- draghi.debian.org
dns_primary:
- denis.debian.org
- dns_secondary:
- - orff.debian.org
dns_geo:
- geo1.debian.org
- geo2.debian.org
allnodeinfo = scope.lookupvar('site::allnodeinfo')
roles = scope.lookupvar('site::roles')
- %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster static_mirror static_source static_master dns_secondary dns_geo}.each do |role|
+ %w{mailrelay nagiosmaster extranrpeclient muninmaster dbmaster static_mirror static_source static_master dns_geo}.each do |role|
rolehost[role] = []
roles[role].each do |node|
rolehost[role] << allnodeinfo[node]['ipHostNumber']
@def $HOST_STATIC_V4 = (<%= scope.function_filter_ipv4([rolehost['static_mirror'] + rolehost['static_source'] + rolehost['static_master']]).uniq.join(' ') %>);
@def $HOST_STATIC_V6 = (<%= scope.function_filter_ipv6([rolehost['static_mirror'] + rolehost['static_source'] + rolehost['static_master']]).uniq.join(' ') %>);
-@def $HOST_DNS_SECONDARY_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_secondary']]).uniq.join(' ') %>);
-@def $HOST_DNS_SECONDARY_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_secondary']]).uniq.join(' ') %>);
@def $HOST_DNS_GEO_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_geo']]).uniq.join(' ') %>);
@def $HOST_DNS_GEO_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_geo']]).uniq.join(' ') %>);
@def $HOST_EASYDNS_V4 = (64.68.200.91);
@ferm::rule { '01-dsa-bind-4':
domain => '(ip)',
description => 'Allow nameserver access',
- rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_SECONDARY_V4 $HOST_DNS_GEO_V4 $HOST_NAGIOS_V4 $HOST_RCODE0_V4 $HOST_EASYDNS_V4 5.153.231.21 ) )',
+ rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V4 $HOST_NAGIOS_V4 $HOST_RCODE0_V4 $HOST_EASYDNS_V4 5.153.231.21 ) )',
}
@ferm::rule { '01-dsa-bind-6':
domain => '(ip6)',
description => 'Allow nameserver access',
- rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_SECONDARY_V6 $HOST_DNS_GEO_V6 $HOST_NAGIOS_V6 $HOST_RCODE0_V6 2001:41c8:1000:21::21:21 ) )',
+ rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V6 $HOST_NAGIOS_V6 $HOST_RCODE0_V6 2001:41c8:1000:21::21:21 ) )',
}
} else {
@ferm::rule { '01-dsa-bind':
dnssec-validation yes;
<% end -%>
-<% if scope.function_has_role(['dns_secondary']) -%>
- rate-limit {
- responses-per-second 25;
- window 5;
- slip 5;
- qps-scale 250;
- };
-<% end -%>
-
// Defaults are 100 and 10, causing lots and lots of tiny updates.
// This way, I hope, we'll get fewer (and thus bigger) updates. -- weasel
sig-signing-nodes 5000;
if has_role('dns_primary') {
include named::primary
}
- if has_role('dns_secondary') {
- include named::authoritative
- }
if has_role('weblog_destination') {
include roles::weblog_destination
projects / dsa-puppet.git / commitdiff