modules/named/manifests/init.pp

   1 class named {
   2         munin::check { 'bind': }
   3
   4         site::aptrepo { 'bind-ratelimit':
   5                 url        => 'http://db.debian.org/debian-admin',
   6                 suite      => 'bind-ratelimit',
   7                 components => 'main',
   8         }
   9
  10         package { 'bind9':
  11                 ensure => installed
  12         }
  13
  14         service { 'bind9':
  15                 ensure => running,
  16         }
  17
  18         @ferm::rule { '00-dsa-bind-no-ddos-any':
  19                 domain      => '(ip ip6)',
  20                 description => 'Allow nameserver access',
  21                 rule        => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP'
  22         }
  23
  24         if has_role('dns_primary') {
  25                 @ferm::rule { '01-dsa-bind-4':
  26                         domain      => '(ip)',
  27                         description => 'Allow nameserver access',
  28                         rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V4 $HOST_NAGIOS_V4 $HOST_RCODE0_V4 $HOST_EASYDNS_V4 5.153.231.21 ) )',
  29                 }
  30                 @ferm::rule { '01-dsa-bind-6':
  31                         domain      => '(ip6)',
  32                         description => 'Allow nameserver access',
  33                         rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V6 $HOST_NAGIOS_V6 $HOST_RCODE0_V6 2001:41c8:1000:21::21:21 ) )',
  34                 }
  35         } else {
  36                 @ferm::rule { '01-dsa-bind':
  37                         domain      => '(ip ip6)',
  38                         description => 'Allow nameserver access',
  39                         rule        => '&TCP_UDP_SERVICE(53)'
  40                 }
  41         }
  42
  43         @ferm::rule { 'dsa-bind-notrack':
  44                 domain      => '(ip ip6)',
  45                 description => 'NOTRACK for nameserver traffic',
  46                 table       => 'raw',
  47                 chain       => 'PREROUTING',
  48                 rule        => 'proto (tcp udp) dport 53 jump NOTRACK'
  49         }
  50
  51         @ferm::rule { 'dsa-bind-notrack-out':
  52                 domain      => '(ip ip6)',
  53                 description => 'NOTRACK for nameserver traffic',
  54                 table       => 'raw',
  55                 chain       => 'OUTPUT',
  56                 rule        => 'proto (tcp udp) sport 53 jump NOTRACK'
  57         }
  58
  59         file { '/var/log/bind9':
  60                 ensure => directory,
  61                 owner  => bind,
  62                 group  => bind,
  63                 mode   => '0775',
  64         }
  65
  66         file { '/etc/bind/named.conf.puppet-shared-keys':
  67                 mode    => '0640',
  68                 content => template('named/named.conf.puppet-shared-keys.erb'),
  69                 owner   => root,
  70                 group   => bind,
  71                 notify  => Service['bind9'],
  72         }
  73 }