From bb51dfab00ba345f03d2f8cf87b320ccf98c1742 Mon Sep 17 00:00:00 2001
From: Aaron LI <aly@aaronly.me>
Date: Sat, 3 Mar 2018 00:17:53 +0800
Subject: dns: validate unbound and nsd config file before update

---
 roles/dns/tasks/main.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index cc5c07a..efc9669 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -35,6 +35,7 @@
   copy:
     src: unbound.conf
     dest: /usr/local/etc/unbound/unbound.conf
+    validate: "unbound-checkconf %s"
   notify: reload-unbound
 
 - name: unbound - enable and start service
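Review bot: The added `validate: "unbound-checkconf %s"` names the checker without a path, so the task depends on the PATH of Ansible's non-interactive remote session; `validate` is not run through a shell that would set one up. The `/usr/local/etc` destination suggests the binary is installed under `/usr/local/sbin`, which is not always on that PATH. An absolute path such as `validate: "/usr/local/sbin/unbound-checkconf %s"` (location inferred, confirm on the target) makes the check deterministic and avoids running whichever `unbound-checkconf` comes first on PATH. The same applies to `nsd-checkconf` in the last hunk. The copy task starts above this hunk, so any existing `owner` or `mode` settings are not visible here.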
@@ -48,12 +49,6 @@
 #
 # NSD
 #
-- name: NSD - copy configuration
-  template:
-    src: nsd.conf.j2
-    dest: /usr/local/etc/nsd/nsd.conf
-  notify: reload-nsd
-
 - name: NSD - check existence of control key/cert
   stat:
     path: /usr/local/etc/nsd/nsd_control.key
@@ -75,6 +70,13 @@
   # NOTE: `with_fileglob` always operates from `files/`
   with_fileglob:
     - "../templates/zones/*.j2"
+
+# NOTE: requires variable `zonefiles`
+- name: NSD - generate configuration
+  template:
+    src: nsd.conf.j2
+    dest: /usr/local/etc/nsd/nsd.conf
+    validate: "nsd-checkconf %s"
   notify: reload-nsd
 
 - name: NSD - enable and start service
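Review bot: The new `NSD - generate configuration` task sets no `owner`, `group` or `mode`, so the permissions of `/usr/local/etc/nsd/nsd.conf` are whatever the existing file or the remote umask gives. If `nsd.conf.j2` renders TSIG `key:` secrets (the template is not visible in this hunk), the file should not be world-readable; consider adding `mode: "0640"` together with the owner and group the NSD service expects. The NOTE comment about `zonefiles` would also be more useful if it named the task that registers the variable, because the template now appears to depend on running after that task.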
-- 