the same interface that the query came from + interface-automatic: yes - # the log file, "" means log to stderr. - # Use of this option sets use-syslog to "no". - # logfile: "" + # chroot: "/etc/unbound" + # username: "unbound" + # directory: "/etc/unbound" - use-syslog: yes + # the log file, "" means log to stderr. + # Use of this option sets use-syslog to "no". + # logfile: "" - # Log identity to report. if empty, defaults to the name of argv[0] - # (usually "unbound"). - # log-identity: "" + use-syslog: yes - # print UTC timestamp in ascii to logfile, default is epoch in seconds. - # log-time-ascii: no + # Log identity to report. if empty, defaults to the name of argv[0] + # (usually "unbound"). + # log-identity: "" - #log-queries: yes - #log-replies: yes + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + # log-time-ascii: no - root-hints: "root.hints" + #log-queries: yes + #log-replies: yes - module-config: "validator iterator" - auto-trust-anchor-file: "/etc/unbound/root.key" - val-log-level: {{ unbound['val-log-level'] | default(2) }} + root-hints: "root.hints" + + module-config: "validator iterator" + auto-trust-anchor-file: "/etc/unbound/root.key" + val-log-level: {{ unbound['val-log-level'] | default(2) }} python: - # ... + # ... dynlib: - # ... + # ... # Remote control config section. remote-control: - # ... + # ...
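Review bot: The comment above the new `interface-automatic: yes` undersells the option: unbound.conf(5) marks it experimental and, in current releases, describes it as listening on all addresses on all current and future interfaces with source-address detection, which may be wider than the per-address `interface:` lines rendered just above it (how the two interact differs between versions, so verify the bound sockets after deploy, e.g. with `ss -lunp`). With that option the rendered `access-control:` list and the host firewall are the only things deciding who gets answers, so make sure the variables end in an explicit `0.0.0.0/0 refuse` / `::0/0 refuse` rather than relying on the built-in default. I would change the comment to `# experimental; unbound.conf(5) documents this as listening on all interfaces -- verify the bound sockets and keep access-control restrictive`. Separately, `root-hints: "root.hints"` is a relative path resolved against `directory`/chroot, so it only finds the file the task now writes to /etc/unbound if the compiled-in directory is /etc/unbound; the commented-out `directory:` line suggests that, but it is an assumption worth confirming.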