update roothints monthly

group_vars/all

@@ -143,6 +143,7 @@ localtime:
 
 unbound:
     tls: True
+    roothints_update: trusted
     nameservers:
         - 1.1.1.1@853#cloudflare-dns.com  # Cloudflare
         - 9.9.9.9@853#dns.quad9.net  # Quad9

roles/unbound/files/roothints.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Unbound Root Hints Update Service
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/curl -sS -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

roles/unbound/files/roothints.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=Unbound Root Hints Update Timer
+
+[Timer]
+OnCalendar=monthly
+Persistent=true
+RandomizedDelaySec=3600
+Unit=roothints.service
+ 
+[Install]
+WantedBy=timers.target

roles/unbound/handlers/main.yml

@@ -1,3 +1,7 @@
 ---
 - name: restart unbound
   service: name=unbound state=restarted
+
+- name: restart roothints
+  service: name=roothints.timer state=restarted
+  when: unbound.roothints_update == "all"

roles/unbound/tasks/main.yml

@@ -40,3 +40,23 @@
   lineinfile: dest=/etc/resolvconf.conf
               state=present
               line="name_servers=127.0.0.1"
+
+- name: Push Unbound root hits update service file
+  copy:
+    src: roothints.service
+    dest: /etc/systemd/system/roothints.service
+  notify:
+    - reload systemd config
+
+- name: Push Unbound root hits update timer file
+  copy:
+    src: roothints.timer
+    dest: /etc/systemd/system/roothints.timer
+  notify:
+    - reload systemd config
+    - restart roothints
+
+- include_tasks: roles/nmtrust/tasks/unit.yml
+  vars:
+      unit: roothints.timer
+      run_on: "{{ unbound.roothints_update }}"