authorMicah Anderson <micah@riseup.net>2013-01-17 14:17:18 -0500
committerMicah Anderson <micah@riseup.net>2013-01-17 14:17:18 -0500
commitad3da4a59aebb6b7facc2e6616d8b81039b29892 (patch)
treee98ceaa4493febcfdad08b4743870d8f3a6e4bbc
parent03d2b1aec2a9ccd61f4804277c80541698f1dab8 (diff)
Unfortunately, the version of unbound that is in wheezy does not support wildcard
include directives, so this commit works around this with something less elegant than before. When we have the newer unbound available, we should switch to that method instead.
-rw-r--r--puppet/modules/site_config/manifests/caching_resolver.pp15
-rw-r--r--puppet/modules/site_openvpn/manifests/resolver.pp20
2 files changed, 30 insertions, 5 deletions
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index e4374d8f..ab2f52d1 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -1,8 +1,14 @@
class site_config::caching_resolver {
- # Setup a conf.d directory to place additional unbound configuration files
- # there must be at least one file in the directory, or unbound will not
- # start, so create an empty placeholder to ensure this
+ # Setup a conf.d directory to place additional unbound configuration files.
+ # There must be at least one file in the directory, or unbound will not start,
+ # so create an empty placeholder to ensure this.
+
+ # Note: the version of unbound we are working with does not accept a wildcard
+ # for an include directive, so we are not able to use this. When we can use
+ # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the
+ # configuration file
+
file {
'/etc/unbound/conf.d':
ensure => directory,
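Review bot: The new "Note:" comment names the future include path as `/etc/unbound.d/*`, but the directory this class creates and the path used everywhere else in the change is `/etc/unbound/conf.d/*`, so a reader following the comment later would point the include at the wrong directory; suggest `# the newer unbound, then we will add 'include: /etc/unbound/conf.d/*' to the`. The paragraph above it still justifies the empty placeholder file by the wildcard include that this commit removes from the server block, so if the placeholder exists only for that reason the comment (and possibly the placeholder itself) no longer describe why the directory is populated. The `file` resource continues past the end of the hunk.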
@@ -27,8 +33,7 @@ class site_config::caching_resolver {
hide-identity => 'yes',
hide-version => 'yes',
harden-glue => 'yes',
- access-control => [ '127.0.0.0/8 allow', '::1 allow' ],
- include => '/etc/unbound/conf.d/*'
+ access-control => [ '127.0.0.0/8 allow', '::1 allow' ]
}
}
}
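Review bot: With `include` dropped from this server block, the VPN interface and access-control entries under /etc/unbound/conf.d are only reached through the `line` resources added in site_openvpn/manifests/resolver.pp, which append `server: include: …` lines to /etc/unbound/unbound.conf, and nothing visible here orders those against whatever writes unbound.conf from these settings. If unbound.conf is rendered from this hash on every run, the appended lines would be removed and re-added each agent run with a service notification every time; if it is not, a fresh host could get the include line before the conf.d file exists, which unbound may reject at start. A `require` on the conf.d file resources plus an explicit ordering against the unbound.conf resource would make that dependency visible; I cannot confirm the rendering mechanism from this hunk. The remaining `access-control` is now the only ACL this class defines, so a host where site_openvpn::resolver is not applied answers only on loopback, which is the safe default.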
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index 57a2d147..c8ef729c 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -1,5 +1,25 @@
class site_openvpn::resolver {
+ # this is an unfortunate way to get around the fact that the version of
+ # unbound we are working with does not accept a wildcard include directive
+ # (/etc/unbound/conf.d/*), when it does, these line definitions should
+ # go away and instead the caching_resolver should be configured to
+ # include: /etc/unbound/conf.d/*
+
+ line {
+ 'add_tcp_resolver':
+ ensure => present,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver',
+ notify => Service['unbound'];
+
+ 'add_udp_resolver':
+ ensure => present,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver',
+ notify => Service['unbound'];
+ }
+
file {
'/etc/unbound/conf.d/vpn_udp_resolver':
content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n",