From: Peter Palfrader Date: Mon, 16 Sep 2019 08:53:30 +0000 (+0200) Subject: move 3rd party nameserver info from the ferm template to hiera, retire geodns old... X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=584f12fb4c5f6ce47a187868570f439f543b635d;p=mirror%2Fdsa-puppet.git move 3rd party nameserver info from the ferm template to hiera, retire geodns old-style role --- diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 57ce7a575..c8c0fb899 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -13,6 +13,22 @@ resolv::searchpaths: ['debian.org'] staticsync::user: 'staticsync' staticsync::basedir: '/srv/static.debian.org' +roles::dns_primary::allow_access: + # easydns + - '64.68.200.91' + - '205.210.42.80' + # rcode0 + - '83.136.34.0/27' + - '2a02:850:8::/47' + # netnod + - '192.71.80.0/24' + - '192.36.144.222' + - '192.36.144.218' + - '194.146.105.24' + - '194.146.105.25' + - '2a01:3f0:0:27::24' + - '2a01:3f0:0:28::25' + # other variables allow_dns_query: [] role_config__mirrors: @@ -39,11 +55,6 @@ roles: dns_primary: # XXX - used by ferm templates/defs.conf.erb - denis.debian.org - dns_geo: - # XXX - used by ferm templates/defs.conf.erb - - geo1.debian.org - - geo2.debian.org - - geo3.debian.org extranrpeclient: # XXX - used by ferm templates/defs.conf.erb - denis.debian.org diff --git a/hieradata/nodes/geo1.debian.org.yaml b/hieradata/nodes/geo1.debian.org.yaml new file mode 100644 index 000000000..f7d0989d9 --- /dev/null +++ b/hieradata/nodes/geo1.debian.org.yaml @@ -0,0 +1,3 @@ +--- +classes: + - roles::dns_geodns diff --git a/hieradata/nodes/geo2.debian.org.yaml b/hieradata/nodes/geo2.debian.org.yaml new file mode 100644 index 000000000..f7d0989d9 --- /dev/null +++ b/hieradata/nodes/geo2.debian.org.yaml @@ -0,0 +1,3 @@ +--- +classes: + - roles::dns_geodns diff --git a/hieradata/nodes/geo3.debian.org.yaml b/hieradata/nodes/geo3.debian.org.yaml new file mode 100644 index 000000000..f7d0989d9 --- /dev/null +++ b/hieradata/nodes/geo3.debian.org.yaml @@ -0,0 +1,3 @@ +--- +classes: + - roles::dns_geodns diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb index 8c19cefa7..ff0b14bdd 100644 --- a/modules/ferm/templates/defs.conf.erb +++ b/modules/ferm/templates/defs.conf.erb @@ -24,7 +24,7 @@ allnodeinfo = scope.lookupvar('deprecated::allnodeinfo') roles = scope.lookupvar('deprecated::roles') - %w{mailrelay nagiosmaster extranrpeclient muninmaster dns_geo postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster dns_primary}.each do |role| + %w{mailrelay nagiosmaster extranrpeclient muninmaster postgres_backup_server syncproxy security_master ftp_master historical_master ports_master mirrormaster dns_primary}.each do |role| rolehost[role] = [] roles[role].each do |node| next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber') @@ -76,13 +76,6 @@ @def $HOST_SYNCPROXY_V4 = ($HOST_SYNCPROXY_V4 128.101.240.216 128.31.0.64 149.20.4.16 209.87.16.40); @def $HOST_SYNCPROXY_V6 = ($HOST_SYNCPROXY_V6 2607:ea00:101:3c0b::1deb:216 2603:400a:ffff:bb8::801f:40 2001:4f8:1:c::16 2607:f8f0:614:1::1274:40); -@def $HOST_DNS_GEO_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_geo']]).uniq.join(' ') %>); -@def $HOST_DNS_GEO_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_geo']]).uniq.join(' ') %>); -@def $HOST_DNS_GEO = ($HOST_DNS_GEO_V4 $HOST_DNS_GEO_V6); -@def $HOST_EASYDNS = (64.68.200.91 205.210.42.80); -@def $HOST_RCODE0 = (83.136.34.0/27 2A02:850:8::/47); -@def $HOST_NETNOD = (192.71.80.0/24 192.36.144.222 192.36.144.218 194.146.105.24 194.146.105.25 2a01:3f0:0:27::24 2a01:3f0:0:28::25); - @def $HOST_DNSPRIMARY_V4 = (<%= scope.function_filter_ipv4([rolehost['dns_primary']]).uniq.join(' ') %>); @def $HOST_DNSPRIMARY_V6 = (<%= scope.function_filter_ipv6([rolehost['dns_primary']]).uniq.join(' ') %>); @def $HOST_DNSPRIMARY = ($HOST_DNSPRIMARY_V4 $HOST_DNSPRIMARY_V6); diff --git a/modules/named/manifests/geodns.pp b/modules/named/manifests/geodns.pp index 37a906558..49a9663da 100644 --- a/modules/named/manifests/geodns.pp +++ b/modules/named/manifests/geodns.pp @@ -60,12 +60,4 @@ class named::geodns inherits named { proto => ['udp', 'tcp'], port => 'domain', } - - @@ferm::rule::simple { "dsa-bind-from-${::fqdn}": - tag => 'named::primary::ferm', - description => 'Allow geo nameserver access to the primary for the (non-geo) zones that we AXFR', - proto => ['udp', 'tcp'], - port => 'domain', - saddr => $base::public_addresses, - } } diff --git a/modules/named/manifests/primary.pp b/modules/named/manifests/primary.pp index b383ca548..5f3f6beed 100644 --- a/modules/named/manifests/primary.pp +++ b/modules/named/manifests/primary.pp @@ -1,13 +1,9 @@ +# our primary nameserver +# +# it will not, by default, open the firewall for requests. class named::primary inherits named::authoritative { include dnsextras::entries - ferm::rule { '01-dsa-bind-4': - domain => '(ip ip6)', - description => 'Allow nameserver access', - rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD ) )', - } - Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>> - concat::fragment { 'dsa-named-conf-puppet-misc---local-shared-keys': target => '/etc/bind/named.conf.puppet-misc', order => '020', diff --git a/modules/roles/manifests/dns_geodns.pp b/modules/roles/manifests/dns_geodns.pp index 80ac29adc..4560fba4f 100644 --- a/modules/roles/manifests/dns_geodns.pp +++ b/modules/roles/manifests/dns_geodns.pp @@ -14,4 +14,12 @@ class roles::dns_geodns { target_user => 'geodnssync', collect_tag => 'geodnssync-node', } + + @@ferm::rule::simple { "dsa-bind-from-${::fqdn}": + tag => 'named::primary::ferm', + description => 'Allow geo nameserver access to the primary for the (non-geo) zones that we AXFR', + proto => ['udp', 'tcp'], + port => 'domain', + saddr => $base::public_addresses, + } } diff --git a/modules/roles/manifests/dns_primary.pp b/modules/roles/manifests/dns_primary.pp index 3e9c5bf40..0c86ec1b0 100644 --- a/modules/roles/manifests/dns_primary.pp +++ b/modules/roles/manifests/dns_primary.pp @@ -1,7 +1,17 @@ # the primary (hidden master) nameserver does bind zone file stuff and letsencrypt cert handling -class roles::dns_primary { +# +# it will not, by default, open the firewall for requests. however, it will +# collect ferm simple rules tagged named::primary::ferm which our own +# secondaries (the geo nodes) and the monitoring infrastructure export. +# Additional networks can be set with allow_access for any 3rd party nodes that +# should have access. +# @param allow_access additional hosts/network that should be allowed to port 53 +class roles::dns_primary( + Array[Stdlib::IP::Address] $allow_access = [], +) { include named::primary + # ssh setup to sync the geonodes ssh::authorized_key_collect { 'dns_primary-dnsadm': target_user => 'dnsadm', collect_tag => 'dns_primary', @@ -23,6 +33,7 @@ class roles::dns_primary { collect_tag => 'geodnssync-node', } + # ssh setup to sync letsencrypt info to puppet ssh::keygen {'letsencrypt': } ssh::authorized_key_add { 'dns_primary::puppetmaster::letsencrypt-certificates': target_user => 'puppet', @@ -30,4 +41,14 @@ class roles::dns_primary { key => $facts['letsencrypt_key'], collect_tag => 'puppetmaster', } + + # firewalling + ferm::rule::simple { 'dsa-bind-from-third-party-secondaries': + description => 'Allow additional (such as 3rd party secondary nameserver) access to the primary', + proto => ['udp', 'tcp'], + port => 'domain', + saddr => $allow_access, + } + Ferm::Rule::Simple <<| tag == 'named::primary::ferm' |>> + } diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp index 8980ed957..d51a9bc86 100644 --- a/modules/roles/manifests/init.pp +++ b/modules/roles/manifests/init.pp @@ -53,10 +53,6 @@ class roles { include roles::dns_primary } - if has_role('dns_geo') { - include roles::dns_geodns - } - if has_role('postgres_backup_server') { include postgres::backup_server }