# = Class: unbound
#
# This class installs and configures unbound.
#
# == Sample Usage:
#
#   include unbound
#
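class unbound {

        package { 'unbound':
                ensure => installed
        }

        # hasstatus => false makes Puppet decide whether the daemon is up by
        # scanning the process table for /unbound/ instead of calling the init
        # script's status action.  Any process whose name matches that regex
        # satisfies the check (e.g. a helper such as unbound-anchor, if the
        # package ships one), so a wedged daemon can look "running" -- confirm
        # the init script really lacks a usable status action before keeping this.
        service { 'unbound':
                ensure    => running,
                hasstatus => false,
                pattern   => 'unbound',
        }

        # State directory for the trust anchors below.  0775 leaves it
        # group-writable for the unbound group; presumably so the daemon can
        # rewrite its anchor files in place -- TODO confirm that is required.
        file { '/var/lib/unbound':
                ensure  => directory,
                owner   => unbound,
                group   => unbound,
                require => Package['unbound'],
                mode    => '0775',
        }

        # DNSSEC trust anchors.  replace => false means Puppet only installs
        # the file when it is absent and never overwrites an existing copy.
        # For root.key that matches an RFC 5011 setup where unbound updates
        # the anchor itself; whether unbound.conf.erb actually loads it with
        # auto-trust-anchor-file is not visible from this manifest -- verify.
        # Both files autorequire File['/var/lib/unbound'], and through it
        # Package['unbound'].
        file { '/var/lib/unbound/root.key':
                ensure  => present,
                replace => false,
                owner   => unbound,
                group   => unbound,
                mode    => '0644',
                source  => 'puppet:///modules/unbound/root.key'
        }
        # NOTE(review): with replace => false a rolled debian.org key in the
        # module is never pushed to hosts that already have the old file; if
        # the template loads this as a static trust-anchor-file (rather than
        # auto-trust-anchor-file), a rollover will break validation for
        # debian.org on existing resolvers -- confirm against the template.
        file { '/var/lib/unbound/debian.org.key':
                ensure  => present,
                replace => false,
                owner   => unbound,
                group   => unbound,
                mode    => '0644',
                source  => 'puppet:///modules/unbound/debian.org.key'
        }

        # Main configuration, rendered from the module template.  Ordered
        # after both anchor files (the template presumably references them)
        # and restarts the service whenever the rendered content changes.
        # Ownership and mode are left to whatever the package installed.
        file { '/etc/unbound/unbound.conf':
                content => template('unbound/unbound.conf.erb'),
                require => [
                        Package['unbound'],
                        File['/var/lib/unbound/root.key'],
                        File['/var/lib/unbound/debian.org.key']
                ],
                notify  => Service['unbound']
        }

        # Firewall openings for hosts that act as a recursive resolver for
        # others.  The rules are virtual (@) and must be realized elsewhere,
        # e.g. by the ferm class.
        if getfromhash($site::nodeinfo, 'misc', 'resolver-recursive') {
                # Looked up once here instead of separately in the condition
                # and in each rule; the value is the same in all three places.
                # Kept inside the outer branch so the lookup only runs on
                # recursive resolvers, exactly as before.
                $allow_dns_query = getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')
                if $allow_dns_query {
                        # filter_ipv4/filter_ipv6 split the allow list by
                        # address family (inferred from their names -- the
                        # helpers are defined outside this module).
                        @ferm::rule { 'dsa-dns':
                                domain      => 'ip',
                                description => 'Allow nameserver access',
                                rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4($allow_dns_query))),
                        }
                        @ferm::rule { 'dsa-dns6':
                                domain      => 'ip6',
                                description => 'Allow nameserver access',
                                rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6($allow_dns_query))),
                        }
                }
        }
}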