# the primary (hidden master) nameserver does bind zone file stuff and letsencrypt cert handling
-class roles::dns_primary {
+#
+# it will not, by default, open the firewall for requests. however, it will
+# collect ferm simple rules tagged named::primary::ferm which our own
+# secondaries (the geo nodes) and the monitoring infrastructure export.
+# Additional networks can be set with allow_access for any 3rd party nodes that
+# should have access.
+# @param allow_access additional hosts/network that should be allowed to port 53
+class roles::dns_primary(
+ Array[Stdlib::IP::Address] $allow_access = [],
+) {
include named::primary
+ # ssh setup to sync the geonodes
ssh::authorized_key_collect { 'dns_primary-dnsadm':
target_user => 'dnsadm',
collect_tag => 'dns_primary',
collect_tag => 'geodnssync-node',
}
+ # ssh setup to sync letsencrypt info to puppet
ssh::keygen {'letsencrypt': }
ssh::authorized_key_add { 'dns_primary::puppetmaster::letsencrypt-certificates':
target_user => 'puppet',
key => $facts['letsencrypt_key'],
collect_tag => 'puppetmaster',
}
+
+ # firewalling
+ ferm::rule::simple { 'dns-from-secondaries':
+ description => 'Allow additional (such as 3rd party secondary nameserver) access to the primary',
+ proto => ['udp', 'tcp'],
+ port => 'domain',
+ saddr => $allow_access,
+ }
+ Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>>
+
+ # mini-nag does nrpe queries to check if hosts are still up
+ @@ferm::rule::simple { "dsa-nrpe-from-dnsprimary-${::fqdn}":
+ tag => 'nagios-nrpe::server',
+ description => 'Allow dns primary running mini-nag access to the nrpe daemon',
+ port => '5666',
+ saddr => $base::public_addresses,
+ }
+ @@concat::fragment { "nrpe-debian-allow-${::fqdn}":
+ tag => 'nagios-nrpe::server::debianorg.cfg',
+ target => '/etc/nagios/nrpe.d/debianorg.cfg',
+ content => "allowed_hosts=${ $base::public_addresses.join(', ') }",
+ }
}