From 0a314c11202f57279204f9f0f8e3367126a5f984 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Tue, 9 Oct 2018 20:02:34 +0200
Subject: [PATCH] Do not put our 29.172.in-addr.arpa zone into unbound configs behind fascist firewalls, 2
---
 modules/unbound/manifests/init.pp | 2 ++
 modules/unbound/templates/unbound.conf.erb | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
index bb9e4d82b..79f172a52 100644
--- a/modules/unbound/manifests/init.pp
+++ b/modules/unbound/manifests/init.pp
@@ -7,6 +7,8 @@
 # include unbound
 #
 class unbound {
+ include stdlib
+
 $is_recursor = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive')
 $client_ranges = hiera('allow_dns_query')
 $firewall_blocks_dns = hiera('firewall_blocks_dns', false)
diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb
index 7ffc35fd7..e33b519c5 100644
--- a/modules/unbound/templates/unbound.conf.erb
+++ b/modules/unbound/templates/unbound.conf.erb
@@ -49,7 +49,7 @@ server:
 prefetch-key: yes
-<% if not hiera('firewall_blocks_dns', false) %>
+<% if not @firewall_blocks_dns %>
 local-zone: "29.172.in-addr.arpa" nodefault
 forward-zone:
 name: "29.172.in-addr.arpa"
-- 
2.20.1
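Review bot: In modules/unbound/manifests/init.pp the new `include stdlib` has no visible consumer in this hunk, and the commit message only describes the template change, so a later reader cannot tell what depends on it. A one-line comment above it would help, e.g. `# stdlib is needed by <function or resource used in this class>` with the real name filled in. The class body continues outside the hunk, so the use may simply be further down.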
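Review bot: In modules/unbound/templates/unbound.conf.erb, `<% if not @firewall_blocks_dns %>` relies on Ruby truthiness, so the guard is only as reliable as the type of the value the manifest hands over. The variable is set from `hiera('firewall_blocks_dns', false)` in init.pp; if a host's data ever carries a quoted string such as "false", it is truthy in ERB and the 29.172.in-addr.arpa local-zone/forward-zone block is silently dropped. Conversely, if the variable is unset in the scope that renders the template, `not nil` emits the block on a firewalled host. Assuming the stdlib version in use provides it, a `validate_bool($firewall_blocks_dns)` right after the assignment in init.pp would make a bad value fail catalog compilation instead of producing the wrong resolver config. The template's `if` block closes outside this hunk.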