ansible/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2

server:
    # https://nlnetlabs.nl/documentation/unbound/howto-optimise/
    num-threads: {{ ansible_processor_cores }}
    msg-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
    rrset-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
    infra-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}
    key-cache-slabs: {{ ansible_processor_cores | int | pow(2) | int }}

    interface: 172.20.20.10@53
    interface: 172.20.20.10@853
    interface: 172.20.20.11@53
    interface: 172.20.20.11@853
    interface: 172.20.20.12@53
    interface: 172.20.20.12@853
    interface: 172.20.21.2@53

    tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
    tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
    tls-cert-bundle: {{ tls_bundle }}

    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 172.20.20.0/22 allow

    extended-statistics: yes

    hide-identity: yes
    hide-version: yes

    prefetch: yes
    unblock-lan-zones: yes

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google

{% for zone in unbound_zones %}
auth-zone:
    name: "{{ zone }}"
    zonefile: "{{ unbound_zonedir }}/{{ zone }}"
{% endfor %}