X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Funbound%2Fmanifests%2Finit.pp;h=6c58a7d7b7bdc8c5c778224fe2bdc25210817539;hb=a3dc39e898c946c2390908ef90ed35bfcda1a76f;hp=fb69d1cce8e9bb64c673883d499940ff1e47e30e;hpb=4d2ad7f51ca343010f89868861989e6aa975fc93;p=mirror%2Fdsa-puppet.git
diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
index fb69d1cce..6c58a7d7b 100644
--- a/modules/unbound/manifests/init.pp
+++ b/modules/unbound/manifests/init.pp
@@ -23,7 +23,6 @@ class unbound {
 group => unbound,
 mode => 644,
 source => [ "puppet:///modules/unbound/root.key" ],
- notify => Exec["unbound restart"],
 ;
 "/var/lib/unbound/debian.org.key":
 ensure => present,
@@ -32,16 +31,35 @@ class unbound {
 group => unbound,
 mode => 644,
 source => [ "puppet:///modules/unbound/debian.org.key" ],
- notify => Exec["unbound restart"],
 ;
 "/etc/unbound/unbound.conf":
 content => template("unbound/unbound.conf.erb"),
- require => Package["unbound"],
+ require => [ Package["unbound"], File['/var/lib/unbound/root.key'], File['/var/lib/unbound/debian.org.key'] ],
 notify => Exec["unbound restart"],
 owner => root,
 group => root,
 ;
 }
+
+ case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
+ true: {
+ case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
+ false: {}
+ default: {
+ @ferm::rule { "dsa-dns":
+ domain => "ip",
+ description => "Allow nameserver access",
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ @ferm::rule { "dsa-dns6":
+ domain => "ip6",
+ description => "Allow nameserver access",
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ }
+ }
+ }
+ }
 }
 # vim:set et:
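Review bot: Neither `dsa-dns` nor `dsa-dns6` in the second hunk handles an empty address list: if `allow_dns_query` holds ranges of only one address family (or is an empty list), `filter_ipv4`/`filter_ipv6` presumably returns nothing and the rule text becomes `&TCP_UDP_SERVICE_RANGE(53, ())`. The macro is defined outside this diff, so whether ferm then rejects the rule, drops it, or emits it without a source restriction cannot be told from here; the last case would leave the recursive resolver reachable on port 53 from any source. I would assign the filtered list to a variable first, e.g. `$dns4 = filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query'))`, and declare each `@ferm::rule` only when its list is non-empty. The inner `case` also skips the rules only on an exact `false`, so it is worth confirming that `getfromhash` returns boolean false (not an empty string or undef) for hosters that lack the key.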