#!/usr/bin/env bash
# bootstrap-unbound.sh
# One-shot installer / hardener for an Unbound recursive resolver
# Tested on Debian 11+/Ubuntu 22.04+   (systemd-based)

set -euo pipefail
IFS=$'\n\t'

######################### 1.  Settings  ################################

# Where you’ll listen for queries (adjust subnet as needed!)
LISTEN_SUBNET="192.168.0.0/16"
THREADS="$(nproc)"
ROOT_HINTS="/var/lib/unbound/root.hints"
UNBOUND_CONF="/etc/unbound/unbound.conf"

######################### 2.  Install  #################################

echo "📦 Installing Unbound..."
apt-get update -qq
DEBIAN_FRONTEND=noninteractive apt-get install -y unbound curl jq dnsutils

######################### 3.  Root hints  ##############################

echo "🌍 Fetching ICANN root hints..."
curl -sSL https://www.internic.net/domain/named.root -o "$ROOT_HINTS"

######################### 4.  Config file  #############################

echo "🛠  Writing $UNBOUND_CONF ..."
cat > "$UNBOUND_CONF" <<EOF
server:
  interface: 0.0.0.0
  access-control: ${LISTEN_SUBNET} allow
  access-control: 127.0.0.0/8 allow

  # Performance
  num-threads: ${THREADS}
  msg-cache-size: 128m
  rrset-cache-size: 256m
  prefetch: yes
  prefetch-key: yes

  # DNSSEC
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
  val-permissive-mode: no

  # Root servers
  root-hints: "${ROOT_HINTS}"

  # Privacy
  qname-minimisation: yes
  minimal-responses: yes

  # Hardening
  harden-dnssec-stripped: yes
  harden-referral-path: yes

  # Logging (comment out if too chatty)
  log-queries: no
  log-replies:  no

remote-control:
  control-enable: yes
EOF

######################### 5.  Control certs  ###########################

echo "🔑 Generating control-channel certificates..."
unbound-control-setup 

######################### 6.  Enable + start  ##########################

echo "🚀 Enabling & starting Unbound..."
systemctl enable --now unbound

######################### 7.  Smoke tests  #############################

echo -e "\n🔍 Quick DNSSEC validation tests:\n"

GOOD_DOMAIN="cloudflare.com"
BAD_DOMAIN="dnssec-failed.org"
SERVER="127.0.0.1"

good=$(dig +dnssec +adflag "$GOOD_DOMAIN" @"$SERVER" | grep -q "flags:.* ad" && echo "✅ Validated" || echo "❌ FAILED")
bad=$(dig +dnssec +adflag "$BAD_DOMAIN" @"$SERVER" | grep -q "SERVFAIL" && echo "✅ Blocked  " || echo "❌ FAILED")

printf "  %-25s %s\n" "$GOOD_DOMAIN" "$good"
printf "  %-25s %s\n" "$BAD_DOMAIN"  "$bad"

echo -e "\n🎉  All done. Point your LAN’s DNS to this server and enjoy DNSSEC-validated recursion."