unbound: make this workaround permanent

This bundle file is here for general consumption and the time it
has already taken to debug this issue is not justifiable for
pursuing the matter any further.  Other approaches regarding
chroot and directory sharing are likely going to be much more
code which would make another solution more fragile as well.

While here remove a strange directory in the chroot that is not
even used.
Franco Fichtner 2024-12-04 14:40:59 +01:00
parent dbeed6fb7e
commit f4b9017cd9
2 changed files with 1 additions and 3 deletions

@ -135,7 +135,7 @@ function unbound_generate_config()
$python_dir = "/usr/local/lib/{$pythonv}";
$chroot_python_dir = "/var/unbound{$python_dir}";
$dirs = ['/data', '/dev', '/etc', '/lib', '/run', '/usr', '/usr/local/sbin', '/var/db', '/var/run', $python_dir];
$dirs = ['/data', '/dev', '/etc', '/lib', '/run', '/usr', '/var/db', '/var/run', $python_dir];
foreach ($dirs as $dir) {
mwexecf('/bin/mkdir -p %s', "/var/unbound{$dir}");
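
Review bot: Dropping '/usr/local/sbin' from $dirs only stops new creation, since the loop below runs `mkdir -p` and nothing in the visible lines removes a directory that an earlier version already created under /var/unbound. If the directory really is unused, consider removing the stale /var/unbound/usr/local/sbin during config generation or upgrade so the chroot layout matches this list on existing installs. The commit message could also say why the directory is known to be unused.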

@ -39,8 +39,6 @@ forward-zone:
{% if all_dots|length > 0 %}
# Forward zones over TLS
server:
# XXX Unbound only looks for a bundle file when OpenSSL will handle all of it???
#tls-system-cert: yes
tls-cert-bundle: /usr/local/etc/ssl/cert.pem
{% for domain, dots in all_dots|groupby("domain", default=".") %}
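
Review bot: With the XXX note and the commented-out `tls-system-cert: yes` removed from the server: block, the template no longer records why `tls-cert-bundle: /usr/local/etc/ssl/cert.pem` is used instead of the system store. That bundle is now the only trust source configured here for the forward zones over TLS. Please leave a one-line comment stating that the bundle path is the intended permanent setting, so that nobody later re-enables tls-system-cert without knowing the history. It would also help to confirm in the commit message how the bundle is made readable at that path for the chrooted daemon.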