From 05faa1898f975f27c9ccbec5b4e45ac776d64b4e Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Tue, 1 Mar 2011 22:44:16 +0100 Subject: [PATCH] unbound module --- modules/unbound/manifests/init.pp | 52 +++++++++++++++++++ modules/unbound/templates/unbound.conf.erb | 60 ++++++++++++++++++++++ 2 files changed, 112 insertions(+) create mode 100644 modules/unbound/manifests/init.pp create mode 100644 modules/unbound/templates/unbound.conf.erb diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp new file mode 100644 index 000000000..03ae86c09 --- /dev/null +++ b/modules/unbound/manifests/init.pp @@ -0,0 +1,52 @@ +class unbouned { + package { + unbound: ensure => installed; + } + + exec { + "unbound restart": + path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", + refreshonly => true, + ; + } + file { + "/var/lib/unbound": + ensure => directory, + owner => unbound, + group => unbound, + mode => 775, + ; + "/var/lib/unbound/root.key": + ensure => present, + replace => false, + owner => unbound, + group => unbound, + mode => 644, + # IANA root trust anchor, valid from 2010-07-15T00:00:00+00:00 + # downloaded from https://data.iana.org/root-anchors/root-anchors.xml + content => ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n", + notify => Exec["unbound restart"], + ; + "/var/lib/unbound/debian.org.key": + ensure => present, + replace => false, + owner => unbound, + group => unbound, + mode => 644, + # debian.org DS record, July 2010' + content => "debian.org. IN DS 5283 7 2 3DC987A633914C195D03EA129E92327630D3428E92884A5E97829A55701F9E8A\n", + notify => Exec["unbound restart"], + ; + "/etc/unbound/unbound.conf": + content => template("unbound/unbound.conf.erb"), + require => Package["unbound"], + notify => Exec["unbound restart"], + owner => root, + group => root, + ; + } +} + +# vim:set et: +# vim:set sts=4 ts=4: +# vim:set shiftwidth=4: diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb new file mode 100644 index 000000000..35610496c --- /dev/null +++ b/modules/unbound/templates/unbound.conf.erb @@ -0,0 +1,60 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +server: + verbosity: 1 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. + interface-automatic: yes + + # control which clients are allowed to make (recursive) queries + # to this server. Specify classless netblocks with /size and action. + # By default everything is refused, except for localhost. + # Choose deny (drop message), refuse (polite error reply), + # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) + # access-control: 0.0.0.0/0 refuse + # access-control: 127.0.0.0/8 allow + # access-control: ::0/0 refuse + # access-control: ::1 allow + # access-control: ::ffff:127.0.0.1 allow + + #chroot: "" + + hide-identity: yes + hide-version: yes + + use-caps-for-id: yes + + # Do not query the following addresses. No DNS queries are sent there. + # List one address per entry. List classless netblocks with /size, + # do-not-query-address: 127.0.0.1/8 + # do-not-query-address: ::1 + + # if yes, the above default do-not-query-address entries are present. + # if no, localhost can be queried (for testing and debugging). + # do-not-query-localhost: yes + + # File with trusted keys, kept uptodate using RFC5011 probes, + # initial file like trust-anchor-file, then it stores metadata. + # Use several entries, one per domain name, to track multiple zones. + # auto-trust-anchor-file: "" + auto-trust-anchor-file: "/var/lib/unbound/root.key" + auto-trust-anchor-file: "/var/lib/unbound/debian.org.key" + +#forward-zone: +# name: "." +# forward-addr: 192.0.2.1 +# forward-addr: 192.0.2.199 -- 2.20.1