X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Funbound%2Fmanifests%2Finit.pp;h=6c58a7d7b7bdc8c5c778224fe2bdc25210817539;hb=103c20fec9e53838c741754d4b80ddb24345e9d4;hp=8e5d31d0310490a2fa368371be4028ea8cdd5cc8;hpb=e8b3bd0ebf1fc5f3e3c091b0a993eba74adfaea9;p=mirror%2Fdsa-puppet.git
diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
index 8e5d31d03..6c58a7d7b 100644
--- a/modules/unbound/manifests/init.pp
+++ b/modules/unbound/manifests/init.pp
@@ -23,7 +23,6 @@ class unbound {
 group => unbound,
 mode => 644,
 source => [ "puppet:///modules/unbound/root.key" ],
- notify => Exec["unbound restart"],
 ;
 "/var/lib/unbound/debian.org.key":
 ensure => present,
@@ -32,11 +31,10 @@ class unbound {
 group => unbound,
 mode => 644,
 source => [ "puppet:///modules/unbound/debian.org.key" ],
- notify => Exec["unbound restart"],
 ;
 "/etc/unbound/unbound.conf":
 content => template("unbound/unbound.conf.erb"),
- require => Package["unbound"],
+ require => [ Package["unbound"], File['/var/lib/unbound/root.key'], File['/var/lib/unbound/debian.org.key'] ],
 notify => Exec["unbound restart"],
 owner => root,
 group => root,
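Review bot: The `require` added on `/etc/unbound/unbound.conf` only orders the two key files ahead of the config; it does not forward their refresh events. With `notify => Exec["unbound restart"]` removed from both key resources (here and in the -23,7 hunk), a DNSSEC trust anchor updated through Puppet no longer restarts the resolver, so the running daemon may keep validating against the old anchor until something else restarts it. If that is deliberate (for example because unbound maintains the anchor files itself, which is not visible here), a comment on the key resources would record it, e.g. `# key changes deliberately do not restart unbound; the require on unbound.conf is ordering only`. If it is not, the key files need to keep their `notify`. The file resource block and class body start and end outside the hunk.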
@@ -48,15 +46,15 @@ class unbound {
 case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
 false: {}
 default: {
- @ferm::rule { "dsa-bind":
+ @ferm::rule { "dsa-dns":
 domain => "ip",
 description => "Allow nameserver access",
- rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, %s)", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
 }
- @ferm::rule { "dsa-bind":
+ @ferm::rule { "dsa-dns6":
 domain => "ip6",
 description => "Allow nameserver access",
- rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, %s)", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
 }
 }
 }
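Review bot: Both rules are declared even when one address family has no entries: if `allow_dns_query` lists only IPv4 addresses, `filter_ipv6(...)` presumably returns nothing and the `dsa-dns6` rule becomes `&TCP_UDP_SERVICE_RANGE(53, ())`. How ferm and that macro treat an empty source list is not visible here, so it is worth confirming that the result is no rule at all, rather than a parse failure or port 53 accepted from every source. Declaring each rule only when its filtered list is non-empty would remove the question; at minimum add a comment such as `# NOTE: one family's list can be empty; confirm ferm emits no rule for ()`. The surrounding `case` and the class body extend outside the hunk.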