From 0908741048684a3f0d143144b82fab87095a42a6 Mon Sep 17 00:00:00 2001
From: Stephen Gran
Date: Sun, 21 Feb 2010 14:52:26 +0000
Subject: [PATCH] reshuffle bind configuration

Signed-off-by: Stephen Gran
---
 .../common/named.conf.acl} | 13 ----
 modules/named/files/common/named.conf.options | 43 -------------
 .../files/common/named.conf.options-secondary | 28 ---------
 .../named.conf.options-secondary | 35 -----------
 modules/named/manifests/geodns.pp | 6 +-
 modules/named/manifests/secondary.pp | 3 +-
 .../named/templates/named.conf.options.erb | 63 +++++++++++++++++++
 7 files changed, 67 insertions(+), 124 deletions(-)
 rename modules/named/{templates/named.conf.acl.erb => files/common/named.conf.acl} (93%)
 delete mode 100644 modules/named/files/common/named.conf.options
 delete mode 100644 modules/named/files/common/named.conf.options-secondary
 delete mode 100644 modules/named/files/per-host/ravel.debian.org/named.conf.options-secondary
 create mode 100644 modules/named/templates/named.conf.options.erb

diff --git a/modules/named/templates/named.conf.acl.erb b/modules/named/files/common/named.conf.acl
similarity index 93%
rename from modules/named/templates/named.conf.acl.erb
rename to modules/named/files/common/named.conf.acl
index c35c37e4e..60a078fed 100644
--- a/modules/named/templates/named.conf.acl.erb
+++ b/modules/named/files/common/named.conf.acl
@@ -3,19 +3,6 @@
 // USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
 //

-acl Nagios {
-<%=
- str = ''
- localinfo.keys.sort.each do |node|
- if localinfo[node]['nagiosmaster']
- keyinfo[node][0]['ipHostNumber'].each do |ip|
- str += "\t" + ip + "/32;\n"
- end
- end
- end
- str%>
-};
-
 // Africa
 acl AF {
 country_AO;
diff --git a/modules/named/files/common/named.conf.options b/modules/named/files/common/named.conf.options
deleted file mode 100644
index b81be8c87..000000000
--- a/modules/named/files/common/named.conf.options
+++ /dev/null
@@ -1,43 +0,0 @@
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-options {
- directory "/var/cache/bind";
-
- // If there is a firewall between you and nameservers you want
- // to talk to, you may need to fix the firewall to allow multiple
- // ports to talk. See http://www.kb.cert.org/vuls/id/800113
-
- // If your ISP provided one or more IP addresses for stable
- // nameservers, you probably want to use them as forwarders.
- // Uncomment the following block, and insert the addresses replacing
- // the all-0's placeholder.
-
- // forwarders {
- // 0.0.0.0;
- // };
-
- auth-nxdomain no; # conform to RFC1035
- listen-on-v6 { any; };
- allow-query { any; };
- allow-update { none; };
- allow-transfer { none; };
- allow-recursion { Nagios; };
- blackhole { 192.168.0.0/16; 10.0.0.0/8; 172.16.0.0/12; };
-};
-
-logging {
-
- channel queries {
- file "/var/log/bind9/geoip-query.log" versions 4 size 40m;
- print-time yes;
- print-category yes;
- };
- category queries { queries; };
- category lame-servers { null; };
-
-};
-
-
diff --git a/modules/named/files/common/named.conf.options-secondary b/modules/named/files/common/named.conf.options-secondary
deleted file mode 100644
index e95a7286a..000000000
--- a/modules/named/files/common/named.conf.options-secondary
+++ /dev/null
@@ -1,28 +0,0 @@
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-options {
- directory "/var/cache/bind";
-
- allow-recursion { localnets; 192.25.206.33; 206.12.19.118; };
- allow-query { localnets; 192.25.206.33; 206.12.19.118; };
-
- auth-nxdomain no;
- listen-on-v6 { any; };
-
- dnssec-enable yes;
- dnssec-validation yes;
-};
-
-logging {
-
- channel queries {
- file "/var/log/bind9/named-query.log" versions 4 size 40m;
- print-time yes;
- print-category yes;
- };
- category queries { queries; };
- category lame-servers { null; };
-};
diff --git a/modules/named/files/per-host/ravel.debian.org/named.conf.options-secondary b/modules/named/files/per-host/ravel.debian.org/named.conf.options-secondary
deleted file mode 100644
index 58e18dc75..000000000
--- a/modules/named/files/per-host/ravel.debian.org/named.conf.options-secondary
+++ /dev/null
@@ -1,35 +0,0 @@
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-acl debian-ubcece {
- 127.0.0.0/8;
- 137.82.84.64/27;
- 206.12.19.0/24;
- 192.168.2.0/24;
-};
-
-options {
- directory "/var/cache/bind";
-
- allow-recursion { localnets; debian-ubcece; 192.25.206.33; 206.12.19.118; };
- allow-query { localnets; debian-ubcece; 192.25.206.33; 206.12.19.118; };
-
- auth-nxdomain no;
- listen-on-v6 { any; };
-
- dnssec-enable yes;
- dnssec-validation yes;
-};
-
-logging {
-
- channel queries {
- file "/var/log/bind9/named-query.log" versions 4 size 40m;
- print-time yes;
- print-category yes;
- };
- category queries { queries; };
- category lame-servers { null; };
-};
diff --git a/modules/named/manifests/geodns.pp b/modules/named/manifests/geodns.pp
index 0754b323a..766c5e55f 100644
--- a/modules/named/manifests/geodns.pp
+++ b/modules/named/manifests/geodns.pp
@@ -17,15 +17,15 @@ class named::geodns inherits named {
 group => root,
 ;
 "/etc/bind/named.conf.acl":
- content => template("named/named.conf.acl.erb"),
+ source => [ "puppet:///named/per-host/$fqdn/named.conf.acl",
+ "puppet:///named/common/named.conf.acl" ],
 require => Package["bind9"],
 notify => Exec["bind9 restart"],
 owner => root,
 group => root,
 ;
 "/etc/bind/named.conf.options":
- source => [ "puppet:///named/per-host/$fqdn/named.conf.options",
- "puppet:///named/common/named.conf.options" ],
+ content => template("named/named.conf.options.erb"),
 require => Package["bind9"],
 notify => Exec["bind9 restart"],
 owner => root,
diff --git a/modules/named/manifests/secondary.pp b/modules/named/manifests/secondary.pp
index 3742eec41..87f3d377e 100644
--- a/modules/named/manifests/secondary.pp
+++ b/modules/named/manifests/secondary.pp
@@ -5,8 +5,7 @@ class named::secondary inherits named {
 notify => Exec["bind9 reload"],
 }
 file { "/etc/bind/named.conf.options":
- source => [ "puppet:///named/per-host/$fqdn/named.conf.options-secondary",
- "puppet:///named/common/named.conf.options-secondary" ],
+ content => template("named/named.conf.options.erb"),
 notify => Exec["bind9 reload"],
 }
 file { "/etc/bind/named.conf.shared-keys":
diff --git a/modules/named/templates/named.conf.options.erb b/modules/named/templates/named.conf.options.erb
new file mode 100644
index 000000000..5dec7ba1f
--- /dev/null
+++ b/modules/named/templates/named.conf.options.erb
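Review bot: The per-host override for named.conf.options on secondaries is lost in the secondary.pp hunk: the old source list tried `puppet:///named/per-host/$fqdn/named.conf.options-secondary` first, and the ravel.debian.org file it served (deleted in this commit) carried the `debian-ubcece` acl plus 192.25.206.33 and 206.12.19.118 in allow-query and allow-recursion, none of which the new template reproduces — it emits only `Nagios; localnets;` for a secondary. If those clients still rely on recursion or query access on that host, this change removes it silently, and `content => template("named/named.conf.options.erb")` gives no per-host hook to add it back. Either carry those ranges into the template under a host check, or state in the commit message that the ravel exceptions are dropped on purpose. The enclosing `class named::secondary` continues outside the hunk.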
@@ -0,0 +1,63 @@
+//
+// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+//
+
+acl Nagios {
+<%=
+ str = ''
+ localinfo.keys.sort.each do |node|
+ if localinfo[node]['nagiosmaster']
+ keyinfo[node][0]['ipHostNumber'].each do |ip|
+ str += "\t" + ip + "/32;\n"
+ end
+ end
+ end
+ str-%>
+};
+
+options {
+ directory "/var/cache/bind";
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { any; };
+
+ allow-transfer { none; };
+ allow-update { none; };
+<%= if classes.include?('named::geodns') -%>
+ blackhole { 192.168.0.0/16; 10.0.0.0/8; 172.16.0.0/12; };
+<%= end -%>
+
+<%=
+ allowed='Nagios; '
+ if classes.include?('named::secondary')
+ allowed += 'localnets; '
+ end
+
+ str = "allow-recursion { " + allowed + " };\n"
+ str += "allow-query { " + allowed + " };\n"
+
+ str
+-%>
+
+<%= if classes.include?('named::secondary') -%>
+ dnssec-enable yes;
+ dnssec-validation yes;
+<%= end -%>
+};
+
+logging {
+
+ channel queries {
+<%= if classes.include?('named::geodns') -%>
+ file "/var/log/bind9/geoip-query.log" versions 4 size 40m;
+<%= else -%>
+ file "/var/log/bind9/named-query.log" versions 4 size 40m;
+<%= end -%>
+ print-time yes;
+ print-category yes;
+ };
+ category queries { queries; };
+ category lame-servers { null; };
+};
+
--
2.20.1
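Review bot: The control-flow tags in this template use the output form — `<%= if classes.include?('named::geodns') -%>`, `<%= else -%>` and `<%= end -%>` in the blackhole, dnssec and logging-channel sections — and ERB wraps an output tag's body in `(…).to_s`, so a bare `if`/`else`/`end` there is a Ruby syntax error and the template will not render at all; they need to be `<% if classes.include?('named::geodns') -%>`, `<% else -%>` and `<% end -%>` (the same for the `named::secondary` checks). Separately, the allow-query line is now built from `allowed`, which on a geodns host contains only `Nagios; `, whereas the deleted named.conf.options had `allow-query { any; };` — unless a view- or zone-level allow-query in a file not shown here overrides it, the geodns servers will refuse queries from everyone except the Nagios masters. Applying `allow-transfer { none; };` and `allow-update { none; };` to secondaries as well is a sensible tightening, but it is worth confirming that nothing pulls zone transfers from them.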