unbound: Use DNS over TLS for forward zones

roles/unbound/templates/unbound.conf.nms01.home.foo.sh.j2

@@ -13,6 +13,9 @@ server:
     hide-identity: yes
     hide-version: yes
 
+    tls-upstream: yes
+    tls-cert-bundle: {{ tls_bundle }}
+
     chroot: ""
 
     unblock-lan-zones: yes
@@ -23,9 +26,7 @@ remote-control:
 
 forward-zone:
     name: "."
-    forward-addr: 172.20.20.10
+    forward-addr: 172.20.20.10@853#dns.home.foo.sh
-    forward-addr: 172.20.21.1
-    forward-addr: 172.20.21.2
 
 auth-zone:
     name: "oob.foo.sh"

roles/unbound/templates/unbound.conf.print01.home.foo.sh.j2

@@ -13,6 +13,9 @@ server:
     hide-identity: yes
     hide-version: yes
 
+    tls-upstream: yes
+    tls-cert-bundle: {{ tls_bundle }}
+
     chroot: ""
 
     unblock-lan-zones: yes
@@ -23,9 +26,7 @@ remote-control:
 
 forward-zone:
     name: "."
-    forward-addr: 172.20.20.10
+    forward-addr: 172.20.20.10@853#dns.home.foo.sh
-    forward-addr: 172.20.21.1
-    forward-addr: 172.20.21.2
 
 auth-zone:
     name: "print.foo.sh"

roles/unbound/templates/unbound.conf.zm02.home.foo.sh.j2

@@ -13,6 +13,9 @@ server:
     hide-identity: yes
     hide-version: yes
 
+    tls-upstream: yes
+    tls-cert-bundle: {{ tls_bundle }}
+
     chroot: ""
 
     unblock-lan-zones: yes
@@ -23,9 +26,7 @@ remote-control:
 
 forward-zone:
     name: "."
-    forward-addr: 172.20.20.10
+    forward-addr: 172.20.20.10@853#dns.home.foo.sh
-    forward-addr: 172.20.21.1
-    forward-addr: 172.20.21.2
 
 auth-zone:
     name: "cam.foo.sh"