This reduces the chance of a timer executing a time consuming service
close to boot, potentially speeding up boot (or at least making
`systemd-analyze blame` look better).
With this option enabled, if you connect to a local network which claims
to serve DNS for `mycorp.com`, unbound will forward DNS requests for
that domain to the local network DNS resolver.
If you connect to a local network which claims to serve DNS for a domain
like `mynetwork.lan` or `local.mesh`, and you have those domains
whitelisted in the `unbound.private_domains` var, you will be able to
successfully resolve those hostnames.
The `private_interfaces` option prevents forwarding the root zone to the
local network resolver. If the network claims to provide DNS for
`mycorp.com` and everything else, requests for `mycorp.com` will go to
the network's resolver, but requests for every other domain will still go
through unbound to the nameservers specified in the
`unbound.nameservers` var.
Disabling the chroot is apparently needed to allow Unbound to
communicate with the systemd notification service in the new service
file: https://bugs.archlinux.org/task/61163
Arch now uses Unbound's default systemd service file, which includes
hardening that conflicts with Firejail. But theoretically this should
all be good enough so we can just drop Firejail from this role?
Existing users should delete the override.
# rm -r /etc/systemd/system/unbound.service.d
https://bugs.archlinux.org/task/61163
/run/unbound.pid will hold the PID of unbound inside of the jail
(usually something like 2), which is not useful for systemd. It will try
to kill that PID and fail (eventually timing out).
Editing /usr/lib/systemd/system/unbound.service is super lame and should
never be done, but I can't figure out how to clear the PIDFile line just
by editing our unit override.
