try to rolify dns

diff --git a/manifests/site.pp b/manifests/site.pp
index 2232624..eecf27c 100644 (file)
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -86,14 +86,9 @@ node default {
                include apache2
        }
 
-       if $::hostname in [ravel,senfl,orff,diamond,rietz,denis] {
-               include named::authoritative
-       } elsif $::hostname in [geo1,geo2,geo3] {
+       if $::hostname in [geo1,geo2,geo3] {
                include named::geodns
        }
-       if $::hostname in [denis] {
-               include dnsextras::entries
-       }
 
        if $::hostname in [diabelli,nono] {
                include dacs

diff --git a/modules/debian-org/misc/local.yaml b/modules/debian-org/misc/local.yaml
index c975cce..9210978 100644 (file)
--- a/modules/debian-org/misc/local.yaml
+++ b/modules/debian-org/misc/local.yaml
@@ -368,3 +368,10 @@ host_settings:
   buildd_master:
     - grieg.debian.org
     - wuiet.debian.org
+  dns_primary:
+    - denis.debian.org
+  dns_secondary:
+    - ravel.debian.org
+    - senfl.debian.org
+    - diamond.debian.org
+    - orff.debian.org

diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp
index 9f1c7f9..da2313c 100644 (file)
--- a/modules/named/manifests/init.pp
+++ b/modules/named/manifests/init.pp
@@ -1,5 +1,4 @@
 class named {
-
        munin::check { 'bind': }
 
        site::aptrepo { 'bind-ratelimit':
@@ -22,10 +21,23 @@ class named {
                rule        => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP'
        }
 
-       @ferm::rule { '01-dsa-bind':
-               domain      => '(ip ip6)',
-               description => 'Allow nameserver access',
-               rule        => '&TCP_UDP_SERVICE(53)'
+       if getfromhash($site::nodeinfo, 'dns_primary') {
+               @ferm::rule { '01-dsa-bind-4':
+                       domain      => '(ip)',
+                       description => 'Allow nameserver access',
+                       rule        => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V4)',
+               }
+               @ferm::rule { '01-dsa-bind-6':
+                       domain      => '(ip6)',
+                       description => 'Allow nameserver access',
+                       rule        => '&SERVICE_RANGE(tcp, 5671, $HOST_DEBIAN_V6)',
+               }
+       } else {
+               @ferm::rule { '01-dsa-bind':
+                       domain      => '(ip ip6)',
+                       description => 'Allow nameserver access',
+                       rule        => '&TCP_UDP_SERVICE(53)'
+               }
        }
 
        @ferm::rule { 'dsa-bind-notrack':

diff --git a/modules/named/manifests/primary.pp b/modules/named/manifests/primary.pp
new file mode 100644 (file)
index 0000000..e16ddb6
--- /dev/null
+++ b/modules/named/manifests/primary.pp
@@ -0,0 +1,3 @@
+class named::primary inherits named::authoritative {
+       include dnsextras::entries;
+}

diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index 6b17ea0..21559a8 100644 (file)
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -99,6 +99,13 @@ class roles {
                }
        }
 
+       if getfromhash($site::nodeinfo, 'dns_primary') {
+               include named::primary
+       }
+       if getfromhash($site::nodeinfo, 'dns_secondary') {
+               include named::authoritative
+       }
+
        if $::hostname in [ravel] {
                include roles::weblog_destination
        }