Diffstat (limited to 'roles/dns/templates/unbound.conf.j2')
| -rw-r--r-- | roles/dns/templates/unbound.conf.j2 | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/roles/dns/templates/unbound.conf.j2 b/roles/dns/templates/unbound.conf.j2
new file mode 100644
index 00000000..b02df37e
--- /dev/null
+++ b/roles/dns/templates/unbound.conf.j2
@@ -0,0 +1,41 @@
+server:
+ interface: 127.0.0.1
+{% if inventory_hostname in (groups['ocserv']|default([])) + (groups['all_vpns']|default([])) %}
+ interface: {{ (ocserv_network|default("172.16.16.0/24"))|ansible.utils.nthhost(2) }}
+{% endif %}
+ do-ip6: no
+
+ access-control: 0.0.0.0/0 refuse
+ access-control: 127.0.0.0/8 allow
+{% if inventory_hostname in (groups['ocserv']|default([])) + (groups['all_vpns']|default([])) %}
+ access-control: {{ ocserv_network|default("172.16.16.0/24") }} allow
+{% endif %}
+
+ hide-identity: yes
+ hide-version: yes
+
+ auto-trust-anchor-file: "/var/unbound/db/root.key"
+ val-log-level: 2
+ qname-minimisation: yes
+
+ aggressive-nsec: yes
+ verbosity: 1
+ log-queries: no
+ use-caps-for-id: yes
+
+ cache-min-ttl: 3600
+ cache-max-ttl: 86400
+ prefetch: yes
+ unwanted-reply-threshold: 10000
+ do-not-query-localhost: yes
+ val-clean-additional: yes
+ module-config: "respip validator iterator"
+
+remote-control:
+ control-enable: yes
+
+rpz:
+ name: "unbound-adblock"
+ zonefile: "/var/unbound/db/adblock.rpz"
+ rpz-log: no
+ rpz-log-name: "unbound-adblock"
|
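Review bot: The `remote-control:` block sets `control-enable: yes` but neither `control-interface` nor `control-use-cert`, so who may flush, reload or reconfigure the resolver is decided by the packaged defaults rather than by this template. I would pin it explicitly, for example `control-interface: /var/run/unbound.sock` (example path; a local socket guarded by file permissions) or `control-interface: 127.0.0.1` together with `control-use-cert: yes`, and have the role provision the control keys if the certificate path is used. Separately, `cache-min-ttl: 3600` keeps every answer for at least an hour regardless of the TTL the zone owner published, so a stale or incorrect record is served to the VPN clients for that long. The unbound.conf manual cautions that minimums around an hour can cause trouble, so a much smaller value or the default of 0 looks safer. Both the group test and the `ocserv_network|default("172.16.16.0/24")` fallback appear twice, so a one-line comment noting that the `interface:` and `access-control:` branches must stay in sync would help.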
