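---
# Main task list of the unbound role: installs the unbound DNS resolver,
# renders its configuration, optionally replaces systemd-resolved as the
# system resolver, and optionally imports the Prometheus exporter tasks.
- name: unbound role main
  tags: [unbound, dns, dns_resolver]
  block:
    - name: install unbound dns resolver
      become: true
      ansible.builtin.package:
        name: unbound

    - name: install extra dns tooling
      become: true
      ansible.builtin.package:
        name:
          - bind  # the bind package includes tools like dig in archlinux

    # recurse: true applies owner, group and mode to everything below
    # /etc/unbound, so the unbound account ends up able to modify every file
    # in its own configuration directory.
    # NOTE(review): confirm the daemon really needs write access here (for
    # example for a trust-anchor file configured in unbound.conf.j2, which is
    # not visible from this file); otherwise root-owned, group-readable files
    # would be the least-privilege choice.
    - name: ensure correct directory permissions
      become: true
      ansible.builtin.file:
        path: /etc/unbound
        state: directory
        mode: 'u=rwX,g=rX,o=rX'
        recurse: true
        owner: unbound
        group: unbound

    # A change to the rendered file triggers the unbound.restarted handler,
    # which is defined outside this file.
    # NOTE(review): the template module's validate option with
    # "unbound-checkconf %s" would keep a broken render from replacing the
    # working config; verify it copes with the paths used by the template
    # before enabling it.
    - name: configure unbound dns resolver
      become: true
      notify: unbound.restarted
      ansible.builtin.template:
        src: unbound.conf.j2
        dest: /etc/unbound/unbound.conf
        owner: unbound
        group: unbound
        mode: 'u=rw,g=r,o=r'

    - name: ensure unbound is running and enabled
      become: true
      ansible.builtin.systemd:
        name: unbound.service
        state: started
        enabled: true

    # NOTE(review): the gating variable is named ..._systemd_networkd, but
    # the unit stopped here is systemd-resolved. The name is kept because the
    # variable is defined outside this file; confirm the mismatch is intended.
    - name: disable systemd-resolved
      become: true
      when: unbound_disable_systemd_networkd
      ansible.builtin.systemd:
        name: systemd-resolved.service
        state: stopped
        enabled: false

    # /etc/resolv.conf is system-wide resolver configuration and is only read
    # by the resolver daemon, so it is owned by root rather than by the
    # unbound service account. With unbound as owner, a compromised daemon
    # could redirect the name resolution of every process on the host.
    - name: configure system resolver to point to local unbound
      become: true
      when: unbound_disable_systemd_networkd
      ansible.builtin.copy:
        src: no-resolved.resolv.conf
        dest: /etc/resolv.conf
        owner: root
        group: root
        mode: 'u=rw,g=r,o=r'

    # import_tasks is static, so the when condition is applied to each task
    # imported from prometheus-exporter.yml.
    - name: install and configure prometheus-exporter for unbound
      ansible.builtin.import_tasks: prometheus-exporter.yml
      when: unbound_install_prometheus_exporter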