3 # This class installs and configures unbound
# Inputs for this class, all read from external data:
#   $is_recursor   - value found under 'misc' / 'resolver-recursive' in $site::nodeinfo
#   $client_ranges - hiera key 'allow_dns_query'; feeds the port-53 firewall rules further down
#   $ns            - hiera key 'nameservers'; not referenced in the visible lines
#                    (presumably consumed by the config template - confirm)
# NOTE(review): $client_ranges decides which networks may query this resolver, so
# changes to the 'allow_dns_query' data deserve the same review as a firewall change.
11 $is_recursor = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive')
12 $client_ranges = hiera('allow_dns_query')
13 $ns = hiera('nameservers')
# Directory that holds the two key files managed below.
# NOTE(review): owner and mode are not visible in this excerpt; confirm that only
# the resolver's own account (and root) can write here, since key material lives in it.
25 file { '/var/lib/unbound':
# Managed only after the unbound package resource.
29 require => Package['unbound'],
# Key file copied from the module's file server path; presumably the DNSSEC trust
# anchor for the root zone (inferred from the file name - confirm).
# NOTE(review): a trust anchor shipped as a static file does not follow key rollovers
# by itself. The attributes between the two visible lines are not shown; confirm
# whether the resource leaves an existing file alone (e.g. replace => false) so the
# resolver can keep it current, or whether the module copy is refreshed on rollover.
32 file { '/var/lib/unbound/root.key':
38 source => 'puppet:///modules/unbound/root.key'
# Second key file copied from the module's file server path; presumably a DNSSEC
# trust anchor for debian.org (inferred from the file name - confirm).
# NOTE(review): ownership, mode and replace behaviour are outside this excerpt;
# verify them, because whoever can rewrite this file controls what the resolver
# accepts as validly signed for that zone.
40 file { '/var/lib/unbound/debian.org.key':
46 source => 'puppet:///modules/unbound/debian.org.key'
# Main unbound configuration, rendered from the module's ERB template.
48 file { '/etc/unbound/unbound.conf':
49 content => template('unbound/unbound.conf.erb'),
# Both key files are referenced here; the attribute that owns this list is outside
# the excerpt (presumably require =>, so the config lands only once the key files
# exist - confirm).
52 File['/var/lib/unbound/root.key'],
53 File['/var/lib/unbound/debian.org.key']
# A change to this file sends a refresh to the unbound service.
55 notify => Service['unbound']
# Firewall rules for port 53 are declared only when this node is flagged as a
# recursor and the combined client range list is non-empty.
# NOTE(review): `.empty?` reads like Ruby method syntax; confirm it parses under the
# Puppet version in use.
# NOTE(review): the guard checks the combined list, not each address family. If
# 'allow_dns_query' holds ranges of one family only, the other rule is presumably
# built with an empty list, i.e. `&TCP_UDP_SERVICE_RANGE(53, ())` (assumes
# filter_ipv4/filter_ipv6 return only addresses of that family - confirm). Verify how
# ferm treats an empty range list so the result is neither a broken ruleset nor a
# rule that matches more sources than intended.
58 if ($is_recursor and not $client_ranges.empty?) {
# IPv4 rule. The leading @ declares a virtual resource, so it applies only where it
# is realized or collected.
59 @ferm::rule { 'dsa-dns':
61 description => 'Allow nameserver access',
# Port 53 for the IPv4 entries of $client_ranges, joined into one string by join_spc().
62 rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4($client_ranges))),
# IPv6 counterpart of the rule above, also virtual.
# NOTE(review): the attribute on the line skipped before `description` is not shown;
# confirm it routes this rule to the IPv6 table (presumably a domain setting).
64 @ferm::rule { 'dsa-dns6':
66 description => 'Allow nameserver access',
# Port 53 for the IPv6 entries of $client_ranges.
67 rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6($client_ranges))),