nameservers:
- 5.153.231.241
- 5.153.231.242
+allow_dns_query:
+ - 5.153.231.0/24
nameservers: []
searchpaths: []
resolvoptions: []
+allow_dns_query: []
- 192.25.206.57
searchpaths:
- debprivate-ftcollins.debian.org
+allow_dns_query:
+ - 192.25.206.0/24
- 193.62.202.29
searchpaths:
- debprivate-sanger.debian.org
+allow_dns_query:
+ - 193.62.202.24/29
- 86.59.118.148
searchpaths:
- debprivate-sil.debian.org
+allow_dns_query:
+ - 86.59.118.144/28
+ - 2001:858:2:2::/64
- 2607:f8f0:610:4000:21c:c4ff:fee5:e890
searchpaths:
- debprivate-ubc.debian.org
+allow_dns_query:
+ - 137.82.84.64/27
+ - 206.12.19.0/24
+ - 2607:f8f0:610:4000::/64
- 2001:41c8:61::/125
#searchpaths: [debprivate-bytemark.debian.org]
nameservers: [5.153.231.241, 5.153.231.242]
- allow_dns_query: [5.153.231.0/24]
mirror-debian: http://mirror.bm.debian.org/debian
carnet:
netrange:
searchpaths: [debprivate-ftcollins.debian.org]
nameservers: [192.25.206.33, 192.25.206.57]
# only applicable for hosts that are recursive anyway:
- allow_dns_query: [192.25.206.0/24]
grnet:
netrange:
- 194.177.211.192/27
#resolvoptions: [single-request]
nameservers: [193.62.202.28, 193.62.202.29]
searchpaths: [debprivate-sanger.debian.org]
- allow_dns_query: [193.62.202.24/29]
rapidswitch:
netrange:
- 193.201.200.0/23
- 2001:858:2:2::/64
searchpaths: [debprivate-sil.debian.org]
nameservers: [86.59.118.147, 86.59.118.148]
- allow_dns_query: [86.59.118.144/28, 2001:858:2:2::/64]
mirror-debian: http://ftp.at.debian.org/debian/
ubcece:
netrange:
searchpaths: [debprivate-ubc.debian.org]
mirror-debian: http://mirror-ubc.debian.org/debian/
nameservers: [206.12.19.214, 2607:f8f0:610:4000:224:81ff:fea7:e952, 206.12.19.20, 2607:f8f0:610:4000:218:feff:fe76:2ed0, 206.12.19.21, 2607:f8f0:610:4000:21c:c4ff:fee5:e890]
- allow_dns_query: [137.82.84.64/27, 206.12.19.0/24, 2607:f8f0:610:4000::/64]
ugent:
netrange:
- 157.193.0.0/16
end
ns = function_hiera('nameservers')
+ allow_dns_q = function_hiera('allow_dns_query')
if ns.empty?
# no nameservers known for this hoster
nodeinfo['misc']['resolver-recursive'] = true
- if nodeinfo['hoster']['allow_dns_query']
+ if allow_dns_q
raise Puppet::ParseError, "No nameservers listed for #{nodeinfo['hoster']['name']} yet we should answer somebody's queries? That makes no sense."
end
elsif (nodeinfo['misc']['v4addrs'] and (ns & nodeinfo['misc']['v4addrs']).size > 0) or
# this host is listed as a nameserver at this location
nodeinfo['misc']['resolver-recursive'] = true
- if not nodeinfo['hoster']['allow_dns_query'] or nodeinfo['hoster']['allow_dns_query'].empty?
+ if not allow_dns_q or allow_dns_q.empty?
raise Puppet::ParseError, "Host #{host} is listed as a nameserver for #{nodeinfo['hoster']['name']} but no allow_dns_query networks are defined for this location"
end
else
class unbound {
$is_recursor = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive')
- $client_ranges = getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')
+ $client_ranges = hiera('allow_dns_query')
$ns = hiera('nameservers')
package { 'unbound':
@ferm::rule { 'dsa-dns':
domain => 'ip',
description => 'Allow nameserver access',
- rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
+ rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4($client_ranges))),
}
@ferm::rule { 'dsa-dns6':
domain => 'ip6',
description => 'Allow nameserver access',
- rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
+ rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6($client_ranges))),
}
}
}
projects / dsa-puppet.git / commitdiff