# {{ ansible_managed }}
{#
This template is for the TripleO base Unbound configuration file.

No service specific settings should be made in this file.

It will be placed in the /etc/unbound/conf.d directory and will override the
configuration settings provided in the base Unbound package from the
distribution.
#}
#
# These settings are made by TripleO, do not modify directly.
# The settings in this file will override the package provided settings.
#

{% import 'unbound_build_vars.j2' as unbound_vars with context %}

server:

{# The interface unbound should listen on. x.x.x.x x::x #}
{% for interface in unbound_vars.tripleo_unbound_listen_ips %}
    interface: {{ interface }}
{% endfor %}
{# We are in a container, stay in the foreground #}
    do-daemonize: no

{#
Define CIDRs that are allowed to use this resolver.
Note: This is a security feature. Do not open the resolver to the world or
      it can be used for DDoS amplification attacks.
#}
# Allow cloud internal subnet CIDRs.
{% for cidr in unbound_vars.tripleo_unbound_allowed_internal_cidrs %}
    access-control: {{ cidr }} allow
{% endfor %}

# Allow cloud external subnet CIDRs.
{% for cidr in unbound_vars.tripleo_unbound_allowed_external_cidrs %}
    access-control: {{ cidr }} allow
{% endfor %}

# Allow deployment configured CIDRs.
{% for cidr in tripleo_unbound_allowed_cidrs %}
    access-control: {{ cidr }} allow
{% endfor %}

{# Set the container log file name and location. #}
    logfile: /var/log/unbound/unbound.log

{#
Only log queries if the user has enabled it.
This can generate very large log files.
#}
{% if tripleo_unbound_log_queries %}
    log-queries: yes
{% else %}
    log-queries: no
{% endif %}

{# Set various security hardening settings. This defaults to on. #}
{% if tripleo_unbound_security_harden %}
    hide-identity: yes
    hide-version: yes
    hide-trustanchor: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
{% endif %}

{# Allow PTR lookups for private IP address spaces. #}
    unblock-lan-zones: yes

{# Do not try to DNSSEC validate private IP address spaces. #}
    insecure-lan-zones: yes
{# Setup the TLS endpoint for TCP queries. #}
{# Not implemented yet
    tls-service-key: <tls key file>
    tls-service-pem: <tls pem file>
    tls-port: 853
#}
{#
Optimize the cache for cloud usage.
https://www.nlnetlabs.nl/documentation/unbound/howto-optimise/
#}
    rrset-cache-size: 100m
    msg-cache-size: 50m

{#
The remote control interface is not needed until we startcollecting metrics.
#}
remote-control:
    control-enable: no