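# Recursive DNS resolver (unbound) with seeded DNSSEC trust anchors.
#
# Installs the unbound package, seeds trust-anchor files for the root zone and
# for debian.org under /var/lib/unbound, and renders /etc/unbound/unbound.conf
# from a template.  On hosts whose $nodeinfo marks them as recursive resolvers,
# virtual ferm rules opening port 53 (TCP and UDP) to the configured client
# networks are declared; they take effect only where something else collects
# ferm::rule resources.
class unbound {
    package {
        unbound: ensure => installed;
    }

    # Restart handler.  refreshonly: never run on its own, only when notified
    # (currently by the config file below).  No explicit command is given, so
    # the resource title ("unbound restart") is the command, found via the
    # init.d entry of the search path.
    exec {
        "unbound restart":
            path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
            refreshonly => true,
            ;
    }

    file {
        # The unbound user and group come from the package, so ownership can
        # only be applied once it is installed; without the require a first
        # run on a fresh host can fail with an unknown owner.
        # mode 775 makes the directory group-writable; if no account other
        # than unbound is in that group, 755 would be the tighter choice.
        "/var/lib/unbound":
            ensure  => directory,
            owner   => unbound,
            group   => unbound,
            mode    => 775,
            require => Package["unbound"],
            ;
        # DNSSEC trust anchors.  replace => false: the file is seeded from the
        # module only when missing and is otherwise left untouched --
        # presumably so that updates the daemon itself writes to the anchor
        # are not clobbered on every run (confirm against the template).
        # Edits to these files deliberately do not trigger a restart.
        "/var/lib/unbound/root.key":
            ensure  => present,
            replace => false,
            owner   => unbound,
            group   => unbound,
            mode    => 644,
            source  => [ "puppet:///modules/unbound/root.key" ],
            require => Package["unbound"],
            ;
        "/var/lib/unbound/debian.org.key":
            ensure  => present,
            replace => false,
            owner   => unbound,
            group   => unbound,
            mode    => 644,
            source  => [ "puppet:///modules/unbound/debian.org.key" ],
            require => Package["unbound"],
            ;
        # Rendered config.  Requires the key files because the template
        # presumably references them as trust anchors.  The file mode is not
        # managed here, so whatever the package shipped is kept.
        "/etc/unbound/unbound.conf":
            content => template("unbound/unbound.conf.erb"),
            require => [ Package["unbound"], File['/var/lib/unbound/root.key'],  File['/var/lib/unbound/debian.org.key'] ],
            notify  => Exec["unbound restart"],
            owner   => root,
            group   => root,
            ;
    }

    # Firewall exposure of the resolver, only on hosts flagged as recursive.
    case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
        true: {
            # allow_dns_query => false disables the rules entirely.  Any other
            # value -- including, presumably, an unset key -- reaches the
            # default branch; what filter_ipv4/filter_ipv6 yield for an empty
            # or missing list, and hence what ferm is handed, is not visible
            # here and is worth confirming.
            case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
                false: {}
                default: {
                    # One virtual rule per address family, each restricted to
                    # the addresses of that family from the allow list.
                    @ferm::rule { "dsa-dns":
                        domain          => "ip",
                        description     => "Allow nameserver access",
                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
                    }
                    @ferm::rule { "dsa-dns6":
                        domain          => "ip6",
                        description     => "Allow nameserver access",
                        rule            => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
                    }
                }
            }
        }
    }
}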

# vim:set et:
# vim:set sts=4 ts=4:
# vim:set shiftwidth=4: