bundlewrap/bundles/unbound/metadata.py

from bundlewrap.metadata import atomic

defaults = {
    'apt': {
        'packages': {
            'unbound': {},
            'unbound-anchor': {},
        },
    },
    'nameservers': {
        '127.0.0.1',
    },
    'systemd-timers': {
        'timers': {
            'unbound-refresh-root-hints': {
                'command': 'wget -q -O/etc/unbound/root-hints.txt https://www.internic.net/domain/named.root',
                'when': '{}:{}:00'.format(
                    node.magic_number % 24,
                    node.magic_number % 60,
                ),
            },
            'unbound-auto-restart': {
                'command': '/usr/local/sbin/unbound-auto-restart',
                'when': 'minutely',
            },
        },
    },
    'unbound': {
        'max_ttl': 3600,
        'cache_size': '512M',
    },
}

if node.has_bundle('telegraf'):
    defaults['telegraf'] = {
        'input_plugins': {
            'builtin': {
                'unbound': [{
                    'thread_as_tag': True,
                    'use_sudo': True
                }],
            },
        },
        'sudo_commands': {
            '/usr/sbin/unbound-control',
        },
    }



@metadata_reactor.provides(
    'unbound/threads',
    'unbound/cache_slabs',
)
def cpu_cores_to_config_values(metadata):
    num_cpus = metadata.get('vm/cpu', 1)

    return {
        'unbound': {
            'threads': num_cpus*2,
            'cache_slabs': 2**(num_cpus-1).bit_length(),
        },
    }


@metadata_reactor.provides(
    'firewall/port_rules',
)
def firewall(metadata):
    return {
        'firewall': {
            'port_rules': {
                '53/tcp': atomic(metadata.get('unbound/restrict-to', set())),
                '53/udp': atomic(metadata.get('unbound/restrict-to', set())),
            },
        },
    }