[unbound] wtf

roles/unbound/handlers/main.yml

@@ -1,6 +1,11 @@
 ---
-- name: Restart unbound
+- name: systemctl restart unbound.service
   systemd:
     name: unbound
     enabled: true
-    state: restart
+    state: restarted
+  listen: update root trust anchor
+
+- name: run unbound-anchor
+  command: unbound-anchor
+  listen: update root trust anchor

roles/unbound/tasks/main.yml

@@ -11,12 +11,9 @@
 - name: Download the root file
   get_url:
     url: https://www.internic.net/domain/named.root
-    dest: /var/unbound/etc/root.hints
-    mode: "0444"
-  notify: Reload unbound
-
-- name: Fetch the initial keys
-  command: unbound-anchor
+    dest: /etc/unbound/root.hints
+    mode: "0644"
+  notify: update root trust anchor
 
 - name: Deploy the configuration
   template:
@@ -25,7 +22,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: Reload unbound
+  notify: systemctl restart unbound.service
 
 - name: Enable and start unbound
   systemd:

roles/unbound/templates/unbound.conf.j2

@@ -12,12 +12,13 @@ server:
 {% endfor %}
 {% endfor %}
 
+	# reply on the same interface that the query came from
+	interface-automatic: yes
+
 	# chroot: "/etc/unbound"
 	# username: "unbound"
 	# directory: "/etc/unbound"
 
-    num-threads: 8
-
 	# the log file, "" means log to stderr.
 	# Use of this option sets use-syslog to "no".
 	# logfile: ""