1 # the primary (hidden master) nameserver manages the BIND zone files and the Let's Encrypt certificate handling
3 # it will not, by default, open the firewall for requests. however, it will
4 # collect ferm simple rules tagged named::primary::ferm which our own
5 # secondaries (the geo nodes) and the monitoring infrastructure export.
6 # Additional networks can be set with allow_access for any 3rd party nodes (such as
# external secondary nameservers) that need to reach the primary on port 53.
8 # @param allow_access additional hosts/networks (IP addresses, optionally with a prefix
# length) that should be allowed to reach port 53 over UDP and TCP. Empty by default, so
# only the rules collected from our own secondaries and the monitoring hosts apply.
9 class roles::dns_primary(
10 Array[Stdlib::IP::Address] $allow_access = [],
12 include named::primary
14 # ssh setup to sync the geonodes
# Collect the public keys that other hosts export under tag 'dns_primary'
# into the authorized_keys of the three local sync users (dnsadm,
# letsencrypt, geodnssync). Which hosts export under that tag is not visible
# here — presumably the geo nodes / secondaries named in the header; confirm
# before reusing the tag elsewhere, since every exporter gains login as
# these three users.
# NOTE(review): this listing is missing lines (e.g. the resources' closing
# braces); compare against the repository before editing.
15 ssh::authorized_key_collect { 'dns_primary-dnsadm':
16 target_user => 'dnsadm',
17 collect_tag => 'dns_primary',
19 ssh::authorized_key_collect { 'dns_primary-letsencrypt':
20 target_user => 'letsencrypt',
21 collect_tag => 'dns_primary',
23 ssh::authorized_key_collect { 'dns_primary-geodnssync':
24 target_user => 'geodnssync',
25 collect_tag => 'dns_primary',
# Key pair for the local dnsadm user. Presumably its public half is what the
# dnsadm_key fact below carries — verify; on a freshly built host that fact
# cannot exist until keygen has run, so key may be undef on the first run
# (presumably tolerated by ssh::authorized_key_add; confirm).
28 ssh::keygen {'dnsadm': }
# Authorize the dnsadm key for the geodnssync user on the hosts that collect
# tag 'geodnssync-node' (the collect_tag suggests the defined type exports
# the entry). The forced command pins the key holder to running the geodns
# trigger only, not a shell.
# NOTE(review): command= alone does not disable pty, port/agent/X11
# forwarding; whether ssh::authorized_key_add adds those restricting
# options is not visible here — confirm.
29 ssh::authorized_key_add { 'dns_primary::geodns':
30 target_user => 'geodnssync',
31 command => '/etc/bind/geodns/trigger',
32 key => $facts['dnsadm_key'],
33 collect_tag => 'geodnssync-node',
36 # ssh setup to sync letsencrypt info to puppet
# Key pair for the local letsencrypt user; presumably the letsencrypt_key
# fact below is its public half (same first-run caveat as for dnsadm).
37 ssh::keygen {'letsencrypt': }
# Authorize that key for the 'puppet' user on hosts collecting tag
# 'puppetmaster'. The forced command fixes the exact server-side rsync
# invocation and target directory, so a holder of this key can only push
# into /srv/puppet.debian.org/from-letsencrypt. Because of --delete it can
# also remove files there, i.e. a compromised primary can empty that
# directory but touch nothing outside it. The option string is the one the
# client-side rsync negotiates; if the client flags change, this line has
# to change with them or the transfer will fail.
# NOTE(review): as for the geodns key, confirm that ssh::authorized_key_add
# also emits the restricting options (no-pty, no-port-forwarding, ...).
38 ssh::authorized_key_add { 'dns_primary::puppetmaster::letsencrypt-certificates':
39 target_user => 'puppet',
40 command => 'rsync --server -vlogDtprze.iLsfx --delete --partial . /srv/puppet.debian.org/from-letsencrypt',
41 key => $facts['letsencrypt_key'],
42 collect_tag => 'puppetmaster',
# Firewall: open DNS (UDP and TCP) only to the explicitly configured extra
# networks in $allow_access.
# NOTE(review): the port attribute is not visible in this listing (expected
# here, port 53 per the class header). Also confirm how ferm::rule::simple
# renders an empty saddr: if an empty array drops the source match instead
# of producing no rule, the default allow_access = [] would open port 53 to
# everyone, contradicting the header comment.
46 ferm::rule::simple { 'dns-from-secondaries':
47 description => 'Allow additional (such as 3rd party secondary nameserver) access to the primary',
48 proto => ['udp', 'tcp'],
50 saddr => $allow_access,
# Realize the rules our own secondaries and the monitoring hosts export under
# tag 'named::primary::ferm'. Anything that exports under this tag opens the
# primary's firewall, so keep the tag confined to trusted manifests.
52 Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>>
54 # mini-nag does nrpe queries to check if hosts are still up
# Export a firewall rule to every host collecting 'nagios-nrpe::server' so
# this primary (running mini-nag) can reach their nrpe daemon from its
# public addresses.
# NOTE(review): the port attribute is not visible in this listing; compare
# against the repository before editing.
55 @@ferm::rule::simple { "dsa-nrpe-from-dnsprimary-${::fqdn}":
56 tag => 'nagios-nrpe::server',
57 description => 'Allow dns primary running mini-nag access to the nrpe daemon',
59 saddr => $base::public_addresses,
# Also export an allowed_hosts line for nrpe itself, built from this host's
# public addresses. NOTE(review): every host exporting under this tag adds
# its own allowed_hosts= line to debianorg.cfg; check that nrpe merges them
# rather than honouring only the last one, or that a single host exports
# this fragment.
61 @@concat::fragment { "nrpe-debian-allow-${::fqdn}":
62 tag => 'nagios-nrpe::server::debianorg.cfg',
63 target => '/etc/nagios/nrpe.d/debianorg.cfg',
64 content => "allowed_hosts=${ $base::public_addresses.join(', ') }",