# allow *.example.com
# deny *.evil.example.com
# allow 192.168.0.0/24
-[facts]
- allow *.debian.org
- path /etc/puppet/facts
+#[facts]
+# allow *.debian.org
+# path /etc/puppet/facts
node default {
$localinfo = yamlinfo('*', "/etc/puppet/modules/debian-org/misc/local.yaml")
$nodeinfo = nodeinfo($fqdn, "/etc/puppet/modules/debian-org/misc/local.yaml")
- $hoster = whohosts($nodeinfo, "/etc/puppet/modules/debian-org/misc/hoster.yaml")
- $keyinfo = allnodeinfo("sshRSAHostKey", "ipHostNumber", "purpose")
- $mxinfo = allnodeinfo("mXRecord")
- notice("hoster for ${fqdn} is ${hoster}")
+ $allnodeinfo = allnodeinfo("sshRSAHostKey ipHostNumber", "purpose mXRecord")
+ notice( sprintf("hoster for %s is %s", $fqdn, getfromhash($nodeinfo, 'hoster', 'name') ) )
include munin-node
include syslog-ng
case $kvmdomain {
"true": {
package { acpid: ensure => installed }
- case extractnodeinfo($nodeinfo, 'squeeze') {
+ case getfromhash($nodeinfo, 'squeeze') {
true: { package { acpi-support-base: ensure => installed } }
}
}
case $mta {
"exim4": {
- case extractnodeinfo($nodeinfo, 'heavy_exim') {
+ case getfromhash($nodeinfo, 'heavy_exim') {
true: { include exim::mx }
default: { include exim }
}
}
}
- case extractnodeinfo($nodeinfo, 'puppetmaster') {
+ case getfromhash($nodeinfo, 'puppetmaster') {
true: { include puppetmaster }
}
- case extractnodeinfo($nodeinfo, 'muninmaster') {
+ case getfromhash($nodeinfo, 'muninmaster') {
true: { include munin-node::master }
}
- case extractnodeinfo($nodeinfo, 'nagiosmaster') {
+ case getfromhash($nodeinfo, 'nagiosmaster') {
true: { include nagios::server }
default: { include nagios::client }
}
case $apache2 {
"true": {
- case extractnodeinfo($nodeinfo, 'apache2_security_mirror') {
+ case getfromhash($nodeinfo, 'apache2_security_mirror') {
true: { include apache2::security_mirror }
}
- case extractnodeinfo($nodeinfo, 'apache2_www_mirror') {
+ case getfromhash($nodeinfo, 'apache2_www_mirror') {
true: { include apache2::www_mirror }
}
include apache2
}
- case extractnodeinfo($nodeinfo, 'buildd') {
+ case getfromhash($nodeinfo, 'buildd') {
true: {
include buildd
}
case $hostname {
klecker,ravel,senfl,orff,draghi: { include named::authoritative }
geo1,geo2,geo3: { include named::geodns }
- franck,liszt,master,samosa,schein,spohr,steffani,widor: { include named::recursor }
+ liszt: { include named::recursor }
}
+ case $hostname {
+ franck,master,lobos,samosa,spohr,widor: { include unbound }
+ }
+ case getfromhash($nodeinfo, 'squeeze') {
+ true: { include unbound }
+ }
+ include resolv
case $kernel {
Linux: {
case $brokenhosts {
"true": { include hosts }
}
- case $hoster {
- "ubcece", "darmstadt", "ftcollins", "grnet": { include resolv }
- }
case $portforwarder_user_exists {
"true": { include portforwarder }
}
chain => 'http_limit',
rule => '
mod limit limit-burst 60 limit 15/minute jump ACCEPT;
- jump DROP;
- '
+ jump DROP'
}
@ferm::rule { "dsa-http-soso":
prio => "21",
chain => 'limit_sosospider',
rule => '
mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
- jump http_limit;
- '
+ jump http_limit'
}
@ferm::rule { "dsa-http-yahoo":
prio => "21",
chain => 'limit_yahoo',
rule => '
mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit;
- '
+ jump http_limit'
}
@ferm::rule { "dsa-http-google":
prio => "21",
chain => 'limit_google',
rule => '
mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
- jump http_limit;
- '
+ jump http_limit'
}
@ferm::rule { "dsa-http-bing":
prio => "21",
chain => 'limit_bing',
rule => '
mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit;
- '
+ jump http_limit'
}
@ferm::rule { "dsa-http-rules":
prio => "22",
mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
- mod recent name HTTPDOS set jump log_or_drop;
- '
+ mod recent name HTTPDOS set jump log_or_drop'
}
@ferm::rule { "dsa-http":
prio => "23",
description => "Allow web access",
- rule => "proto tcp dport (http https) jump http;"
+ rule => "proto tcp dport (http https) jump http"
}
}
default: {
<%=
lines = []
- keyinfo.keys.sort.each do |node|
- if keyinfo[node]['purpose'].include?('buildd')
- lines << " # #{keyinfo[node]['hostname'].to_s}"
- keyinfo[node]['ipHostNumber'].each do |addr|
+ allnodeinfo.keys.sort.each do |node|
+ next unless allnodeinfo[node]['purpose']
+ if allnodeinfo[node]['purpose'].include?('buildd')
+ lines << " # #{allnodeinfo[node]['hostname'].to_s}"
+ allnodeinfo[node]['ipHostNumber'].each do |addr|
lines << " allow from #{addr}"
end
end
# vim:set sts=2 ts=2:
# vim:set shiftwidth=2:
%>
-
</Macro>
}
exec { "apt-keys-update":
- command => 'for keyfile in /etc/apt/trusted-keys.d/*; do apt-key add $keyfile; done',
+ command => '/bin/true && for keyfile in /etc/apt/trusted-keys.d/*; do apt-key add $keyfile; done',
refreshonly => true
}
}
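Review bot: The `/bin/true &&` prefix added on the command line is undocumented; it reads like a workaround for the exec type's requirement that the command begin with a fully qualified path (since `for` is a shell keyword), but that is an inference and should be stated in a comment such as `# /bin/true satisfies the absolute-path check; the rest is shell syntax`. The loop's exit status is that of the last `apt-key add` only, so an earlier failure goes unreported to Puppet, and `$keyfile` is unquoted; `do apt-key add "$keyfile" || exit 1; done` makes any failed key import fail the resource. If the directory is empty the literal glob string is handed to apt-key, which is worth a `[ -e "$keyfile" ] || continue` guard. The enclosing class starts outside the hunk.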
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-
-----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
+Version: GnuPG v1.4.10 (GNU/Linux)
mQENBEm1IOQBCAC2D/Q3tcB+/zRx8/O4ry4hvP3JTLB+zCXcyAcIyzPdgmxNXQUZ
IOPSIMluiJfh9Dbgwjxm9oWTkP2LobcfVzIlHA9nVonW42rhhaYJd7yQ8xQ6u15g
E8du/UXOL7lCADqjZCPRuwGPwkWp32MbZzwRHP0pRyXttRXTDUQXwM6TUhGaHxsB
A4K5AUsooz4PCpIiUwVmle7kGz+NrI+bbyFNJBGnSxwluxGsJayX9kaqbq9JDhsM
i+nhFOCOXomKSbJAaoQZnpGY4fFhk14UdM7EQ9CsEpvBu2CeZu2CibmDR8hPuGMV
-duy/LOSZsT0=
-=680o
+duy/LOSZsT2JATwEEwECACYCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAUCTXsW
+bAUJB4hcfAAKCRB8Qxt/+5CUhD+WCACMC2rvx+j17hlez6qvWMgu5GjRzJpYFLuc
+lGIn+BSyiNNChF79OnM/QkRMxy3bIkX01TAToZFlxDIFN8AAdZSSCOjnpcYRmoIx
+d5Tyn/yesRR0v9UuxGzLywhb23NurZj892Mwgo73WEwKkCaTpnRNKtV4TEDRF3i6
+Q0KD9ca/HF2L/hzOx2nJT2fcAAnbeVpwQ7uohSWY8aUn5NNGmcCWngOeaTyap5hj
+3IipYluuwlHJ10uQncXmqSmYJBhlqGpE4f3pQwjDQKAOXpP1GIzUM1Zjy8pA3AOt
+OAjT29bvK+tVmYJtdXFUqbVFazctbFcOyWRR9gYc3V5hNabHFXN1
+=7eUM
-----END PGP PUBLIC KEY BLOCK-----
<% if nodeinfo.has_key?('squeeze') and nodeinfo['squeeze'] %>
deb https://buildd.debian.org/apt/ squeeze main
+deb https://buildd.debian.org/apt/ lenny main
<% else %>
deb https://buildd.debian.org/apt/ lenny main
<% end %>
securiteinfo.hdb
vx.hdb
"
-
+unset mbl_dbs
require => Package["clamav-unofficial-sigs"],
source => [ "puppet:///modules/clamav/clamav-unofficial-sigs.conf" ]
;
+ "/var/lib/clamav/mbl.ndb":
+ ensure => absent,
+ ;
}
}
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
-factpath=$vardir/facts
+factpath=$vardir/lib/facter
pluginsync=true
# This is the default environment for all clients
environment=production
-#!/bin/sh
+#!/bin/bash
##
## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
##
if [ -e /proc/sys/kernel/modules_disabled ]; then
- echo 1 > /proc/sys/kernel/modules_disabled || true
+ ( sleep 60;
+ echo 1 > /proc/sys/kernel/modules_disabled || true
+ ) & disown
fi
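Review bot: The detached `( sleep 60; … ) & disown` keeps module loading enabled for a further minute after this script runs, and nothing in the file records why; a comment such as `# delay the lockdown so that modules still needed during boot can load; after this, no module can be loaded until reboot` would capture the presumed intent (confirm with the author). Because the write now happens in a background subshell, the `|| true` branch hides a failed write from everyone; `logger -t modules_disabled "could not set modules_disabled"` in that branch would at least leave a trace in syslog. The shebang change to bash is required by `disown`, which plain sh lacks.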
FileTest.exist?("/etc/rsyncd.conf")
end
end
+Facter.add("unbound") do
+ setcode do
+ FileTest.exist?("/usr/sbin/unbound") and
+ FileTest.exist?("/var/lib/unbound/root.key")
+ end
+end
"hp-health": ensure => installed;
"arrayprobe": ensure => installed;
}
- case extractnodeinfo($nodeinfo, 'squeeze') {
+ case getfromhash($nodeinfo, 'squeeze') {
true: {}
default: {
package {
---
-1und1-sec:
- - 195.20.242.64/26
- - 212.227.126.32/27
- - 2001:8d8:2:1::/64
1und1:
- - 2001:8d8:81:1520::/64
+ netrange:
+ - 87.106.0.0/16
+ - 2001:8d8:81:1520::/64
+ nameservers_break_dnssec: true
+ nameservers: [87.106.64.251, 195.20.224.99, 195.20.224.234]
+ # for i in `awk '$1=="nameserver" {print $2}' /etc/resolv.conf; [ -e /etc/unbound/unbound.conf ] && awk '$1=="forward-addr:" {print $2}' /etc/unbound/unbound.conf`; do dig +dnssec @$i -t ns . | grep RRSIG || echo BROKEN; echo;echo $i; echo;read; done
+1und1-sec:
+ netrange:
+ - 195.20.242.64/26
+ - 212.227.126.32/27
+ - 2001:8d8:2:1::/64
+ searchpaths: [debprivate-oneandone.debian.org]
+ nameservers_break_dnssec: true
+ nameservers: [195.20.224.99, 195.20.224.234, 87.106.64.251]
+accumu:
+ netrange:
+ - 130.236.0.0/14
+ - 2001:06B0:000E::/48
+ searchpaths: [debprivate-accumu.debian.org]
+ nameservers: [130.239.18.145, 130.239.1.90, 130.239.4.100]
+# Australian National University (ana.edu.au)
+ana:
+ netrange:
+ - 150.203.164.0/24
+ - 2001:388:1034:2900::64
+ nameservers_break_dnssec: true
+ nameservers: [150.203.1.10, 150.203.164.10, 150.203.164.9]
arm:
- - 217.140.96.58/29
+ netrange:
+ - 217.140.96.58/29
+ nameservers_break_dnssec: true
+ nameservers: [158.43.128.1, 217.140.108.113]
+br:
+ # University Federal do Parana (.br)
+ netrange:
+ - 200.17.192.0/19
+ nameservers: [200.17.202.1, 200.17.202.3]
+brainfood:
+ netrange:
+ - 70.103.162.0/24
+ searchpaths: [debprivate-brainfood.debian.org]
+ # all hosts have their own recursor
+ nameservers: []
+brown:
+ netrange:
+ - 128.148.0.0/16
+ # all hosts have their own recursor
+ nameservers: []
+carnet:
+ netrange:
+ - 193.198.0.0/16
+ nameservers_break_dnssec: true
+ nameservers: [161.53.160.3, 161.53.123.3]
csail:
- - 128.31.0.0/24
+ # mit
+ netrange:
+ - 128.31.0.0/24
+ searchpaths: [debprivate-csail.debian.org]
+ nameservers: [128.30.2.24, 128.30.2.25, 128.30.0.125]
+cst:
+ netrange:
+ - 213.188.99.208/28
+ nameservers: [213.157.0.194, 213.157.0.193]
darmstadt:
- - 82.195.75.64/26
- - 82.195.75.32/28
- - 2001:41b8:202:deb::/64
+ netrange:
+ - 82.195.75.64/26
+ - 82.195.75.32/28
+ - 2001:41b8:202:deb::/64
+ searchpaths: [debprivate-darmstadt.debian.org]
+ nameservers: [82.195.75.81, 82.195.66.249, 217.198.242.225]
dgi:
- - 93.94.130.128/26
+ netrange:
+ - 93.94.130.128/26
+ nameservers: [195.49.152.215, 195.49.152.213, 195.49.152.214]
+freenet:
+ netrange:
+ - 62.104.0.0/16
+ nameservers_break_dnssec: true
+ nameservers: [194.97.3.83, 62.104.64.3, 194.97.3.11]
ftcollins:
- - 192.25.206.0/24
+ netrange:
+ - 192.25.206.0/24
+ searchpaths: [debprivate-ftcollins.debian.org]
+ nameservers: [192.25.206.33, 192.25.206.57]
+ # only applicable for hosts that are recursive anyway:
+ allow_dns_query: [192.25.206.0/24]
grnet:
- - 194.177.211.192/27
- - 2001:648:2ffc:deb::/64
-nl:
- - 194.109.137.216/29
- - 2001:888:2000:12::/64
-osousl:
- - 140.211.166.0/25
- - 140.211.15.0/24
+ netrange:
+ - 194.177.211.192/27
+ - 2001:648:2ffc:deb::/64
+ searchpaths: [debprivate-grnet.debian.org]
+ nameservers: [194.177.210.10, 194.177.210.210]
+helsinki:
+ netrange:
+ - 193.167.160.0/23
+ # all hosts have their own recursor
+ nameservers: []
+isc:
+ netrange:
+ - 149.20.0.0/16
+ - 2001:4F8::/32
+ nameservers: [149.20.64.2, 204.152.184.67]
+nmmn:
+ netrange:
+ - 217.114.76.80/29
+ nameservers: [217.114.70.53, 217.114.77.53]
+osuosl:
+ netrange:
+ - 140.211.166.0/25
+ - 140.211.15.0/24
+ nameservers_break_dnssec: true
+ nameservers: [140.211.166.130, 140.211.166.131, 216.165.191.54]
sanger:
- - 193.62.202.24/29
+ netrange:
+ - 193.62.202.24/29
+ # broken with dnssec
+ # nameservers: [193.62.203.96, 193.62.203.97]
+ #resolvoptions: [single-request]
+ nameservers: [193.62.202.28, 193.62.202.29]
+ searchpaths: [debprivate-sanger.debian.org]
+ allow_dns_query: [193.62.202.24/29]
+rapidswitch:
+ netrange:
+ - 193.201.200.0/23
+ nameservers: [87.117.198.200, 87.117.237.100, 87.117.196.200]
sil:
- - 86.59.118.144/28
+ netrange:
+ - 86.59.118.144/28
+ searchpaths: [debprivate-sil.debian.org]
+ nameservers_break_dnssec: true
+ nameservers: [213.129.232.1, 213.129.226.2]
scanplus:
- - 212.211.132.0/26
- - 212.211.132.248/29
- - 2001:a78::/64
+ netrange:
+ - 212.211.132.0/26
+ - 212.211.132.248/29
+ - 2001:a78::/64
+ nameservers_break_dnssec: true
+ nameservers: [212.211.132.4, 212.75.32.4]
+snowman:
+ netrange:
+ - 72.66.115.54
+ nameservers: [10.10.1.1]
+telegrafxs4all:
+ netrange:
+ - 82.94.249.152/29
+ nameservers_break_dnssec: true
+ nameservers: [194.109.6.66]
ubcece:
- - 137.82.84.64/27
- - 206.12.19.0/24
+ netrange:
+ - 137.82.84.64/27
+ - 206.12.19.0/24
+ searchpaths: [debprivate-ubc.debian.org]
+ nameservers: [206.12.19.5, 137.82.1.1, 142.103.1.1]
+ allow_dns_query: [137.82.84.64/27, 206.12.19.0/24]
+ugent:
+ netrange:
+ - 157.193.0.0/16
+ nameservers: [157.193.40.42]
+umn:
+ netrange:
+ - 128.101.240.212
+ nameservers: [128.101.101.101, 134.84.84.84]
+utwente:
+ netrange:
+ - 130.89.0.0/16
+ - 2001:0610:1908::/48
+ # broken with dnssec
+ #nameservers: [130.89.2.2, 130.89.2.3]
+ nameservers: []
+xs4all:
+ netrange:
+ - 194.109.137.216/29
+ - 2001:888:2000:12::/64
ynic:
- - 144.32.168.64/28
----
+ netrange:
+ - 144.32.168.64/28
+ nameservers: [144.32.169.74, 144.32.169.75, 144.32.169.76]
+zivit:
+ netrange:
+ - 80.245.144.0/22
+ nameservers_break_dnssec: true
+ nameservers: [80.245.147.53, 80.245.147.54]
+
+# vim:set et:
+# vim:set sts=2 ts=2:
+# vim:set shiftwidth=2:
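Review bot: The `ana` netrange entry `2001:388:1034:2900::64` carries no prefix length, unlike every other IPv6 entry in the file, which end in `::/64`; if a /64 was intended it currently denotes a single host address and lookups against this hoster would miss the rest of the block, so it should be confirmed and, if so, changed to `2001:388:1034:2900::/64`. The `snowman` entry lists `10.10.1.1` as its only nameserver, an RFC 1918 address, which is fine only if the listed netrange is reachable to it; a short comment there like the ones on `brainfood` and `brown` would say so. Neither point is decidable from the diff alone.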
kassia.debian.org: Kassia (between 805 and 810 - bef. 867)
kaufmann.debian.org: Georg Friedrich Kauffmann (February 14th, 1679 - February 27th, 1735)
klecker.debian.org: Dedicated to Joel 'Espy' Klecker (1979 - July 11th, 2000)
- kokkonen.debian.org: November 13th, 1921 - October 1st, 1996)
+ kokkonen.debian.org: Joonas Kokkonen (November 13th, 1921 - October 1st, 1996)
krenek.debian.org: Ernst Krenek (August 23rd, 1900 - December 22nd, 1991)
lamb.debian.org: John David Lamb (b. 1935)
lafayette.debian.org: Eugenie Lafayette
poulenc.debian.org: Francis Jean Marcel Poulenc (January 7, 1899 - January 30, 1963)
powell.debian.org: Andrew Powell (b. April 18th, 1949)
praetorius.debian.org: Hieronymus Praetorius (August 10th, 1560 - January 27th, 1629)
- quantz.debian.org: Johann Joachim Quantz (January 30th, 1697 ? July 12th 1773)
+ quantz.debian.org: Johann Joachim Quantz (January 30th, 1697 - July 12th, 1773)
raff.debian.org: Joseph Joachim Raff (May 27th, 1822 - June 24th or 25th, 1882)
rautavaara.debian.org: Einojuhani Rautavaara (born October 9th, 1928)
ravel.debian.org: Joseph-Maurice Ravel (March 7th, 1875 - December 28th, 1937)
ries.debian.org: Franz Ries (April 7th, 1846 - January 20th, 1932)
rietz.debian.org: August Wilhelm Julius Rietz (December 28th, 1812 - September 12th, 1877)
rore.debian.org: Cipriano de Rore (occasionally Cypriano) (1515 or 1516 - between September 11 and September 20, 1565)
- rossini.debian.org: Gioachino Rossini (February 29, 1792 - November 13, 1868)
+ rossini.debian.org: Gioachino Rossini (February 29th, 1792 - November 13th, 1868)
saens.debian.org: Charles-Camille Saint-Saëns (October 9th, 1835 - December 16th, 1921)
- salieri.debian.org: Antonio Salieri (Legnago, 18 August 1750 - Vienna, 7 May 1825)
+ salieri.debian.org: Antonio Salieri (August 18th, 1750 - May 7th, 1825)
samosa.debian.org: The samosa is a stuffed pastry and a popular snack in South Asia, Southeast Asia, Central Asia, the Arabian Peninsula, throughout the Mediterranean (Greece), Southwest Asia, the Horn of Africa and North Africa.
+ santoro.debian.org: Cláudio Santoro (November 23rd, 1919 - March 27th, 1989)
scelsi.debian.org: Giacinto Scelsi (January 8th, 1905 - August 9th, 1988)
schein.debian.org: Johann Hermann Schein (January 20th, 1586 - November 19th, 1630)
schroeder.debian.org: Hermann Schroeder (March 26th, 1904 - October 7th, 1984)
schumann.debian.org: Robert Alexander Schumann (June 8th, 1810 - July 29th, 1856)
- schuetz.debian.org: Heinrich Schütz (October 8 (JC), 1585 - November 6, 1672)
+ schuetz.debian.org: Heinrich Schütz (October 8th, 1585 - November 6th, 1672)
senfl.debian.org: Ludwig Senfl (~1490 - ~1543)
sibelius.debian.org: Jean Sibelius (December 8th, 1865 - September 20th, 1957)
smetana.debian.org: Bedřich Smetana (March 2nd, 1824 - May 12th, 1884)
- soler.debian.org: Padre Antonio Soler (December 3, 1729 (baptized) - December 20, 1783)
+ soler.debian.org: Padre Antonio Soler (December 3rd, 1729 (baptized) - December 20th, 1783)
sperger.debian.org: Johannes Matthias Sperger (March 23th, 1750 - May 13th, 1812)
spohr.debian.org: Louis Spohr (April 5th, 1784 - October 22nd, 1859)
spontini.debian.org: Gaspare Luigi Pacifico Spontini (November 14th, 1774 - January 24th, 1851)
steffani.debian.org: Agostino Steffani (July 25th, 1653 - February 12th, 1728)
tartini.debian.org: Giuseppe Tartini (April 8th, 1692 - February 26th, 1770)
tchaikovsky.debian.org: Pyotr Ilyich Tchaikovsky (Пётр Ильич Чайковский) (May 7th, 1840 - November 6th, 1893)
- traetta.debian.org: Tommaso Michele Francesco Saverio Traetta (30 March 1727 - 6 April 1779)
+ traetta.debian.org: Tommaso Michele Francesco Saverio Traetta (March 30th, 1727 - April 6th, 1779)
unger.debian.org: Caroline Unger (October 28th, 1803 - March 23th, 1877)
valente.debian.org: Vincenzo Valente (February 21st, 1855 - September 6th, 1921)
vitry.debian.org: Philippe de Vitry (October 31st, 1291 - June 9th, 1361)
- voltaire.debian.org
- zandonai.debian.org
squeeze:
+ - alkman.debian.org
- arne.debian.org
+ - barber.debian.org
+ - beethoven.debian.org
+ - biber.debian.org
+ - brahms.debian.org
- byrd.debian.org
+ - cilea.debian.org
- danzi.debian.org
+ - dijkstra.debian.org
+ - duarte.debian.org
+ - englund.debian.org
- fano.debian.org
- fasch.debian.org
- field.debian.org
- finzi.debian.org
+ - geo1.debian.org
+ - geo2.debian.org
+ - heininen.debian.org
- kassia.debian.org
+ - kaufmann.debian.org
+ - krenek.debian.org
- lamb.debian.org
+ - lindberg.debian.org
- locke.debian.org
- lotti.debian.org
+ - luchesi.debian.org
+ - merikanto.debian.org
+ - murphy.debian.org
- nono.debian.org
- - quantz.debian.org
- piatti.debian.org
+ - quantz.debian.org
- raff.debian.org
- rautavaara.debian.org
- reger.debian.org
- rem.debian.org
+ - ries.debian.org
+ - rietz.debian.org
- rossini.debian.org
- salieri.debian.org
- santoro.debian.org
- scelsi.debian.org
+ - schein.debian.org
- schuetz.debian.org
- sibelius.debian.org
+ - smetana.debian.org
- spohr.debian.org
- tchaikovsky.debian.org
+ - traetta.debian.org
+ - unger.debian.org
+ - vitry.debian.org
+ - wieck.debian.org
smarthost:
abel.debian.org: mailout.debian.org
agnesi.debian.org: mailout.debian.org
- escher.debian.org
- fano.debian.org
- malo.debian.org
+ entropy_key:
+ - heininen.debian.org
+ - englund.debian.org
+ - rautavaara.debian.org
+ - salieri.debian.org
# reservedaddrs:
# ball.debian.org: "0.0.0.0/8 : 127.0.0.0/8 : 169.254.0.0/16 : 172.16.0.0/12 : 192.0.0.0/17 : 192.168.0.0/16 : 224.0.0.0/4 : 240.0.0.0/5 : 248.0.0.0/5"
---
refreshonly => true,
}
- case extractnodeinfo($nodeinfo, 'mail_port') {
+ case getfromhash($nodeinfo, 'mail_port') {
/^(\d+)$/: { $mail_port = $1 }
default: { $mail_port = 'smtp' }
}
end
mxregex = Regexp.new('^\d+\s+(.*)\.$')
-mxinfo.keys.sort.each do |host|
- mxinfo[host]['mXRecord'].each do |mx|
+allnodeinfo.keys.sort.each do |host|
+ next unless allnodeinfo[host]['mXRecord']
+ allnodeinfo[host]['mXRecord'].each do |mx|
mxmatch = mxregex.match(mx)
if mxmatches.include?(mxmatch[1])
route = host + ":\t\t" + host
$munin_ips: script => "ip_";
}
- case extractnodeinfo($nodeinfo, 'buildd') {
+ case getfromhash($nodeinfo, 'buildd') {
true: {
file {
"/etc/ferm/conf.d/load_ftp_conntrack.conf":
}
}
- abel,alwyn: {
+ abel,alwyn,rietz: {
@ferm::rule { "dsa-tftp":
description => "Allow tftp access",
rule => "&SERVICE(udp, 69)"
proto (tcp udp) mod state state (NEW) dport $port ACCEPT;
}
+@def &TCP_UDP_SERVICE_RANGE($port, $srange) = {
+ proto (tcp udp) mod state state (NEW) dport $port @subchain "$port" { saddr ($srange) ACCEPT; }"
+}
+
@def $HOST_MAILRELAY_V4 = (<%=
mailrelay = []
localinfo.keys.sort.each do |node|
if localinfo[node]['mailrelay']
- keyinfo[node]['ipHostNumber'].each do |ip|
+ allnodeinfo[node]['ipHostNumber'].each do |ip|
next if ip =~ /:/
mailrelay << ip
end
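Review bot: The new `&TCP_UDP_SERVICE_RANGE` definition ends its body line with a stray double quote, `{ saddr ($srange) ACCEPT; }"`, which the existing `&TCP_UDP_SERVICE` definition just above does not have; an unbalanced quote is a parse error for ferm, and on a firewall host a failed ruleset load is the worst outcome. The line should read `proto (tcp udp) mod state state (NEW) dport $port @subchain "$port" { saddr ($srange) ACCEPT; }`. A one-line comment above the def stating that `$srange` is the set of source addresses allowed to reach `$port` would help readers, since the name alone does not say it.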
mailrelay = []
localinfo.keys.sort.each do |node|
if localinfo[node]['mailrelay']
- keyinfo[node]['ipHostNumber'].each do |ip|
+ allnodeinfo[node]['ipHostNumber'].each do |ip|
next if ip =~ /\./
mailrelay << ip
end
nagii = []
localinfo.keys.sort.each do |node|
if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient']
- keyinfo[node]['ipHostNumber'].each do |ip|
+ allnodeinfo[node]['ipHostNumber'].each do |ip|
next if ip =~ /:/
nagii << ip
end
nagii = []
localinfo.keys.sort.each do |node|
if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient']
- keyinfo[node]['ipHostNumber'].each do |ip|
+ allnodeinfo[node]['ipHostNumber'].each do |ip|
next if ip =~ /\./
nagii << ip
end
munins = []
localinfo.keys.sort.each do |node|
if localinfo[node]['muninmaster']
- keyinfo[node]['ipHostNumber'].each do |ip|
+ allnodeinfo[node]['ipHostNumber'].each do |ip|
next if ip =~ /:/
munins << ip
end
munins = []
localinfo.keys.sort.each do |node|
if localinfo[node]['muninmaster']
- keyinfo[node]['ipHostNumber'].each do |ip|
+ allnodeinfo[node]['ipHostNumber'].each do |ip|
next if ip =~ /\./
munins << ip
end
dbs = []
localinfo.keys.sort.each do |node|
if localinfo[node]['dbmaster']
- keyinfo[node]['ipHostNumber'].each do |ip|
+ allnodeinfo[node]['ipHostNumber'].each do |ip|
next if ip =~ /\./
dbs << ip
end
dbs = []
localinfo.keys.sort.each do |node|
if localinfo[node]['dbmaster']
- keyinfo[node]['ipHostNumber'].each do |ip|
+ allnodeinfo[node]['ipHostNumber'].each do |ip|
next if ip =~ /:/
dbs << ip
end
@def $HOST_DEBIAN_V4 = (<%=
dbs = []
- keyinfo.keys.sort.each do |node|
- next unless keyinfo[node].has_key?('ipHostNumber')
- keyinfo[node]['ipHostNumber'].each do |ip|
+ allnodeinfo.keys.sort.each do |node|
+ next unless allnodeinfo[node].has_key?('ipHostNumber')
+ allnodeinfo[node]['ipHostNumber'].each do |ip|
next if ip =~ /:/
dbs << ip
end
@def $HOST_DEBIAN_V6 = (<%=
dbs = []
- keyinfo.keys.sort.each do |node|
- next unless keyinfo[node].has_key?('ipHostNumber')
- keyinfo[node]['ipHostNumber'].each do |ip|
+ allnodeinfo.keys.sort.each do |node|
+ next unless allnodeinfo[node].has_key?('ipHostNumber')
+ allnodeinfo[node]['ipHostNumber'].each do |ip|
next if ip =~ /\./
dbs << ip
end
@def $zobel = ($zobel 87.139.82.80/32); # exit.credativ.com
@def $zobel = ($zobel 87.193.134.192/27); # credativ qsc
@def $zobel = ($zobel 78.47.2.104/29); # baldur, bragi, saga
-@def $luca = ();
+@def $luca = (64.71.152.109);
@def $DSA_IPS = ($sgran $weasel $zobel $luca);
@def $sgran6 = (2001:4b10:100b::/48);
str = ''
localinfo.keys.sort.each do |node|
if localinfo[node]['muninmaster']
- keyinfo[node]['ipHostNumber'].each do |ip|
+ allnodeinfo[node]['ipHostNumber'].each do |ip|
str += "allow ^" + ip.split('.').join('\.') + "$\n"
end
end
nagii = []
localinfo.keys.sort.each do |node|
if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient']
- nagii << keyinfo[node]['ipHostNumber']
+ nagii << allnodeinfo[node]['ipHostNumber']
end
end
country_TC;
country_TT;
country_US;
+ country_UY;
country_VC;
country_VG;
country_VI;
country_PE;
country_PY;
country_SR;
- country_UY;
country_VE;
};
str = ''
localinfo.keys.sort.each do |node|
if localinfo[node]['nagiosmaster']
- keyinfo[node]['ipHostNumber'].each do |ip|
+ allnodeinfo[node]['ipHostNumber'].each do |ip|
str += "\t" + ip + "/32;\n"
end
end
directory "/var/cache/bind";
auth-nxdomain no; # conform to RFC1035
+<% if classes.include?("named::geodns") -%>
+ listen-on { ! 127.0.0.1; any; };
+ listen-on-v6 { ! ::1; any; };
+<% else -%>
listen-on-v6 { any; };
+<% end -%>
allow-transfer { none; };
allow-update { none; };
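Review bot: On geodns nodes the new `listen-on { ! 127.0.0.1; any; };` and its v6 twin stop named from answering on loopback, so local lookups against 127.0.0.1 will no longer reach it, and the template does not say why; presumably another resolver is expected to own loopback on those hosts, but that should be written down, e.g. `# geodns hosts: leave loopback to the local recursor; named serves only external interfaces`. The `allow-transfer { none; };` and `allow-update { none; };` lines still apply to both branches, which is good; whether an `allow-query` restriction exists is outside the hunk.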
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
options lockd nlm_udpport=10003 nlm_tcpport=10003
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
# Number of servers to start up
RPCNFSDCOUNT=8
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS
-RPCMOUNTDOPTS="-p 10002"
+RPCMOUNTDOPTS="-p 10002 --manage-gids"
# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
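Review bot: Adding `--manage-gids` changes how rpc.mountd establishes group membership: the server resolves the user's supplementary groups itself instead of trusting the group list sent by the client in AUTH_SYS credentials (which is also limited to 16 groups), and the defaults file records only the port option's rationale. A comment such as `# --manage-gids: resolve supplementary groups on the server rather than trusting the client's list` would explain the choice. This only works as intended if the server can resolve the same accounts as the clients, which the diff does not show.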
ensure => directory,
;
}
- case extractnodeinfo($nodeinfo, 'timeserver') {
+ case getfromhash($nodeinfo, 'timeserver') {
true: { }
default: {
file {
if allowed_ports.length > 0
sshkey = getportforwarderkey(sourcehost)
- remote_ip = keyinfo[sourcehost]['ipHostNumber'].join(',')
+ remote_ip = allnodeinfo[sourcehost]['ipHostNumber'].join(',')
local_bind = '127.101.%d.%d'%[ (sourcehost.hash / 256 % 256), sourcehost.hash % 256 ]
lines << "# from #{sourcehost}"
module Puppet::Parser::Functions
- newfunction(:allnodeinfo, :type => :rvalue) do |attributes|
- attributes.unshift('*')
- return (function_ldapinfo(attributes))
+ newfunction(:allnodeinfo, :type => :rvalue) do |args|
+ begin
+ required = args.shift.split()
+ optional = args.shift.split()
+
+ allhosts = function_ldapinfo('*', *(required+optional) )
+ res = {}
+ allhosts.each_pair do |hostname, host|
+ # If a returned value doesn't have all the attributes we're searching for, skip
+ # We'll skip if the array is empty, but we also seem to get back a nil object for empty attributes sometimes
+ next if required.any?{ |a| not host[a] or host[a].empty? }
+ res[hostname] = host
+ end
+
+ return res
+ rescue => e
+ raise Puppet::ParseError, "Error in allnodeinfo: #{e.message}\n#{e.backtrace}"
+ end
end
end
+# vim:set et:
+# vim:set sts=2 ts=2:
+# vim:set shiftwidth=2:
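Review bot: The new calling convention — two space-separated attribute strings, required then optional — is not validated or documented: a third argument is silently ignored and a missing second one fails with a NoMethodError from `nil.split` that is only surfaced as a generic "Error in allnodeinfo" message. Adding `raise Puppet::ParseError, "allnodeinfo(required, optional) takes 2 arguments, got #{args.length}" unless args.length == 2` before the `shift` calls, plus a header comment stating that hosts lacking any required attribute are dropped from the result while optional ones may be absent, would make the contract explicit. In the rescue, `#{e.backtrace}` interpolates the array with `to_s`, whose format differs between Ruby 1.8 and 1.9; `e.backtrace.join("\n")` is unambiguous.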
+++ /dev/null
-module Puppet::Parser::Functions
- newfunction(:extractnodeinfo, :type => :rvalue) do |args|
-
- nodeinfo = args.shift
-
- ni = nodeinfo
- keys_done = []
-
- args.each do |key|
- raise Puppet::ParseError, "nodeinfo is not a hash at #{keys_done.join('->')}" unless ni.kind_of?(Hash)
- unless ni.has_key?(key)
- ni = false
- break
- end
- ni = ni[key]
- keys_done << key
- end
- return ni
- end
-end
-# vim:set et:
-# vim:set sts=2 ts=2:
-# vim:set shiftwidth=2:
--- /dev/null
+module Puppet::Parser::Functions
+ # given an array of network addresses, return only the ipv4 addresses
+ newfunction(:filter_ipv4, :type => :rvalue) do |args|
+ x = args.shift
+
+ raise Puppet::ParseError, "Argument is not an array." unless x.kind_of?(Array)
+ return x.reject{ |x| x =~ /:/}
+ end
+end
+# vim:set et:
+# vim:set sts=2 ts=2:
+# vim:set shiftwidth=2:
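Review bot: The block parameter `x` in `x.reject{ |x| x =~ /:/}` shadows the argument `x`, and under Ruby 1.8 block parameters are the outer local, so the loop overwrites the argument variable; it is harmless here only because the result is returned directly, but `return x.reject { |addr| addr =~ /:/ }` avoids the trap and the 1.9 shadowing warning. The same shadowing appears in the `filter_ipv6` file that follows. The classification is purely "contains a colon", so an IPv4-mapped address such as `::ffff:…` would be treated as IPv6; if such values can occur in ipHostNumber that deserves a comment on the function.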
--- /dev/null
+module Puppet::Parser::Functions
+ # given an array of network addresses, return only the ipv6 addresses
+ newfunction(:filter_ipv6, :type => :rvalue) do |args|
+ x = args.shift
+
+ raise Puppet::ParseError, "Argument is not an array." unless x.kind_of?(Array)
+ return x.reject{ |x| x !~ /:/}
+ end
+end
+# vim:set et:
+# vim:set sts=2 ts=2:
+# vim:set shiftwidth=2:
--- /dev/null
+module Puppet::Parser::Functions
+ newfunction(:getfromhash, :type => :rvalue) do |args|
+ x = args.shift
+ keys = args
+ keys_done = []
+
+ # allows getting of hash[key] or even hash[key1][key2] etc.
+ keys.each do |key|
+ raise Puppet::ParseError, "argument[#{keys_done.join('][')}] is not a hash." unless x.kind_of?(Hash)
+ unless x.has_key?(key)
+ x = false
+ break
+ end
+ x = x[key]
+ keys_done << key
+ end
+
+ return x
+ end
+end
+# vim:set et:
+# vim:set sts=2 ts=2:
+# vim:set shiftwidth=2:
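Review bot: The function's contract is visible only from the loop: it returns `false` when any key along the path is absent (which the `case … { true: … default: … }` callers rely on) but raises `Puppet::ParseError` when an intermediate value is not a hash, and with no keys it returns the first argument unchanged. A header comment stating those three outcomes would save each caller from re-deriving them, e.g. `# getfromhash(hash, key1, key2, …): walk nested hashes; returns false if any key is missing, raises if a non-hash is reached`. For the top-level argument the error message comes out as `argument[] is not a hash.`; checking `x.kind_of?(Hash)` once before the loop with a dedicated message would read better.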
--- /dev/null
+module Puppet::Parser::Functions
+ # given an list, join with spaces
+ newfunction(:join_spc, :type => :rvalue) do |args|
+ x = args.shift
+
+ raise Puppet::ParseError, "Argument is not an array." unless x.kind_of?(Array)
+ return x.join(' ')
+ end
+end
+# vim:set et:
+# vim:set sts=2 ts=2:
+# vim:set shiftwidth=2:
filter = '(hostname=' + host + ')'
begin
ldap.search2('ou=hosts,dc=debian,dc=org', LDAP::LDAP_SCOPE_SUBTREE, filter, attrs=attributes, false, 0, 0, s_attr="hostname").each do |x|
- # If a returned value doesn't have all the attributes we're searching for, skip
- # We'll skip if the array is empty, but we also seem to get back a nil object for empty attributes sometimes
- unless attributes.include?("*")
- next if attributes.any?{ |a| not x[a] or x[a].empty? }
- end
results[x['hostname'][0]] = x
end
rescue LDAP::ResultError
module Puppet::Parser::Functions
newfunction(:nodeinfo, :type => :rvalue) do |args|
-
host = args[0]
yamlfile = args[1]
+ begin
+
+ require '/var/lib/puppet/lib/puppet/parser/functions/ldapinfo.rb'
+ require '/var/lib/puppet/lib/puppet/parser/functions/whohosts.rb'
- require '/var/lib/puppet/lib/puppet/parser/functions/ldapinfo.rb'
+ nodeinfo = function_yamlinfo(host, yamlfile)
+ nodeinfo['ldap'] = function_ldapinfo(host, '*')
+ unless nodeinfo['ldap']['ipHostNumber']
+ raise Puppet::ParseError, "Host #{host} does not have ipHostNumber values in ldap"
+ end
+ nodeinfo['hoster'] = function_whohosts(nodeinfo['ldap']['ipHostNumber'], "/etc/puppet/modules/debian-org/misc/hoster.yaml")
- results = function_yamlinfo(host, yamlfile)
- results['ldap'] = function_ldapinfo(host, '*')
+ nodeinfo['misc'] = {}
+ fqdn = lookupvar('fqdn')
+ if fqdn and fqdn == host
+ v4ips = lookupvar('v4ips')
+ if v4ips
+ nodeinfo['misc']['v4addrs'] = v4ips.split(',')
- results['misc'] = {}
- fqdn = lookupvar('fqdn')
- if fqdn and fqdn == host
- v4ips = lookupvar('v4ips')
- if v4ips
- # find out if we are behind nat
- v4addrs = v4ips.split(',')
- intersection = v4addrs & results['ldap']['ipHostNumber']
- results['misc']['natted'] = intersection.empty?
+ # find out if we are behind nat
+ intersection = nodeinfo['misc']['v4addrs'] & nodeinfo['ldap']['ipHostNumber']
+ nodeinfo['misc']['natted'] = intersection.empty?
+ end
+
+ v6ips = lookupvar('v6ips')
+ if v6ips and v6ips != "no"
+ nodeinfo['misc']['v6addrs'] = v6ips.split(',')
+ end
end
- end
- return(results)
+ if not nodeinfo['hoster']['nameservers'] or nodeinfo['hoster']['nameservers'].empty?
+ # no nameservers known for this hoster
+ nodeinfo['misc']['resolver-recursive'] = true
+
+ if nodeinfo['hoster']['allow_dns_query']
+ raise Puppet::ParseError, "No nameservers listed for #{nodeinfo['hoster']['name']} yet we should answer somebody's queries? That makes no sense."
+ end
+ elsif (nodeinfo['misc']['v4addrs'] and (nodeinfo['hoster']['nameservers'] & nodeinfo['misc']['v4addrs']).size > 0) or
+ (nodeinfo['misc']['v6addrs'] and (nodeinfo['hoster']['nameservers'] & nodeinfo['misc']['v6addrs']).size > 0)
+ # this host is listed as a nameserver at this location
+ nodeinfo['misc']['resolver-recursive'] = true
+
+ if not nodeinfo['hoster']['allow_dns_query'] or nodeinfo['hoster']['allow_dns_query'].empty?
+ raise Puppet::ParseError, "Host #{host} is listed as a nameserver for #{nodeinfo['hoster']['name']} but no allow_dns_query networks are defined for this location"
+ end
+ else
+ nodeinfo['misc']['resolver-recursive'] = false
+ end
+
+ return(nodeinfo)
+ rescue => e
+ raise Puppet::ParseError, "Error in nodeinfo for node #{host}, yamlfile #{yamlfile}: #{e.message}\n#{e.backtrace}"
+ end
end
end
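Review bot: The blanket `rescue => e` at the end also catches the `Puppet::ParseError`s raised deliberately earlier in the block and re-wraps them, and `#{e.backtrace}` interpolates an Array, whose string form differs between Ruby versions (frames run together on 1.8, `inspect` output on 1.9). Add a `rescue Puppet::ParseError` arm that simply re-raises, and make the generic arm `raise Puppet::ParseError, "Error in nodeinfo for node #{host}, yamlfile #{yamlfile}: #{e.class}: #{e.message}\n#{e.backtrace.join("\n")}"`. Note that `v4addrs`/`v6addrs`, and therefore the `resolver-recursive` decision that later opens port 53 in unbound.pp, are derived from the agent-reported `v4ips`/`v6ips` facts; that is acceptable for a host deciding about itself, but a comment at `fqdn = lookupvar('fqdn')` such as `# agent-reported facts: only used to describe this node to itself, not as an authoritative address source` would stop them being reused elsewhere.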
require 'ipaddr'
require 'yaml'
- nodeinfo = args[0]
+ ipAddrs = args[0]
yamlfile = args[1]
parser.watch_file(yamlfile)
$KCODE = 'utf-8'
- ans = "unknown"
+ ans = {"name" => "unknown"}
yaml = YAML.load_file(yamlfile)
- if (nodeinfo['ldap'].has_key?('ipHostNumber'))
- nodeinfo['ldap']['ipHostNumber'].each do |addr|
- yaml.keys.each do |hoster|
- yaml[hoster].each do |net|
+ ipAddrs.each do |addr|
+ yaml.keys.each do |hoster|
+ if yaml[hoster].kind_of?(Hash) and yaml[hoster].has_key?('netrange')
+ netrange = yaml[hoster]['netrange']
+ else
+ next
+ end
+
+ netrange.each do |net|
+ begin
if IPAddr.new(net).include?(addr)
- ans = hoster
+ ans = yaml[hoster]
+ ans['name'] = hoster
end
+ rescue => e
+ raise Puppet::ParseError, "Error while trying to match addr #{addr} for net #{net}: #{e.message}\n#{e.backtrace}"
end
end
end
return ans
end
end
+# vim:set ts=2:
+# vim:set et:
+# vim:set shiftwidth=2:
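Review bot: Nothing stops the loops after a match, so when a host's addresses fall inside the netranges of more than one hoster the result is whichever hoster the `yaml.keys.each` iteration happens to visit last — an order that is not guaranteed on older Rubies — and that choice goes on to select the nameservers and `allow_dns_query` networks used for the host's resolver and firewall rules. Make the ambiguity an error by adding, just before `ans = yaml[hoster]`, `raise Puppet::ParseError, "addr #{addr} matches hoster #{hoster} but another address already matched #{ans['name']}" if ans['name'] != 'unknown' and ans['name'] != hoster`. The `next` silently skips hosters without a `netrange` key; a comment there stating that a hoster entry may legitimately carry only nameserver metadata would make that intentional rather than accidental. The enclosing function's header lies above this hunk.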
<%=
nameservers = []
searchpaths = []
-resolvconf = ''
+options = []
-case hoster
- when "darmstadt" then
- case hostname
- when "draghi", "liszt" then
- nameservers << "127.0.0.1"
- end
- nameservers += ["82.195.75.81", "82.195.66.249", "217.198.242.225"]
- searchpaths << "debprivate-darmstadt.debian.org"
- when "dgi" then
- case hostname
- when "widor" then
- nameserver << "127.0.0.1"
- end
- nameservers += ["195.49.152.215", "195.49.152.213", "195.49.152.214"]
- when "ftcollins" then
- case hostname
- when "spohr", "samosa" then
- nameservers << "127.0.0.1"
- end
- nameservers += ["192.25.206.33", "192.25.206.57"]
- searchpaths << "debprivate-ftcollins.debian.org"
- when "grnet" then
- nameservers += ["194.177.210.10", "194.177.210.210"]
- searchpaths << "debprivate-grnet.debian.org"
- when "osousl" then
- nameserver += ["140.211.166.130","140.211.166.131"]
- when "ubcece" then
- nameservers += ["206.12.19.5", "137.82.1.1", "142.103.1.1" ]
- searchpaths << "debprivate-ubc.debian.org"
+if %w{draghi liszt spohr}.include?(hostname)
+ nameservers << "127.0.0.1"
end
+nameservers += nodeinfo['hoster']['nameservers'] if nodeinfo['hoster']['nameservers']
+searchpaths += nodeinfo['hoster']['searchpaths'] if nodeinfo['hoster']['searchpaths']
+options += nodeinfo['hoster']['resolvoptions'] if nodeinfo['hoster']['resolvoptions']
+
searchpaths << "debian.org"
-if nameservers.empty?
- raise Puppet::ParseError, "Something has gone wrong writing resolv.conf: probably included for wrong hoster"
+resolvconf = ''
+resolvconf += "search " + searchpaths.join(" ") + "\n"
+
+if has_variable?('unbound') and unbound and unbound == "true"
+ resolvconf += "nameserver 127.0.0.1\n"
+else
+ if nameservers.empty?
+ #raise Puppet::ParseError, "Something has gone wrong writing resolv.conf. No nameservers to use!"
+ scope.function_warning(["Something has gone wrong writing resolv.conf. No nameservers to use - using google's!"])
+ nameservers << '8.8.8.8'
+ nameservers << '8.8.4.4'
+ end
+
+ nameservers.each do |ns|
+ resolvconf += "nameserver " + ns + "\n"
+ end
end
-resolvconf += "search " + searchpaths.join(" ") + "\n"
-nameservers.each do |ns|
- resolvconf += "nameserver " + ns + "\n"
+options.each do |opt|
+ resolvconf += "options " + opt + "\n"
end
resolvconf
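Review bot: The `nameservers.empty?` branch now silently points the host at Google's public resolvers (`8.8.8.8`, `8.8.4.4`) where the old template raised; a host reaching this path is one not running unbound, so all of its name resolution then depends on a third party outside the hoster's network with no local validation, and the only trace is a compile-time warning. Prefer to keep a hard failure, `raise Puppet::ParseError, "resolv.conf: no nameservers known for hoster #{nodeinfo['hoster']['name']}"`, or gate the fallback on an explicit per-host opt-in so it cannot happen merely because hoster.yaml lacks an entry. The hard-coded `%w{draghi liszt spohr}` list appears to duplicate knowledge that hoster.yaml's nameserver lists already carry; a comment saying why those three hosts are special-cased here would help until it can be derived from nodeinfo.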
file=/etc/mtab
file=/etc/ssh_random_seed
file=/etc/asound.conf
-<% case hoster when "ubcece", "darmstadt", "ftcollins", "grnet" then -%>
-<% else -%>
-file=/etc/resolv.conf
-<% end -%>
file=/etc/localtime
file=/etc/ioctl.save
file=/etc/passwd.backup
<% if classes.include?("named") -%>
file=/etc/bind/named.conf.options
<% end -%>
+file=/etc/apache2/conf.d/puppet-builddlist
#
# There are files in /etc that might change, thus changing the directory
##
## This file might be created or removed by the system sometimes.
##
-<% case hoster when "ubcece", "darmstadt", "ftcollins", "grnet" then -%>
file=/etc/resolv.conf
-<% end -%>
<% if nodeinfo['buildd'] -%>
file=/etc/dupload.conf
<% end -%>
# local admin
-<%= hosterkeys = case hoster
+<%= hosterkeys = case nodeinfo['hoster']['name']
when "ubcece" then
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvEEyxznxleAhk98K7SkAeAKWibijL5uFjIl1+tr8rz+XmFsjabTK2+hQXkgzmU+jqQ2+MPp6btfAq9Oe27GQYWUFfsAZMRb907dReFQYPKbPhQZoo5LUfkrCiR3tD0Nm2JfepTV0079K1+Q50EMImttwbI94FfSoSgTxgF4rCoLpUgmF0IHDR1+kTGow7YnuS1Y/I1zKAbofg8KBGXOLArkcZbxArt25Y2wlnE+ZHIb3Rn3pYc3/KmPPvEQy9IkR/uzzkWSaCBVMFJEO0ejjWrV4HR64GlKUPQ0CekSYn1EErY55CF5sWkasXhflluwSf7b+/jedDM1A1Vrp9Z/F8Q== chrisd"
end
<%= machine_keys = case fqdn
when "beethoven.debian.org" then
out = ''
- keyinfo.keys.sort.each do |node|
- out += '# ' + keyinfo[node]['hostname'].to_s + '
-command="/usr/lib/da-backup/da-backup-ssh-wrap ' + keyinfo[node]['hostname'].to_s + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="' + keyinfo[node]['ipHostNumber'].join(',') + '" ' + keyinfo[node]['sshRSAHostKey'].to_s + '
+ allnodeinfo.keys.sort.each do |node|
+ out += '# ' + allnodeinfo[node]['hostname'].to_s + '
+command="/usr/lib/da-backup/da-backup-ssh-wrap ' + allnodeinfo[node]['hostname'].to_s + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="' + allnodeinfo[node]['ipHostNumber'].join(',') + '" ' + allnodeinfo[node]['sshRSAHostKey'].to_s + '
'
end
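Review bot: `allnodeinfo[node]['ipHostNumber'].join(',')` raises NoMethodError at compile time if an entry carries no `ipHostNumber`, and `allnodeinfo[node]['sshRSAHostKey'].to_s` turns a missing key into an empty string, emitting an options-only line with no key into authorized_keys. Skip incomplete entries explicitly at the top of the loop: `next unless allnodeinfo[node]['ipHostNumber'] and allnodeinfo[node]['sshRSAHostKey']`. Because the `from=` list is the only thing restricting which hosts may invoke the backup wrapper, a comment noting that it is derived from LDAP `ipHostNumber` and must match the hosts' actual source addresses (hosts behind NAT, which nodeinfo.rb detects separately, may not) would help the next reader.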
%pkg_maint ALL=(pkg_user) ALL
%planet ALL=(planet) ALL
%popcon ALL=(popcon) ALL
+%search ALL=(search) ALL
%secretary ALL=(secretary) ALL
%sectracker ALL=(sectracker) ALL
%security SECHOSTS=(mail_security) ALL
--- /dev/null
+; debian.org DS record, July 2010'
+debian.org. IN DS 5283 7 2 3DC987A633914C195D03EA129E92327630D3428E92884A5E97829A55701F9E8A
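Review bot: The header comment `; debian.org DS record, July 2010'` has a stray trailing apostrophe and, unlike root.key, does not record where the DS digest was obtained or how it was cross-checked. This file seeds an `auto-trust-anchor-file` that unbound then maintains under RFC 5011 and that puppet never rewrites (`replace => false` in unbound.pp), so the initial value is the only point at which a human can verify it. Record the provenance, e.g. `; debian.org DS record, July 2010 - source: <PLACEHOLDER: where the DS was taken from and how it was verified>`.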
--- /dev/null
+; IANA root trust anchor, valid from 2010-07-15T00:00:00+00:00
+; downloaded from https://data.iana.org/root-anchors/root-anchors.xml
+. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
--- /dev/null
+class unbound {
+ package {
+ unbound: ensure => installed;
+ }
+
+ exec {
+ "unbound restart":
+ path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+ refreshonly => true,
+ ;
+ }
+ file {
+ "/var/lib/unbound":
+ ensure => directory,
+ owner => unbound,
+ group => unbound,
+ mode => 775,
+ ;
+ "/var/lib/unbound/root.key":
+ ensure => present,
+ replace => false,
+ owner => unbound,
+ group => unbound,
+ mode => 644,
+ source => [ "puppet:///modules/unbound/root.key" ],
+ ;
+ "/var/lib/unbound/debian.org.key":
+ ensure => present,
+ replace => false,
+ owner => unbound,
+ group => unbound,
+ mode => 644,
+ source => [ "puppet:///modules/unbound/debian.org.key" ],
+ ;
+ "/etc/unbound/unbound.conf":
+ content => template("unbound/unbound.conf.erb"),
+ require => [ Package["unbound"], File['/var/lib/unbound/root.key'], File['/var/lib/unbound/debian.org.key'] ],
+ notify => Exec["unbound restart"],
+ owner => root,
+ group => root,
+ ;
+ }
+
+ case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
+ true: {
+ case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
+ false: {}
+ default: {
+ @ferm::rule { "dsa-dns":
+ domain => "ip",
+ description => "Allow nameserver access",
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ @ferm::rule { "dsa-dns6":
+ domain => "ip6",
+ description => "Allow nameserver access",
+ rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ }
+ }
+ }
+ }
+}
+
+# vim:set et:
+# vim:set sts=4 ts=4:
+# vim:set shiftwidth=4:
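Review bot: `mode => 775` on `/var/lib/unbound` makes the directory group-writable although only the `unbound` user needs to write there (it must, since `auto-trust-anchor-file` rewrites the two key files under RFC 5011); `mode => 755,` is sufficient. The two trust-anchor resources carry `replace => false` with no explanation, and since that means puppet will never restore a modified anchor, the reason should be stated, e.g. `# seed only: unbound maintains this file via RFC 5011, so puppet must not overwrite it`. The `dsa-dns` rule interpolates `join_spc(filter_ipv4(...))` directly into ferm syntax, and filter_ipv4 only checks for the absence of a colon, so a malformed `allow_dns_query` entry in hoster.yaml surfaces as a ferm parse error on the host rather than a compile-time error on the master; validating each entry with `IPAddr.new` in nodeinfo.rb would fail early.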
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+server:
+ verbosity: 1
+
+<%=
+ out = []
+ if nodeinfo['misc']['resolver-recursive'] and nodeinfo['hoster']['allow_dns_query']
+ out << " interface: 0.0.0.0"
+ out << " interface: ::0"
+ out << ""
+ out << " interface-automatic: yes"
+
+ out << " access-control: 0.0.0.0/0 refuse"
+ out << " access-control: ::0/0 refuse"
+ out << " access-control: 127.0.0.0/8 allow"
+ out << " access-control: ::0/0 refuse"
+ out << " access-control: ::1 allow"
+ out << " access-control: ::ffff:127.0.0.1 allow"
+ nodeinfo['hoster']['allow_dns_query'].each do |net|
+ out << " access-control: #{net} allow"
+ end
+ end
+ out.join("\n")
+%>
+
+ #chroot: ""
+
+ hide-identity: yes
+ hide-version: yes
+
+ use-caps-for-id: yes
+
+ # Do not query the following addresses. No DNS queries are sent there.
+ # List one address per entry. List classless netblocks with /size,
+ # do-not-query-address: 127.0.0.1/8
+ # do-not-query-address: ::1
+
+ # if yes, the above default do-not-query-address entries are present.
+ # if no, localhost can be queried (for testing and debugging).
+ # do-not-query-localhost: yes
+
+ # File with trusted keys, kept uptodate using RFC5011 probes,
+ # initial file like trust-anchor-file, then it stores metadata.
+ # Use several entries, one per domain name, to track multiple zones.
+ # auto-trust-anchor-file: ""
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ auto-trust-anchor-file: "/var/lib/unbound/debian.org.key"
+
+<%=
+ out = []
+ if not nodeinfo['misc']['resolver-recursive'] and not nodeinfo['hoster']['nameservers_break_dnssec']
+ forwarders = nodeinfo['hoster']['nameservers']
+ forwarders ||= []
+
+ out << 'forward-zone:'
+ out << ' name: "."'
+ forwarders.each do |ns|
+ out << " forward-addr: #{ns}"
+ end
+ end
+ out.join("\n")
+%>