projects / mirror / dsa-puppet.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
move coccia to ubc
[mirror/dsa-puppet.git] / modules / roles / manifests / dns_primary.pp
diff --git a/modules/roles/manifests/dns_primary.pp b/modules/roles/manifests/dns_primary.pp
index 193cf61..8dd0f00 100644 (file)
--- a/modules/roles/manifests/dns_primary.pp
+++ b/modules/roles/manifests/dns_primary.pp
@@ -1,7 +1,17 @@
 # the primary (hidden master) nameserver does bind zone file stuff and letsencrypt cert handling
-class roles::dns_primary {
+#
+# it will not, by default, open the firewall for requests.  however, it will
+# collect ferm simple rules tagged named::primary::ferm which our own
+# secondaries (the geo nodes) and the monitoring infrastructure export.
+# Additional networks can be set with allow_access for any 3rd party nodes that
+# should have access.
+# @param allow_access additional hosts/network that should be allowed to port 53
+class roles::dns_primary(
+  Array[Stdlib::IP::Address] $allow_access = [],
+) {
   include named::primary
 
+  # ssh setup to sync the geonodes
   ssh::authorized_key_collect { 'dns_primary-dnsadm':
     target_user => 'dnsadm',
     collect_tag => 'dns_primary',
@@ -10,12 +20,47 @@ class roles::dns_primary {
     target_user => 'letsencrypt',
     collect_tag => 'dns_primary',
   }
-  ssh::keygen {'dnsadm': }
+  ssh::authorized_key_collect { 'dns_primary-geodnssync':
+    target_user => 'geodnssync',
+    collect_tag => 'dns_primary',
+  }
 
+  ssh::keygen {'dnsadm': }
   ssh::authorized_key_add { 'dns_primary::geodns':
     target_user => 'geodnssync',
     command     => '/etc/bind/geodns/trigger',
     key         => $facts['dnsadm_key'],
     collect_tag => 'geodnssync-node',
   }
+
+  # ssh setup to sync letsencrypt info to puppet
+  ssh::keygen {'letsencrypt': }
+  ssh::authorized_key_add { 'dns_primary::puppetmaster::letsencrypt-certificates':
+    target_user => 'puppet',
+    command     => 'rsync --server -vlogDtprze.iLsfx --delete --partial . /srv/puppet.debian.org/from-letsencrypt',
+    key         => $facts['letsencrypt_key'],
+    collect_tag => 'puppetmaster',
+  }
+
+  # firewalling
+  ferm::rule::simple { 'dns-from-secondaries':
+    description => 'Allow additional (such as 3rd party secondary nameserver) access to the primary',
+    proto       => ['udp', 'tcp'],
+    port        => 'domain',
+    saddr       => $allow_access,
+  }
+  Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>>
+
+  # mini-nag does nrpe queries to check if hosts are still up
+  @@ferm::rule::simple { "dsa-nrpe-from-dnsprimary-${::fqdn}":
+    tag         => 'nagios-nrpe::server',
+    description => 'Allow dns primary running mini-nag access to the nrpe daemon',
+    port        => '5666',
+    saddr       => $base::public_addresses,
+  }
+  @@concat::fragment { "nrpe-debian-allow-${::fqdn}":
+    tag     => 'nagios-nrpe::server::debianorg.cfg',
+    target  => '/etc/nagios/nrpe.d/debianorg.cfg',
+    content => "allowed_hosts=${ $base::public_addresses.join(', ') }",
+  }
 }
Unnamed repository; edit this file 'description' to name the repository.