diff options
author | Micah Anderson <micah@riseup.net> | 2013-01-17 14:17:18 -0500 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2013-01-17 14:17:18 -0500 |
commit | ad3da4a59aebb6b7facc2e6616d8b81039b29892 (patch) | |
tree | e98ceaa4493febcfdad08b4743870d8f3a6e4bbc | |
parent | 03d2b1aec2a9ccd61f4804277c80541698f1dab8 (diff) |
unfortunately the version of unbound that is in wheezy does not support wildcard
include directives, so this commit works around this by doing something less
elegant than before. When we have the newer unbound available, we should switch
to that method instead.
-rw-r--r-- | puppet/modules/site_config/manifests/caching_resolver.pp | 15 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/resolver.pp | 20 |
2 files changed, 30 insertions, 5 deletions
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index e4374d8f..ab2f52d1 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -1,8 +1,14 @@ class site_config::caching_resolver { - # Setup a conf.d directory to place additional unbound configuration files - # there must be at least one file in the directory, or unbound will not - # start, so create an empty placeholder to ensure this + # Setup a conf.d directory to place additional unbound configuration files. + # There must be at least one file in the directory, or unbound will not start, + # so create an empty placeholder to ensure this. + + # Note: the version of unbound we are working with does not accept a wildcard + # for an include directive, so we are not able to use this. When we can use + # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the + # configuration file + file { '/etc/unbound/conf.d': ensure => directory, @@ -27,8 +33,7 @@ class site_config::caching_resolver { hide-identity => 'yes', hide-version => 'yes', harden-glue => 'yes', - access-control => [ '127.0.0.0/8 allow', '::1 allow' ], - include => '/etc/unbound/conf.d/*' + access-control => [ '127.0.0.0/8 allow', '::1 allow' ] } } } diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index 57a2d147..c8ef729c 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -1,5 +1,25 @@ class site_openvpn::resolver { + # this is an unfortunate way to get around the fact that the version of + # unbound we are working with does not accept a wildcard include directive + # (/etc/unbound/conf.d/*), when it does, these line definitions should + # go away and instead the caching_resolver should be configured to + # include: /etc/unbound/conf.d/* + + line { + 'add_tcp_resolver': + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', + notify => Service['unbound']; + + 'add_udp_resolver': + ensure => present, + file => '/etc/unbound/unbound.conf', + line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', + notify => Service['unbound']; + } + file { '/etc/unbound/conf.d/vpn_udp_resolver': content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n", |