From 05faa1898f975f27c9ccbec5b4e45ac776d64b4e Mon Sep 17 00:00:00 2001
From: Peter Palfrader <peter@palfrader.org>
Date: Tue, 1 Mar 2011 22:44:16 +0100
Subject: [PATCH] unbound module

---
 modules/unbound/manifests/init.pp          | 52 +++++++++++++++++++
 modules/unbound/templates/unbound.conf.erb | 60 ++++++++++++++++++++++
 2 files changed, 112 insertions(+)
 create mode 100644 modules/unbound/manifests/init.pp
 create mode 100644 modules/unbound/templates/unbound.conf.erb

diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
new file mode 100644
index 00000000..03ae86c0
--- /dev/null
+++ b/modules/unbound/manifests/init.pp
@@ -0,0 +1,52 @@
+class unbouned {
+    package {
+        unbound: ensure => installed;
+    }
+
+    exec {
+        "unbound restart":
+            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+            refreshonly => true,
+            ;
+    }
+    file {
+        "/var/lib/unbound":
+            ensure  => directory,
+            owner   => unbound,
+            group   => unbound,
+            mode    => 775,
+            ;
+        "/var/lib/unbound/root.key":
+            ensure  => present,
+            replace => false,
+            owner   => unbound,
+            group   => unbound,
+            mode    => 644,
+            # IANA root trust anchor, valid from 2010-07-15T00:00:00+00:00
+            # downloaded from https://data.iana.org/root-anchors/root-anchors.xml
+            content => ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n",
+            notify  => Exec["unbound restart"],
+            ;
+        "/var/lib/unbound/debian.org.key":
+            ensure  => present,
+            replace => false,
+            owner   => unbound,
+            group   => unbound,
+            mode    => 644,
+            # debian.org DS record, July 2010'
+            content => "debian.org. IN DS 5283 7 2 3DC987A633914C195D03EA129E92327630D3428E92884A5E97829A55701F9E8A\n",
+            notify  => Exec["unbound restart"],
+            ;
+        "/etc/unbound/unbound.conf":
+            content => template("unbound/unbound.conf.erb"),
+            require => Package["unbound"],
+            notify  => Exec["unbound restart"],
+            owner   => root,
+            group   => root,
+            ;
+    }
+}
+
+# vim:set et:
+# vim:set sts=4 ts=4:
+# vim:set shiftwidth=4:
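Review bot: The class at the top of the hunk is named `unbouned` while the file is modules/unbound/manifests/init.pp, so the autoloader will not resolve `class unbound` and an `include unbound` elsewhere fails; rename it to `class unbound {`. The `/var/lib/unbound` directory and the two key files set `owner => unbound` / `group => unbound` but carry no `require => Package["unbound"]` (only the unbound.conf resource declares it), so on a fresh host Puppet may try to chown them before the package has created that user and group. The key files need to stay writable by the daemon for RFC 5011 updates, which mode 644 with owner unbound already gives, but `775` on the directory is also group-writable, which is wider than needed — `mode => "0755"` (quoted, with the leading zero Puppet expects for octal) would do, and `"0644"` on the files would likewise be clearer than the bare integer.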
diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb
new file mode 100644
index 00000000..35610496
--- /dev/null
+++ b/modules/unbound/templates/unbound.conf.erb
@@ -0,0 +1,60 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+server:
+	verbosity: 1
+
+	# specify the interfaces to answer queries from by ip-address.
+	# The default is to listen to localhost (127.0.0.1 and ::1).
+	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
+	# specify every interface[@port] on a new 'interface:' labelled line.
+	# The listen interfaces are not changed on reload, only on restart.
+	# interface: 192.0.2.153
+	# interface: 192.0.2.154
+	# interface: 192.0.2.154@5003
+	# interface: 2001:DB8::5
+
+	# enable this feature to copy the source address of queries to reply.
+	# Socket options are not supported on all platforms. experimental. 
+	interface-automatic: yes
+
+	# control which clients are allowed to make (recursive) queries
+	# to this server. Specify classless netblocks with /size and action.
+	# By default everything is refused, except for localhost.
+	# Choose deny (drop message), refuse (polite error reply),
+	# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+	# access-control: 0.0.0.0/0 refuse
+	# access-control: 127.0.0.0/8 allow
+	# access-control: ::0/0 refuse
+	# access-control: ::1 allow
+	# access-control: ::ffff:127.0.0.1 allow
+
+	#chroot: ""
+
+	hide-identity: yes
+	hide-version: yes
+
+	use-caps-for-id: yes
+
+	# Do not query the following addresses. No DNS queries are sent there.
+	# List one address per entry. List classless netblocks with /size,
+	# do-not-query-address: 127.0.0.1/8
+	# do-not-query-address: ::1
+
+	# if yes, the above default do-not-query-address entries are present.
+	# if no, localhost can be queried (for testing and debugging).
+	# do-not-query-localhost: yes
+
+	# File with trusted keys, kept uptodate using RFC5011 probes,
+	# initial file like trust-anchor-file, then it stores metadata.
+	# Use several entries, one per domain name, to track multiple zones.
+	# auto-trust-anchor-file: ""
+	auto-trust-anchor-file: "/var/lib/unbound/root.key"
+	auto-trust-anchor-file: "/var/lib/unbound/debian.org.key"
+
+#forward-zone:
+#	name: "."
+#	forward-addr: 192.0.2.1
+#	forward-addr: 192.0.2.199
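Review bot: The two `auto-trust-anchor-file` entries point at absolute paths under `/var/lib/unbound`, but the `#chroot: ""` line above them is left commented out, so whatever chroot the package compiles in stays in effect; if that default is a non-empty directory (upstream's is `/etc/unbound`), the daemon would look for the RFC 5011 files inside the chroot rather than at those paths. Either uncomment `chroot: ""` or add a comment recording the Debian package's effective default so the next reader can confirm the paths are reachable from the daemon's view. With `interface-automatic: yes` relying on the default listen address and every `access-control` line commented out, a short comment such as `# intent: localhost-only recursion, built-in refuse-by-default ACL` would state the security posture instead of leaving it to be inferred from the stock comments. The `experimental.` comment on the `interface-automatic` line also carries trailing whitespace.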
-- 
2.39.5