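# Class: named
#
# Installs and runs the BIND 9 nameserver, adds its ferm firewall rules
# (an early DROP for UDP ANY queries plus conntrack exemptions), and
# manages the Puppet-controlled parts of its configuration under
# /etc/bind.
#
# Every resource that writes below /etc/bind, chowns to the 'bind' user
# or starts the service requires Package['bind9']: Puppet does not order
# these after the package on its own, so on a fresh host a first run could
# otherwise fail before the package has created the directory, the user
# and the service unit.
class named {
	munin::check { 'bind': }

	package { 'bind9':
		ensure => installed,
	}

	service { 'bind9':
		ensure  => running,
		require => Package['bind9'],
	}

	# Drop UDP queries for qtype ANY early: the hex pattern matches the
	# question section bytes 00ff (type ANY) 0001 (class IN) at offset
	# 32-64 of the packet. ANY is the usual DNS amplification vector, hence
	# the "no-ddos-any" name.
	ferm::rule { '00-dsa-bind-no-ddos-any':
		domain      => '(ip ip6)',
		description => 'Allow nameserver access',
		rule        => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP',
	}

	# Exempt nameserver traffic (inbound dport 53, outbound sport 53) from
	# connection tracking in the raw table so a high query rate does not
	# fill the conntrack table.
	ferm::rule { 'dsa-bind-notrack':
		domain      => '(ip ip6)',
		description => 'NOTRACK for nameserver traffic',
		table       => 'raw',
		chain       => 'PREROUTING',
		rule        => 'proto (tcp udp) dport 53 jump NOTRACK',
	}

	ferm::rule { 'dsa-bind-notrack-out':
		domain      => '(ip ip6)',
		description => 'NOTRACK for nameserver traffic',
		table       => 'raw',
		chain       => 'OUTPUT',
		rule        => 'proto (tcp udp) sport 53 jump NOTRACK',
	}

	# Log directory owned by the daemon user/group, which the package
	# creates -- hence the require.
	file { '/var/log/bind9':
		ensure  => directory,
		owner   => bind,
		group   => bind,
		mode    => '0775',
		require => Package['bind9'],
	}

	file { '/etc/bind/named.conf.options':
		content => template('named/named.conf.options.erb'),
		require => Package['bind9'],
		notify  => Service['bind9'],
	}

	# Shared key material: readable by root and the bind group only, and
	# never printed in agent diffs or reports (show_diff => false), which
	# would otherwise leak the keys into logs and the report store.
	file { '/etc/bind/named.conf.puppet-shared-keys':
		mode      => '0640',
		content   => template('named/named.conf.puppet-shared-keys.erb'),
		owner     => root,
		group     => bind,
		show_diff => false,
		require   => Package['bind9'],
		notify    => Service['bind9'],
	}

	# Assembled from concat::fragment resources declared here and in other
	# classes; the header fragment sorts first via order '000'.
	concat { '/etc/bind/named.conf.puppet-misc':
		require => Package['bind9'],
		notify  => Service['bind9'],
	}
	concat::fragment { 'dsa-named-conf-puppet-misc---header':
		target  => '/etc/bind/named.conf.puppet-misc',
		order   => '000',
		content => @(EOF)
			// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
			| EOF
	}
}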