# = Class: unbound
#
# This class installs and configures unbound as the local resolver.
#
# Inputs: the node's 'misc' -> 'resolver-recursive' flag from $site::nodeinfo
# decides whether this host is a recursor, and the hiera keys
# 'allow_dns_query' (client networks) and 'nameservers' (presumably consumed
# by the unbound.conf template) supply the remaining configuration.
#
# == Sample Usage:
#
#   include unbound
#
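class unbound {

        # True when the node is flagged as a recursive resolver for other
        # hosts; only then are the port-53 firewall rules below emitted.
        $is_recursor   = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive')
        # Networks allowed to reach port 53 (hiera 'allow_dns_query'). These
        # only drive the ferm ACL; the unbound.conf template should carry a
        # matching access-control list so the firewall is not the sole gate
        # against becoming an open resolver -- TODO confirm in the template.
        $client_ranges = hiera('allow_dns_query')
        $empty_client_range = empty($client_ranges)
        # Not used in this class body; presumably referenced by the
        # unbound.conf template (class-scope variables are visible there).
        $ns            = hiera('nameservers')

        package { 'unbound':
                ensure => installed
        }

        # NOTE(review): hasstatus => false makes Puppet decide "running" by
        # grepping the process table for 'unbound', so any process whose
        # name contains that string (e.g. unbound-anchor) counts as the
        # daemon. A tighter pattern or a real status command would be safer.
        service { 'unbound':
                ensure    => running,
                hasstatus => false,
                pattern   => 'unbound',
                require   => Package['unbound'],
        }

        # Locally shipped init script. Ordered after the package so that a
        # package-provided script cannot overwrite it on first install;
        # systemd is reloaded afterwards so it regenerates the wrapper unit.
        file { '/etc/init.d/unbound':
                source  => 'puppet:///modules/unbound/unbound.init',
                mode    => '0555',
                require => Package['unbound'],
                notify  => Exec['systemctl daemon-reload'],
        }

        # State directory holding the DNSSEC trust anchors. It is owned by the
        # unbound user because the daemon must be able to rewrite the anchor
        # files itself (RFC 5011 rollovers) -- TODO confirm the template uses
        # auto-trust-anchor-file. Group write is not needed for that; 0755
        # would be the least-privilege choice, kept at 0775 to match history.
        file { '/var/lib/unbound':
                ensure  => directory,
                owner   => unbound,
                group   => unbound,
                require => Package['unbound'],
                mode    => '0775',
        }

        # Trust anchors are seeded once (replace => false) and then left to
        # unbound; re-pushing the Puppet copy would clobber any key the daemon
        # has rolled since. Owner unbound so the daemon can update them.
        file { '/var/lib/unbound/root.key':
                ensure  => present,
                replace => false,
                owner   => unbound,
                group   => unbound,
                mode    => '0644',
                source  => 'puppet:///modules/unbound/root.key'
        }
        file { '/var/lib/unbound/debian.org.key':
                ensure  => present,
                replace => false,
                owner   => unbound,
                group   => unbound,
                mode    => '0644',
                source  => 'puppet:///modules/unbound/debian.org.key'
        }
        file { '/var/lib/unbound/29.172.in-addr.arpa.key':
                ensure  => present,
                replace => false,
                owner   => unbound,
                group   => unbound,
                mode    => '0644',
                source  => 'puppet:///modules/unbound/29.172.in-addr.arpa.key'
        }

        # The config must not be written (and the service restarted) before
        # every anchor it may reference exists; the 29.172.in-addr.arpa key
        # was previously missing from this list.
        file { '/etc/unbound/unbound.conf':
                content => template('unbound/unbound.conf.erb'),
                require => [
                        Package['unbound'],
                        File['/var/lib/unbound/root.key'],
                        File['/var/lib/unbound/debian.org.key'],
                        File['/var/lib/unbound/29.172.in-addr.arpa.key']
                ],
                notify  => Service['unbound']
        }

        # Open port 53 only on recursors and only to the configured client
        # networks. Each address family gets its own rule and is skipped when
        # the filtered list is empty, so a v4-only (or v6-only) client list
        # never produces a rule with an empty range argument.
        if ($is_recursor and !$empty_client_range) {
                $client_ranges_v4 = filter_ipv4($client_ranges)
                $client_ranges_v6 = filter_ipv6($client_ranges)

                if !empty($client_ranges_v4) {
                        @ferm::rule { 'dsa-dns':
                                domain      => 'ip',
                                description => 'Allow nameserver access',
                                rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc($client_ranges_v4)),
                        }
                }
                if !empty($client_ranges_v6) {
                        @ferm::rule { 'dsa-dns6':
                                domain      => 'ip6',
                                description => 'Allow nameserver access',
                                rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc($client_ranges_v6)),
                        }
                }
        }
}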
84 }