From: Stephen Gran Date: Wed, 17 Apr 2013 06:06:08 +0000 (+0100) Subject: move allow_dns_query into hiera X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=0260a86f617032bcaa946081bd36dfb43836047c;p=mirror%2Fdsa-puppet.git move allow_dns_query into hiera Signed-off-by: Stephen Gran
---
diff --git a/hieradata/bytemark.yaml b/hieradata/bytemark.yaml
index a975730dd..cf8caad8e 100644
--- a/hieradata/bytemark.yaml
+++ b/hieradata/bytemark.yaml
@@ -2,3 +2,5 @@ nameservers:
 - 5.153.231.241
 - 5.153.231.242
+allow_dns_query:
+ - 5.153.231.0/24
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index c2213a0ce..f1507d9aa 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -2,3 +2,4 @@ nameservers: []
 searchpaths: []
 resolvoptions: []
+allow_dns_query: []
diff --git a/hieradata/ftcollins.yaml b/hieradata/ftcollins.yaml
index 98847223a..9de7f7467 100644
--- a/hieradata/ftcollins.yaml
+++ b/hieradata/ftcollins.yaml
@@ -4,3 +4,5 @@ nameservers:
 - 192.25.206.57
 searchpaths:
 - debprivate-ftcollins.debian.org
+allow_dns_query:
+ - 192.25.206.0/24
diff --git a/hieradata/sanger.yaml b/hieradata/sanger.yaml
index 186a9a4e2..4efe07b07 100644
--- a/hieradata/sanger.yaml
+++ b/hieradata/sanger.yaml
@@ -4,3 +4,5 @@ nameservers:
 - 193.62.202.29
 searchpaths:
 - debprivate-sanger.debian.org
+allow_dns_query:
+ - 193.62.202.24/29
diff --git a/hieradata/sil.yaml b/hieradata/sil.yaml
index 03bf7feba..42e66dcbe 100644
--- a/hieradata/sil.yaml
+++ b/hieradata/sil.yaml
@@ -4,3 +4,6 @@ nameservers:
 - 86.59.118.148
 searchpaths:
 - debprivate-sil.debian.org
+allow_dns_query:
+ - 86.59.118.144/28
+ - 2001:858:2:2::/64
diff --git a/hieradata/ubcece.yaml b/hieradata/ubcece.yaml
index 924b187de..96a5f37ed 100644
--- a/hieradata/ubcece.yaml
+++ b/hieradata/ubcece.yaml
@@ -8,3 +8,7 @@ nameservers:
 - 2607:f8f0:610:4000:21c:c4ff:fee5:e890
 searchpaths:
 - debprivate-ubc.debian.org
+allow_dns_query:
+ - 137.82.84.64/27
+ - 206.12.19.0/24
+ - 2607:f8f0:610:4000::/64
diff --git a/modules/debian-org/misc/hoster.yaml b/modules/debian-org/misc/hoster.yaml
index c49d2bff8..3863c9863 100644
--- a/modules/debian-org/misc/hoster.yaml
+++ b/modules/debian-org/misc/hoster.yaml
@@ -46,7 +46,6 @@ bytemark:
 - 2001:41c8:61::/125
 #searchpaths: [debprivate-bytemark.debian.org]
 nameservers: [5.153.231.241, 5.153.231.242]
- allow_dns_query: [5.153.231.0/24]
 mirror-debian: http://mirror.bm.debian.org/debian
 carnet:
 netrange:
@@ -80,7 +79,6 @@ ftcollins:
 searchpaths: [debprivate-ftcollins.debian.org]
 nameservers: [192.25.206.33, 192.25.206.57]
 # only applicable for hosts that are recursive anyway:
- allow_dns_query: [192.25.206.0/24]
 grnet:
 netrange:
 - 194.177.211.192/27
@@ -128,7 +126,6 @@ sanger:
 #resolvoptions: [single-request]
 nameservers: [193.62.202.28, 193.62.202.29]
 searchpaths: [debprivate-sanger.debian.org]
- allow_dns_query: [193.62.202.24/29]
 rapidswitch:
 netrange:
 - 193.201.200.0/23
@@ -144,7 +141,6 @@ sil:
 - 2001:858:2:2::/64
 searchpaths: [debprivate-sil.debian.org]
 nameservers: [86.59.118.147, 86.59.118.148]
- allow_dns_query: [86.59.118.144/28, 2001:858:2:2::/64]
 mirror-debian: http://ftp.at.debian.org/debian/
 ubcece:
 netrange:
@@ -153,7 +149,6 @@ ubcece:
 searchpaths: [debprivate-ubc.debian.org]
 mirror-debian: http://mirror-ubc.debian.org/debian/
 nameservers: [206.12.19.214, 2607:f8f0:610:4000:224:81ff:fea7:e952, 206.12.19.20, 2607:f8f0:610:4000:218:feff:fe76:2ed0, 206.12.19.21, 2607:f8f0:610:4000:21c:c4ff:fee5:e890]
- allow_dns_query: [137.82.84.64/27, 206.12.19.0/24, 2607:f8f0:610:4000::/64]
 ugent:
 netrange:
 - 157.193.0.0/16
diff --git a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
index 303dfd213..f1606dd7d 100644
--- a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
+++ b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
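Review bot: The ftcollins hunk removes `allow_dns_query` but keeps the context line `# only applicable for hosts that are recursive anyway:` directly above it, so that comment now dangles over `grnet:` and describes a key this file no longer carries. Either drop that comment line in the same commit or move it beside the new `allow_dns_query:` entry in hieradata/ftcollins.yaml, where it still applies. The other four hoster.yaml hunks leave no orphaned comment behind.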
@@ -40,11 +40,12 @@ module Puppet::Parser::Functions
 end
 ns = function_hiera('nameservers')
+ allow_dns_q = function_hiera('allow_dns_query')
 if ns.empty? # no nameservers known for this hoster
 nodeinfo['misc']['resolver-recursive'] = true
- if nodeinfo['hoster']['allow_dns_query']
+ if allow_dns_q
 raise Puppet::ParseError, "No nameservers listed for #{nodeinfo['hoster']['name']} yet we should answer somebody's queries? That makes no sense."
 end
 elsif (nodeinfo['misc']['v4addrs'] and (ns & nodeinfo['misc']['v4addrs']).size > 0) or
@@ -52,7 +53,7 @@ module Puppet::Parser::Functions
 # this host is listed as a nameserver at this location
 nodeinfo['misc']['resolver-recursive'] = true
- if not nodeinfo['hoster']['allow_dns_query'] or nodeinfo['hoster']['allow_dns_query'].empty?
+ if not allow_dns_q or allow_dns_q.empty?
 raise Puppet::ParseError, "Host #{host} is listed as a nameserver for #{nodeinfo['hoster']['name']} but no allow_dns_query networks are defined for this location"
 end
 else
diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
index 5261009bb..caf95027d 100644
--- a/modules/unbound/manifests/init.pp
+++ b/modules/unbound/manifests/init.pp
@@ -9,7 +9,7 @@ class unbound {
 $is_recursor = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive')
- $client_ranges = getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')
+ $client_ranges = hiera('allow_dns_query')
 $ns = hiera('nameservers')
 package { 'unbound':
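Review bot: `if allow_dns_q` in the first nodeinfo.rb hunk is not equivalent to the old `if nodeinfo['hoster']['allow_dns_query']`: that key was simply absent (nil) for hosters without an ACL, but this commit makes hieradata/common.yaml default `allow_dns_query` to `[]`, and an empty Array is truthy in Ruby, so every host at a location with no nameservers would now raise the "No nameservers listed ... yet we should answer somebody's queries" ParseError (unless function_hiera maps an empty list to nil, which is not visible here). The second hunk already tests this correctly; mirror it with `if allow_dns_q and not allow_dns_q.empty?`. The enclosing function begins and ends outside the hunk.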
@@ -59,12 +59,12 @@ class unbound {
 @ferm::rule { 'dsa-dns':
 domain => 'ip',
 description => 'Allow nameserver access',
- rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
+ rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4($client_ranges))),
 }
 @ferm::rule { 'dsa-dns6':
 domain => 'ip6',
 description => 'Allow nameserver access',
- rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
+ rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6($client_ranges))),
 }
 }
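Review bot: Both ferm rules now take their source set from `$client_ranges`, which this commit defaults to `[]` in hieradata/common.yaml, so on a host with an empty list the rule text becomes `&TCP_UDP_SERVICE_RANGE(53, ())` unless `join_spc`/`filter_ipv4`/`filter_ipv6` guard against that; whether ferm accepts an empty range there is not visible in this hunk. nodeinfo.rb already rejects a recursor with no allow_dns_query networks, so this only matters if these virtual rules can be realised on a host that is not a recursor; the hunk shows no `$is_recursor` guard around them, and the block closed by the final `}` starts outside the hunk. If there is no such guard, wrapping both rules in `if $is_recursor { ... }` keeps the port-53 accept rule from being emitted with an empty source set.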