Try to avoid reserved site keyword
1 # = Class: unbound
2 #
3 # This class installs and configures unbound
4 #
5 # == Sample Usage:
6 #
7 #   include unbound
8 #
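class unbound {
        include stdlib

        # Whether this host acts as a recursive resolver for other hosts;
        # read from the legacy nodeinfo hash.
        $is_recursor         = getfromhash($deprecated::nodeinfo, 'misc', 'resolver-recursive')
        # Networks permitted to query this resolver. Used for the ferm rules
        # below and, presumably, by the unbound.conf template as well.
        $client_ranges       = hiera('allow_dns_query')
        # When true the firewall blocks DNS, so the 29.172 trust anchor is
        # removed rather than installed (see the file resource below).
        $firewall_blocks_dns = hiera('firewall_blocks_dns', false)
        $empty_client_range  = empty($client_ranges)
        # Upstream nameservers. Not referenced in this class body; available
        # to the unbound.conf template through class scope.
        $ns                  = hiera('resolv::nameservers')

        package { 'unbound':
                ensure => installed,
        }

        # No status action is assumed for the init script, so Puppet falls
        # back to matching a process by pattern. NOTE(review): 'unbound' is a
        # substring match and may also match other unbound-* processes —
        # confirm this is acceptable.
        service { 'unbound':
                ensure    => running,
                hasstatus => false,
                pattern   => 'unbound',
        }

        # Our own init script replaces the one shipped by the package. It is
        # ordered after the package so the package's copy cannot clobber the
        # managed file (and to avoid a conffile conflict on first install).
        file { '/etc/init.d/unbound':
                source  => 'puppet:///modules/unbound/unbound.init',
                mode    => '0555',
                require => Package['unbound'],
                notify  => Exec['systemctl daemon-reload'],
        }
        # State directory holding the trust anchors. NOTE(review): 0775 makes
        # it group-writable for the unbound group — verify group write is
        # actually needed here.
        file { '/var/lib/unbound':
                ensure  => directory,
                owner   => 'unbound',
                group   => 'unbound',
                require => Package['unbound'],
                mode    => '0775',
        }
        # Trust anchors are only seeded once (replace => false) so that a
        # copy updated on the host is not reverted to the module's version.
        file { '/var/lib/unbound/root.key':
                ensure  => present,
                replace => false,
                owner   => 'unbound',
                group   => 'unbound',
                mode    => '0644',
                source  => 'puppet:///modules/unbound/root.key',
                notify  => Service['unbound'],
        }
        file { '/var/lib/unbound/debian.org.key':
                ensure  => present,
                replace => false,
                owner   => 'unbound',
                group   => 'unbound',
                mode    => '0644',
                source  => 'puppet:///modules/unbound/debian.org.key',
                notify  => Service['unbound'],
        }
        # Removed entirely when the firewall blocks DNS; otherwise seeded
        # once like the other anchors.
        file { '/var/lib/unbound/29.172.in-addr.arpa.key':
                ensure  => $firewall_blocks_dns ? { true => 'absent', default => 'present' },
                replace => $firewall_blocks_dns ? { true => true, default => false },
                owner   => 'unbound',
                group   => 'unbound',
                mode    => '0644',
                source  => 'puppet:///modules/unbound/29.172.in-addr.arpa.key',
                notify  => Service['unbound'],
        }
        # The configuration references the anchor files, so they must exist
        # before the config is written and the service (re)started.
        file { '/etc/unbound/unbound.conf':
                content => template('unbound/unbound.conf.erb'),
                require => [
                        Package['unbound'],
                        File['/var/lib/unbound/root.key'],
                        File['/var/lib/unbound/debian.org.key'],
                ],
                notify  => Service['unbound'],
        }

        # Only open port 53 when this host recurses for others and a client
        # allow-list is configured; otherwise no firewall hole is punched.
        # NOTE(review): if $client_ranges holds only one address family, the
        # other family's rule expands to an empty range list — confirm ferm
        # accepts that.
        if ($is_recursor and !$empty_client_range) {
                ferm::rule { 'dsa-dns':
                        domain      => 'ip',
                        description => 'Allow nameserver access',
                        rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4($client_ranges))),
                }
                ferm::rule { 'dsa-dns6':
                        domain      => 'ip6',
                        description => 'Allow nameserver access',
                        rule        => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6($client_ranges))),
                }
        }
}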