From 1e4b776de568a85c4a29c9d9576e8d7e924561d8 Mon Sep 17 00:00:00 2001
From: missytake <missytake@systemli.org>
Date: Tue, 19 Dec 2023 16:48:36 +0100
Subject: [PATCH] unbound: generate root.key manually if it doesn't exist

---
 cmdeploy/src/cmdeploy/__init__.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/cmdeploy/src/cmdeploy/__init__.py b/cmdeploy/src/cmdeploy/__init__.py
index 4fcf7f26..71db3ce1 100644
--- a/cmdeploy/src/cmdeploy/__init__.py
+++ b/cmdeploy/src/cmdeploy/__init__.py
@@ -399,7 +399,11 @@ def deploy_chatmail(config_path: Path) -> None:
     # to use 127.0.0.1 as the resolver.
     apt.packages(
         name="Install unbound",
-        packages="unbound",
+        packages=["unbound", "unbound-anchor"],
+    )
+    server.shell(
+        name="Generate root keys for validating DNSSEC",
+        commands=["unbound-anchor -a /var/lib/unbound/root.key || true"],
     )
     systemd.service(
         name="Start and enable unbound",