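-- dnsdist configuration, rendered by Ansible (Jinja2) before deployment.

-- Backends: every host in the 'dns_ord' inventory group that has an
-- internal_ip, reached on port 1053 and placed in the "sdns" pool.
{% for _host in groups['dns_ord'] if hostvars[_host].internal_ip is defined %}
newServer({address="{{ hostvars[_host].internal_ip }}:1053", pool="sdns"})
{% endfor %}

-- Pick the backend with the fewest outstanding queries.
setServerPolicy(leastOutstanding)

-- Packet cache shared by the "sdns" pool: up to 12800 entries, answers kept
-- for at most a day, SERVFAIL/REFUSED answers for 60 s, stale entries served
-- for 60 s (only when dnsdist is configured to serve stale entries), and
-- dontAge=false so TTLs in cached replies keep counting down.
pc = newPacketCache(12800, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool("sdns"):setCache(pc)

-- TLS material is read straight from Caddy's ACME certificate store, so the
-- dnsdist process needs read access to that directory (and the key file).
tls_cert_crt = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mydns.gay/mydns.gay.crt"
tls_cert_key = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mydns.gay/mydns.gay.key"
-- Alternative location (currently disabled):
--tls_cert_crt = "/run/my-unit/target/certificates/acme-v02.api.letsencrypt.org-directory/mydns.gay/mydns.gay.crt"
--tls_cert_key = "/run/my-unit/target/certificates/acme-v02.api.letsencrypt.org-directory/mydns.gay/mydns.gay.key"

-- Rules are evaluated in the order they are added, and PoolAction ends rule
-- processing unless it is called with stop=false. The per-client rate limit
-- therefore has to come BEFORE the catch-all pool rule; placed after it, the
-- rule is never reached and the limit silently does nothing.
-- MaxQPSIPRule(5, 32, 48, 20): a client (grouped per /32 for IPv4, /48 for
-- IPv6) sending more than 5 qps beyond a burst of 20 matches; DelayAction(100)
-- then holds its response for 100 ms. DelayAction only affects UDP, which is
-- also the transport where this matters, and it does not stop the chain, so
-- the query still falls through to the pool rule below.
addAction(MaxQPSIPRule(5, 32, 48, 20), DelayAction(100))
-- '.' matches every name: everything goes to the "sdns" pool.
addAction('.', PoolAction("sdns"))

-- Built-in web server (stats/API) on loopback only. Stats are served without
-- authentication, which is acceptable only while the bind stays on 127.0.0.1;
-- require authentication (or an API key) if this is ever exposed further.
webserver("127.0.0.1:6060")
setWebserverConfig({ statsRequireAuthentication=false })

-- setLocal replaces the listener list, so it must precede the add*Local calls.
-- Plain Do53 is bound on IPv4 only here; DoT/DoQ below bind both families.
setLocal("0.0.0.0:53")
-- DoH on loopback, fronted by Caddy. trustForwardedForHeader=true makes
-- dnsdist take the client address from X-Forwarded-For (used by the rate
-- limit rule above), which is only safe because nothing but the local reverse
-- proxy can reach this socket. Do not set this on a publicly bound listener.
addDOHLocal("127.0.0.1:8053", nil, nil, "/dns-query", { reusePort=true, trustForwardedForHeader=true })
-- DoT (TCP/853) and DoQ (UDP/853) on both address families, same certificate.
addTLSLocal('0.0.0.0:853', tls_cert_crt, tls_cert_key)
addTLSLocal('[::]:853', tls_cert_crt, tls_cert_key)
addDOQLocal('0.0.0.0:853', tls_cert_crt, tls_cert_key)
addDOQLocal('[::]:853', tls_cert_crt, tls_cert_key)

-- Public resolver: queries are accepted from any source address. Abuse
-- control for the open UDP/53 listener therefore rests on the MaxQPSIPRule
-- above; keep that rule ahead of the pool rule when editing this file.
addACL('0.0.0.0/0')
addACL('::/0')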