From: Peter Palfrader
Date: Sun, 7 Jul 2019 08:53:16 +0000 (+0200)
Subject: Move DNS things from named to named::primary and named::geodns
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=81cae72cc2ebdf139fb0a9d1f3c063c8dcced8bf;p=mirror%2Fdsa-puppet.git

Move DNS things from named to named::primary and named::geodns
---
diff --git a/modules/named/manifests/geodns.pp b/modules/named/manifests/geodns.pp
index 649268a44..c4c637340 100644
--- a/modules/named/manifests/geodns.pp
+++ b/modules/named/manifests/geodns.pp
@@ -63,4 +63,10 @@ class named::geodns inherits named {
 		@reboot geodnssync sleep 1m && /etc/bind/geodns/trigger > /dev/null
 		| EOF
 	}
+
+	@ferm::rule { '01-dsa-bind':
+		domain => '(ip ip6)',
+		description => 'Allow nameserver access',
+		rule => '&TCP_UDP_SERVICE(53)'
+	}
 }
diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp
index 1481f30f0..9b07e10f5 100644
--- a/modules/named/manifests/init.pp
+++ b/modules/named/manifests/init.pp
@@ -15,25 +15,6 @@ class named {
 		rule => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP'
 	}
 
-	if has_role('dns_primary') {
-		@ferm::rule { '01-dsa-bind-4':
-			domain => '(ip)',
-			description => 'Allow nameserver access',
-			rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V4 $HOST_NAGIOS_V4 $HOST_RCODE0_V4 $HOST_EASYDNS_V4 $HOST_NETNOD_V4 ) )',
-		}
-		@ferm::rule { '01-dsa-bind-6':
-			domain => '(ip6)',
-			description => 'Allow nameserver access',
-			rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V6 $HOST_NAGIOS_V6 $HOST_RCODE0_V6 $HOST_NETNOD_V6 ) )',
-		}
-	} else {
-		@ferm::rule { '01-dsa-bind':
-			domain => '(ip ip6)',
-			description => 'Allow nameserver access',
-			rule => '&TCP_UDP_SERVICE(53)'
-		}
-	}
-
 	@ferm::rule { 'dsa-bind-notrack':
 		domain => '(ip ip6)',
 		description => 'NOTRACK for nameserver traffic',
diff --git a/modules/named/manifests/primary.pp b/modules/named/manifests/primary.pp
index 85b0021bb..0c63531f9 100644
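Review bot: The `'01-dsa-bind'` rule added to `named::geodns` accepts 53/tcp and 53/udp from any source on both address families, and nothing in the hunk records that this is deliberate while the primary's rule in the same commit is restricted to an allowlist; a short comment such as `# geodns nodes are public authoritative servers: accept 53/tcp+udp from anywhere` would keep a later cleanup from "tightening" it by mistake. The resource is virtual (`@ferm::rule`), so it only becomes a firewall rule where `Ferm::Rule` is realized, presumably by the ferm module as the old init.pp rule was. Because the generic rule now lives only here and the allowlisted ones only in named::primary, any host that classes plain `named` or `named::authoritative` without either subclass ends up with no port-53 rule at all; that may be the intent for resolvers, but is worth confirming. The enclosing class starts before the hunk.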
--- a/modules/named/manifests/primary.pp
+++ b/modules/named/manifests/primary.pp
@@ -1,3 +1,14 @@
 class named::primary inherits named::authoritative {
 	include dnsextras::entries
+
+	@ferm::rule { '01-dsa-bind-4':
+		domain => '(ip)',
+		description => 'Allow nameserver access',
+		rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V4 $HOST_NAGIOS_V4 $HOST_RCODE0_V4 $HOST_EASYDNS_V4 $HOST_NETNOD_V4 ) )',
+	}
+	@ferm::rule { '01-dsa-bind-6':
+		domain => '(ip6)',
+		description => 'Allow nameserver access',
+		rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V6 $HOST_NAGIOS_V6 $HOST_RCODE0_V6 $HOST_NETNOD_V6 ) )',
+	}
 }
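Review bot: The IPv6 allowlist in `'01-dsa-bind-6'` has no `$HOST_EASYDNS_V6` counterpart to the `$HOST_EASYDNS_V4` entry in `'01-dsa-bind-4'`; if EasyDNS genuinely transfers over IPv4 only, that should be written next to the rule, e.g. `# no $HOST_EASYDNS_V6: EasyDNS pulls zones over IPv4 only`, otherwise one secondary's v6 path to the primary is silently closed. These ferm rules are only the network layer of the control: they decide who can reach port 53, not what they may ask, so BIND's own allow-transfer/allow-query ACLs, which are not visible here and presumably live in named::authoritative, still need to agree with this host list. Since the rules are declared in named::primary rather than in named::authoritative that it inherits from, a host classed only as named::authoritative gets no port-53 rule after this move, which is fine if no such host exists but is worth a check.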