X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Funbound%2Fmanifests%2Finit.pp;h=6c58a7d7b7bdc8c5c778224fe2bdc25210817539;hb=103c20fec9e53838c741754d4b80ddb24345e9d4;hp=873ff6c2aa7f0dd2ecf9090dce1002839aa9de81;hpb=7035b685494630a0eb438cd3640c2a708e56458c;p=mirror%2Fdsa-puppet.git
diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
index 873ff6c2a..6c58a7d7b 100644
--- a/modules/unbound/manifests/init.pp
+++ b/modules/unbound/manifests/init.pp
@@ -22,10 +22,7 @@ class unbound {
 owner => unbound,
 group => unbound,
 mode => 644,
- # IANA root trust anchor, valid from 2010-07-15T00:00:00+00:00
- # downloaded from https://data.iana.org/root-anchors/root-anchors.xml
- content => ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n",
- notify => Exec["unbound restart"],
+ source => [ "puppet:///modules/unbound/root.key" ],
 ;
 "/var/lib/unbound/debian.org.key":
 ensure => present,
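Review bot: Removing `notify => Exec["unbound restart"]` from the root.key resource means a changed trust-anchor file is written to disk but a running unbound is never restarted to read it; the `require` added to unbound.conf in the next hunk only orders the resources and does not propagate a refresh. If the templated unbound.conf points `auto-trust-anchor-file` at this path (the template is not visible here), there is a second concern: unbound rewrites that file itself during an RFC 5011 key rollover, and a Puppet-enforced `source` would revert it on every run, so in that case the file should be seeded once with `replace => false` rather than continuously managed. Whichever applies, the intent deserves a one-line comment on the resource, e.g. `# seed only; unbound maintains this file via RFC 5011` or `# Puppet-managed anchor; restart unbound on change`. The enclosing `file { ... }` block starts before this hunk.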
@@ -33,18 +30,36 @@ class unbound {
 owner => unbound,
 group => unbound,
 mode => 644,
- # debian.org DS record, July 2010'
- content => "debian.org. IN DS 5283 7 2 3DC987A633914C195D03EA129E92327630D3428E92884A5E97829A55701F9E8A\n",
- notify => Exec["unbound restart"],
+ source => [ "puppet:///modules/unbound/debian.org.key" ],
 ;
 "/etc/unbound/unbound.conf":
 content => template("unbound/unbound.conf.erb"),
- require => Package["unbound"],
+ require => [ Package["unbound"], File['/var/lib/unbound/root.key'], File['/var/lib/unbound/debian.org.key'] ],
 notify => Exec["unbound restart"],
 owner => root,
 group => root,
 ;
 }
+
+ case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
+ true: {
+ case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
+ false: {}
+ default: {
+ @ferm::rule { "dsa-dns":
+ domain => "ip",
+ description => "Allow nameserver access",
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ @ferm::rule { "dsa-dns6":
+ domain => "ip6",
+ description => "Allow nameserver access",
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ }
+ }
+ }
+ }
 }
 # vim:set et:
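Review bot: The inner `case` treats every value other than `false` — including an unset `allow_dns_query` — as a client list, so a host with `resolver-recursive` set but no `allow_dns_query` key would produce `&TCP_UDP_SERVICE_RANGE(53, ())` with an empty address list; how ferm expands that macro is not visible here, but an empty allow list is unlikely to be the intended firewall outcome. An explicit empty branch for the unset case (e.g. `undef: {}` next to `false: {}`) closes that gap. The same `getfromhash($nodeinfo, 'hoster', 'allow_dns_query')` lookup is also evaluated three times; assigning it once to `$dns_clients` before the `case` guarantees both rules read the same value and keeps each `rule =>` line readable.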