From: Stephen Gran <steve@lobefin.net>
Date: Sun, 21 Feb 2010 14:52:26 +0000 (+0000)
Subject: reshuffle bind configuration
X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=0908741048684a3f0d143144b82fab87095a42a6;p=dsa-puppet.git

reshuffle bind configuration

Signed-off-by: Stephen Gran <steve@lobefin.net>
---

diff --git a/modules/named/files/common/named.conf.acl b/modules/named/files/common/named.conf.acl
new file mode 100644
index 00000000..60a078fe
--- /dev/null
+++ b/modules/named/files/common/named.conf.acl
@@ -0,0 +1,289 @@
+//
+// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+//
+
+// Africa
+acl AF {
+	country_AO;
+	country_BF;
+	country_BI;
+	country_BJ;
+	country_BW;
+	country_CD;
+	country_CF;
+	country_CG;
+	country_CI;
+	country_CM;
+	country_CV;
+	country_DJ;
+	country_DZ;
+	country_EG;
+	country_EH;
+	country_ER;
+	country_ET;
+	country_GA;
+	country_GH;
+	country_GM;
+	country_GN;
+	country_GQ;
+	country_GW;
+	country_KE;
+	country_KM;
+	country_LR;
+	country_LS;
+	country_LY;
+	country_MA;
+	country_MG;
+	country_ML;
+	country_MR;
+	country_MU;
+	country_MW;
+	country_MZ;
+	country_NA;
+	country_NE;
+	country_NG;
+	country_RE;
+	country_RW;
+	country_SC;
+	country_SD;
+	country_SH;
+	country_SL;
+	country_SN;
+	country_SO;
+	country_ST;
+	country_SZ;
+	country_TD;
+	country_TG;
+	country_TN;
+	country_TZ;
+	country_UG;
+	country_YT;
+	country_ZA;
+	country_ZM;
+	country_ZW;
+};
+
+// Asia
+acl AS {
+	country_AE;
+	country_AF;
+	country_AM;
+	country_AP; // global region Asia/Pacific
+	country_AZ;
+	country_BD;
+	country_BH;
+	country_BN;
+	country_BT;
+	country_CC;
+	country_CN;
+	country_CX;
+	country_CY;
+	country_GE;
+	country_HK;
+	country_ID;
+	country_IL;
+	country_IN;
+	country_IO;
+	country_IQ;
+	country_IR;
+	country_JO;
+	country_JP;
+	country_KG;
+	country_KH;
+	country_KP;
+	country_KR;
+	country_KW;
+	country_KZ;
+	country_LA;
+	country_LB;
+	country_LK;
+	country_MM;
+	country_MN;
+	country_MO;
+	country_MV;
+	country_MY;
+	country_NP;
+	country_OM;
+	country_PH;
+	country_PK;
+	country_PS;
+	country_QA;
+	country_SA;
+	country_SG;
+	country_SY;
+	country_TH;
+	country_TJ;
+	country_TL;
+	country_TM;
+	country_TW;
+	country_UZ;
+	country_VN;
+	country_YE;
+};
+
+// Europe
+acl EU {
+	country_AD;
+	country_AL;
+	country_AT;
+	country_AX;
+	country_BA;
+	country_BE;
+	country_BG;
+	country_BY;
+	country_CH;
+	country_CZ;
+	country_DE;
+	country_DK;
+	country_EE;
+	country_ES;
+	country_EU; // global region Europe
+	country_FI;
+	country_FO;
+	country_FR;
+	country_GB;
+	country_GG;
+	country_GI;
+	country_GR;
+	country_HR;
+	country_HU;
+	country_IE;
+	country_IM;
+	country_IS;
+	country_IT;
+	country_JE;
+	country_LI;
+	country_LT;
+	country_LU;
+	country_LV;
+	country_MC;
+	country_MD;
+	country_ME;
+	country_MK;
+	country_MT;
+	country_NL;
+	country_NO;
+	country_PL;
+	country_PT;
+	country_RO;
+	country_RS;
+	country_RU;
+	country_SE;
+	country_SI;
+	country_SJ;
+	country_SK;
+	country_SM;
+	country_TR;
+	country_UA;
+	country_VA;
+};
+
+// North America
+acl NA {
+	country_AG;
+	country_AI;
+	country_AN;
+	country_AW;
+	country_BB;
+	country_BL;
+	country_BM;
+	country_BS;
+	country_BZ;
+	country_CA;
+	country_CR;
+	country_CU;
+	country_DM;
+	country_DO;
+	country_GD;
+	country_GL;
+	country_GP;
+	country_GT;
+	country_HN;
+	country_HT;
+	country_JM;
+	country_KN;
+	country_KY;
+	country_LC;
+	country_MF;
+	country_MQ;
+	country_MS;
+	country_MX;
+	country_NI;
+	country_PA;
+	country_PM;
+	country_PR;
+	country_SV;
+	country_TC;
+	country_TT;
+	country_US;
+	country_VC;
+	country_VG;
+	country_VI;
+};
+
+// South America
+acl SA {
+	country_AR;
+	country_BO;
+	country_BR;
+	country_CL;
+	country_CO;
+	country_EC;
+	country_FK;
+	country_GF;
+	country_GY;
+	country_PE;
+	country_PY;
+	country_SR;
+	country_UY;
+	country_VE;
+};
+
+// Oceania
+acl OC {
+	country_AS;
+	country_AU;
+	country_CK;
+	country_FJ;
+	country_FM;
+	country_GU;
+	country_KI;
+	country_MH;
+	country_MP;
+	country_NC;
+	country_NF;
+	country_NR;
+	country_NU;
+	country_NZ;
+	country_PF;
+	country_PG;
+	country_PN;
+	country_PW;
+	country_SB;
+	country_TK;
+	country_TO;
+	country_TV;
+	country_UM;
+	country_VU;
+	country_WF;
+	country_WS;
+};
+
+// Antarctica
+acl AN {
+	country_AQ;
+	country_BV;
+	country_GS;
+	country_HM;
+	country_TF;
+};
+
+acl undef {
+	country_A1;
+	country_A2;
+	8.8.8.8/32; // Google DNS Server fails with GeoIP
+	8.8.4.4/32; // Google DNS Server fails with GeoIP
+	208.67.222.222/32; // OpenDNS fails with GeoIP
+	208.67.220.220/32; // OpenDNS fails with GeoIP
+};
diff --git a/modules/named/files/common/named.conf.options b/modules/named/files/common/named.conf.options
deleted file mode 100644
index b81be8c8..00000000
--- a/modules/named/files/common/named.conf.options
+++ /dev/null
@@ -1,43 +0,0 @@
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-options {
-        directory "/var/cache/bind";
-
-        // If there is a firewall between you and nameservers you want
-        // to talk to, you may need to fix the firewall to allow multiple
-        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
-
-        // If your ISP provided one or more IP addresses for stable 
-        // nameservers, you probably want to use them as forwarders.  
-        // Uncomment the following block, and insert the addresses replacing 
-        // the all-0's placeholder.
-
-        // forwarders {
-        //      0.0.0.0;
-        // };
-
-        auth-nxdomain no;    # conform to RFC1035
-        listen-on-v6 { any; };
-        allow-query { any; };
-        allow-update { none; };
-        allow-transfer { none; };
-        allow-recursion { Nagios; };
-        blackhole { 192.168.0.0/16; 10.0.0.0/8; 172.16.0.0/12; };
-};
-
-logging {
-
-	channel queries {
-		file "/var/log/bind9/geoip-query.log" versions 4 size 40m;
-		print-time yes;
-		print-category yes;
-	};
-	category queries { queries; };
-	category lame-servers { null; };
-
-};
-
-
diff --git a/modules/named/files/common/named.conf.options-secondary b/modules/named/files/common/named.conf.options-secondary
deleted file mode 100644
index e95a7286..00000000
--- a/modules/named/files/common/named.conf.options-secondary
+++ /dev/null
@@ -1,28 +0,0 @@
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-options {
-	directory "/var/cache/bind";
-
-	allow-recursion { localnets; 192.25.206.33; 206.12.19.118; };
-	allow-query { localnets; 192.25.206.33; 206.12.19.118; };
-
-	auth-nxdomain no;
-	listen-on-v6 { any; };
-
-	dnssec-enable yes;
-	dnssec-validation yes;
-};
-
-logging {
-
-	channel queries {
-		file "/var/log/bind9/named-query.log" versions 4 size 40m;
-		print-time yes;
-		print-category yes;
-	};
-	category queries { queries; };
-	category lame-servers { null; };
-};
diff --git a/modules/named/files/per-host/ravel.debian.org/named.conf.options-secondary b/modules/named/files/per-host/ravel.debian.org/named.conf.options-secondary
deleted file mode 100644
index 58e18dc7..00000000
--- a/modules/named/files/per-host/ravel.debian.org/named.conf.options-secondary
+++ /dev/null
@@ -1,35 +0,0 @@
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-acl debian-ubcece {
-	127.0.0.0/8;
-	137.82.84.64/27;
-	206.12.19.0/24;
-	192.168.2.0/24;
-};
-
-options {
-	directory "/var/cache/bind";
-
-	allow-recursion { localnets; debian-ubcece; 192.25.206.33; 206.12.19.118; };
-	allow-query { localnets; debian-ubcece; 192.25.206.33; 206.12.19.118; };
-
-	auth-nxdomain no;
-	listen-on-v6 { any; };
-
-	dnssec-enable yes;
-	dnssec-validation yes;
-};
-
-logging {
-
-	channel queries {
-		file "/var/log/bind9/named-query.log" versions 4 size 40m;
-		print-time yes;
-		print-category yes;
-	};
-	category queries { queries; };
-	category lame-servers { null; };
-};
diff --git a/modules/named/manifests/geodns.pp b/modules/named/manifests/geodns.pp
index 0754b323..766c5e55 100644
--- a/modules/named/manifests/geodns.pp
+++ b/modules/named/manifests/geodns.pp
@@ -17,15 +17,15 @@ class named::geodns inherits named {
                         group   => root,
                         ;
                 "/etc/bind/named.conf.acl":
-                        content => template("named/named.conf.acl.erb"),
+                        source  => [ "puppet:///named/per-host/$fqdn/named.conf.acl",
+                                     "puppet:///named/common/named.conf.acl" ],
                         require => Package["bind9"],
                         notify  => Exec["bind9 restart"],
                         owner   => root,
                         group   => root,
                         ;
                 "/etc/bind/named.conf.options":
-                        source  => [ "puppet:///named/per-host/$fqdn/named.conf.options",
-                                     "puppet:///named/common/named.conf.options" ],
+                        content => template("named/named.conf.options.erb"),
                         require => Package["bind9"],
                         notify  => Exec["bind9 restart"],
                         owner   => root,
diff --git a/modules/named/manifests/secondary.pp b/modules/named/manifests/secondary.pp
index 3742eec4..87f3d377 100644
--- a/modules/named/manifests/secondary.pp
+++ b/modules/named/manifests/secondary.pp
@@ -5,8 +5,7 @@ class named::secondary inherits named {
         notify  => Exec["bind9 reload"],
     }
     file { "/etc/bind/named.conf.options":
-        source  => [ "puppet:///named/per-host/$fqdn/named.conf.options-secondary",
-                     "puppet:///named/common/named.conf.options-secondary" ],
+        content => template("named/named.conf.options.erb"),
         notify  => Exec["bind9 reload"],
     }
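Review bot: The template now rendered here reads `localinfo`, `keyinfo` and `classes` to build the Nagios acl; until this commit only named::geodns rendered a template using those variables, so confirm they are visible in named::secondary's scope or the catalog will fail to compile for every secondary. The rendered policy for a secondary becomes `allow-query { Nagios; localnets; }`, which drops the explicit 192.25.206.33 and 206.12.19.118 entries from the deleted named.conf.options-secondary and the ravel-only debian-ubcece ranges; if those clients still need recursion they have to be re-added in the template, since the per-host override path is gone. A short comment on this resource saying where per-host exceptions now live would help the next person looking for them.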
     file { "/etc/bind/named.conf.shared-keys":
diff --git a/modules/named/templates/named.conf.acl.erb b/modules/named/templates/named.conf.acl.erb
deleted file mode 100644
index c35c37e4..00000000
--- a/modules/named/templates/named.conf.acl.erb
+++ /dev/null
@@ -1,302 +0,0 @@
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-acl Nagios {
-<%=
-  str = ''
-  localinfo.keys.sort.each do |node|
-      if localinfo[node]['nagiosmaster']
-          keyinfo[node][0]['ipHostNumber'].each do |ip|
-              str += "\t" + ip + "/32;\n"
-          end
-      end
-  end
-  str%>
-};
-
-// Africa
-acl AF {
-	country_AO;
-	country_BF;
-	country_BI;
-	country_BJ;
-	country_BW;
-	country_CD;
-	country_CF;
-	country_CG;
-	country_CI;
-	country_CM;
-	country_CV;
-	country_DJ;
-	country_DZ;
-	country_EG;
-	country_EH;
-	country_ER;
-	country_ET;
-	country_GA;
-	country_GH;
-	country_GM;
-	country_GN;
-	country_GQ;
-	country_GW;
-	country_KE;
-	country_KM;
-	country_LR;
-	country_LS;
-	country_LY;
-	country_MA;
-	country_MG;
-	country_ML;
-	country_MR;
-	country_MU;
-	country_MW;
-	country_MZ;
-	country_NA;
-	country_NE;
-	country_NG;
-	country_RE;
-	country_RW;
-	country_SC;
-	country_SD;
-	country_SH;
-	country_SL;
-	country_SN;
-	country_SO;
-	country_ST;
-	country_SZ;
-	country_TD;
-	country_TG;
-	country_TN;
-	country_TZ;
-	country_UG;
-	country_YT;
-	country_ZA;
-	country_ZM;
-	country_ZW;
-};
-
-// Asia
-acl AS {
-	country_AE;
-	country_AF;
-	country_AM;
-	country_AP; // global region Asia/Pacific
-	country_AZ;
-	country_BD;
-	country_BH;
-	country_BN;
-	country_BT;
-	country_CC;
-	country_CN;
-	country_CX;
-	country_CY;
-	country_GE;
-	country_HK;
-	country_ID;
-	country_IL;
-	country_IN;
-	country_IO;
-	country_IQ;
-	country_IR;
-	country_JO;
-	country_JP;
-	country_KG;
-	country_KH;
-	country_KP;
-	country_KR;
-	country_KW;
-	country_KZ;
-	country_LA;
-	country_LB;
-	country_LK;
-	country_MM;
-	country_MN;
-	country_MO;
-	country_MV;
-	country_MY;
-	country_NP;
-	country_OM;
-	country_PH;
-	country_PK;
-	country_PS;
-	country_QA;
-	country_SA;
-	country_SG;
-	country_SY;
-	country_TH;
-	country_TJ;
-	country_TL;
-	country_TM;
-	country_TW;
-	country_UZ;
-	country_VN;
-	country_YE;
-};
-
-// Europe
-acl EU {
-	country_AD;
-	country_AL;
-	country_AT;
-	country_AX;
-	country_BA;
-	country_BE;
-	country_BG;
-	country_BY;
-	country_CH;
-	country_CZ;
-	country_DE;
-	country_DK;
-	country_EE;
-	country_ES;
-	country_EU; // global region Europe
-	country_FI;
-	country_FO;
-	country_FR;
-	country_GB;
-	country_GG;
-	country_GI;
-	country_GR;
-	country_HR;
-	country_HU;
-	country_IE;
-	country_IM;
-	country_IS;
-	country_IT;
-	country_JE;
-	country_LI;
-	country_LT;
-	country_LU;
-	country_LV;
-	country_MC;
-	country_MD;
-	country_ME;
-	country_MK;
-	country_MT;
-	country_NL;
-	country_NO;
-	country_PL;
-	country_PT;
-	country_RO;
-	country_RS;
-	country_RU;
-	country_SE;
-	country_SI;
-	country_SJ;
-	country_SK;
-	country_SM;
-	country_TR;
-	country_UA;
-	country_VA;
-};
-
-// North America
-acl NA {
-	country_AG;
-	country_AI;
-	country_AN;
-	country_AW;
-	country_BB;
-	country_BL;
-	country_BM;
-	country_BS;
-	country_BZ;
-	country_CA;
-	country_CR;
-	country_CU;
-	country_DM;
-	country_DO;
-	country_GD;
-	country_GL;
-	country_GP;
-	country_GT;
-	country_HN;
-	country_HT;
-	country_JM;
-	country_KN;
-	country_KY;
-	country_LC;
-	country_MF;
-	country_MQ;
-	country_MS;
-	country_MX;
-	country_NI;
-	country_PA;
-	country_PM;
-	country_PR;
-	country_SV;
-	country_TC;
-	country_TT;
-	country_US;
-	country_VC;
-	country_VG;
-	country_VI;
-};
-
-// South America
-acl SA {
-	country_AR;
-	country_BO;
-	country_BR;
-	country_CL;
-	country_CO;
-	country_EC;
-	country_FK;
-	country_GF;
-	country_GY;
-	country_PE;
-	country_PY;
-	country_SR;
-	country_UY;
-	country_VE;
-};
-
-// Oceania
-acl OC {
-	country_AS;
-	country_AU;
-	country_CK;
-	country_FJ;
-	country_FM;
-	country_GU;
-	country_KI;
-	country_MH;
-	country_MP;
-	country_NC;
-	country_NF;
-	country_NR;
-	country_NU;
-	country_NZ;
-	country_PF;
-	country_PG;
-	country_PN;
-	country_PW;
-	country_SB;
-	country_TK;
-	country_TO;
-	country_TV;
-	country_UM;
-	country_VU;
-	country_WF;
-	country_WS;
-};
-
-// Antarctica
-acl AN {
-	country_AQ;
-	country_BV;
-	country_GS;
-	country_HM;
-	country_TF;
-};
-
-acl undef {
-	country_A1;
-	country_A2;
-	8.8.8.8/32; // Google DNS Server fails with GeoIP
-	8.8.4.4/32; // Google DNS Server fails with GeoIP
-	208.67.222.222/32; // OpenDNS fails with GeoIP
-	208.67.220.220/32; // OpenDNS fails with GeoIP
-};
diff --git a/modules/named/templates/named.conf.options.erb b/modules/named/templates/named.conf.options.erb
new file mode 100644
index 00000000..5dec7ba1
--- /dev/null
+++ b/modules/named/templates/named.conf.options.erb
@@ -0,0 +1,63 @@
+//
+// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+//
+
+acl Nagios {
+<%=
+  str = ''
+  localinfo.keys.sort.each do |node|
+      if localinfo[node]['nagiosmaster']
+          keyinfo[node][0]['ipHostNumber'].each do |ip|
+              str += "\t" + ip + "/32;\n"
+          end
+      end
+  end
+  str-%>
+};
+
+options {
+        directory "/var/cache/bind";
+
+        auth-nxdomain no;    # conform to RFC1035
+        listen-on-v6 { any; };
+
+        allow-transfer { none; };
+        allow-update { none; };
+<%= if classes.include?('named::geodns') -%>
+        blackhole { 192.168.0.0/16; 10.0.0.0/8; 172.16.0.0/12; };
+<%= end -%>
+
+<%=
+  allowed='Nagios; '
+  if classes.include?('named::secondary')
+    allowed += 'localnets; '
+  end
+
+  str =  "allow-recursion { " + allowed + " };\n"
+  str += "allow-query { " + allowed + " };\n"
+
+  str
+-%>
+
+<%= if classes.include?('named::secondary') -%>
+	dnssec-enable yes;
+	dnssec-validation yes;
+<%= end -%>
+};
+
+logging {
+
+	channel queries {
+<%= if classes.include?('named::geodns') -%>
+		file "/var/log/bind9/geoip-query.log" versions 4 size 40m;
+<%= else -%>
+		file "/var/log/bind9/named-query.log" versions 4 size 40m;
+<%= end -%>
+		print-time yes;
+		print-category yes;
+	};
+	category queries { queries; };
+	category lame-servers { null; };
+};
+
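Review bot: The control-flow tags around the blackhole, dnssec and logging sections (`<%= if … -%>`, `<%= else -%>`, `<%= end -%>`) use the output tag; ERB compiles `<%= code %>` to `_erbout.concat((code).to_s)`, so an `if`, `else` or `end` fragment inside those parentheses is a Ruby syntax error and the whole template fails to render. They should be statement tags, e.g. `<% if classes.include?('named::geodns') -%>` … `<% end -%>`, and the same for the `named::secondary` and `else` tags. The two `<%= … -%>` blocks that end in `str` are fine, because the block's value is the assembled string. Minor: `allowed` already ends in `'; '` and the concatenation adds another blank, so the output reads `allow-recursion { Nagios;  };`; building the line as `"allow-recursion { " + allowed.strip + " };\n"` keeps it tidy.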