# {{ ansible_managed }}

server:
    # Jinja2 template for the `server:` clause of unbound.conf (unbound's own
    # syntax, not YAML). It sets logging, listening addresses, client access
    # control and UDP sizing for a recursive DNS node.

    # Timestamps use UTC ASCII instead of UNIX epoch.
    log-time-ascii: yes

    # Only log errors.
    verbosity: 0
    # Also log why a query ended in SERVFAIL. These lines are separate from
    # the verbosity levels, so they still appear with verbosity 0.
    log-servfail: yes

    # NOTE(review): unbound ignores `logfile` while `use-syslog` is enabled,
    # which is its default. Confirm `use-syslog: no` is set elsewhere in the
    # rendered configuration, otherwise nothing is written to this file.
    logfile: "/var/log/unbound/unbound.log"

    # Answer and issue queries over both address families.
    do-ip4: yes
    do-ip6: yes

    # IP addresses on which to listen.
    #
    # Each `interface:` line adds one listening address; the directive is
    # repeated on purpose. Listing explicit addresses keeps the resolver off
    # any address of the host that is not named here.
    #
    # Note: dns_host_suffix is dynamically set in this role's tasks,
    # and changes depending on whether we're handling the main or backup
    # recursive DNS node.
    
    # IPv4
    interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
    interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
    interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
    interface: 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix }}


    # IPv6
    interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
    interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
    interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
    interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }}

 
    # By default, anything other than localhost is refused.
    # Allow the client subnets this resolver serves. `allow` permits
    # recursive queries from the listed netblock.
    access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
    access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
    access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
    access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow
    # NOTE(review): the IPv6 rule is a single /32, not one rule per subnet
    # like the IPv4 rules above. If ipv6_base_prefix is globally routable,
    # every host inside that /32 can use this resolver unless a firewall
    # filters port 53 upstream (open-resolver / amplification exposure).
    # Consider one rule per subnet, mirroring the IPv6 `interface:` lines.
    # The right prefix length depends on how many groups ipv6_base_prefix
    # holds - confirm before changing.
    access-control: {{ ipv6_base_prefix }}::/32 allow  # deliberately broad shortcut; see NOTE(review) above

    # One worker thread per vCPU reported by the Ansible facts.
    num-threads: {{ ansible_processor_vcpus }}

    # The host cache TTL affects blacklisting of supposedly bogus hosts.
    # The default was 900 (15 minutes).
    infra-host-ttl: 60


    # The following is vital, we were having issues
    # with DNSSEC that turned out to be due to UDP responses that were too
    # large.

    # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
    # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
    #
    # NOTE(review): 1472 is a 1500-byte MTU minus the IPv4 (20) and UDP (8)
    # headers. If the `mtu` variable holds the link MTU rather than the UDP
    # payload size, answers can still be fragmented, and IPv6 needs 20 bytes
    # less again. Confirm what `mtu` contains. Unfragmented answers also
    # avoid fragment-based cache-poisoning.
    edns-buffer-size: {{ mtu }}

    # Maximum UDP response size (not applied to TCP response).
    # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
    max-udp-size: {{ mtu }}