make unbound get forwarders from hiera
authorStephen Gran <steve@lobefin.net>
Sun, 14 Apr 2013 16:00:32 +0000 (17:00 +0100)
committerStephen Gran <steve@lobefin.net>
Sun, 14 Apr 2013 16:00:32 +0000 (17:00 +0100)
Signed-off-by: Stephen Gran <steve@lobefin.net>
modules/unbound/manifests/init.pp
modules/unbound/templates/unbound.conf.erb

index f94d473..5261009 100644 (file)
@@ -8,6 +8,10 @@
 #
 class unbound {
 
+       $is_recursor   = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive')
+       $client_ranges = getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')
+       $ns            = hiera('nameservers')
+
        package { 'unbound':
                ensure => installed
        }
@@ -51,18 +55,16 @@ class unbound {
                notify  => Service['unbound']
        }
 
-       if getfromhash($site::nodeinfo, 'misc', 'resolver-recursive') {
-               if getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query') {
-                       @ferm::rule { 'dsa-dns':
-                               domain      => 'ip',
-                               description => 'Allow nameserver access',
-                               rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
-                       }
-                       @ferm::rule { 'dsa-dns6':
-                               domain      => 'ip6',
-                               description => 'Allow nameserver access',
-                               rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
-                       }
+       if ($is_recursor and $client_ranges) {
+               @ferm::rule { 'dsa-dns':
+                       domain      => 'ip',
+                       description => 'Allow nameserver access',
+                       rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
+               }
+               @ferm::rule { 'dsa-dns6':
+                       domain      => 'ip6',
+                       description => 'Allow nameserver access',
+                       rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
                }
        }
 }
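Review bot: The two ferm rules in the second hunk still re-read `getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')` inline although the same value is now bound to `$client_ranges` at the top of the class, so the guard and the rule bodies reach the config through two different paths that can drift apart. Using the variable keeps them in step: `rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4($client_ranges))),` and likewise `filter_ipv6($client_ranges)` for the ip6 rule. If `getfromhash` can hand back a single scalar rather than an array for a one-entry list, `filter_ipv4`/`filter_ipv6` presumably need to cope with that — the template side already wraps the value with `.to_a.flatten` — worth confirming against those functions.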
index d909f74..5dad163 100644 (file)
@@ -6,26 +6,22 @@
 server:
        verbosity: 1
 
-<%=
-       out = []
-       if scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query']
-               out << "        interface: 0.0.0.0"
-               out << "        interface: ::0"
-               out << ""
-               out << "        interface-automatic: yes"
-
-               out << "        access-control: 0.0.0.0/0 refuse"
-               out << "        access-control: ::0/0 refuse"
-               out << "        access-control: 127.0.0.0/8 allow"
-               out << "        access-control: ::0/0 refuse"
-               out << "        access-control: ::1 allow"
-               out << "        access-control: ::ffff:127.0.0.1 allow"
-               scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query'].each do |net|
-                       out << "        access-control: #{net} allow"
-               end
-       end
-       out.join("\n")
-%>
+<% if @is_recursor && @client_ranges -%>
+       interface: 0.0.0.0
+       interface: ::0
+
+       interface-automatic: yes
+
+       access-control: 0.0.0.0/0 refuse
+       access-control: ::0/0 refuse
+       access-control: 127.0.0.0/8 allow
+       access-control: ::0/0 refuse
+       access-control: ::1 allow
+       access-control: ::ffff:127.0.0.1 allow
+<% @client_ranges.to_a.flatten.each do |net| -%>
+       access-control: <%= net -%> allow
+<% end -%>
+<% end -%>
 
        #chroot: ""
 
@@ -48,23 +44,13 @@ server:
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        auto-trust-anchor-file: "/var/lib/unbound/debian.org.key"
 
-<%=
-       out = []
-       if not scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and not scope.lookupvar('site::nodeinfo')['hoster']['nameservers_break_dnssec']
-               forwarders = scope.lookupvar('site::nodeinfo')['hoster']['nameservers']
-               forwarders ||= []
-
-               out << 'forward-zone:'
-               out << '        name: "."'
-               forwarders.each do |ns|
-                       out << "        forward-addr: #{ns}"
-               end
-       end
-
-
-       if hostname == "zappa"
-               out << "edns-buffer-size: 512"
-       end
-
-       out.join("\n")
-%>
+<% if not @is_recursor and not @client_ranges -%>
+forward-zone:
+       name: "."
+<% @ns.to_a.flatten.each do |nms| -%>
+       forward-addr: <%= nms %>
+<% end -%>
+<% end -%>
+<% if hostname == "zappa" -%>
+edns-buffer-size: 512
+<% end -%>
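Review bot: The forward-zone guard on the new side tests `not @client_ranges` where the removed code tested `not ... nameservers_break_dnssec`, so the DNSSEC condition is dropped without mention in the commit message: a non-recursor host whose upstream nameservers break DNSSEC now gets a forward-zone pointing at them while `auto-trust-anchor-file` validation stays enabled (context lines above), and a non-recursor that merely has `allow_dns_query` set loses its forwarders. If the old behaviour is intended, bind the flag in init.pp next to the other lookups, `$breaks_dnssec = getfromhash($site::nodeinfo, 'hoster', 'nameservers_break_dnssec')`, and change the guard to `<% if not @is_recursor and not @breaks_dnssec -%>`. Whether an unset key reaches the template as `nil`, `false` or something truthy depends on `getfromhash` and the Puppet version, so both template guards (`@is_recursor && @client_ranges` in the first hunk too) deserve a check with the key absent. The `edns-buffer-size` line is still emitted after the `forward-zone:` clause rather than under `server:`, as in the old code — presumably unbound attaches it to the wrong clause there; confirm with unbound-checkconf on a zappa-style render.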