--- /dev/null
+class unbouned {
+ package {
+ unbound: ensure => installed;
+ }
+
+ exec {
+ "unbound restart":
+ path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+ refreshonly => true,
+ ;
+ }
+ file {
+ "/var/lib/unbound":
+ ensure => directory,
+ owner => unbound,
+ group => unbound,
+ mode => 775,
+ ;
+ "/var/lib/unbound/root.key":
+ ensure => present,
+ replace => false,
+ owner => unbound,
+ group => unbound,
+ mode => 644,
+ # IANA root trust anchor, valid from 2010-07-15T00:00:00+00:00
+ # downloaded from https://data.iana.org/root-anchors/root-anchors.xml
+ content => ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n",
+ notify => Exec["unbound restart"],
+ ;
+ "/var/lib/unbound/debian.org.key":
+ ensure => present,
+ replace => false,
+ owner => unbound,
+ group => unbound,
+ mode => 644,
+ # debian.org DS record, July 2010'
+ content => "debian.org. IN DS 5283 7 2 3DC987A633914C195D03EA129E92327630D3428E92884A5E97829A55701F9E8A\n",
+ notify => Exec["unbound restart"],
+ ;
+ "/etc/unbound/unbound.conf":
+ content => template("unbound/unbound.conf.erb"),
+ require => Package["unbound"],
+ notify => Exec["unbound restart"],
+ owner => root,
+ group => root,
+ ;
+ }
+}
+
+# vim:set et:
+# vim:set sts=4 ts=4:
+# vim:set shiftwidth=4:
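Review bot: The /var/lib/unbound, root.key and debian.org.key file resources set `owner => unbound` and `group => unbound` but carry no dependency on the package, so on a fresh host Puppet can try to chown them before the unbound package has created that user and the first run fails; add `require => Package["unbound"],` to each of them, as the /etc/unbound/unbound.conf resource already does. The class name `unbouned` on the first line is misspelled and will not match an `include unbound` elsewhere. The modes are unquoted integers (`mode => 775`, `mode => 644`), which newer Puppet releases warn on or reject; write them as `mode => "0755"` and `mode => "0644"`. Group write on the trust-anchor directory is also more than needed: only the owning unbound user rewrites root.key during RFC 5011 updates, so 0755 suffices.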
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+server:
+ verbosity: 1
+
+ # specify the interfaces to answer queries from by ip-address.
+ # The default is to listen to localhost (127.0.0.1 and ::1).
+ # specify 0.0.0.0 and ::0 to bind to all available interfaces.
+ # specify every interface[@port] on a new 'interface:' labelled line.
+ # The listen interfaces are not changed on reload, only on restart.
+ # interface: 192.0.2.153
+ # interface: 192.0.2.154
+ # interface: 192.0.2.154@5003
+ # interface: 2001:DB8::5
+
+ # enable this feature to copy the source address of queries to reply.
+ # Socket options are not supported on all platforms. experimental.
+ interface-automatic: yes
+
+ # control which clients are allowed to make (recursive) queries
+ # to this server. Specify classless netblocks with /size and action.
+ # By default everything is refused, except for localhost.
+ # Choose deny (drop message), refuse (polite error reply),
+ # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+ # access-control: 0.0.0.0/0 refuse
+ # access-control: 127.0.0.0/8 allow
+ # access-control: ::0/0 refuse
+ # access-control: ::1 allow
+ # access-control: ::ffff:127.0.0.1 allow
+
+ #chroot: ""
+
+ hide-identity: yes
+ hide-version: yes
+
+ use-caps-for-id: yes
+
+ # Do not query the following addresses. No DNS queries are sent there.
+ # List one address per entry. List classless netblocks with /size,
+ # do-not-query-address: 127.0.0.1/8
+ # do-not-query-address: ::1
+
+ # if yes, the above default do-not-query-address entries are present.
+ # if no, localhost can be queried (for testing and debugging).
+ # do-not-query-localhost: yes
+
+ # File with trusted keys, kept uptodate using RFC5011 probes,
+ # initial file like trust-anchor-file, then it stores metadata.
+ # Use several entries, one per domain name, to track multiple zones.
+ # auto-trust-anchor-file: ""
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ auto-trust-anchor-file: "/var/lib/unbound/debian.org.key"
+
+#forward-zone:
+# name: "."
+# forward-addr: 192.0.2.1
+# forward-addr: 192.0.2.199
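Review bot: The second `auto-trust-anchor-file` entry makes validation of debian.org depend directly on the DS stored in /var/lib/unbound/debian.org.key instead of on the chain from the root, so if the zone rolls its KSK without RFC 5011 signalling, or the file goes stale across a rollover because unbound could not rewrite it, every debian.org lookup through this resolver returns SERVFAIL. The `#chroot: ""` line is commented out, so the compiled-in chroot default applies; both key paths must be reachable and writable from inside it, which `unbound-checkconf` can confirm before rollout. Unless there is a reason to pin that zone, the root anchor alone already validates debian.org; if the pin stays, add `# pinned in addition to the root anchor: must track debian.org KSK rollovers` above it. The template may continue past the lines shown in this hunk.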