lint fixes for the linux module
[mirror/dsa-puppet.git] / modules / named / manifests / init.pp
index 1a22154..3bf63d0 100644 (file)
@@ -1,39 +1,64 @@
 class named {
-        activate_munin_check {
-                "bind":;
-        }
-
-        package {
-                bind9: ensure => installed;
-        }
-
-        exec {
-                "bind9 restart":
-                        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-                        refreshonly => true,
-                        ;
-        }
-        exec {
-                "bind9 reload":
-                        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
-                        refreshonly => true,
-                        ;
-        }
-        file {
-                "/var/log/bind9":
-                        ensure  => directory,
-                        owner   => bind,
-                        group   => bind,
-                        mode    => 775,
-                        ;
-        }
-        @ferm::rule { "dsa-bind":
-                domain          => "(ip ip6)",
-                description     => "Allow nameserver access",
-                rule            => "&TCP_UDP_SERVICE(53)"
-        }
-}
+  munin::check { 'bind': }
+
+  package { 'bind9':
+    ensure => installed
+  }
+
+  service { 'bind9':
+    ensure => running,
+  }
+
+  ferm::rule { '00-dsa-bind-no-ddos-any':
+    domain      => '(ip ip6)',
+    description => 'Allow nameserver access',
+    rule        => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP'
+  }
+
+  ferm::rule { 'dsa-bind-notrack':
+    domain      => '(ip ip6)',
+    description => 'NOTRACK for nameserver traffic',
+    table       => 'raw',
+    chain       => 'PREROUTING',
+    rule        => 'proto (tcp udp) dport 53 jump NOTRACK'
+  }
 
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+  ferm::rule { 'dsa-bind-notrack-out':
+    domain      => '(ip ip6)',
+    description => 'NOTRACK for nameserver traffic',
+    table       => 'raw',
+    chain       => 'OUTPUT',
+    rule        => 'proto (tcp udp) sport 53 jump NOTRACK'
+  }
+
+  file { '/var/log/bind9':
+    ensure => directory,
+    owner  => bind,
+    group  => bind,
+    mode   => '0775',
+  }
+
+  file { '/etc/bind/named.conf.options':
+    content => template('named/named.conf.options.erb'),
+    notify  => Service['bind9'],
+  }
+
+  file { '/etc/bind/named.conf.puppet-shared-keys':
+    mode    => '0640',
+    content => template('named/named.conf.puppet-shared-keys.erb'),
+    owner   => root,
+    group   => bind,
+    notify  => Service['bind9'],
+  }
+
+  concat { '/etc/bind/named.conf.puppet-misc':
+    notify => Service['bind9'],
+  }
+  concat::fragment { 'dsa-named-conf-puppet-misc---header':
+    target  => '/etc/bind/named.conf.puppet-misc',
+    order   => '000',
+    content => @(EOF)
+      // THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+      | EOF
+  }
+}
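Review bot: The description on the ferm rule '00-dsa-bind-no-ddos-any' still reads 'Allow nameserver access' although the rule body ends in `jump DROP`; the text was carried over from the removed "dsa-bind" resource and now documents the opposite of what the rule does, so change it to something like `description => 'Drop DNS queries for qtype ANY (amplification abuse)'`. The removed resource was also the one that actually opened port 53 (`&TCP_UDP_SERVICE(53)`), and nothing on the new side replaces it, so unless that accept rule now lives in another module this hunk changes behaviour well beyond the "lint fixes" the commit title describes; a one-line comment above the rule stating where port 53 is opened would settle that for the next reader. The match `mod string from 32 to 64 ... hex-string '|0000ff0001|'` looks like it keys on the QTYPE/QCLASS bytes of the first question, which only fall inside that window for short names — if the rule is meant to catch all ANY queries, that offset range deserves a comment or a check, though this is inferred from the pattern rather than anything visible in the diff. The two `exec` refresh resources are dropped in favour of `service { 'bind9': ensure => running }`, and the new file resources notify it, so config changes now trigger a restart rather than the previous reload; worth a note if that is intended.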