Try allowing port 53 through firewalls for recursors
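# Recursive DNS resolver (unbound).
#
# Installs the package, seeds the DNSSEC trust anchors for the root zone and
# for debian.org, renders unbound.conf from a template and -- only on hosts
# flagged in $nodeinfo as recursive resolvers -- declares virtual ferm rules
# that open port 53 (tcp+udp) to the client networks the hoster allows.
class unbound {
    package {
        unbound: ensure => installed;
    }

    # Full service restart (not a reload). refreshonly: it never runs on its
    # own, only when one of the file resources below notifies it.
    exec {
        "unbound restart":
            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
            refreshonly => true,
            ;
    }

    file {
        # State directory. owner/group name the 'unbound' account, which only
        # exists once the package is installed -- without the explicit require
        # a first run can apply this resource before Package["unbound"] and
        # fail with "could not find user unbound".
        "/var/lib/unbound":
            ensure  => directory,
            owner   => unbound,
            group   => unbound,
            mode    => "0775",
            require => Package["unbound"],
            ;
        # DNSSEC trust anchors. replace => false means puppet only seeds the
        # file and never overwrites an existing one -- presumably so that
        # unbound's own rewrites of the anchor file (RFC 5011 key tracking)
        # are not clobbered; confirm against the auto-trust-anchor-file
        # settings in unbound.conf.erb. Consequence worth knowing: a changed
        # key in this module is NOT pushed to hosts that already have the
        # file, and the restart only fires when the file is first created.
        "/var/lib/unbound/root.key":
            ensure  => present,
            replace => false,
            owner   => unbound,
            group   => unbound,
            mode    => "0644",
            source  => [ "puppet:///modules/unbound/root.key" ],
            require => Package["unbound"],
            notify  => Exec["unbound restart"],
            ;
        "/var/lib/unbound/debian.org.key":
            ensure  => present,
            replace => false,
            owner   => unbound,
            group   => unbound,
            mode    => "0644",
            source  => [ "puppet:///modules/unbound/debian.org.key" ],
            require => Package["unbound"],
            notify  => Exec["unbound restart"],
            ;
        # Main config, rendered from the module template (not visible here).
        # No mode is managed, so an existing file keeps whatever mode it has.
        "/etc/unbound/unbound.conf":
            content => template("unbound/unbound.conf.erb"),
            require => Package["unbound"],
            notify  => Exec["unbound restart"],
            owner   => root,
            group   => root,
            ;
    }

    # Firewall: port 53 is opened only on recursive resolvers, and only to the
    # source networks listed in the hoster's allow_dns_query. An unrestricted
    # recursive resolver is an amplification/abuse vector, so
    # allow_dns_query => false keeps the port closed.
    #
    # NOTE(review): every value other than boolean false -- including an
    # unset key -- takes the default branch. With an unset key filter_ipv4/
    # filter_ipv6 see no addresses and the macro call is generated with an
    # empty source range; check how &TCP_UDP_SERVICE_RANGE expands that
    # before relying on it to fail closed.
    case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
        true: {
            $allow_dns_query = getfromhash($nodeinfo, 'hoster', 'allow_dns_query')
            case $allow_dns_query {
                false: {}
                default: {
                    # One resource per address family with distinct titles:
                    # declaring Ferm::Rule["dsa-bind"] twice (once for ip, once
                    # for ip6) is a duplicate declaration and fails catalog
                    # compilation even for virtual resources. The ip title is
                    # kept so any existing realize/collector of "dsa-bind"
                    # still resolves; the ip6 rule gets its own title.
                    @ferm::rule { "dsa-bind":
                        domain          => "ip",
                        description     => "Allow nameserver access",
                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, %s)", join_spc(filter_ipv4($allow_dns_query))),
                    }
                    @ferm::rule { "dsa-bind6":
                        domain          => "ip6",
                        description     => "Allow nameserver access",
                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, %s)", join_spc(filter_ipv6($allow_dns_query))),
                    }
                }
            }
        }
    }
}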
# vim:set et:
# vim:set sts=4 ts=4:
# vim:set shiftwidth=4: