Do not put our 29.172.in-addr.arpa zone into unbound configs behind fascist firewalls...
author
Peter Palfrader
<peter@palfrader.org>
Tue, 9 Oct 2018 18:00:39 +0000
(20:00 +0200)
committer
Peter Palfrader
<peter@palfrader.org>
Tue, 9 Oct 2018 18:00:42 +0000
(20:00 +0200)
hieradata/br.yaml
hieradata/ynic.yaml
modules/unbound/manifests/init.pp
modules/unbound/templates/unbound.conf.erb
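--- a/hieradata/br.yaml
+++ b/hieradata/br.yaml
@@ -2,3 +2,4 @@
 nameservers:
 - 200.236.31.1
 - 200.17.202.3
+firewall_blocks_dns: true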
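--- a/hieradata/ynic.yaml
+++ b/hieradata/ynic.yaml
@@ -3,3 +3,4 @@ nameservers:
 - 144.32.169.74
 - 144.32.169.75
 - 144.32.169.76
+firewall_blocks_dns: true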
diff --git
a/modules/unbound/manifests/init.pp
b/modules/unbound/manifests/init.pp
index
88267d1
..
bb9e4d8
100644
(file)
--- a/
modules/unbound/manifests/init.pp
+++ b/
modules/unbound/manifests/init.pp
@@
-7,9
+7,9
@@
# include unbound
#
class unbound {
# include unbound
#
class unbound {
-
$is_recursor = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive')
$client_ranges = hiera('allow_dns_query')
$is_recursor = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive')
$client_ranges = hiera('allow_dns_query')
+ $firewall_blocks_dns = hiera('firewall_blocks_dns', false)
$empty_client_range = empty($client_ranges)
$ns = hiera('nameservers')
$empty_client_range = empty($client_ranges)
$ns = hiera('nameservers')
@@
-54,7
+54,7
@@
class unbound {
notify => Service['unbound']
}
file { '/var/lib/unbound/29.172.in-addr.arpa.key':
notify => Service['unbound']
}
file { '/var/lib/unbound/29.172.in-addr.arpa.key':
- ensure =>
present
,
+ ensure =>
$firewall_blocks_dns ? { true => 'absent', default => 'present' }
,
replace => false,
owner => unbound,
group => unbound,
replace => false,
owner => unbound,
group => unbound,
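Review bot: `$firewall_blocks_dns = hiera('firewall_blocks_dns', false)` in the first hunk is consumed only by the `ensure` selector in the second hunk, while the new block in unbound.conf.erb resolves the same key a second time with its own `hiera('firewall_blocks_dns', false)` call instead of reading the class variable, so the two lookups can drift apart if the key name or default is later changed in only one place. Using the class variable in the template, `<% if not @firewall_blocks_dns -%>`, keeps it consistent with how `@is_recursor` is already passed through there. A comment on the assignment would also document what the flag does on this page, e.g. `# set in hieradata for hosts behind firewalls that block DNS; drops the 29.172.in-addr.arpa forward-zone and its key file`. Note that `replace => false` on the key resource has no effect while `ensure` resolves to `absent`, which is harmless but worth a word in the same comment. The `class unbound` body continues outside both hunks.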
diff --git
a/modules/unbound/templates/unbound.conf.erb
b/modules/unbound/templates/unbound.conf.erb
index
9276675
..
7ffc35f
100644
(file)
--- a/
modules/unbound/templates/unbound.conf.erb
+++ b/
modules/unbound/templates/unbound.conf.erb
@@
-48,12
+48,15
@@
server:
prefetch: yes
prefetch-key: yes
prefetch: yes
prefetch-key: yes
+
+<% if not hiera('firewall_blocks_dns', false) %>
local-zone: "29.172.in-addr.arpa" nodefault
forward-zone:
name: "29.172.in-addr.arpa"
forward-host: geo1.debian.org
forward-host: geo2.debian.org
forward-host: geo3.debian.org
local-zone: "29.172.in-addr.arpa" nodefault
forward-zone:
name: "29.172.in-addr.arpa"
forward-host: geo1.debian.org
forward-host: geo2.debian.org
forward-host: geo3.debian.org
+<% end -%>
# recursive: <%= @is_recursor ? "y" : "n" %>
<% if not @is_recursor -%>
# recursive: <%= @is_recursor ? "y" : "n" %>
<% if not @is_recursor -%>