X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fnamed%2Fmanifests%2Fprimary.pp;h=cafefff658d08ba2f2b307e97c1351311674da10;hb=82858a7527e77d5b2605845afbfef9d5c38effb8;hp=f256814156252b5c43e813a3c1daa6daa99fd14f;hpb=29cbe59430d1e7d7d5575579b48513c56227e2f7;p=mirror%2Fdsa-puppet.git
diff --git a/modules/named/manifests/primary.pp b/modules/named/manifests/primary.pp
index f25681415..cafefff65 100644
--- a/modules/named/manifests/primary.pp
+++ b/modules/named/manifests/primary.pp
@@ -1,67 +1,70 @@ +# our primary nameserver +# +# it will not, by default, open the firewall for requests. class named::primary inherits named::authoritative { - include dnsextras::entries + include dnsextras::entries - ferm::rule { '01-dsa-bind-4': - domain => '(ip ip6)', - description => 'Allow nameserver access', - rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD ) )', - } + concat::fragment { 'dsa-named-conf-puppet-misc---local-shared-keys': + target => '/etc/bind/named.conf.puppet-misc', + order => '020', + content => @(EOF), + include "/etc/bind/named.conf.shared-keys"; + | EOF + } + concat::fragment { 'dsa-named-conf-puppet-misc---named.conf.external-secondaries-ACLs': + target => '/etc/bind/named.conf.puppet-misc', + order => '025', + content => template('named/named.conf.external-secondaries-ACLs.erb'), + } - concat::fragment { 'dsa-named-conf-puppet-misc---local-shared-keys': - target => '/etc/bind/named.conf.puppet-misc', - order => '020', - content => @(EOF), - include "/etc/bind/named.conf.shared-keys"; - | EOF - } - concat::fragment { 'dsa-named-conf-puppet-misc---named.conf.external-secondaries-ACLs': - target => '/etc/bind/named.conf.puppet-misc', - order => '025', - content => template('named/named.conf.external-secondaries-ACLs.erb'), - } + concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone': + target => '/etc/bind/named.conf.puppet-misc', + order => '020', + content => @("EOF"/$) + // MAINTAIN-KEY: _openpgpkey.debian.org - concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone': - target => '/etc/bind/named.conf.puppet-misc', - order => '020', - content => @("EOF"/$) - // MAINTAIN-KEY: _openpgpkey.debian.org + zone "_openpgpkey.debian.org" { + type slave; + file "db._openpgpkey.debian.org"; + allow-query { any; }; + masters { + ${ join(getfromhash($deprecated::allnodeinfo, 'kaufmann.debian.org', 'ipHostNumber'), ";") } ; + }; + allow-transfer { + 127.0.0.1; + 
rcode0-ACL; + dnsnode-ACL; + dnsnodeapi-ACL; + }; + also-notify { + rcode0-masters; + dnsnode-masters; + dnsnodeapi-masters; + }; - zone "_openpgpkey.debian.org" { - type slave; - file "db._openpgpkey.debian.org"; - allow-query { any; }; - masters { - ${ join(getfromhash($site::allnodeinfo, 'kaufmann.debian.org', 'ipHostNumber'), ";") } ; - }; - allow-transfer { - 127.0.0.1; - rcode0-ACL; - dnsnode-ACL; - dnsnodeapi-ACL; - }; - also-notify { - rcode0-masters; - dnsnode-masters; - dnsnodeapi-masters; - }; + key-directory "/srv/dns.debian.org/var/keys/_openpgpkey.debian.org"; + sig-validity-interval 40 25; + auto-dnssec maintain; + inline-signing yes; + }; + | EOF + } + @@ferm::rule::simple { "dsa-bind-from-${::fqdn}": + tag => 'named::keyring::ferm', + description => 'Allow primary access to the keyring master', + proto => ['udp', 'tcp'], + port => 'domain', + saddr => $base::public_addresses, + } - key-directory "/srv/dns.debian.org/var/keys/_openpgpkey.debian.org"; - sig-validity-interval 40 25; - auto-dnssec maintain; - inline-signing yes; - }; - | EOF - } - - concat::fragment { 'dsa-puppet-stuff--nsec3': - target => '/etc/cron.d/dsa-puppet-stuff', - content => @(EOF) - 13 19 4 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.net - 29 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.org - 32 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debconf.org - 36 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) _openpgpkey.debian.org - - | EOF - } + concat::fragment { 'puppet-crontab--nsec3': + target => '/etc/cron.d/puppet-crontab', + content => @(EOF) + 13 19 4 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.net + 29 12 7 
* * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.org + 32 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debconf.org + 36 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) _openpgpkey.debian.org + | EOF + } }
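Review bot: The new header comment states the class does not open the firewall, and the hunk drops `ferm::rule { '01-dsa-bind-4': ... }` that admitted `$HOST_RCODE0`/`$HOST_EASYDNS`/`$HOST_NETNOD` to port 53, yet the `_openpgpkey.debian.org` zone on the new side still lists `rcode0-ACL`, `dnsnode-ACL` and `dnsnodeapi-ACL` in `allow-transfer` and notifies their master sets; unless named::authoritative (outside this diff) opens 53 for those secondaries, their transfers of this zone will fail quietly and the zone goes stale on them once it expires. I would extend the header comment to say where that access is granted, e.g. `# port 53 access for the external secondaries (rcode0/dnsnode/dnsnodeapi ACLs below) is expected from named::authoritative — verify.`. Separately, the re-indented `auto-dnssec maintain;` relies on a BIND option deprecated in 9.18 and removed in 9.20 in favour of `dnssec-policy`, so a `// TODO: migrate to dnssec-policy` beside it is cheap insurance if these hosts track current BIND. Also note that the `masters { ${ join(...) } ; };` interpolation yields `masters { ; };` and a named.conf that fails to load if the `ipHostNumber` lookup for kaufmann.debian.org is empty; this is carried over from the old side, but the switch to `$deprecated::allnodeinfo` is a good moment to guard it.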