From: Peter Palfrader
Date: Wed, 1 Jan 2014 20:41:15 +0000 (+0100)
Subject: try to rolify dns
X-Git-Url: https://git.donarmstrong.com/?p=dsa-puppet.git;a=commitdiff_plain;h=683ffc212c9c3a4d7e4a4ff98c94fb52a75a02ca
try to rolify dns
---
diff --git a/manifests/site.pp b/manifests/site.pp
index 22326245..eecf27cd 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -86,14 +86,9 @@ node default {
 include apache2
 }
- if $::hostname in [ravel,senfl,orff,diamond,rietz,denis] {
- include named::authoritative
- } elsif $::hostname in [geo1,geo2,geo3] {
+ if $::hostname in [geo1,geo2,geo3] {
 include named::geodns
 }
- if $::hostname in [denis] {
- include dnsextras::entries
- }
 if $::hostname in [diabelli,nono] {
 include dacs
diff --git a/modules/debian-org/misc/local.yaml b/modules/debian-org/misc/local.yaml
index c975cce4..9210978b 100644
--- a/modules/debian-org/misc/local.yaml
+++ b/modules/debian-org/misc/local.yaml
@@ -368,3 +368,10 @@ host_settings:
 buildd_master:
 - grieg.debian.org
 - wuiet.debian.org
+ dns_primary:
+ - denis.debian.org
+ dns_secondary:
+ - ravel.debian.org
+ - senfl.debian.org
+ - diamond.debian.org
+ - orff.debian.org
diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp
index 9f1c7f90..da2313c1 100644
--- a/modules/named/manifests/init.pp
+++ b/modules/named/manifests/init.pp
@@ -1,5 +1,4 @@
 class named {
- munin::check { 'bind': }
 site::aptrepo { 'bind-ratelimit':
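Review bot: The removed first `-` line lists `rietz` among the hosts that got named::authoritative, but neither `dns_primary` nor `dns_secondary` in the local.yaml hunk names rietz.debian.org, so after this commit rietz silently stops being an authoritative server and, presumably via class named, loses its port-53 ferm rule as well. If rietz is being retired from DNS that belongs in the commit message; otherwise it should be added to `dns_secondary` so the roles conversion is behaviour-neutral. The `node default` body continues outside the hunk.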
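Review bot: These two host lists now decide firewall behaviour and not just class assignment — a name under `dns_primary` is, per the new branch in modules/named/manifests/init.pp, denied public port 53 and reachable only on TCP 5671 from Debian hosts — yet the data carries no hint of that. A comment above the keys such as `# dns_primary: hidden primaries, no public port 53 (see modules/named); dns_secondary: publicly reachable authoritative servers` would stop the next editor from putting a host on the wrong list. The second sentence of that comment is an inference from the else branch and should be checked against what named::authoritative actually exposes.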
@@ -22,10 +21,23 @@ class named {
 rule => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP'
 }
- @ferm::rule { '01-dsa-bind':
- domain => '(ip ip6)',
- description => 'Allow nameserver access',
- rule => '&TCP_UDP_SERVICE(53)'
+ if getfromhash($site::nodeinfo, 'dns_primary') {
+ @ferm::rule { '01-dsa-bind-4':
+ domain => '(ip)',
+ description => 'Allow nameserver access',
+ rule => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V4)',
+ }
+ @ferm::rule { '01-dsa-bind-6':
+ domain => '(ip6)',
+ description => 'Allow nameserver access',
+ rule => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V6)',
+ }
+ } else {
+ @ferm::rule { '01-dsa-bind':
+ domain => '(ip ip6)',
+ description => 'Allow nameserver access',
+ rule => '&TCP_UDP_SERVICE(53)'
+ }
 }
 @ferm::rule { 'dsa-bind-notrack':
diff --git a/modules/named/manifests/primary.pp b/modules/named/manifests/primary.pp
new file mode 100644
index 00000000..e16ddb6b
--- /dev/null
+++ b/modules/named/manifests/primary.pp
@@ -0,0 +1,3 @@
+class named::primary inherits named::authoritative {
+ include dnsextras::entries;
+}
diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index 6b17ea0f..21559a8b 100644
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -99,6 +99,13 @@ class roles {
 }
 }
+ if getfromhash($site::nodeinfo, 'dns_primary') {
+ include named::primary
+ }
+ if getfromhash($site::nodeinfo, 'dns_secondary') {
+ include named::authoritative
+ }
+
 if $::hostname in [ravel] {
 include roles::weblog_destination
 }
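Review bot: The `dns_primary` branch opens TCP 5671 to the whole fleet through `$HOST_DEBIAN_V4`/`$HOST_DEBIAN_V6`, although the only peers that need to reach a hidden primary are the four hosts under `dns_secondary` in local.yaml, so the source set should be narrowed to those hosts — or the comment should say why every Debian host is trusted. The port is an unexplained magic number and nothing in this diff shows named listening on 5671 or the secondaries transferring from it; add `# hidden primary: no public port 53, only TCP transfer/notify traffic on the port named.conf listens on` above the `if` and confirm named.conf agrees. The branch also allows no UDP at all, so if the secondaries' SOA refresh queries are sent over UDP first they will be dropped before any TCP fallback — verify that transport is intended. Finally, both new rules keep the description 'Allow nameserver access', which no longer describes what they permit; `description => 'Allow hidden-primary access from Debian hosts'` would make the generated ferm config self-explaining.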
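Review bot: `include dnsextras::entries;` carries a trailing semicolon that none of the other `include` statements in this diff use; drop it for consistency (`include dnsextras::entries`). The new class has no comment saying what the role is, so a header such as `# DNS primary: an authoritative named plus the locally managed extra zone entries; hosts get this via the dns_primary list in local.yaml` would spare the next reader a trip through roles::init. Using `inherits` purely to add an include is also atypical — Puppet class inheritance is conventionally reserved for overriding resource parameters — and a plain class body with `include named::authoritative` followed by `include dnsextras::entries` expresses the same thing, provided nothing in dnsextras::entries relies on the parse-order guarantee that inheritance gives.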
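Review bot: The two `if getfromhash(...)` tests are independent, so a host listed under both `dns_primary` and `dns_secondary` would be given the secondary role here yet, by the if/else on the same lookup in modules/named/manifests/init.pp, be firewalled as a hidden primary with no public port 53 — the manifest and the firewall would then disagree about what the host is. Turning the second test into `elsif getfromhash($site::nodeinfo, 'dns_secondary') {` mirrors the ferm logic and makes the two roles mutually exclusive. A one-line comment above the block, `# DNS roles come from the dns_primary / dns_secondary host lists in modules/debian-org/misc/local.yaml`, would also document where the data lives. The roles class body continues outside the hunk.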