From ee7d91317ec6efd38f8a281c096c68c48425b64b Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Tue, 9 Oct 2018 20:00:39 +0200
Subject: [PATCH] Do not put our 29.172.in-addr.arpa zone into unbound configs behind fascist firewalls: 1st attempt
---
 hieradata/br.yaml | 1 +
 hieradata/ynic.yaml | 1 +
 modules/unbound/manifests/init.pp | 4 ++--
 modules/unbound/templates/unbound.conf.erb | 3 +++
 4 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/hieradata/br.yaml b/hieradata/br.yaml
index 1b254bac8..970c10bd3 100644
--- a/hieradata/br.yaml
+++ b/hieradata/br.yaml
@@ -2,3 +2,4 @@ nameservers:
 - 200.236.31.1
 - 200.17.202.3
+firewall_blocks_dns: true
diff --git a/hieradata/ynic.yaml b/hieradata/ynic.yaml
index c72073536..89440d44f 100644
--- a/hieradata/ynic.yaml
+++ b/hieradata/ynic.yaml
@@ -3,3 +3,4 @@ nameservers:
 - 144.32.169.74
 - 144.32.169.75
 - 144.32.169.76
+firewall_blocks_dns: true
diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
index 88267d152..bb9e4d82b 100644
--- a/modules/unbound/manifests/init.pp
+++ b/modules/unbound/manifests/init.pp
@@ -7,9 +7,9 @@
 # include unbound
 #
 class unbound {
- $is_recursor = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive')
 $client_ranges = hiera('allow_dns_query')
+ $firewall_blocks_dns = hiera('firewall_blocks_dns', false)
 $empty_client_range = empty($client_ranges)
 $ns = hiera('nameservers')
@@ -54,7 +54,7 @@ class unbound {
 notify => Service['unbound']
 }
 file { '/var/lib/unbound/29.172.in-addr.arpa.key':
- ensure => present,
+ ensure => $firewall_blocks_dns ? { true => 'absent', default => 'present' },
 replace => false,
 owner => unbound,
 group => unbound,
diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb
index 92766758b..7ffc35fd7 100644
--- a/modules/unbound/templates/unbound.conf.erb
+++ b/modules/unbound/templates/unbound.conf.erb
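Review bot: Deleting `$is_recursor = getfromhash($site::nodeinfo, 'misc', 'resolver-recursive')` at the top of the hunk appears unrelated to the firewall flag and leaves the template's `@is_recursor` unset — the unbound.conf.erb hunk in this same patch still renders `<%= @is_recursor ? "y" : "n" %>` and `<% if not @is_recursor -%>`, so unless the variable is now defined elsewhere every host would silently be configured as a non-recursor. If the deletion is accidental, restore that line next to the new `$firewall_blocks_dns = hiera('firewall_blocks_dns', false)`. The class body continues outside the hunk.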
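Review bot: The selector `ensure => $firewall_blocks_dns ? { true => 'absent', default => 'present' }` removes the key file on firewalled hosts while `replace => false` stays in place, so nothing documents that the key is deliberately discarded and would be recreated from the resource's other attributes (outside the hunk) if the flag is later cleared; a comment on the resource such as `# no forward zone behind a DNS-blocking firewall, so its key file is dropped as well` would make that intent explicit. It is also worth confirming that nothing else in the generated unbound configuration still references `/var/lib/unbound/29.172.in-addr.arpa.key` when the flag is set, otherwise unbound would be pointed at a file Puppet has removed. The `file` resource continues outside the hunk.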
@@ -48,12 +48,15 @@ server:
 prefetch: yes
 prefetch-key: yes
+
+<% if not hiera('firewall_blocks_dns', false) %>
 local-zone: "29.172.in-addr.arpa" nodefault
 forward-zone:
 name: "29.172.in-addr.arpa"
 forward-host: geo1.debian.org
 forward-host: geo2.debian.org
 forward-host: geo3.debian.org
+<% end -%>
 # recursive: <%= @is_recursor ? "y" : "n" %>
 <% if not @is_recursor -%>
-- 
2.20.1
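Review bot: The guard `<% if not hiera('firewall_blocks_dns', false) %>` repeats the hiera lookup that init.pp now stores in `$firewall_blocks_dns`; writing it as `<% if not @firewall_blocks_dns -%>` would let the key-file `ensure` and this forward-zone stanza be decided by a single value instead of two lookups with separately maintained defaults. The opening tag also lacks the `-%>` trim used on the matching `<% end -%>`, which together with the added empty `+` line emits extra blank lines into unbound.conf. A one-line comment above the block stating why the zone is omitted on such hosts (presumably the geo forwarders are unreachable, so unbound's default handling of that reverse space is left in effect) would help the next reader. The `server:` section continues outside the hunk.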