1 files changed, 44 insertions, 0 deletions

diff --git a/roles/dns/tasks/setup_unbound.yaml b/roles/dns/tasks/setup_unbound.yaml
new file mode 100644
index 00000000..ec6f123e
--- /dev/null
+++ b/roles/dns/tasks/setup_unbound.yaml
@@ -0,0 +1,44 @@
+---
+- name: "template out configs"
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+  loop:
+    - src: unbound.conf.j2
+      dest: /var/unbound/etc/unbound.conf
+    - src: resolv.conf.j2
+      dest: /etc/resolv.conf.j2
+    - src: hostname.vether0.j2
+      dest: /etc/hostname.vether0
+      # we need a separate virtual network interface for binding the dns resolver to since ocserv doesn't creates tunnel interface for each separate connected client, it does not create a primary interface
+
+  # unbound will fail if there's nonexisting interface in config
+- name: "create vether0 interface"
+  ansible.builtin.shell: "sh /etc/netstart vether0"
+  when: inventory_hostname in (groups['ocserv']|default([])) + (groups['all_vpns']|default([]))
+
+- name: "setup log file"
+  ansible.builtin.file:
+    path: /var/log/unbound.log
+    state: touch
+    mode: "0600"
+
+  # pure convenience
+- name: "obsd : dns : symlink it to /etc"
+  ansible.builtin.file:
+    src: /var/unbound/etc/unbound.conf
+    dest: /etc/unbound.conf
+    state: link
+
+- name: "obsd : dns : not exists. generate..."
+  ansible.builtin.command: /usr/sbin/unbound-anchor -a /var/unbound/db/root.key
+  args:
+    creates: /var/unbound/db/root.key
+  failed_when: false
+
+- name: "obsd : dns : get root hints"
+  ansible.builtin.command: ftp -o /var/unbound/etc/root.hints https://www.internic.net/domain/named.root
+  args:
+    creates: /var/unbound/db/root.key
+  notify:
+    - restart_unbound