From 0260a86f617032bcaa946081bd36dfb43836047c Mon Sep 17 00:00:00 2001
From: Stephen Gran <steve@lobefin.net>
Date: Wed, 17 Apr 2013 07:06:08 +0100
Subject: [PATCH] move allow_dns_query into hiera

Signed-off-by: Stephen Gran <steve@lobefin.net>
---
 hieradata/bytemark.yaml                                     | 2 ++
 hieradata/common.yaml                                       | 1 +
 hieradata/ftcollins.yaml                                    | 2 ++
 hieradata/sanger.yaml                                       | 2 ++
 hieradata/sil.yaml                                          | 3 +++
 hieradata/ubcece.yaml                                       | 4 ++++
 modules/debian-org/misc/hoster.yaml                         | 5 -----
 .../puppetmaster/lib/puppet/parser/functions/nodeinfo.rb    | 5 +++--
 modules/unbound/manifests/init.pp                           | 6 +++---
 9 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/hieradata/bytemark.yaml b/hieradata/bytemark.yaml
index a975730d..cf8caad8 100644
--- a/hieradata/bytemark.yaml
+++ b/hieradata/bytemark.yaml
@@ -2,3 +2,5 @@
 nameservers:
   - 5.153.231.241
   - 5.153.231.242
+allow_dns_query:
+  - 5.153.231.0/24
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index c2213a0c..f1507d9a 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -2,3 +2,4 @@
 nameservers: []
 searchpaths: []
 resolvoptions: []
+allow_dns_query: []
diff --git a/hieradata/ftcollins.yaml b/hieradata/ftcollins.yaml
index 98847223..9de7f746 100644
--- a/hieradata/ftcollins.yaml
+++ b/hieradata/ftcollins.yaml
@@ -4,3 +4,5 @@ nameservers:
   - 192.25.206.57
 searchpaths:
   - debprivate-ftcollins.debian.org
+allow_dns_query:
+  - 192.25.206.0/24
diff --git a/hieradata/sanger.yaml b/hieradata/sanger.yaml
index 186a9a4e..4efe07b0 100644
--- a/hieradata/sanger.yaml
+++ b/hieradata/sanger.yaml
@@ -4,3 +4,5 @@ nameservers:
   - 193.62.202.29
 searchpaths:
   - debprivate-sanger.debian.org
+allow_dns_query:
+  - 193.62.202.24/29
diff --git a/hieradata/sil.yaml b/hieradata/sil.yaml
index 03bf7feb..42e66dcb 100644
--- a/hieradata/sil.yaml
+++ b/hieradata/sil.yaml
@@ -4,3 +4,6 @@ nameservers:
   - 86.59.118.148
 searchpaths:
   - debprivate-sil.debian.org
+allow_dns_query:
+  - 86.59.118.144/28
+  - 2001:858:2:2::/64
diff --git a/hieradata/ubcece.yaml b/hieradata/ubcece.yaml
index 924b187d..96a5f37e 100644
--- a/hieradata/ubcece.yaml
+++ b/hieradata/ubcece.yaml
@@ -8,3 +8,7 @@ nameservers:
   - 2607:f8f0:610:4000:21c:c4ff:fee5:e890
 searchpaths:
   - debprivate-ubc.debian.org
+allow_dns_query:
+  - 137.82.84.64/27
+  - 206.12.19.0/24
+  - 2607:f8f0:610:4000::/64
diff --git a/modules/debian-org/misc/hoster.yaml b/modules/debian-org/misc/hoster.yaml
index c49d2bff..3863c986 100644
--- a/modules/debian-org/misc/hoster.yaml
+++ b/modules/debian-org/misc/hoster.yaml
@@ -46,7 +46,6 @@ bytemark:
     - 2001:41c8:61::/125
   #searchpaths: [debprivate-bytemark.debian.org]
   nameservers: [5.153.231.241, 5.153.231.242]
-  allow_dns_query: [5.153.231.0/24]
   mirror-debian: http://mirror.bm.debian.org/debian
 carnet:
   netrange:
@@ -80,7 +79,6 @@ ftcollins:
   searchpaths: [debprivate-ftcollins.debian.org]
   nameservers: [192.25.206.33, 192.25.206.57]
   # only applicable for hosts that are recursive anyway:
-  allow_dns_query: [192.25.206.0/24]
 grnet:
   netrange:
     - 194.177.211.192/27
@@ -128,7 +126,6 @@ sanger:
   #resolvoptions: [single-request]
   nameservers: [193.62.202.28, 193.62.202.29]
   searchpaths: [debprivate-sanger.debian.org]
-  allow_dns_query: [193.62.202.24/29]
 rapidswitch:
   netrange:
     - 193.201.200.0/23
@@ -144,7 +141,6 @@ sil:
     - 2001:858:2:2::/64
   searchpaths: [debprivate-sil.debian.org]
   nameservers: [86.59.118.147, 86.59.118.148]
-  allow_dns_query: [86.59.118.144/28, 2001:858:2:2::/64]
   mirror-debian: http://ftp.at.debian.org/debian/
 ubcece:
   netrange:
@@ -153,7 +149,6 @@ ubcece:
   searchpaths: [debprivate-ubc.debian.org]
   mirror-debian: http://mirror-ubc.debian.org/debian/
   nameservers: [206.12.19.214, 2607:f8f0:610:4000:224:81ff:fea7:e952, 206.12.19.20, 2607:f8f0:610:4000:218:feff:fe76:2ed0, 206.12.19.21, 2607:f8f0:610:4000:21c:c4ff:fee5:e890]
-  allow_dns_query: [137.82.84.64/27, 206.12.19.0/24, 2607:f8f0:610:4000::/64]
 ugent:
   netrange:
     - 157.193.0.0/16
diff --git a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
index 303dfd21..f1606dd7 100644
--- a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
+++ b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
@@ -40,11 +40,12 @@ module Puppet::Parser::Functions
       end
 
       ns = function_hiera('nameservers')
+      allow_dns_q = function_hiera('allow_dns_query')
       if ns.empty?
         # no nameservers known for this hoster
         nodeinfo['misc']['resolver-recursive'] = true
 
-        if nodeinfo['hoster']['allow_dns_query']
+        if allow_dns_q
           raise Puppet::ParseError, "No nameservers listed for #{nodeinfo['hoster']['name']} yet we should answer somebody's queries?  That makes no sense."
         end
       elsif (nodeinfo['misc']['v4addrs'] and (ns & nodeinfo['misc']['v4addrs']).size > 0) or
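Review bot: The guard `if allow_dns_q` on the new line no longer detects "nothing configured": hiera now always returns an Array (common.yaml in this same patch adds `allow_dns_query: []` as the fallback), and an empty Array is truthy in Ruby, so every hoster whose `nameservers` is empty will now hit the ParseError that was meant only for locations listing query networks without any nameserver. The old `nodeinfo['hoster']['allow_dns_query']` lookup returned nil for hosters without the key, which is what made the check work before. Change it to `if allow_dns_q and not allow_dns_q.empty?`, mirroring the inverse test in the following hunk. The enclosing function starts and ends outside this hunk.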
@@ -52,7 +53,7 @@ module Puppet::Parser::Functions
         # this host is listed as a nameserver at this location
         nodeinfo['misc']['resolver-recursive'] = true
 
-        if not nodeinfo['hoster']['allow_dns_query'] or nodeinfo['hoster']['allow_dns_query'].empty?
+        if not allow_dns_q or allow_dns_q.empty?
           raise Puppet::ParseError, "Host #{host} is listed as a nameserver for #{nodeinfo['hoster']['name']} but no allow_dns_query networks are defined for this location"
         end
       else
diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
index 5261009b..caf95027 100644
--- a/modules/unbound/manifests/init.pp
+++ b/modules/unbound/manifests/init.pp
@@ -9,7 +9,7 @@
 class unbound {
 
 	$is_recursor   = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive')
-	$client_ranges = getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')
+	$client_ranges = hiera('allow_dns_query')
 	$ns            = hiera('nameservers')
 
 	package { 'unbound':
@@ -59,12 +59,12 @@ class unbound {
 		@ferm::rule { 'dsa-dns':
 			domain      => 'ip',
 			description => 'Allow nameserver access',
-			rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
+			rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4($client_ranges))),
 		}
 		@ferm::rule { 'dsa-dns6':
 			domain      => 'ip6',
 			description => 'Allow nameserver access',
-			rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
+			rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6($client_ranges))),
 		}
 	}
 }
-- 
2.39.5