# = Class: unbound
#
# This class installs and configures unbound as the node's DNS resolver:
# the package and service, the DNSSEC trust anchors under /var/lib/unbound,
# the templated /etc/unbound/unbound.conf and, on recursors, the virtual
# ferm rules that open port 53 to the allowed client ranges.
#
# Takes no parameters. Its inputs are the node's site::nodeinfo entry and the
# hiera keys 'allow_dns_query' and 'nameservers'.
#
# == Sample Usage:
#
#   include unbound
#
class unbound {

        # Whether this node is a recursive resolver (misc/resolver-recursive in
        # the node info); it gates the firewall rules at the bottom.
        $is_recursor   = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive')
        # Client address ranges allowed to query. hiera() is called without a
        # default, so a missing key fails the catalog compile instead of
        # silently producing a resolver without an allow-list. Presumably also
        # read by unbound.conf.erb for its access-control lines — confirm
        # against the template.
        $client_ranges = hiera('allow_dns_query')
        # Not referenced in this manifest; presumably consumed by
        # unbound.conf.erb — confirm against the template.
        $ns            = hiera('nameservers')

        package { 'unbound':
                ensure => installed
        }

        # hasstatus => false: Puppet decides whether the daemon is up by
        # matching 'unbound' against the process table rather than by calling
        # the init script's status action.
        service { 'unbound':
                ensure => running,
                hasstatus => false,
                pattern   => 'unbound',
        }

        # State directory, owned by the daemon user so it can rewrite the
        # trust anchors below. 0775 makes it group-writable; with owner and
        # group both 'unbound' that only matters for other members of the
        # unbound group, so 0755 would be the tighter choice if none need it.
        file { '/var/lib/unbound':
                ensure  => directory,
                owner   => unbound,
                group   => unbound,
                require => Package['unbound'],
                mode    => '0775',
        }
        # DNSSEC trust anchors. replace => false seeds each file once and then
        # leaves the on-disk copy alone, so updates the daemon writes itself
        # (presumably RFC 5011 key rollover — confirm) are not undone by a
        # Puppet run. The flip side is that a stale or tampered anchor is not
        # reset by Puppet either; deleting the file forces a re-seed from the
        # module source. 0644 is fine: the anchors are public keys.
        file { '/var/lib/unbound/root.key':
                ensure  => present,
                replace => false,
                owner   => unbound,
                group   => unbound,
                mode    => '0644',
                source  => 'puppet:///modules/unbound/root.key'
        }
        # Same seed-once handling for the debian.org anchor.
        file { '/var/lib/unbound/debian.org.key':
                ensure  => present,
                replace => false,
                owner   => unbound,
                group   => unbound,
                mode    => '0644',
                source  => 'puppet:///modules/unbound/debian.org.key'
        }
        # Rendered from the template; both anchor files are required first,
        # presumably because the config refers to them — confirm in the
        # template. Any content change restarts the service. Ownership and
        # mode are not managed here, so whatever the file already has on disk
        # is kept.
        file { '/etc/unbound/unbound.conf':
                content => template('unbound/unbound.conf.erb'),
                require => [
                        Package['unbound'],
                        File['/var/lib/unbound/root.key'],
                        File['/var/lib/unbound/debian.org.key']
                ],
                notify  => Service['unbound']
        }

        # Firewall: a port-53 rule is declared only when this node is a
        # recursor and allow_dns_query is set; otherwise nothing is opened and
        # the default-closed firewall stands. Whether an empty list counts as
        # false here depends on the Puppet version — confirm. The rules are
        # virtual (@) and only take effect where they are collected. The
        # ranges are split per address family and joined verbatim into the
        # ferm macro's parenthesised list; assumes filter_ipv4/filter_ipv6
        # pass only well-formed prefixes — confirm, since the result lands
        # unescaped in ferm's configuration.
        if ($is_recursor and $client_ranges) {
                @ferm::rule { 'dsa-dns':
                        domain      => 'ip',
                        description => 'Allow nameserver access',
                        rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4($client_ranges))),
                }
                @ferm::rule { 'dsa-dns6':
                        domain      => 'ip6',
                        description => 'Allow nameserver access',
                        rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6($client_ranges))),
                }
        }
}