X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fkeyring.pp;h=a411ff5402f43d2f7377c2857a8f874c3e55fd51;hb=e71099e47c57303bb7090e404db84ad3e8d3b75b;hp=eb331e04acb9f27a5aaf0447111eea996e5a617c;hpb=028da476cdb0458bd4fc6f91fdb7a83b44ac98a3;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/manifests/keyring.pp b/modules/roles/manifests/keyring.pp
index eb331e04a..a411ff540 100644
--- a/modules/roles/manifests/keyring.pp
+++ b/modules/roles/manifests/keyring.pp
@@ -1,10 +1,42 @@
 class roles::keyring {
 rsync::site { 'keyring':
- source => 'puppet:///modules/roles/keyring/rsyncd.conf',
+ source => 'puppet:///modules/roles/keyring/rsyncd.conf',
+ sslname => 'keyring.debian.org',
 }
 ssl::service { 'keyring.debian.org':
- notify => Service['apache2'],
- key => true,
+ notify => Exec['service apache2 reload'],
+ key => true,
+ tlsaport => [443, 1873],
 }
+
+ include named::authoritative
+
+ $notify_address_bind = join(getfromhash($deprecated::allnodeinfo, 'denis.debian.org', 'ipHostNumber'), "; ")
+
+ ferm::rule { '01-dsa-bind':
+ domain => '(ip ip6)',
+ description => 'Allow nameserver access',
+ rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_NAGIOS $HOST_DNSPRIMARY ) )',
+ }
+
+ concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
+ target => '/etc/bind/named.conf.puppet-misc',
+ order => '020',
+ content => @("EOF"),
+ zone "_openpgpkey.debian.org" {
+ type master;
+ file "/srv/keyring.debian.org/_openpgpkey.debian.org.zone";
+ allow-query { any; };
+ allow-transfer {
+ key tsig-denis.debian.org-kaufmann.debian.org ;
+ 127.0.0.1;
+ };
+ also-notify {
+ $notify_address_bind;
+ };
+ };
+ | EOF
+ }
+
 
 }
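Review bot: `$notify_address_bind` is interpolated into the `also-notify` block of the heredoc with no guard for the empty case; if `getfromhash` finds no `ipHostNumber` for denis.debian.org, `join` yields an empty string and the fragment renders `also-notify { ; };`, which named will most likely reject at the next reload, taking every zone on this authoritative server down rather than just `_openpgpkey.debian.org`. Failing the catalog compile is the safer failure mode, e.g. `if empty($notify_address_bind) { fail('no ipHostNumber for denis.debian.org in allnodeinfo') }` placed before the `concat::fragment`. The zone's `allow-query { any; }` is only reachable from the hosts the `01-dsa-bind` ferm rule admits, so a one-line comment on the rule stating that this is a hidden master whose zone is fetched by the primary (and that `any` is intentional) would stop a later reader from "fixing" either side.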