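---
# Unbound DNS Server Playbook
#
# Usage: ansible-playbook -i inventory.ini playbooks/dns.yml
#
# Configures Unbound as a recursive resolver with local DNS records
# for the Nebula overlay network.
#
# Module names use the fully qualified collection form throughout
# (ansible.builtin.* / community.general.*) so the play does not depend
# on implicit short-name resolution.

- name: Setup Unbound DNS Server
  hosts: dns
  become: true

  tasks:
    - name: Install unbound and bind-tools
      community.general.pacman:
        name:
          - unbound
          - bind  # provides dig for verification
        state: present

    - name: Create unbound config directory
      ansible.builtin.file:
        path: /etc/unbound
        state: directory
        owner: root
        group: root
        mode: '0755'

    - name: Deploy main unbound configuration
      ansible.builtin.template:
        src: ../templates/unbound.conf.j2
        dest: /etc/unbound/unbound.conf
        owner: root
        group: root
        mode: '0644'
      notify: Restart unbound

    - name: Deploy local zones configuration
      ansible.builtin.template:
        src: ../templates/unbound-local-zones.conf.j2
        dest: /etc/unbound/local-zones.conf
        owner: root
        group: root
        mode: '0644'
      notify: Restart unbound

    - name: Deploy unbound systemd service
      ansible.builtin.template:
        src: ../templates/unbound.service.j2
        dest: /etc/systemd/system/unbound.service
        owner: root
        group: root
        mode: '0644'
      notify:
        - Reload systemd
        - Restart unbound

    # Handlers normally run only at the end of the play. Flushing them here
    # makes systemd pick up a changed unit file before the service is
    # started, and makes the verification below query an unbound that is
    # running the configuration just deployed rather than the previous one.
    - name: Apply pending systemd reload and unbound restart
      ansible.builtin.meta: flush_handlers

    - name: Enable and start unbound
      ansible.builtin.systemd:
        name: unbound
        state: started
        enabled: true

    - name: Verify unbound is responding
      ansible.builtin.command: dig @127.0.0.1 dns.nebula +short
      register: dns_test
      changed_when: false
      # hostvars is keyed by inventory hostname, not group name: this assumes
      # a host literally named 'dns' that carries nebula_ip — confirm against
      # inventory.ini (if 'dns' is only a group, use the play host's own var).
      failed_when: dns_test.stdout != hostvars['dns']['nebula_ip']

  handlers:
    - name: Reload systemd
      ansible.builtin.systemd:
        daemon_reload: true

    - name: Restart unbound
      ansible.builtin.systemd:
        name: unbound
        state: restarted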