What happens when we remove these two notifies
[dsa-puppet.git] / modules / unbound / manifests / init.pp
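# Installs and configures the unbound resolver: the package, its state
# directory and key files under /var/lib/unbound, the rendered
# /etc/unbound/unbound.conf, and, for recursive resolvers, virtual ferm
# rules that open port 53 to the hoster's allowed client ranges.
#
# File modes are written as quoted four-digit octal strings. A bare 644 or
# 775 is rejected by Puppet 4 and later, which require a string mode.
class unbound {
    package {
        "unbound": ensure => installed;
    }

    # No command attribute is given, so the resource title "unbound restart"
    # is the command; it is looked up along `path`, which lists /etc/init.d
    # first. refreshonly keeps it from running unless another resource
    # notifies it.
    exec {
        "unbound restart":
            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
            refreshonly => true,
            ;
    }

    # State directory is owned by and group-writable for the unbound account.
    # NOTE(review): presumably group write is needed so the daemon can
    # rewrite the key files below - confirm, and tighten to 0755 if not.
    file {
        "/var/lib/unbound":
            ensure  => directory,
            owner   => unbound,
            group   => unbound,
            mode    => '0775',
            ;
    }

    # replace => false: Puppet only seeds this file when it is absent and
    # never overwrites existing content. Consequences to keep in mind:
    #   - a key changed in the module does not reach hosts that already
    #     have the file;
    #   - a locally modified or corrupted file is not corrected by Puppet.
    # NOTE(review): this looks like a DNSSEC trust anchor that unbound
    # maintains itself after seeding - confirm against unbound.conf.erb.
    file {
        "/var/lib/unbound/root.key":
            ensure  => present,
            replace => false,
            owner   => unbound,
            group   => unbound,
            mode    => '0644',
            source  => [ "puppet:///modules/unbound/root.key" ],
            # Restart on change is deliberately disabled; with it off,
            # unbound is not restarted when the key is first installed.
            #notify  => Exec["unbound restart"],
            ;
    }

    # Same seeding behaviour and caveats as root.key above.
    file {
        "/var/lib/unbound/debian.org.key":
            ensure  => present,
            replace => false,
            owner   => unbound,
            group   => unbound,
            mode    => '0644',
            source  => [ "puppet:///modules/unbound/debian.org.key" ],
            # Restart on change is deliberately disabled; with it off,
            # unbound is not restarted when the key is first installed.
            #notify  => Exec["unbound restart"],
            ;
    }

    # Main configuration, rendered from the module template; any change
    # triggers the restart exec.
    # NOTE(review): no mode is set here, so the effective mode comes from a
    # resource default declared elsewhere or from the file already on disk -
    # confirm it is not writable by anyone but root.
    file {
        "/etc/unbound/unbound.conf":
            content => template("unbound/unbound.conf.erb"),
            require => Package["unbound"],
            notify  => Exec["unbound restart"],
            owner   => root,
            group   => root,
            ;
    }

    # Firewall openings are declared only when the node is flagged
    # misc/resolver-recursive and hoster/allow_dns_query is not false.
    # The rules are virtual (@), so they take effect only where they are
    # realized elsewhere.
    case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
        true: {
            case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
                false: {}
                default: {
                    # NOTE(review): if allow_dns_query holds addresses of
                    # only one family, the other rule is built with an
                    # empty list "()". Confirm how the
                    # TCP_UDP_SERVICE_RANGE macro treats an empty source
                    # list, so that it cannot expand to "any source".
                    @ferm::rule { "dsa-dns":
                        domain          => "ip",
                        description     => "Allow nameserver access",
                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
                    }
                    @ferm::rule { "dsa-dns6":
                        domain          => "ip6",
                        description     => "Allow nameserver access",
                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
                    }
                }
            }
        }
    }
}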
72
73 # vim:set et:
74 # vim:set sts=4 ts=4:
75 # vim:set shiftwidth=4: