-class unbouned {
+class unbound {
package {
unbound: ensure => installed;
}
owner => unbound,
group => unbound,
mode => 644,
- # IANA root trust anchor, valid from 2010-07-15T00:00:00+00:00
- # downloaded from https://data.iana.org/root-anchors/root-anchors.xml
- content => ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n",
- notify => Exec["unbound restart"],
+ source => [ "puppet:///modules/unbound/root.key" ],
;
"/var/lib/unbound/debian.org.key":
ensure => present,
owner => unbound,
group => unbound,
mode => 644,
- # debian.org DS record, July 2010'
- content => "debian.org. IN DS 5283 7 2 3DC987A633914C195D03EA129E92327630D3428E92884A5E97829A55701F9E8A\n",
- notify => Exec["unbound restart"],
+ source => [ "puppet:///modules/unbound/debian.org.key" ],
;
"/etc/unbound/unbound.conf":
content => template("unbound/unbound.conf.erb"),
notify => Exec["unbound restart"],
owner => root,
group => root,
+ require => [ File[/var/lib/unbound/root.key], File[/var/lib/unbound/debian.org.key] ],
;
}
+
+ case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
+ true: {
+ case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
+ false: {}
+ default: {
+ @ferm::rule { "dsa-dns":
+ domain => "ip",
+ description => "Allow nameserver access",
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ @ferm::rule { "dsa-dns6":
+ domain => "ip6",
+ description => "Allow nameserver access",
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ }
+ }
+ }
+ }
}
# vim:set et:
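Review bot: The `allow_dns_query` case added at the bottom of the class treats every value other than a literal `false` as a client list, so a node whose nodeinfo omits the key (or carries an empty list) falls into `default:` and renders `&TCP_UDP_SERVICE_RANGE(53, ())`; depending on how ferm expands an empty address list that is either a parse failure that leaves the ruleset unloaded or port 53 opened to all sources, i.e. an open recursive resolver on every host with `resolver-recursive` set. I would make the absent case fail closed with an explicit branch ahead of `default`, `undef, '': {}`, and skip each `@ferm::rule` when its filtered v4/v6 list comes back empty rather than interpolating an empty set. Separately, the two key files at lines 13 and 23 lost their `notify => Exec["unbound restart"]` while `unbound.conf` only gained a `require` on them, so a rotated trust anchor pushed through `root.key` is not loaded until something else restarts unbound; if the template instead points `auto-trust-anchor-file` (RFC 5011) at this path, which is not visible here, unbound rewrites the file itself and Puppet will revert it on every run, so either restore the notify or add a comment stating which mechanism is intended, e.g. `# static trust-anchor-file: a change here must restart unbound`. The resource titles in the new `require` at line 30 should be quoted, `File["/var/lib/unbound/root.key"]`, to match the file declarations; note the hunk appears to elide the `file {` header and the `root.key` title between the package resource and line 6, so that part of the block is not reviewed.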