From 5a880d5d5a56dbbc6e108deb50f287ed833bd7fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20D=C3=A9siles?= <1536672+cdesiles@users.noreply.github.com>
Date: Sun, 18 Jan 2026 13:46:16 +0100
Subject: [PATCH] fix: unbound idempotency
---
 roles/unbound/tasks/main.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index 7490b19..0301179 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -107,10 +107,17 @@ ansible.builtin.file:
 path: /tmp/hosts.txt
 state: absent
+- name: Check if root.key exists
+ ansible.builtin.stat:
+ path: "{{ unbound_anchor_root_key }}"
+ register: root_key_stat
+
 - name: Initialize dnssec trust anchor if missing
 ansible.builtin.command: unbound-anchor -a {{ unbound_anchor_root_key }}
- args:
- creates: "{{ unbound_anchor_root_key }}"
+ when: not root_key_stat.stat.exists
+ register: unbound_anchor_result
+ failed_when: unbound_anchor_result.rc != 0 and unbound_anchor_result.rc != 1
+ changed_when: unbound_anchor_result.rc == 0
 - name: Ensure root.key has correct ownership and permissions
 ansible.builtin.file:
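Review bot: The new `failed_when` / `changed_when` on "Initialize dnssec trust anchor if missing" treat the exit status of unbound-anchor as a success signal, which it does not appear to be. As I read unbound-anchor(8), status 1 means the anchor was written from the built-in anchor or the certificate, while status 0 covers both "no update needed" and an error. A first run that creates root.key would therefore likely report `ok`, and a failed bootstrap could pass silently, leaving the resolver without a usable DNSSEC trust anchor. Because the task only runs when the file is missing, it is safer to mark any run as changed and judge success by a follow-up stat that fails when root.key is absent or empty. Separately, the added stat plus `when` repeats what the removed `creates:` already did, so keeping `creates:` alongside the relaxed `failed_when` would be a smaller change.

```yaml
- name: Initialize dnssec trust anchor if missing
  # … unchanged: command, when, register …
  # exit status 0 and 1 both occur on non-failing runs; success is verified below
  failed_when: unbound_anchor_result.rc not in [0, 1]
  changed_when: true

- name: Verify the dnssec trust anchor was written
  ansible.builtin.stat:
    path: "{{ unbound_anchor_root_key }}"
  register: root_key_after
  when: not ansible_check_mode
  failed_when: not root_key_after.stat.exists or root_key_after.stat.size == 0
```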