Add default nameserver setting, disabling resolved, copying configuration files first, disable cyberia dns temporarily, enable control, remove max cache, set default port to 53 and change hints and anchor paths

files/internal.conf

@@ -1,5 +1,3 @@
 server:
 	local-zone: "redxen.local." static
-
-	local-data: "_git._tcp.redxen.local. 86400 IN SRV 0 5 2202 nbg0.redxen.local."
-	local-data: "_haproxy._tcp.redxen.local. 86400 IN SRV 0 5 8080 nbg3.redxen.local."
+	local-data: "_gitea._tcp.redxen.local. 86400 IN SRV 0 5 443 nbg0.redxen.eu."

files/unbound.conf

@@ -1,37 +1,27 @@
 include: "/etc/unbound/redxen-dns.conf"
+include: "/etc/unbound/internal.conf"
 server:
 	directory: "/etc/unbound"
-	username: unbound
-	do-not-query-address: 127.0.0.11
 	access-control: 0.0.0.0/0 refuse_non_local
 	# Local Host
 	access-control: 127.0.0.0/24 allow
-	# Docker Host
-	access-control: 172.18.0.1/32 allow
 	# Wireguard Range
 	access-control: 172.22.12.0/24 allow
-	# Allow Loopback connections with public ip as source
-	access-control: 88.198.95.52/32 allow
-	access-control: 88.198.95.107/32 allow
-	access-control: 88.198.95.100/32 allow
-	access-control: 88.198.95.106/32 allow
-	access-control: 88.198.95.63/32 allow
 	# log-replies: yes
 	interface: 0.0.0.0
 	interface: ::0
 	extended-statistics: yes
-	root-hints: root.hints
+	root-hints: /usr/share/dns/root.hints
 	rrset-roundrobin: yes
-	trust-anchor-file: /usr/share/dnssec-root/trusted-key.key
+	trust-anchor-file: /usr/share/dns/root.key
 	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	port: 5353
+	port: 53
 	ratelimit: 20
 	prefetch: yes
 	prefetch-key: yes
 	do-daemonize: no
 	logfile: ""
 	cache-min-ttl: 60
-	cache-max-ttl: 960
 	harden-glue: yes
 	aggressive-nsec: yes
 	serve-expired: yes
@@ -40,15 +30,14 @@ server:
 remote-control:
 	control-enable: yes
 	control-use-cert: no
-	control-interface: 0.0.0.0
+	control-interface: 127.0.0.1
 forward-zone:
 	name: "."
 	forward-tls-upstream: yes
-	forward-first: yes
-	forward-addr: 2a04:c44:e00:32e0:42a:30ff:fe00:e7d@853#a.cyberiadot.invalid
-	forward-addr: 194.182.165.153@853#a.cyberiadot.invalid
-	forward-addr: 2a01:4f8:1c17:4d9b::853@853#b.cyberiadot.invalid
-	forward-addr: 78.47.220.84@853#b.cyberiadot.invalid
+#	forward-addr: 2a04:c44:e00:32e0:42a:30ff:fe00:e7d@853#a.cyberiadot.invalid
+#	forward-addr: 194.182.165.153@853#a.cyberiadot.invalid
+#	forward-addr: 2a01:4f8:1c17:4d9b::853@853#b.cyberiadot.invalid
+#	forward-addr: 78.47.220.84@853#b.cyberiadot.invalid
 	forward-addr: 2620:fe::fe@853#dns.quad9.net
 	forward-addr: 9.9.9.9@853#dns.quad9.net
 	forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com

handlers/main.yml

@@ -1,9 +1,22 @@
 - name: Reload unbound
   systemd:
-          name: unbound
-          state: reloaded
+        name: unbound
+        state: reloaded
 - name: Enable unbound
   systemd:
         name: unbound
         enabled: yes
         state: started
+- name: Set unbound as default dns
+  replace:
+        path: /etc/resolv.conf
+        regexp: "^nameserver.*$"
+        replace: "nameserver 127.0.0.1"
+- name: Disable systemd-resolved
+  systemd:
+        name: systemd-resolved
+        enabled: no
+        state: stopped
+  notify:
+        - Enable unbound
+        - Set unbound as default dns

tasks/main.yml

@@ -1,11 +1,3 @@
-- name: Install Unbound
-  apt:
-        install_recommends: no
-        name: unbound
-        state: present
-        cache_valid_time: 3600
-  notify:
-        - Enable unbound
 - name: Copy configuration files
   copy:
         follow: yes
@@ -13,3 +5,10 @@
         dest: /etc/unbound/
   notify:
         - Reload unbound
+- name: Install Unbound
+  apt:
+        install_recommends: no
+        name: unbound
+        state: present
+        cache_valid_time: 3600
+  notify: Disable systemd-resolved