From 0a74ac02c21d35bc58a0d9bc48c54efcc08133fe Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Tue, 26 May 2026 10:06:52 +0200 Subject: [PATCH] unbound(role): use existing deploy_systemd_resolved_config role and some reordering --- inventories/z9/hosts.yaml | 3 +++ roles/unbound/handlers/main.yml | 7 ------ roles/unbound/tasks/main.yml | 24 +++---------------- roles/unbound/tasks/prometheus-exporter.yml | 8 ++++++- .../vars/deploy_systemd_resolved_config.yaml | 9 +++++++ 5 files changed, 22 insertions(+), 29 deletions(-) create mode 100644 roles/unbound/vars/deploy_systemd_resolved_config.yaml diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 740c7ba..39fa97b 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -17,6 +17,9 @@ all: z9-router: ansible_host: z9-router.ccchh.net ansible_user: chaos +base_config_hosts: + hosts: + z9-router: certbot_hosts: hosts: dooris: diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml index e1345bf..222e8c5 100644 --- a/roles/unbound/handlers/main.yml +++ b/roles/unbound/handlers/main.yml @@ -18,10 +18,3 @@ name: prometheus-unbound-exporter.service state: restarted enabled: true - -- name: prometheus-unbound-exporter.enabled - become: true - ansible.builtin.systemd: - name: prometheus-unbound-exporter.service - enabled: true - daemon_reload: true diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 7ed42cb..eb88f93 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -7,11 +7,6 @@ ansible.builtin.package: name: unbound - - name: install extra dns tooling - become: true - ansible.builtin.package: - name: [ bind ] # the bind package includes tools like dig in archlinux - - name: ensure correct directory permissions become: true ansible.builtin.file: 
@@ -40,23 +35,10 @@ enabled: true - name: disable systemd-resolved - become: true when: unbound_disable_systemd_networkd - ansible.builtin.systemd: - name: systemd-resolved.service - state: stopped - enabled: false - - - name: configure system resolver to point to local unbound - become: true - when: unbound_disable_systemd_networkd - ansible.builtin.copy: - src: no-resolved.resolv.conf - dest: /etc/resolv.conf - owner: unbound - group: unbound - mode: u=rw,g=r,o=r - + ansible.builtin.include_role: + name: deploy_systemd_resolved_config + vars_from: deploy_systemd_resolved_config - name: install and configure prometheus-exporter for unbound ansible.builtin.import_tasks: prometheus-exporter.yml diff --git a/roles/unbound/tasks/prometheus-exporter.yml b/roles/unbound/tasks/prometheus-exporter.yml index d05b838..b794e07 100644 --- a/roles/unbound/tasks/prometheus-exporter.yml +++ b/roles/unbound/tasks/prometheus-exporter.yml @@ -3,7 +3,13 @@ become: true ansible.builtin.package: name: prometheus-unbound-exporter - notify: prometheus-unbound-exporter.enabled + +- name: enable unbound prometheus exporter + become: true + ansible.builtin.systemd: + name: prometheus-unbound-exporter.service + enabled: true + daemon_reload: true - name: configure unbound exporter become: true diff --git a/roles/unbound/vars/deploy_systemd_resolved_config.yaml b/roles/unbound/vars/deploy_systemd_resolved_config.yaml new file mode 100644 index 0000000..0da57c1 --- /dev/null +++ b/roles/unbound/vars/deploy_systemd_resolved_config.yaml @@ -0,0 +1,9 @@ +--- +deploy_systemd_resolved_config__enable: false +deploy_systemd_resolved_config__dns: + - 127.0.0.1 +deploy_systemd_resolved_config__fallback_dns: # Fux DNS Server + - 185.161.128.66 + - 2a07:c481:0:4::2 + - 185.161.128.67 + - 2a07:c481:0:4::3
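Review bot: `vars_from: deploy_systemd_resolved_config` on the rewritten `disable systemd-resolved` task is, as far as I know, looked up in the `vars/` directory of the included role, not of the including `unbound` role, while this commit adds the file under `roles/unbound/vars/`. If that holds here, the include either fails or runs with the role's own defaults, and the host's resolver would no longer be pinned to the local unbound the way the removed `/etc/resolv.conf` copy did. Passing the values directly avoids the lookup question, for example a `vars:` mapping on the include task or a preceding task with `ansible.builtin.include_vars: deploy_systemd_resolved_config.yaml`. The removed `become: true` is fine only if the included role escalates on its own tasks, which is not visible in this hunk.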
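Review bot: The new `roles/unbound/vars/deploy_systemd_resolved_config.yaml` sets `deploy_systemd_resolved_config__enable: false` yet still lists four external resolvers under `deploy_systemd_resolved_config__fallback_dns`, and nothing in the file says how the role combines the two. If the role writes those addresses into a resolver configuration that is actually in use, lookups would go to the external servers whenever 127.0.0.1 does not answer, which bypasses the local unbound instance and hides an unbound outage. A header comment stating the intent would settle it, for example `# systemd-resolved stays disabled on unbound hosts; fallback_dns only applies if it is re-enabled`, adjusted to what the role really does. Quoting the address entries (`'2a07:c481:0:4::2'`) would also keep them clearly typed as strings.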