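# Unbound metadata defaults and reactors.
#
# Relies on the names the bundle framework injects at load time
# (`node`, `repo`, `metadata_reactor`); nothing here imports them.
defaults = {
    'apt': {
        'packages': {
            'unbound': {},
            'unbound-anchor': {},
        },
    },
    'cron': {
        # Periodic refresh of the root hints file, run as root.
        # Download to a sibling temp file and only replace the live file
        # once wget succeeded: `wget -O <file>` truncates <file> before
        # the transfer, so a failed fetch would otherwise leave an empty
        # root-hints.txt behind.  (Whether unbound needs a reload to pick
        # up the new file depends on the service setup — not handled here.)
        # Schedule fields (minute, hour, weekday) are spread across nodes
        # via the node's magic number so the fetches do not all hit at once.
        'unbound_refresh_root-hints': (
            '{} {} * * {} root '
            'wget -q -O/etc/unbound/root-hints.txt.new '
            'https://www.internic.net/domain/named.root '
            '&& mv /etc/unbound/root-hints.txt.new /etc/unbound/root-hints.txt'
        ).format(
            node.magic_number % 60,
            node.magic_number % 24,
            node.magic_number % 7,
        ),
    },
    'nameservers': {
        '127.0.0.1',
    },
    'unbound': {
        'max_ttl': 3600,
        'cache_size': '512M',
    },
}


@metadata_reactor.provides(
    'unbound/threads',
    'unbound/cache_slabs',
)
def cpu_cores_to_config_values(metadata):
    """Derive unbound thread and cache-slab counts from the node's CPU count.

    Reads ``vm/cpu`` (assumed to be an int; defaults to 1 when absent).
    Returns ``unbound/threads`` as twice the CPU count and
    ``unbound/cache_slabs`` as the smallest power of two that is >= the
    CPU count.
    """
    num_cpus = metadata.get('vm/cpu', 1)
    # (n-1).bit_length() gives the exponent of the next power of two >= n
    # (1 -> 1, 2 -> 2, 3 -> 4, 4 -> 4, 5 -> 8, ...).
    cache_slabs = 2 ** (num_cpus - 1).bit_length()
    return {
        'unbound': {
            'threads': num_cpus * 2,
            'cache_slabs': cache_slabs,
        },
    }


@metadata_reactor.provides(
    'iptables/bundle_rules/unbound',
)
def iptables(metadata):
    """Build firewall rules allowing DNS (tcp+udp/53) from permitted sources.

    Each identifier in ``unbound/restrict-to`` is resolved through
    ``repo.libs.tools.resolve_identifier`` to its ``ipv4`` and ``ipv6``
    addresses; every address gets an ACCEPT rule for tcp and udp port 53
    in the matching (ip6)tables INPUT chain.  With no identifiers the
    rule list is empty.  The result is sorted for deterministic output.
    """
    identifiers = metadata.get('unbound/restrict-to', set())
    rules = set()
    for identifier in sorted(identifiers):
        resolved = repo.libs.tools.resolve_identifier(repo, identifier)
        for address in resolved['ipv4']:
            rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 53 -j ACCEPT')
            rules.add(f'iptables -A INPUT -p udp -s {address} --dport 53 -j ACCEPT')
        for address in resolved['ipv6']:
            rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 53 -j ACCEPT')
            rules.add(f'ip6tables -A INPUT -p udp -s {address} --dport 53 -j ACCEPT')
    return {
        'iptables': {
            'bundle_rules': {
                'unbound': sorted(rules),
            },
        },
    }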