class named::authoritative inherits named {
- file { '/etc/bind/named.conf.shared-keys':
- mode => '0640',
- owner => root,
- group => bind,
- }
+ file { '/etc/bind/named.conf.shared-keys':
+ mode => '0640',
+ owner => root,
+ group => bind,
+ }
}
class named::geodns inherits named {
- munin::check { 'bind_views':
- script => bind
- }
+ munin::check { 'bind_views':
+ script => bind
+ }
- package { 'geoip-database':
- ensure => installed,
- }
+ package { 'geoip-database':
+ ensure => installed,
+ }
- file { '/etc/bind/':
- ensure => directory,
- group => bind,
- mode => '2755',
- require => Package['bind9'],
- notify => Service['bind9'],
- }
- file { '/etc/bind/geodns':
- ensure => directory,
- mode => '0755',
- }
- file { '/etc/bind/named.conf.local':
- source => 'puppet:///modules/named/common/named.conf.local',
- notify => Service['bind9'],
- }
- if (versioncmp($::lsbmajdistrelease, '9') >= 0) {
- file { '/etc/bind/named.conf.acl':
- source => 'puppet:///modules/named/common/named.conf.acl',
- notify => Service['bind9'],
- }
- } else {
- file { '/etc/bind/named.conf.acl':
- source => 'puppet:///modules/named/common/named.conf.acl.bind99',
- notify => Service['bind9'],
- }
- }
- file { '/etc/bind/geodns/zonefiles':
- ensure => directory,
- owner => geodnssync,
- group => geodnssync,
- mode => '2755',
- }
- file { '/etc/bind/geodns/named.conf.geo':
- source => 'puppet:///modules/named/common/named.conf.geo',
- notify => Service['bind9'],
- }
- file { '/etc/bind/geodns/trigger':
- mode => '0555',
- source => 'puppet:///modules/named/common/trigger',
- }
- file { '/etc/cron.d/dsa-boot-geodnssync': ensure => absent; }
- concat::fragment { 'puppet-crontab--geodns-boot':
- target => '/etc/cron.d/puppet-crontab',
- content => @(EOF)
- @reboot geodnssync sleep 1m && /etc/bind/geodns/trigger > /dev/null
- | EOF
- }
+ file { '/etc/bind/':
+ ensure => directory,
+ group => bind,
+ mode => '2755',
+ require => Package['bind9'],
+ notify => Service['bind9'],
+ }
+ file { '/etc/bind/geodns':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/etc/bind/named.conf.local':
+ source => 'puppet:///modules/named/common/named.conf.local',
+ notify => Service['bind9'],
+ }
+ if (versioncmp($::lsbmajdistrelease, '9') >= 0) {
+ file { '/etc/bind/named.conf.acl':
+ source => 'puppet:///modules/named/common/named.conf.acl',
+ notify => Service['bind9'],
+ }
+ } else {
+ file { '/etc/bind/named.conf.acl':
+ source => 'puppet:///modules/named/common/named.conf.acl.bind99',
+ notify => Service['bind9'],
+ }
+ }
+ file { '/etc/bind/geodns/zonefiles':
+ ensure => directory,
+ owner => geodnssync,
+ group => geodnssync,
+ mode => '2755',
+ }
+ file { '/etc/bind/geodns/named.conf.geo':
+ source => 'puppet:///modules/named/common/named.conf.geo',
+ notify => Service['bind9'],
+ }
+ file { '/etc/bind/geodns/trigger':
+ mode => '0555',
+ source => 'puppet:///modules/named/common/trigger',
+ }
+ file { '/etc/cron.d/dsa-boot-geodnssync': ensure => absent; }
+ concat::fragment { 'puppet-crontab--geodns-boot':
+ target => '/etc/cron.d/puppet-crontab',
+ content => @(EOF)
+ @reboot geodnssync sleep 1m && /etc/bind/geodns/trigger > /dev/null
+ | EOF
+ }
- ferm::rule { '01-dsa-bind':
- domain => '(ip ip6)',
- description => 'Allow nameserver access',
- rule => '&TCP_UDP_SERVICE(53)'
- }
+ ferm::rule { '01-dsa-bind':
+ domain => '(ip ip6)',
+ description => 'Allow nameserver access',
+ rule => '&TCP_UDP_SERVICE(53)'
+ }
}
class named {
- munin::check { 'bind': }
+ munin::check { 'bind': }
- package { 'bind9':
- ensure => installed
- }
+ package { 'bind9':
+ ensure => installed
+ }
- service { 'bind9':
- ensure => running,
- }
+ service { 'bind9':
+ ensure => running,
+ }
- ferm::rule { '00-dsa-bind-no-ddos-any':
- domain => '(ip ip6)',
- description => 'Allow nameserver access',
- rule => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP'
- }
+ ferm::rule { '00-dsa-bind-no-ddos-any':
+ domain => '(ip ip6)',
+ description => 'Allow nameserver access',
+ rule => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP'
+ }
- ferm::rule { 'dsa-bind-notrack':
- domain => '(ip ip6)',
- description => 'NOTRACK for nameserver traffic',
- table => 'raw',
- chain => 'PREROUTING',
- rule => 'proto (tcp udp) dport 53 jump NOTRACK'
- }
+ ferm::rule { 'dsa-bind-notrack':
+ domain => '(ip ip6)',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'PREROUTING',
+ rule => 'proto (tcp udp) dport 53 jump NOTRACK'
+ }
- ferm::rule { 'dsa-bind-notrack-out':
- domain => '(ip ip6)',
- description => 'NOTRACK for nameserver traffic',
- table => 'raw',
- chain => 'OUTPUT',
- rule => 'proto (tcp udp) sport 53 jump NOTRACK'
- }
+ ferm::rule { 'dsa-bind-notrack-out':
+ domain => '(ip ip6)',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'OUTPUT',
+ rule => 'proto (tcp udp) sport 53 jump NOTRACK'
+ }
- file { '/var/log/bind9':
- ensure => directory,
- owner => bind,
- group => bind,
- mode => '0775',
- }
+ file { '/var/log/bind9':
+ ensure => directory,
+ owner => bind,
+ group => bind,
+ mode => '0775',
+ }
- file { '/etc/bind/named.conf.options':
- content => template('named/named.conf.options.erb'),
- notify => Service['bind9'],
- }
+ file { '/etc/bind/named.conf.options':
+ content => template('named/named.conf.options.erb'),
+ notify => Service['bind9'],
+ }
- file { '/etc/bind/named.conf.puppet-shared-keys':
- mode => '0640',
- content => template('named/named.conf.puppet-shared-keys.erb'),
- owner => root,
- group => bind,
- notify => Service['bind9'],
- }
+ file { '/etc/bind/named.conf.puppet-shared-keys':
+ mode => '0640',
+ content => template('named/named.conf.puppet-shared-keys.erb'),
+ owner => root,
+ group => bind,
+ notify => Service['bind9'],
+ }
- concat { '/etc/bind/named.conf.puppet-misc':
- notify => Service['bind9'],
- }
- concat::fragment { 'dsa-named-conf-puppet-misc---header':
- target => '/etc/bind/named.conf.puppet-misc',
- order => '000',
- content => @(EOF)
- // THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
- | EOF
- }
+ concat { '/etc/bind/named.conf.puppet-misc':
+ notify => Service['bind9'],
+ }
+ concat::fragment { 'dsa-named-conf-puppet-misc---header':
+ target => '/etc/bind/named.conf.puppet-misc',
+ order => '000',
+ content => @(EOF)
+ // THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+ | EOF
+ }
}
class named::primary inherits named::authoritative {
- include dnsextras::entries
+ include dnsextras::entries
- ferm::rule { '01-dsa-bind-4':
- domain => '(ip ip6)',
- description => 'Allow nameserver access',
- rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD ) )',
- }
+ ferm::rule { '01-dsa-bind-4':
+ domain => '(ip ip6)',
+ description => 'Allow nameserver access',
+ rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD ) )',
+ }
- concat::fragment { 'dsa-named-conf-puppet-misc---local-shared-keys':
- target => '/etc/bind/named.conf.puppet-misc',
- order => '020',
- content => @(EOF),
- include "/etc/bind/named.conf.shared-keys";
- | EOF
- }
- concat::fragment { 'dsa-named-conf-puppet-misc---named.conf.external-secondaries-ACLs':
- target => '/etc/bind/named.conf.puppet-misc',
- order => '025',
- content => template('named/named.conf.external-secondaries-ACLs.erb'),
- }
+ concat::fragment { 'dsa-named-conf-puppet-misc---local-shared-keys':
+ target => '/etc/bind/named.conf.puppet-misc',
+ order => '020',
+ content => @(EOF),
+ include "/etc/bind/named.conf.shared-keys";
+ | EOF
+ }
+ concat::fragment { 'dsa-named-conf-puppet-misc---named.conf.external-secondaries-ACLs':
+ target => '/etc/bind/named.conf.puppet-misc',
+ order => '025',
+ content => template('named/named.conf.external-secondaries-ACLs.erb'),
+ }
- concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
- target => '/etc/bind/named.conf.puppet-misc',
- order => '020',
- content => @("EOF"/$)
- // MAINTAIN-KEY: _openpgpkey.debian.org
+ concat::fragment { 'dsa-named-conf-puppet-misc---openpgpkey-zone':
+ target => '/etc/bind/named.conf.puppet-misc',
+ order => '020',
+ content => @("EOF"/$)
+ // MAINTAIN-KEY: _openpgpkey.debian.org
- zone "_openpgpkey.debian.org" {
- type slave;
- file "db._openpgpkey.debian.org";
- allow-query { any; };
- masters {
- ${ join(getfromhash($deprecated::allnodeinfo, 'kaufmann.debian.org', 'ipHostNumber'), ";") } ;
- };
- allow-transfer {
- 127.0.0.1;
- rcode0-ACL;
- dnsnode-ACL;
- dnsnodeapi-ACL;
- };
- also-notify {
- rcode0-masters;
- dnsnode-masters;
- dnsnodeapi-masters;
- };
+ zone "_openpgpkey.debian.org" {
+ type slave;
+ file "db._openpgpkey.debian.org";
+ allow-query { any; };
+ masters {
+ ${ join(getfromhash($deprecated::allnodeinfo, 'kaufmann.debian.org', 'ipHostNumber'), ";") } ;
+ };
+ allow-transfer {
+ 127.0.0.1;
+ rcode0-ACL;
+ dnsnode-ACL;
+ dnsnodeapi-ACL;
+ };
+ also-notify {
+ rcode0-masters;
+ dnsnode-masters;
+ dnsnodeapi-masters;
+ };
- key-directory "/srv/dns.debian.org/var/keys/_openpgpkey.debian.org";
- sig-validity-interval 40 25;
- auto-dnssec maintain;
- inline-signing yes;
- };
- | EOF
- }
+ key-directory "/srv/dns.debian.org/var/keys/_openpgpkey.debian.org";
+ sig-validity-interval 40 25;
+ auto-dnssec maintain;
+ inline-signing yes;
+ };
+ | EOF
+ }
- concat::fragment { 'puppet-crontab--nsec3':
- target => '/etc/cron.d/puppet-crontab',
- content => @(EOF)
- 13 19 4 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.net
- 29 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.org
- 32 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debconf.org
- 36 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) _openpgpkey.debian.org
-
- | EOF
- }
+ concat::fragment { 'puppet-crontab--nsec3':
+ target => '/etc/cron.d/puppet-crontab',
+ content => @(EOF)
+ 13 19 4 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.net
+ 29 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.org
+ 32 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debconf.org
+ 36 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) _openpgpkey.debian.org
+ | EOF
+ }
}
projects / mirror / dsa-puppet.git / commitdiff