server:
    # https://nlnetlabs.nl/documentation/unbound/howto-optimise/
    num-threads: {{ ansible_processor_cores }}
    msg-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
    rrset-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
    infra-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
    key-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}

    outgoing-range: {{ ( 1024 / ansible_processor_cores | int - 50 ) | int }}

    interface: {{ intnet | ansible.utils.ipaddr(10) | ansible.utils.ipaddr('address') }}@53
    interface: {{ intnet | ansible.utils.ipaddr(10) | ansible.utils.ipaddr('address') }}@853
    interface: {{ intnet | ansible.utils.ipaddr(11) | ansible.utils.ipaddr('address') }}@53
    interface: {{ intnet | ansible.utils.ipaddr(11) | ansible.utils.ipaddr('address') }}@853
    interface: {{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}@53
    interface: {{ intnet | ansible.utils.ipaddr(12) | ansible.utils.ipaddr('address') }}@853

    tls-service-key: {{ tls_private }}/dns.{{ intdomain }}.key
    tls-service-pem: {{ tls_certs }}/dns.{{ intdomain }}.crt
    tls-cert-bundle: {{ tls_bundle }}

    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: {{ intnet | ansible.utils.ipaddr(0) }} allow

    extended-statistics: yes
    verbosity: 1

    hide-identity: yes
    hide-version: yes

    prefetch: yes
    unblock-lan-zones: yes

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google

{% for zone in unbound_zones %}
auth-zone:
    name: "{{ zone }}"
    zonefile: "{{ unbound_zonedir }}/{{ zone }}"
{% endfor %}