diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2
index a1e310e..96aa9cd 100644
--- a/roles/unbound/templates/unbound.conf.j2
+++ b/roles/unbound/templates/unbound.conf.j2
@@ -1,22 +1,18 @@
 # ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
 # unbound.conf(5) man page
 server:
- {% if unbound_enable_dnssec -%}
- # disable chroot because unbound is the only thing running on the VM
- # and because it has issues with how archlinux configures the systemd units write protection regarding the anchor file
- chroot: ""
-
- # location of the trust anchor file that enables DNSSEC
- # this file is generated by the `unbound-anchor` command
- auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
- {% endif -%}
+ {% if unbound_enable_dnssec -%}
+ # location of the trust anchor file that enables DNSSEC
+ # this file is generated by the `unbound-anchor` command
+ auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
+ {% endif -%}
 
 # use all CPUs
- num-threads: 2
+ num-threads: {{ ansible_facts['processor_vcpus'] }}
 
 # more cache memory
- rrset-cache-size: 60m
- msg-cache-size: 30m
+ rrset-cache-size: 60m
+ msg-cache-size: 30m
 
 # prefetch to keep the cache up to date
 prefetch: yes
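Review bot: The DNSSEC branch no longer sets `chroot: ""`, but the removed comment recorded a concrete reason for it (the Arch systemd unit's write protection interfering with the anchor file under chroot) and nothing in the hunk says what made that obsolete. Unless the package default already disables chroot, the file named by `auto-trust-anchor-file` must stay writable by the unbound user inside the chroot for RFC 5011 updates to succeed, so either keep the override or add a comment above that line such as `# chroot is left at the package default; the anchor file must be writable by the unbound user at this path (inside the chroot when one is set)` so the dropped setting is not re-added blind. `num-threads: {{ ansible_facts['processor_vcpus'] }}` fails to render when fact gathering is disabled for the play; keeping the previous value as a fallback, `num-threads: {{ ansible_facts['processor_vcpus'] | default(2) }}`, preserves the old behaviour in that case. unbound.conf(5) also advises sizing the `*-cache-slabs` options as a power of two near num-threads once the thread count grows, which this hunk leaves at their defaults; the rest of the server block continues outside the hunk.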
@@ -25,49 +21,48 @@ server:
 prefetch-key: yes
 
 # Faster UDP with multithreading (only on Linux).
- so-reuseport: yes
+ so-reuseport: yes
 
 # disable special large send buffer handling and just use kernel defaults
- so-sndbuf: 0
+ so-sndbuf: 0
 
- # send minimal amount of information to upstream servers to enhance privacy
- qname-minimisation: yes
+ # send minimal amount of information to upstream servers to enhance privacy
+ qname-minimisation: yes
 
- # specify the interface to answer queries from by ip-address.
- {% for i in unbound_bind_interfaces -%}
- interface: "{{ i }}"
- {% endfor %}
+ # specify the interface to answer queries from by ip-address.
+ {% for i in unbound_bind_interfaces -%}
+ interface: "{{ i }}"
+ {% endfor %}
 
- # addresses from the IP range that are allowed to connect to the resolver
- {% for i in unbound_access_control -%}
- access-control: {{ i }}
- {% endfor -%}
+ # addresses from the IP range that are allowed to connect to the resolver
+ {% for i in unbound_access_control -%}
+ access-control: {{ i }}
+ {% endfor -%}
 
- {% for i in unbound_private_domain -%}
- private-domain: {{ i }}
- {% endfor -%}
+ {% for i in unbound_private_domain -%}
+ private-domain: {{ i }}
+ {% endfor -%}
 
- # The number of seconds between printing statistics to the log for every thread.
- statistics-interval: 0
+ # The number of seconds between printing statistics to the log for every thread.
+ statistics-interval: 0
 
- # Extended statistics are printed, Keeping track of more statistics takes time.
- extended-statistics: yes
+ # Extended statistics are printed, Keeping track of more statistics takes time.
+ extended-statistics: yes
 
 remote-control:
- control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }}
- control-interface: /run/unbound-control.sock
+ control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }}
+ control-interface: /run/unbound-control.sock
 
 # configure some zones for which this resolver will act authoritatively
 # https://www.dns.icann.org/services/axfr/
 {% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %}
 auth-zone:
- name: "{{ i }}"
- primary: "lax.xfr.dns.icann.org"
- primary: "iad.xfr.dns.icann.org"
- fallback-enabled: yes
- for-downstream: no
- for-upstream: yes
-
+ name: "{{ i }}"
+ primary: "lax.xfr.dns.icann.org"
+ primary: "iad.xfr.dns.icann.org"
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
 {% endfor %}
 
 