From 8efc3cb29ac84aed50f87cc92ad50a6d21a10f8a Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 22 Sep 2019 20:53:33 +0200
Subject: [PATCH] No longer allow nagios to recurse on our binds
---
 data/common.yaml | 3 ---
 .../named/templates/named.conf.options.erb | 25 -------------------
 2 files changed, 28 deletions(-)
diff --git a/data/common.yaml b/data/common.yaml
index e2bb53b60..635f03ecc 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -54,9 +54,6 @@ apt::sources::debian::location: 'https://deb.debian.org/debian/'
 # all of these should be retired in favour of including the class role
 # with the host. weasel, 2019-09
 roles:
- nagiosmaster:
- # XXX - only used by bind ACLs
- - tchaikovsky.debian.org
 security_mirror:
 # XXX used also in ferm me.conf.erb
 mirror-anu.debian.org:
diff --git a/modules/named/templates/named.conf.options.erb b/modules/named/templates/named.conf.options.erb
index 83f1f638c..9f0398394 100644
--- a/modules/named/templates/named.conf.options.erb
+++ b/modules/named/templates/named.conf.options.erb
@@ -3,22 +3,6 @@
 // USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
 //
-acl Nagios {
-<%=
- roles = scope.lookupvar('deprecated::roles')
- str = ''
- roles['nagiosmaster'].each do |node|
- str += scope.lookupvar('deprecated::allnodeinfo')[node]['ipHostNumber'].collect do |ip|
- if ip =~ /:/
- "\t#{ip}/128;\n"
- else
- "\t#{ip}/32;\n"
- end
- end.join("")
- end
- str-%>
-};
-
 options {
 directory "/var/cache/bind";
@@ -32,15 +16,6 @@ options {
 blackhole { 192.168.0.0/16; 10.0.0.0/8; 172.16.0.0/12; };
 <% end -%>
-<%=
- allowed='Nagios; '
-
- str = "\tallow-recursion { " + allowed + " };\n"
- str += "\tallow-query { " + allowed + " };\n"
-
- str
--%>
-
 dnssec-enable yes;
 dnssec-validation yes;
--
2.20.1