X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Funbound%2Ftemplates%2Funbound.conf.erb;h=d909f74c974b8dab45ee15d810318cb36d698b70;hb=a8faece43f89960c6686321309b3082c7a531cac;hp=8c5e0bdda3387d00d3718bdd2083debae6200134;hpb=dfcba76e9b53c3081b7a6dcc7b1ad513e857e285;p=mirror%2Fdsa-puppet.git
diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb
index 8c5e0bdda..d909f74c9 100644
--- a/modules/unbound/templates/unbound.conf.erb
+++ b/modules/unbound/templates/unbound.conf.erb
@@ -6,38 +6,32 @@ server: verbosity: 1 - # specify the interfaces to answer queries from by ip-address. - # The default is to listen to localhost (127.0.0.1 and ::1). - # specify 0.0.0.0 and ::0 to bind to all available interfaces. - # specify every interface[@port] on a new 'interface:' labelled line. - # The listen interfaces are not changed on reload, only on restart. - # interface: 192.0.2.153 - # interface: 192.0.2.154 - # interface: 192.0.2.154@5003 - # interface: 2001:DB8::5 - - # enable this feature to copy the source address of queries to reply. - # Socket options are not supported on all platforms. experimental. - interface-automatic: yes +<%= + out = [] + if scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query'] + out << " interface: 0.0.0.0" + out << " interface: ::0" + out << "" + out << " interface-automatic: yes" - # control which clients are allowed to make (recursive) queries - # to this server. Specify classless netblocks with /size and action. - # By default everything is refused, except for localhost. - # Choose deny (drop message), refuse (polite error reply), - # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) - # access-control: 0.0.0.0/0 refuse - # access-control: 127.0.0.0/8 allow - # access-control: ::0/0 refuse - # access-control: ::1 allow - # access-control: ::ffff:127.0.0.1 allow + out << " access-control: 0.0.0.0/0 refuse" + out << " access-control: ::0/0 refuse" + out << " access-control: 127.0.0.0/8 allow" + out << " access-control: ::0/0 refuse" + out << " access-control: ::1 allow" + out << " access-control: ::ffff:127.0.0.1 allow" + scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query'].each do |net| + out << " access-control: #{net} allow" + end + end + out.join("\n") +%> #chroot: "" hide-identity: yes hide-version: yes - use-caps-for-id: yes - # Do not query the following addresses. No DNS queries are sent there. 
# List one address per entry. List classless netblocks with /size, # do-not-query-address: 127.0.0.1/8
@@ -56,8 +50,8 @@ server: <%= out = [] - unless nodeinfo['misc']['resolver-recursive'] - forwarders = nodeinfo['hoster']['nameservers'] + if not scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and not scope.lookupvar('site::nodeinfo')['hoster']['nameservers_break_dnssec'] + forwarders = scope.lookupvar('site::nodeinfo')['hoster']['nameservers'] forwarders ||= [] out << 'forward-zone:'
@@ -66,5 +60,11 @@ server: out << " forward-addr: #{ns}" end end + + + if hostname == "zappa" + out << "edns-buffer-size: 512" + end + out.join("\n") %>
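Review bot: The listen-on-all-interfaces branch fires whenever `allow_dns_query` is set at all, because in Ruby an empty array is truthy; with `allow_dns_query: []` unbound would bind `0.0.0.0` and `::0` with only localhost allowed, and if the key ever held `true` instead of a list the later `.each` would raise. Suggest hoisting the lookup and guarding on emptiness: `nodeinfo = scope.lookupvar('site::nodeinfo')`, `allowed = nodeinfo['hoster']['allow_dns_query'] || []`, `if nodeinfo['misc']['resolver-recursive'] and not allowed.empty?` (assuming the key holds a list of netblocks, which the `.each` below implies; a non-list value then fails at catalog compile rather than producing a bad config). The `access-control: ::0/0 refuse` line is emitted twice; drop the second copy. Dropping `use-caps-for-id: yes` is unexplained in this hunk; since 0x20 case randomisation is an anti-spoofing measure for a recursor, a one-line template comment on why it was removed (presumably upstream forwarders that mangle case — confirm) would help future readers.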
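Review bot: `if not A and not B` on the rewritten condition works (in Ruby `not` binds tighter than `and`) but reads awkwardly and repeats the `scope.lookupvar('site::nodeinfo')` lookup three times; `nodeinfo = scope.lookupvar('site::nodeinfo')` followed by `unless nodeinfo['misc']['resolver-recursive'] || nodeinfo['hoster']['nameservers_break_dnssec']` says the same thing once. The new `nameservers_break_dnssec` test also means a host whose hoster nameservers are flagged silently becomes a full recursor instead of forwarding, which is presumably intended but deserves a template comment such as `# forward only when the hoster's resolvers do not break DNSSEC; otherwise recurse ourselves`. The `if` opened here closes in the following hunk.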
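Review bot: `edns-buffer-size` is a `server:` option, yet it is appended after the `forward-zone:` / `forward-addr:` lines the same block may have just emitted, so on a forwarding host named zappa unbound would see it inside the forward-zone clause and most likely reject the config (unbound attaches attributes to the most recent clause keyword — confirm with unbound-checkconf). Emit it before the forwarding block instead, e.g. `out << " edns-buffer-size: 512" if hostname == "zappa"` placed right after `out = []` in the previous hunk, which also gives it the leading indentation the other emitted lines carry. A hostname comparison baked into the template is hard to discover later; a nodeinfo key such as a constructed `['misc']['edns-buffer-size']` would keep the exception in data, and a comment stating why 512 is needed on that host would help. The two `end`s at the top of this hunk close loops opened in the previous hunk.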