diff --git a/group_vars/all b/group_vars/all index de454ee..4f3ec2b 100644 --- a/group_vars/all +++ b/group_vars/all @@ -143,6 +143,7 @@ localtime: unbound: tls: True + roothints_update: trusted nameservers: - 1.1.1.1@853#cloudflare-dns.com # Cloudflare - 9.9.9.9@853#dns.quad9.net # Quad9 diff --git a/roles/unbound/files/roothints.service b/roles/unbound/files/roothints.service new file mode 100644 index 0000000..dece9e8 --- /dev/null +++ b/roles/unbound/files/roothints.service @@ -0,0 +1,6 @@ +[Unit] +Description=Unbound Root Hints Update Service +After=network.target + +[Service] +ExecStart=/usr/bin/curl -sS -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache diff --git a/roles/unbound/files/roothints.timer b/roles/unbound/files/roothints.timer new file mode 100644 index 0000000..43db237 --- /dev/null +++ b/roles/unbound/files/roothints.timer @@ -0,0 +1,11 @@ +[Unit] +Description=Unbound Root Hints Update Timer + +[Timer] +OnCalendar=monthly +Persistent=true +RandomizedDelaySec=3600 +Unit=roothints.service + +[Install] +WantedBy=timers.target diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml index 4dc0a6c..b0d9051 100644 --- a/roles/unbound/handlers/main.yml +++ b/roles/unbound/handlers/main.yml @@ -1,3 +1,7 @@ --- - name: restart unbound service: name=unbound state=restarted + +- name: restart roothints + service: name=roothints.timer state=restarted + when: unbound.roothints_update == "all" diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 0812c7c..0563766 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml 
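Review bot: The new `roothints_update` key is set to `trusted` with nothing saying which values are valid; within this commit the handler compares it against the literal `"all"` and the tasks file passes it through to nmtrust as `run_on`, so a reader has to reverse-engineer the accepted set from two other files. A one-line comment above the key would fix that, e.g. `# roothints_update: on which networks the root-hints timer may run — "all", or "trusted" (gated by nmtrust); accepted values are defined by roles/nmtrust/tasks/unit.yml`. The meaning of "trusted" is inferred from the role name here and should be confirmed against unit.yml before it is written down.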
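Review bot: `ExecStart` writes curl's output straight to /etc/unbound/root.hints without `-f`, so a 4xx/5xx response replaces the working hints file with an HTML error body and an interrupted transfer leaves it truncated; unbound is then left with unusable root hints at its next start. Download with `-f` into a temporary file and move it into place only on success, and mark the unit `Type=oneshot` since it does one job per timer trigger. `After=network.target` does not wait for connectivity, and because the timer is `Persistent=true` a missed run fires right after boot, so the unit should be ordered after `network-online.target` (with a matching `Wants=`) or the first run after a reboot will fail with no retry. Note also that the fetch's only integrity protection is the HTTPS connection to internic.net; that may be acceptable, but it is worth stating in a comment.

```ini
[Unit]
# … unchanged: Description …
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/curl -sSf -o /etc/unbound/root.hints.tmp https://www.internic.net/domain/named.cache
ExecStartPost=/bin/mv /etc/unbound/root.hints.tmp /etc/unbound/root.hints
```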
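Review bot: `restart roothints` errors out on any host where `unbound.roothints_update` is not defined, because a `when` that dereferences a missing dict key fails rather than evaluating false; guard it with `when: unbound.roothints_update | default('') == "all"` (the group_vars default added in this commit masks the problem only as long as that file applies). With the value set to `trusted`, this handler never fires, so a changed timer file is daemon-reloaded but not restarted by Ansible — presumably the nmtrust include takes ownership of the timer in that mode, which is worth confirming. The restart also depends on `reload systemd config` (defined outside this file) running first; handlers run in definition order, not notification order, so check that the reload handler is defined before this one. The new handler uses `key=value` module arguments while the new tasks in this commit use block YAML; `service:` with `name:` and `state:` keys would keep the role consistent.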
@@ -40,3 +40,23 @@ lineinfile: dest=/etc/resolvconf.conf state=present line="name_servers=127.0.0.1" + +- name: Push Unbound root hits update service file + copy: + src: roothints.service + dest: /etc/systemd/system/roothints.service + notify: + - reload systemd config + +- name: Push Unbound root hits update timer file + copy: + src: roothints.timer + dest: /etc/systemd/system/roothints.timer + notify: + - reload systemd config + - restart roothints + +- include_tasks: roles/nmtrust/tasks/unit.yml + vars: + unit: roothints.timer + run_on: "{{ unbound.roothints_update }}"
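Review bot: Both new `copy` tasks are named "root hits" where "root hints" is meant; rename them. Neither task sets `mode:`, so the installed unit files' permissions follow the remote umask — pin them with `mode: "0644"` so the result is identical on every host. The timer task notifies `reload systemd config` and `restart roothints` together, but the restart only picks up the new timer definition if the daemon-reload handler runs first, which depends on handler definition order (the reload handler is not in this role's handlers file), so that ordering should be verified. The `lineinfile` task at the top of the hunk starts outside it.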