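# Recursive DNS resolver (unbound) for this host.
#
# Installs the package, seeds the DNSSEC trust-anchor files under
# /var/lib/unbound, renders unbound.conf from the module template and, when
# the node is flagged as a recursive resolver in $nodeinfo, declares virtual
# ferm rules that open port 53 (TCP+UDP) to the addresses listed under
# hoster/allow_dns_query.
class unbound {
    package {
        'unbound': ensure => installed;
    }

    # The title doubles as the command; with /etc/init.d first on the path
    # this resolves to the init script.  refreshonly => true means it only
    # runs when notified (see the unbound.conf resource below).
    exec {
        'unbound restart':
            path        => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
            refreshonly => true,
            ;
    }
    file {
        # Owned by the daemon user so unbound itself can write into it.
        # Modes are quoted four-digit octal strings: an unquoted 775/644 is
        # read as a decimal literal by newer Puppet parsers and is not a
        # portable file mode.
        '/var/lib/unbound':
            ensure  => directory,
            owner   => unbound,
            group   => unbound,
            require => Package['unbound'],
            mode    => '0775',
            ;
        # Trust anchors are seeded once (replace => false): an existing copy
        # on the host is never overwritten by Puppet — presumably so that
        # unbound's own trust-anchor maintenance survives a Puppet run; confirm
        # against the auto-trust-anchor-file settings in unbound.conf.erb.
        '/var/lib/unbound/root.key':
            ensure  => present,
            replace => false,
            owner   => unbound,
            group   => unbound,
            mode    => '0644',
            source  => [ 'puppet:///modules/unbound/root.key' ],
            ;
        '/var/lib/unbound/debian.org.key':
            ensure  => present,
            replace => false,
            owner   => unbound,
            group   => unbound,
            mode    => '0644',
            source  => [ 'puppet:///modules/unbound/debian.org.key' ],
            ;
        # Rendered after the anchor files exist; any change restarts the
        # daemon via the exec above.  No explicit mode is set, so Puppet keeps
        # whatever mode the file already has (default perms on first creation).
        '/etc/unbound/unbound.conf':
            content => template('unbound/unbound.conf.erb'),
            require => [ Package['unbound'], File['/var/lib/unbound/root.key'],  File['/var/lib/unbound/debian.org.key'] ],
            notify  => Exec['unbound restart'],
            owner   => root,
            group   => root,
            ;
    }

    # Firewall exposure of port 53 is opt-in per node: only recursive
    # resolvers get rules, and only for the allow_dns_query address list.
    case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
        true: {
            case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
                # An explicit false opens nothing.
                false: {}
                # NOTE(review): an unset allow_dns_query also lands here; confirm
                # getfromhash returns false (not undef/empty) in that case, or
                # the rule below is declared with an empty address list.
                default: {
                    @ferm::rule { 'dsa-dns':
                        domain          => 'ip',
                        description     => 'Allow nameserver access',
                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
                    }
                    @ferm::rule { 'dsa-dns6':
                        domain          => 'ip6',
                        description     => 'Allow nameserver access',
                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
                    }
                }
            }
        }
    }
}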
65
66 # vim:set et:
67 # vim:set sts=4 ts=4:
68 # vim:set shiftwidth=4: