From fcbc90c89cb423404d4e2661fc27d0cbf84b1f4c Mon Sep 17 00:00:00 2001
From: Julian Rother
Date: Tue, 11 Nov 2025 03:34:00 +0100
Subject: [PATCH] Initial commit
---
defaults/main.yml | 20 ++++++++++++++++++++
handlers/main.yml | 4 ++++
tasks/main.yml | 12 ++++++++++++
templates/unbound.conf.j2 | 36 ++++++++++++++++++++++++++++++++++++
4 files changed, 72 insertions(+)
create mode 100644 defaults/main.yml
create mode 100644 handlers/main.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/unbound.conf.j2
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..362513d
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,20 @@
+unbound_config_raw: ''
+unbound_config_include_conf_d: true
+unbound_config:
+ server:
+ verbosity: 1
+ interface:
+ - 127.0.0.1
+ - ::1
+ access-control:
+ - 127.0.0.1/8 allow
+ - ::1/128 allow
+ private-address:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ - 169.254.0.0/16
+ - 127.0.0.0/8
+ - fd00::/8
+ - fe80::/10
+ - ::ffff:0:0/96
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..337b8d4
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart unbound
+ ansible.builtin.service:
+ name: unbound
+ state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..0acf3da
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,12 @@
+- name: install packages
+ ansible.builtin.apt:
+ pkg:
+ - unbound
+ - unbound-anchor
+
+- name: copy unbound config
+ ansible.builtin.template:
+ src: unbound.conf.j2
+ dest: /etc/unbound/unbound.conf
+ mode: "0640"
+ notify: restart unbound
diff --git a/templates/unbound.conf.j2 b/templates/unbound.conf.j2
new file mode 100644
index 0000000..192a904
--- /dev/null
+++ b/templates/unbound.conf.j2
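Review bot: In defaults/main.yml the hardening values (`interface`, `access-control`, `private-address`) all sit inside the single nested `unbound_config` default, so under Ansible's default hash behaviour (replace, not merge) an inventory that sets `unbound_config` to change one option drops every one of them. Losing `private-address` matters most, because the rendered configuration then carries no rebinding filter unless the operator copied the list by hand. Consider moving these values into a separate variable (name is a suggestion) that the template merges with the user's mapping, e.g. `unbound_config_defaults | combine(unbound_config, recursive=True)`. At minimum, add a comment above `unbound_config:` such as `# Overriding unbound_config replaces the whole mapping; copy access-control and private-address into your override.`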
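Review bot: In tasks/main.yml the `copy unbound config` task writes the rendered file with no `validate:` step and then notifies a full restart, so a mistake in `unbound_config` or `unbound_config_raw` takes the resolver down on the next run. Adding `validate: unbound-checkconf %s` to the template task makes it fail before the live file is replaced. The task also sets `mode: "0640"` without `owner:` or `group:`. Stating them explicitly (for example `owner: root` and `group: unbound`, if that group exists on the target) records who is meant to read the file rather than inheriting it from the connecting user.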
@@ -0,0 +1,36 @@
+#jinja2: lstrip_blocks: True
+{% macro clause_attr(key, value) %}
+{% if value is boolean %}
+ {{ key }}: {{ 'yes' if value else 'no' }}
+{% elif value is iterable and not value is string %}
+{% for item in value %}
+ {{ key }}: {{ item }}
+{% endfor %}
+{% else %}
+ {{ key }}: {{ value }}
+{% endif %}
+{% endmacro %}
+
+{% if unbound_config_include_conf_d %}
+include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
+{% endif %}
+
+{% for clause, clause_items in unbound_config.items() %}
+{% if clause_items.values()|reject('mapping')|length != 0 %}
+{{ clause }}:
+{% for key, value in clause_items.items() %}
+{{ clause_attr(key, value) }}
+{%- endfor %}
+
+{% else %}
+{% for clause_key, clause_instance_items in clause_items.items() %}
+{{ clause }}:
+ name: "{{ clause_key }}"
+{% for key, value in clause_instance_items.items() %}
+{{ clause_attr(key, value) }}
+{%- endfor %}
+
+{% endfor %}
+{% endif %}
+{% endfor %}
+{{ unbound_config_raw }}
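Review bot: The `clause_attr` macro and the `name: "{{ clause_key }}"` line write keys and values into unbound.conf verbatim, and `{{ unbound_config_raw }}` is appended unchanged, so a value containing a newline or a double quote turns into extra directives in the resolver configuration. That is acceptable while every value is typed by the operator, but nothing in the template says so, and strings that unbound expects quoted must carry their own quotes. I would add a comment below the `#jinja2:` header line, e.g. `{# Values are emitted verbatim: include any quotes unbound needs, and do not build unbound_config from facts or other untrusted data. #}`. A second short comment above the `reject('mapping')` test should say that it chooses between a single clause and a set of named clause instances, since that rule is not obvious from the expression.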