path: root/scripts/hostclass/idm_server/40-unbound
#!/bin/sh

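# Fixed locations and the service account used by the steps below.
unbound_user=unbound
unbound_conf_dir=/usr/local/etc/unbound
unbound_blocklist_dir="${unbound_conf_dir}/blocklists"
unbound_blocklist_url_file="${unbound_conf_dir}/blocklist_urls"

# Tunables: each keeps a value already set by the caller and otherwise falls
# back to the default given here. The expansions are double-quoted so that a
# caller-supplied value containing whitespace or glob characters (for example
# in unbound_local_data) is not word-split or pathname-expanded when passed to
# ':'. Defaults are written without inner quotes because quote characters
# inside a double-quoted ${var:=word} would become part of the value.
#
# NOTE(review): unbound_blocklist_urls is defaulted here but is not read by
# this script; the URL file is populated from unbound_blocklists. Confirm
# which of the two names is the intended input.
: "${unbound_blocklist_urls:=}"
: "${unbound_cache_max_negative_ttl:=60}"
: "${unbound_rrset_cache_size:=104857600}" # 100 MB
: "${unbound_msg_cache_size:=52428800}" # 50 MB
: "${unbound_slabs:=2}"
: "${unbound_insecure_domains:=}"
: "${unbound_local_zones:=}"
: "${unbound_local_data:=}"
: "${unbound_blocklists:=}"
# nproc is expected to be set before this script runs; it is not defined here.
: "${unbound_threads:=$nproc}"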

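# Install the unbound recursive resolver.
pkg install -y unbound

# Create the blocklist directory owned by the unbound user, so the updater
# (run as that user below) can write into it, then render unbound.conf.
# install_directory, install_template and install_file are not defined in
# this script; they are expected to be provided by whatever runs it.
install_directory -m 0755 -o "$unbound_user" "$unbound_blocklist_dir"
install_template -m 0644 "${unbound_conf_dir}/unbound.conf"

# Updater invocation shared by the initial run and the cron job. The string is
# handed to a shell by `su -c`, so the two paths are interpolated unquoted;
# both are fixed values set at the top of this script and must stay free of
# whitespace and shell metacharacters.
unbound_blocklist_update_cmd="/usr/local/libexec/idm-update-unbound-blocklists ${unbound_blocklist_dir} < ${unbound_blocklist_url_file}"

# Write the blocklist URL list (tee also echoes it to stdout). printf is used
# instead of echo so a value starting with '-' or containing backslashes is
# written verbatim.
# NOTE(review): the file is created with the current umask and must be
# readable by the unbound user, which reads it via the redirect above.
printf '%s\n' "$unbound_blocklists" | tee "$unbound_blocklist_url_file"
install_file -m 0755 /usr/local/libexec/idm-update-unbound-blocklists

# Initial download. The updater runs as the unprivileged unbound user rather
# than root; `su -m` leaves the calling environment unmodified.
# NOTE(review): how the updater treats the fetched content is not visible
# here; confirm it validates downloaded lists before unbound loads them.
su -m "$unbound_user" -c "$unbound_blocklist_update_cmd"

# Enable and start unbound.
sysrc -v unbound_enable=YES
service unbound restart

# Point the host at unbound as its local resolver.
# NOTE(review): resolv.conf is replaced without checking that the restart
# above succeeded; if unbound failed to start, the host is left without
# working name resolution. Consider gating this step on the service status.
install_template -m 0644 /etc/resolv.conf

# Refresh the blocklists daily from cron. Only the updater runs as the unbound
# user; the `&& service unbound reload` sits outside the quoted `su -c`
# command, so it runs as root and only when the update exits successfully.
printf '%s\n' "@daily root su -m ${unbound_user} -c \"${unbound_blocklist_update_cmd}\" && service unbound reload" \
  | tee /etc/cron.d/idm-update-unbound-blocklists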