infra/ansible/roles/unbound/tasks/main.yaml

- name: Install unbound on RedHat family
  package:
    name: unbound
    state: latest
  when: ansible_os_family == "RedHat"

- name: Install unbound on Arch
  community.general.pacman:
    name: unbound
    state: present
  when: ansible_os_family == "Archlinux"

- name: Install unbound.conf
  template:
    src: templates/unbound.conf.j2
    dest: /etc/unbound/unbound.conf
    owner: root
    group: root
    mode: '0644'
  notify: Restart unbound

- name: Enable unbound service
  service:
    name: unbound
    enabled: yes
    state: started

- name: Permit traffic in default zone on port 53/udp
  ansible.posix.firewalld:
    port: 53/udp
    permanent: true
    state: enabled
    immediate: true
    offline: true

- name: Permit traffic in default zone on port 53/tcp
  ansible.posix.firewalld:
    port: 53/tcp
    permanent: true
    state: enabled
    immediate: true
    offline: true