staticsync::user: 'staticsync'
staticsync::basedir: '/srv/static.debian.org'
+roles::dns_primary::allow_access:
+ # easydns
+ - '64.68.200.91'
+ - '205.210.42.80'
+ # rcode0
+ - '83.136.34.0/27'
+ - '2a02:850:8::/47'
+ # netnod
+ - '192.71.80.0/24'
+ - '192.36.144.222'
+ - '192.36.144.218'
+ - '194.146.105.24'
+ - '194.146.105.25'
+ - '2a01:3f0:0:27::24'
+ - '2a01:3f0:0:28::25'
+
# other variables
allow_dns_query: []
role_config__mirrors:
dns_primary:
# XXX - used by ferm templates/defs.conf.erb
- denis.debian.org
- dns_geo:
- # XXX - used by ferm templates/defs.conf.erb
- - geo1.debian.org
- - geo2.debian.org
- - geo3.debian.org
extranrpeclient:
# XXX - used by ferm templates/defs.conf.erb
- denis.debian.org
--- /dev/null
+---
+classes:
+ - roles::dns_geodns
--- /dev/null
+---
+classes:
+ - roles::dns_geodns
--- /dev/null
+---
+classes:
+ - roles::dns_geodns
allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
roles = scope.lookupvar('deprecated::roles')
- %w{mailrelay nagiosmaster extranrpeclient muninmaster dns_geo postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster dns_primary}.each do |role|
+ %w{mailrelay nagiosmaster extranrpeclient muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster dns_primary}.each do |role|
rolehost[role] = []
roles[role].each do |node|
next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
@def $HOST_SYNCPROXY_V4 = ($HOST_SYNCPROXY_V4 128.101.240.216 128.31.0.64 149.20.4.16 209.87.16.40);
@def $HOST_SYNCPROXY_V6 = ($HOST_SYNCPROXY_V6 2607:ea00:101:3c0b::1deb:216 2603:400a:ffff:bb8::801f:40 2001:4f8:1:c::16 2607:f8f0:614:1::1274:40);
-@def $HOST_DNS_GEO_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_geo']]).uniq.join(' ') %>);
-@def $HOST_DNS_GEO_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_geo']]).uniq.join(' ') %>);
-@def $HOST_DNS_GEO = ($HOST_DNS_GEO_V4 $HOST_DNS_GEO_V6);
-@def $HOST_EASYDNS = (64.68.200.91 205.210.42.80);
-@def $HOST_RCODE0 = (83.136.34.0/27 2A02:850:8::/47);
-@def $HOST_NETNOD = (192.71.80.0/24 192.36.144.222 192.36.144.218 194.146.105.24 194.146.105.25 2a01:3f0:0:27::24 2a01:3f0:0:28::25);
-
@def $HOST_DNSPRIMARY_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_primary']]).uniq.join(' ') %>);
@def $HOST_DNSPRIMARY_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_primary']]).uniq.join(' ') %>);
@def $HOST_DNSPRIMARY = ($HOST_DNSPRIMARY_V4 $HOST_DNSPRIMARY_V6);
proto => ['udp', 'tcp'],
port => 'domain',
}
-
- @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
- tag => 'named::primary::ferm',
- description => 'Allow geo nameserver access to the primary for the (non-geo) zones that we AXFR',
- proto => ['udp', 'tcp'],
- port => 'domain',
- saddr => $base::public_addresses,
- }
}
+# our primary nameserver
+#
+# it will not, by default, open the firewall for requests.
class named::primary inherits named::authoritative {
include dnsextras::entries
- ferm::rule { '01-dsa-bind-4':
- domain => '(ip ip6)',
- description => 'Allow nameserver access',
- rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD ) )',
- }
- Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>>
-
concat::fragment { 'dsa-named-conf-puppet-misc---local-shared-keys':
target => '/etc/bind/named.conf.puppet-misc',
order => '020',
target_user => 'geodnssync',
collect_tag => 'geodnssync-node',
}
+
+ @@ferm::rule::simple { "dsa-bind-from-${::fqdn}":
+ tag => 'named::primary::ferm',
+ description => 'Allow geo nameserver access to the primary for the (non-geo) zones that we AXFR',
+ proto => ['udp', 'tcp'],
+ port => 'domain',
+ saddr => $base::public_addresses,
+ }
}
# the primary (hidden master) nameserver does bind zone file stuff and letsencrypt cert handling
-class roles::dns_primary {
+#
+# it will not, by default, open the firewall for requests. however, it will
+# collect ferm simple rules tagged named::primary::ferm which our own
+# secondaries (the geo nodes) and the monitoring infrastructure export.
+# Additional networks can be set with allow_access for any 3rd party nodes that
+# should have access.
+# @param allow_access additional hosts/network that should be allowed to port 53
+class roles::dns_primary(
+ Array[Stdlib::IP::Address] $allow_access = [],
+) {
include named::primary
+ # ssh setup to sync the geonodes
ssh::authorized_key_collect { 'dns_primary-dnsadm':
target_user => 'dnsadm',
collect_tag => 'dns_primary',
collect_tag => 'geodnssync-node',
}
+ # ssh setup to sync letsencrypt info to puppet
ssh::keygen {'letsencrypt': }
ssh::authorized_key_add { 'dns_primary::puppetmaster::letsencrypt-certificates':
target_user => 'puppet',
key => $facts['letsencrypt_key'],
collect_tag => 'puppetmaster',
}
+
+ # firewalling
+ ferm::rule::simple { 'dsa-bind-from-third-party-secondaries':
+ description => 'Allow additional (such as 3rd party secondary nameserver) access to the primary',
+ proto => ['udp', 'tcp'],
+ port => 'domain',
+ saddr => $allow_access,
+ }
+ Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>>
+
}
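Review bot: The new `dsa-bind-from-third-party-secondaries` rule is declared unconditionally with `saddr => $allow_access`, while the parameter defaults to `[]`; whether that produces no rule at all or a port-53 rule with no source restriction depends on what ferm::rule::simple and ferm do with an empty list, neither of which is visible in this diff. Since the class header promises it "will not, by default, open the firewall", it would be safer to make that explicit and skip the resource when nothing is configured, e.g. `unless empty($allow_access) { ferm::rule::simple { 'dsa-bind-from-third-party-secondaries': … } }`. Separately, the rule removed from named::primary also admitted `$HOST_NAGIOS`, and the collector now relies on the monitoring hosts exporting a `named::primary::ferm`-tagged rule that this diff does not add, so that export should be confirmed to exist elsewhere or monitoring loses port-53 access to the primary. The `@param allow_access` line could also say that CIDR prefixes are accepted, since the hiera data passes entries like `83.136.34.0/27` and `Stdlib::IP::Address` permits them.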
include roles::dns_primary
}
- if has_role('dns_geo') {
- include roles::dns_geodns
- }
-
if has_role('postgres_backup_server') {
include postgres::backup_server
}