authorCullum Smith <cullum@sacredheartsc.com>2024-09-24 22:35:45 -0400
committerCullum Smith <cullum@sacredheartsc.com>2024-09-24 22:35:45 -0400
commit6e00c9e8137aae1fb8dd568a62d9fb5fc4a277cb (patch)
tree9279f7a330affbb5da6a1f147739b8dfd92d4a19 /scripts/hostclass/idm_server/40-unbound
parentd9c18b3fcb9b036b6cdf69397828b59ab4c53091 (diff)
downloadinfrastructure-6e00c9e8137aae1fb8dd568a62d9fb5fc4a277cb.tar.gz
finish up idm_server hostclass
Diffstat (limited to 'scripts/hostclass/idm_server/40-unbound')
-rw-r--r--scripts/hostclass/idm_server/40-unbound40
1 files changed, 40 insertions, 0 deletions
diff --git a/scripts/hostclass/idm_server/40-unbound b/scripts/hostclass/idm_server/40-unbound
new file mode 100644
index 0000000..39f1317
--- /dev/null
+++ b/scripts/hostclass/idm_server/40-unbound
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+unbound_user=unbound
+unbound_conf_dir=/usr/local/etc/unbound
+unbound_blocklist_dir="${unbound_conf_dir}/blocklists"
+unbound_blocklist_url_file="${unbound_conf_dir}/blocklist_urls"
+
+: ${unbound_blocklist_urls:=''}
+: ${unbound_cache_max_negative_ttl:='60'}
+: ${unbound_rrset_cache_size:='104857600'} # 100 MB
+: ${unbound_msg_cache_size:='52428800'} # 50 MB
+: ${unbound_slabs:='2'}
+: ${unbound_insecure_domains:=''}
+: ${unbound_local_zones:=''}
+: ${unbound_local_data:=''}
+: ${unbound_blocklists:=''}
+: ${unbound_threads:="$nproc"}
+
+# Install unbound recursive resolver.
+pkg install -y unbound
+
+# Generate unbound configuration.
+install_directory -m 0755 -o "$unbound_user" "$unbound_blocklist_dir"
+install_template -m 0644 "${unbound_conf_dir}/unbound.conf"
+
+# Download blocklists.
+echo "$unbound_blocklists" | tee "$unbound_blocklist_url_file"
+install_file -m 0755 /usr/local/libexec/idm-update-unbound-blocklists
+su -m "$unbound_user" -c "/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}"
+
+# Enable and start unbound.
+sysrc -v unbound_enable=YES
+service unbound restart
+
+# Now we are ready to us unbound as the local resolver.
+install_template -m 0644 /etc/resolv.conf
+
+# Update blocklists with a cron job.
+echo "@daily root su -m ${unbound_user} -c \"/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}\" && service unbound reload" \
+ | tee /etc/cron.d/idm-update-unbound-blocklists
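Review bot: The daily cron entry reloads unbound straight after the fetch, so a truncated or malformed download reaches the running resolver unchecked; gate the reload on a config check, `... && unbound-checkconf && service unbound reload`. The same concern applies at install time: `service unbound restart` is followed by switching /etc/resolv.conf to the local resolver with no check that the restart succeeded, and no `set -e` is visible in this file, so a failed start leaves the host without DNS. Note also that the blocklist directory is created owned by the `unbound` account and written by it under `su -m`; if unbound.conf includes files from that directory (the template is not in this hunk), anything running as that account can author resolver configuration, so the downloaded files should at least be validated before they are reloaded. Separately, `unbound_blocklist_urls` is defaulted near the top but never read — the URL file is populated from `unbound_blocklists` — so one of the two names looks like a leftover.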