# Generated by edgeguard — do not edit by hand.
# Re-generate via `edgeguard-ctl render-config --only=unbound`.
#
# Unbound resolver configuration, rendered from a Go template. Every template
# value (ListenAddresses, Settings.*, AccessACLs, LocalZones, ForwardZones,
# Upstreams) is substituted verbatim — nothing in this file escapes or
# validates it, so quoting/whitelisting has to happen in edgeguard before
# rendering (TODO confirm; see the NOTE(review) comments below).
server:
    verbosity: 1
    use-syslog: yes
    interface-automatic: no

    # No chroot — our config file lives in /etc/edgeguard/unbound/ and would
    # not be reachable from inside the distro chroot (/var/lib/unbound). The
    # distro default chroots; we disable it explicitly here. Hardening is
    # done via systemd sandboxing of the unit instead.
    # NOTE(review): with chroot off, the unit's sandboxing is the only
    # filesystem confinement unbound gets — keep it in step with the paths
    # this file relies on (conf dir, trust-anchor file, syslog socket).
    chroot: ""
    username: "unbound"

    # Listeners. With an empty ListenAddresses no interface line is emitted
    # and unbound falls back to its built-in default (localhost only).
    {{- range .ListenAddresses}}
    interface: {{.}}@{{$.Settings.ListenPort}}
    {{- end}}
    port: {{.Settings.ListenPort}}

    # Access control — who may use the resolver.
    # Unbound uses the most specific matching prefix, so the operator ACLs
    # win over the two catch-all lines; those only make the default-deny
    # explicit. "refuse" answers REFUSED on the wire; "deny" would drop the
    # query silently.
    # NOTE(review): an over-broad operator ACL (e.g. 0.0.0.0/0 allow) turns
    # this into an open resolver — the template does not guard against
    # that, so edgeguard's ACL validation must.
    {{- range .AccessACLs}}
    access-control: {{.}} allow
    {{- end}}
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse

    # Cache + resilience
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    # NOTE(review): cache-min-ttl overrides authoritative TTLs; the unbound
    # manual discourages values much above an hour because cached data then
    # diverges from what the zone owner publishes. Range-check it upstream.
    cache-min-ttl: {{.Settings.CacheMinTTL}}
    cache-max-ttl: {{.Settings.CacheMaxTTL}}
    msg-cache-size: 64m
    rrset-cache-size: 128m
    num-threads: 2

    # Hardening
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    # 0x20 case randomisation. NOTE(review): in this setup every query goes
    # to a forwarder (forward-zone "." below); forwarders that do not echo
    # the query name's case back may cause retries or failures — confirm
    # against the chosen upstreams.
    use-caps-for-id: yes
    qname-minimisation: {{if .Settings.QNameMinimisation}}yes{{else}}no{{end}}
    minimal-responses: yes
    aggressive-nsec: yes

    {{/* The DNSSEC trust anchor is set by the distro snippet
         /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf —
         no line of our own here, or it would be duplicated. Only set
         val-clean-additional when DNSSEC is enabled.
         NOTE(review): this file contains no include: of that directory, so
         the anchor is only loaded if the rendered file is pulled in via the
         distro's unbound.conf (or the unit includes it some other way).
         Without a trust anchor unbound silently does NOT validate —
         val-clean-additional on its own enables nothing (it is also the
         unbound default, so this branch mostly documents intent). Verify on
         a deployed host by querying a deliberately broken DNSSEC name and
         expecting SERVFAIL. */}}
    {{- if .Settings.DNSSEC}}
    val-clean-additional: yes
    {{- end}}

    # Local zones from operator (zone_type='local').
    # "static": answered from local-data only; other names under the zone get
    # NXDOMAIN/NODATA and are never sent upstream.
    # NOTE(review): Name, FQDN, TTL, RecordType and Value are interpolated raw
    # into a double-quoted directive. A '"' or a newline in an operator-
    # supplied value would end the string and start a new directive (config
    # injection). The template does not escape — edgeguard's validation must
    # reject such characters before rendering; TODO confirm it does.
    {{range .LocalZones}}
    local-zone: "{{.Name}}." static
    {{- range .Records}}
    local-data: "{{.FQDN}} {{.TTL}} IN {{.RecordType}} {{.Value}}"
    {{- end}}
    {{end}}

# Forward zones from operator (zone_type='forward').
# NOTE(review): forward-addr without forward-tls-upstream: yes is plain DNS
# on port 53 — unencrypted and unauthenticated at the transport layer. This
# template never emits forward-tls-upstream, so that holds for every
# forwarder and upstream below; DNSSEC (if actually validating) only covers
# the integrity of signed data. Confirm this matches the threat model, or
# extend the template (addr@853#hostname plus forward-tls-upstream: yes).
# Name and Forwarders are substituted unescaped, same caveat as local zones.
{{range .ForwardZones}}
forward-zone:
    name: "{{.Name}}."
    {{- range $f := .Forwarders}}
    forward-addr: {{$f}}
    {{- end}}
{{end}}

# Default upstream forwarders ("." catches everything not local).
# forward-first is left at its default (no): if all upstreams fail, clients
# get SERVFAIL rather than unbound recursing on its own.
# NOTE(review): with an empty Upstreams list this renders a "." forward-zone
# with no forward-addr at all — check how unbound treats that (checkconf
# error vs. recursing itself) and fail the render if neither is wanted.
forward-zone:
    name: "."
    {{- range $f := .Upstreams}}
    forward-addr: {{$f}}
    {{- end}}