X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Funbound%2Fmanifests%2Finit.pp;h=f01b7fd74a370a889c2cfacdbc7c5eecb3b4b001;hb=6b3c471b442882a3cf8d3f4154d2b1540f82eb85;hp=fb69d1cce8e9bb64c673883d499940ff1e47e30e;hpb=4d2ad7f51ca343010f89868861989e6aa975fc93;p=mirror%2Fdsa-puppet.git
diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
index fb69d1cce..f01b7fd74 100644
--- a/modules/unbound/manifests/init.pp
+++ b/modules/unbound/manifests/init.pp
@@ -14,6 +14,7 @@ class unbound {
 ensure => directory,
 owner => unbound,
 group => unbound,
+ require => Package["unbound"],
 mode => 775,
 ;
 "/var/lib/unbound/root.key":
@@ -23,7 +24,6 @@ class unbound {
 group => unbound,
 mode => 644,
 source => [ "puppet:///modules/unbound/root.key" ],
- notify => Exec["unbound restart"],
 ;
 "/var/lib/unbound/debian.org.key":
 ensure => present,
@@ -32,16 +32,35 @@ class unbound {
 group => unbound,
 mode => 644,
 source => [ "puppet:///modules/unbound/debian.org.key" ],
- notify => Exec["unbound restart"],
 ;
 "/etc/unbound/unbound.conf":
 content => template("unbound/unbound.conf.erb"),
- require => Package["unbound"],
+ require => [ Package["unbound"], File['/var/lib/unbound/root.key'], File['/var/lib/unbound/debian.org.key'] ],
 notify => Exec["unbound restart"],
 owner => root,
 group => root,
 ;
 }
+
+ case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
+ true: {
+ case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
+ false: {}
+ default: {
+ @ferm::rule { "dsa-dns":
+ domain => "ip",
+ description => "Allow nameserver access",
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ @ferm::rule { "dsa-dns6":
+ domain => "ip6",
+ description => "Allow nameserver access",
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ }
+ }
+ }
+ }
 }
 # vim:set et:
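Review bot: In the third hunk the `default:` branch of the inner `case` takes every value of `allow_dns_query` other than `false`, which presumably includes an unset or empty entry and a hoster that lists addresses of only one family, so either `@ferm::rule` can be rendered as `&TCP_UDP_SERVICE_RANGE(53, ())`. What ferm does with an empty source list depends on how `TCP_UDP_SERVICE_RANGE` is defined, which this diff does not show; if it ends up matching any source, the recursive resolver is reachable from everywhere. I would hold the filtered list for each family in a variable and declare the rule only when it is non-empty, and state the contract above the `case`, e.g. `# allow_dns_query: list of client networks; false, or no address of a family, means no rule`. Separately, the new `require` on the two key files only orders them before unbound.conf, so with the `notify` lines removed a changed trust anchor no longer restarts unbound; worth confirming that is intended.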