modules/unbound/manifests/init.pp

   1 # = Class: unbound
   2 #
   3 # This class installs and configures unbound
   4 #
   5 # == Sample Usage:
   6 #
   7 #   include unbound
   8 #
   9 class unbound {
  10
  11         package { 'unbound':
  12                 ensure => installed
  13         }
  14
  15         service { 'unbound':
  16                 ensure => running,
  17                 hasstatus => false,
  18                 pattern   => 'unbound',
  19         }
  20
  21         file { '/var/lib/unbound':
  22                 ensure  => directory,
  23                 owner   => unbound,
  24                 group   => unbound,
  25                 require => Package['unbound'],
  26                 mode    => '0775',
  27         }
  28         file { '/var/lib/unbound/root.key':
  29                 ensure  => present,
  30                 replace => false,
  31                 owner   => unbound,
  32                 group   => unbound,
  33                 mode    => '0644',
  34                 source  => 'puppet:///modules/unbound/root.key'
  35         }
  36         file { '/var/lib/unbound/debian.org.key':
  37                 ensure  => present,
  38                 replace => false,
  39                 owner   => unbound,
  40                 group   => unbound,
  41                 mode    => '0644',
  42                 source  => 'puppet:///modules/unbound/debian.org.key'
  43         }
  44         file { '/etc/unbound/unbound.conf':
  45                 content => template('unbound/unbound.conf.erb'),
  46                 require => [
  47                         Package['unbound'],
  48                         File['/var/lib/unbound/root.key'],
  49                         File['/var/lib/unbound/debian.org.key']
  50                 ],
  51                 notify  => Service['unbound']
  52         }
  53
  54         if getfromhash($site::nodeinfo, 'misc', 'resolver-recursive') {
  55                 if getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query') {
  56                         @ferm::rule { 'dsa-dns':
  57                                 domain      => 'ip',
  58                                 description => 'Allow nameserver access',
  59                                 rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
  60                         }
  61                         @ferm::rule { 'dsa-dns6':
  62                                 domain      => 'ip6',
  63                                 description => 'Allow nameserver access',
  64                                 rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
  65                         }
  66                 }
  67         }
  68 }