# Class: unbound
#
# Manages the unbound resolver on a node: the package, the running service,
# the /var/lib/unbound state directory with two key files, and
# /etc/unbound/unbound.conf rendered from a template. On nodes flagged as
# recursive resolvers it also declares (virtual) ferm rules for port 53.
class unbound {

  package { 'unbound':
    ensure => installed,
  }

  service { 'unbound':
    ensure => running,
  }

  # State directory for the key files declared below. Mode 0775 makes it
  # writable by the unbound group as well as the unbound user, so anything
  # running with that group can create or replace files in it.
  file { '/var/lib/unbound':
    ensure  => directory,
    mode    => '0775',
    owner   => 'unbound',
    group   => 'unbound',
    require => Package['unbound'],
  }

  # Key files shipped from the module. With replace => false Puppet only
  # seeds a file that is missing and never overwrites an existing copy, so
  # a changed key in the module does not reach hosts that already have the
  # file, and local changes to it are not reverted by Puppet.
  # NOTE(review): presumably these are DNSSEC trust anchors referenced by
  # unbound.conf.erb and kept up to date by unbound itself - the template
  # is not visible here, confirm.
  file { '/var/lib/unbound/root.key':
    ensure  => present,
    source  => 'puppet:///modules/unbound/root.key',
    replace => false,
    mode    => '0644',
    owner   => 'unbound',
    group   => 'unbound',
  }
  file { '/var/lib/unbound/debian.org.key':
    ensure  => present,
    source  => 'puppet:///modules/unbound/debian.org.key',
    replace => false,
    mode    => '0644',
    owner   => 'unbound',
    group   => 'unbound',
  }

  # Main configuration. It is written only after the package and both key
  # files exist, and every change notifies the service. No owner, group or
  # mode is declared, so Puppet does not manage them on this file.
  file { '/etc/unbound/unbound.conf':
    content => template('unbound/unbound.conf.erb'),
    notify  => Service['unbound'],
    require => [
      Package['unbound'],
      File['/var/lib/unbound/root.key'],
      File['/var/lib/unbound/debian.org.key'],
    ],
  }

  # Port 53 rules are declared only when the node is marked
  # 'resolver-recursive' AND its hoster entry carries 'allow_dns_query'.
  # The same list feeds both rules, filtered per address family. Both are
  # virtual resources (@), so they take effect only where they are realized.
  # NOTE(review): if the list holds no address of one family the macro is
  # handed an empty '()' range - confirm that the ferm macro then emits no
  # rule rather than one without a source restriction.
  if getfromhash($site::nodeinfo, 'misc', 'resolver-recursive') and getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query') {
    @ferm::rule { 'dsa-dns':
      description => 'Allow nameserver access',
      domain      => 'ip',
      rule        => sprintf(
        '&TCP_UDP_SERVICE_RANGE(53, (%s))',
        join_spc(filter_ipv4(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))
      ),
    }
    @ferm::rule { 'dsa-dns6':
      description => 'Allow nameserver access',
      domain      => 'ip6',
      rule        => sprintf(
        '&TCP_UDP_SERVICE_RANGE(53, (%s))',
        join_spc(filter_ipv6(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))
      ),
    }
  }
}