From: Stephen Gran Date: Sun, 14 Apr 2013 16:00:32 +0000 (+0100) Subject: make unbound get forwarders from hiera X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=04ff326f9e84287fa1c944f562a3594a8a5fbbdb;p=mirror%2Fdsa-puppet.git make unbound get forwarders from hiera Signed-off-by: Stephen Gran --- diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp index f94d4739e..5261009bb 100644 --- a/modules/unbound/manifests/init.pp +++ b/modules/unbound/manifests/init.pp @@ -8,6 +8,10 @@ # class unbound { + $is_recursor = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive') + $client_ranges = getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query') + $ns = hiera('nameservers') + package { 'unbound': ensure => installed } @@ -51,18 +55,16 @@ class unbound { notify => Service['unbound'] } - if getfromhash($site::nodeinfo, 'misc', 'resolver-recursive') { - if getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query') { - @ferm::rule { 'dsa-dns': - domain => 'ip', - description => 'Allow nameserver access', - rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))), - } - @ferm::rule { 'dsa-dns6': - domain => 'ip6', - description => 'Allow nameserver access', - rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))), - } + if ($is_recursor and $client_ranges) { + @ferm::rule { 'dsa-dns': + domain => 'ip', + description => 'Allow nameserver access', + rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))), + } + @ferm::rule { 'dsa-dns6': + domain => 'ip6', + description => 'Allow nameserver access', + rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))), } } } 
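Review bot: The two `rule =>` lines inside the new `if ($is_recursor and $client_ranges)` block still re-read `getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')` instead of the `$client_ranges` variable introduced at the top of the class, so the condition and the rule body can drift apart if one of them is edited later; `rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4($client_ranges))),` (and `filter_ipv6($client_ranges)` for the ip6 rule) keeps a single source of truth. `$ns = hiera('nameservers')` carries no default, so a node without that key in hiera will presumably fail catalog compilation instead of falling back to an empty forwarder list as the removed template code did with `forwarders ||= []`; if that fail-closed behaviour is intended a one-line comment saying so would help, otherwise `hiera('nameservers', [])` restores the old tolerance. The body of `class unbound` continues outside this hunk.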
diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb index d909f74c9..5dad16318 100644 --- a/modules/unbound/templates/unbound.conf.erb +++ b/modules/unbound/templates/unbound.conf.erb @@ -6,26 +6,22 @@ server: verbosity: 1 -<%= - out = [] - if scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query'] - out << " interface: 0.0.0.0" - out << " interface: ::0" - out << "" - out << " interface-automatic: yes" - - out << " access-control: 0.0.0.0/0 refuse" - out << " access-control: ::0/0 refuse" - out << " access-control: 127.0.0.0/8 allow" - out << " access-control: ::0/0 refuse" - out << " access-control: ::1 allow" - out << " access-control: ::ffff:127.0.0.1 allow" - scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query'].each do |net| - out << " access-control: #{net} allow" - end - end - out.join("\n") -%> +<% if @is_recursor && @client_ranges -%> + interface: 0.0.0.0 + interface: ::0 + + interface-automatic: yes + + access-control: 0.0.0.0/0 refuse + access-control: ::0/0 refuse + access-control: 127.0.0.0/8 allow + access-control: ::0/0 refuse + access-control: ::1 allow + access-control: ::ffff:127.0.0.1 allow +<% @client_ranges.to_a.flatten.each do |net| -%> + access-control: <%= net -%> allow +<% end -%> +<% end -%> #chroot: "" 
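Review bot: The new guard `<% if @is_recursor && @client_ranges -%>` relies on Ruby truthiness while the matching condition in init.pp follows Puppet's rules: if `getfromhash` yields an empty string or `:undef` for a node with no `allow_dns_query` entry, Ruby treats that as true, the listener lines for `0.0.0.0`/`::0` are emitted, and `@client_ranges.to_a` raises `NoMethodError` for a String, aborting the catalog. Normalising before testing, e.g. `<% ranges = [@client_ranges].flatten.compact; if @is_recursor && !ranges.empty? -%>` with `ranges.each`, keeps the template and manifest in step whatever getfromhash returns for a missing key; the same applies to `not @client_ranges` and `@ns.to_a.flatten` in the second hunk of this file. How getfromhash represents a missing key is not visible here, so confirm before relying on either form. The duplicated `access-control: ::0/0 refuse` line is carried over from the old code and is harmless but could be dropped.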
@@ -48,23 +44,13 @@ server: auto-trust-anchor-file: "/var/lib/unbound/root.key" auto-trust-anchor-file: "/var/lib/unbound/debian.org.key" -<%= - out = [] - if not scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and not scope.lookupvar('site::nodeinfo')['hoster']['nameservers_break_dnssec'] - forwarders = scope.lookupvar('site::nodeinfo')['hoster']['nameservers'] - forwarders ||= [] - - out << 'forward-zone:' - out << ' name: "."' - forwarders.each do |ns| - out << " forward-addr: #{ns}" - end - end - - - if hostname == "zappa" - out << "edns-buffer-size: 512" - end - - out.join("\n") -%> +<% if not @is_recursor and not @client_ranges -%> +forward-zone: + name: "." +<% @ns.to_a.flatten.each do |nms| -%> + forward-addr: <%= nms %> +<% end -%> +<% end -%> +<% if hostname == "zappa" -%> +edns-buffer-size: 512 +<% end -%>
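Review bot: The forwarding condition changed from `not resolver-recursive and not nameservers_break_dnssec` to `<% if not @is_recursor and not @client_ranges -%>`, so the `nameservers_break_dnssec` check is silently dropped and the forward-zone is instead tied to whether client ranges are defined, which is a different question; a host whose hoster nameservers break DNSSEC validation will now forward "." to them while the `auto-trust-anchor-file` lines above keep validation on, and resolution there will presumably fail. Either keep the flag, e.g. `$breaks_dnssec = getfromhash($site::nodeinfo, 'hoster', 'nameservers_break_dnssec')` in init.pp and `<% if !@is_recursor && !@breaks_dnssec -%>` here, or say in the commit message that the flag is being retired, since the current message only mentions moving forwarders to hiera. The bare `hostname` in `<% if hostname == "zappa" -%>` is carried over from the removed code; in a template the fact should be read as `@hostname`, as the bare form is resolved through the scope and is deprecated in Puppet 3.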