group => unbound,
mode => 775,
;
+ }
+ file {
"/var/lib/unbound/root.key":
ensure => present,
replace => false,
group => unbound,
mode => 644,
source => [ "puppet:///modules/unbound/root.key" ],
- notify => Exec["unbound restart"],
+ #notify => Exec["unbound restart"],
;
+ }
+ file {
"/var/lib/unbound/debian.org.key":
ensure => present,
replace => false,
group => unbound,
mode => 644,
source => [ "puppet:///modules/unbound/debian.org.key" ],
- notify => Exec["unbound restart"],
+ #notify => Exec["unbound restart"],
;
+ }
+ file {
"/etc/unbound/unbound.conf":
content => template("unbound/unbound.conf.erb"),
require => Package["unbound"],
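Review bot: The `notify => Exec["unbound restart"]` on `/var/lib/unbound/root.key` and `/var/lib/unbound/debian.org.key` is commented out rather than removed, and nothing records why. Because both files carry `replace => false`, puppet writes them only when they are absent, so first provisioning is the one run where the notify could have fired. If unbound.conf (not visible in this hunk) uses them as DNSSEC trust anchors, an already-running daemon would presumably not pick them up until its next restart. The same attribute also means a key changed in the module never reaches hosts that already have the file, which is only correct if unbound maintains the anchors itself. Either delete the dead line or replace it with the reason, e.g. `# seeded once (replace => false); no restart because <reason>`.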
case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
false: {}
default: {
- @ferm::rule { "dsa-bind":
+ @ferm::rule { "dsa-dns":
domain => "ip",
description => "Allow nameserver access",
- rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, %s)", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
}
- @ferm::rule { "dsa-bind":
+ @ferm::rule { "dsa-dns6":
domain => "ip6",
description => "Allow nameserver access",
- rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, %s)", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
}
}
}
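Review bot: The rules `dsa-dns` and `dsa-dns6` are declared even when the address list for that family is empty, because the `case` only checks that `allow_dns_query` is set. A value holding only IPv4 (or only IPv6) addresses would presumably render the other family's rule as `&TCP_UDP_SERVICE_RANGE(53, ())`. The ferm macro is defined outside this hunk, so confirm in the generated ruleset that an empty list produces no rule at all, not a parse error or a port-53 accept with no source match. A per-family guard makes the intent explicit, assuming `join_spc` returns a string: `$dns4 = join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))` followed by `if $dns4 != '' { @ferm::rule { "dsa-dns": ... } }`, and the same for `filter_ipv6`.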