summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMicah Anderson <micah@riseup.net>2013-01-16 13:08:24 -0500
committerMicah Anderson <micah@riseup.net>2013-01-16 13:08:24 -0500
commit4e0021dede8aae43760b3e9a4b2317c3ed4c1e0d (patch)
treec089b4373a1f8eca2b7586e4941eaa4d54008a04
parent06757bf230dc616832cf2eb560ee9c1570cc1a07 (diff)
Swtich from bind9 as the local caching resolver to unbound. This will enable us
to do tor lookups over DNS on servers, if tor services are defined. To do this, we remove the bind9 configurations from site_config::resolvconf.pp and replace it with site_config::caching_resolver with a basic unbound configuration that can be used everywhere. The unbound configuration enables a /etc/unbound/conf.d directory for additional config snippits that can be dropped in from other places. This will be used for setting up different interfaces in the vpn gateway, for example. There will be a set of transition package/file absent blocks to clean up providers.
-rw-r--r--puppet/modules/site_config/files/bind98
-rw-r--r--puppet/modules/site_config/files/named.conf.options6
-rw-r--r--puppet/modules/site_config/manifests/caching_resolver.pp35
-rw-r--r--puppet/modules/site_config/manifests/init.pp3
-rw-r--r--puppet/modules/site_config/manifests/resolvconf.pp14
-rw-r--r--puppet/modules/site_unbound/manifests/init.pp19
6 files changed, 42 insertions, 43 deletions
diff --git a/puppet/modules/site_config/files/bind9 b/puppet/modules/site_config/files/bind9
deleted file mode 100644
index 50d8ed14..00000000
--- a/puppet/modules/site_config/files/bind9
+++ /dev/null
@@ -1,8 +0,0 @@
-# managed by puppet
-
-# run resolvconf?
-RESOLVCONF=no
-
-# startup options for the server
-OPTIONS="-u bind -4"
-
diff --git a/puppet/modules/site_config/files/named.conf.options b/puppet/modules/site_config/files/named.conf.options
deleted file mode 100644
index 47df6c5d..00000000
--- a/puppet/modules/site_config/files/named.conf.options
+++ /dev/null
@@ -1,6 +0,0 @@
-options {
- allow-query { 127.0.0.1; };
- allow-transfer { none; };
- listen-on { 127.0.0.1; };
-};
-
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
new file mode 100644
index 00000000..e4374d8f
--- /dev/null
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -0,0 +1,35 @@
+class site_config::caching_resolver {
+
+ # Setup a conf.d directory to place additional unbound configuration files
+ # there must be at least one file in the directory, or unbound will not
+ # start, so create an empty placeholder to ensure this
+ file {
+ '/etc/unbound/conf.d':
+ ensure => directory,
+ owner => root, group => root, mode => '0755';
+
+ '/etc/unbound/conf.d/placeholder':
+ ensure => present,
+ content => '',
+ owner => root, group => root, mode => '0644';
+ }
+
+ class { 'unbound':
+ root_hints => false,
+ anchor => false,
+ ssl => false,
+ require => File['/etc/unbound/conf.d/placeholder'],
+ settings => {
+ server => {
+ verbosity => '1',
+ interface => [ '127.0.0.1', '::1' ],
+ port => '53',
+ hide-identity => 'yes',
+ hide-version => 'yes',
+ harden-glue => 'yes',
+ access-control => [ '127.0.0.0/8 allow', '::1 allow' ],
+ include => '/etc/unbound/conf.d/*'
+ }
+ }
+ }
+}
diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp
index 69ff2523..f05bca1c 100644
--- a/puppet/modules/site_config/manifests/init.pp
+++ b/puppet/modules/site_config/manifests/init.pp
@@ -13,6 +13,9 @@ class site_config {
# configure /etc/resolv.conf
include site_config::resolvconf
+ # configure caching, local resolver
+ include site_config::caching_resolver
+
# configure /etc/hosts
stage { 'initial':
before => Stage['main'],
diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp
index 78f83a62..3579aaf2 100644
--- a/puppet/modules/site_config/manifests/resolvconf.pp
+++ b/puppet/modules/site_config/manifests/resolvconf.pp
@@ -2,28 +2,22 @@ class site_config::resolvconf {
# bind9
package { 'bind9':
- ensure => installed,
+ ensure => absent,
}
service { 'bind9':
- ensure => running,
+ ensure => stopped,
require => Package['bind9'],
}
file { '/etc/default/bind9':
- source => 'puppet:///modules/site_config/bind9',
- require => Package['bind9'],
- notify => Service['bind9'],
+ ensure => absent;
}
file { '/etc/bind/named.conf.options':
- source => 'puppet:///modules/site_config/named.conf.options',
- require => Package['bind9'],
- notify => Service['bind9'],
+ ensure => absent;
}
-
-
$domain_hash = hiera('domain')
$domain_public = $domain_hash['public']
diff --git a/puppet/modules/site_unbound/manifests/init.pp b/puppet/modules/site_unbound/manifests/init.pp
deleted file mode 100644
index a968ac62..00000000
--- a/puppet/modules/site_unbound/manifests/init.pp
+++ /dev/null
@@ -1,19 +0,0 @@
-class site_unbound {
-
- class { 'unbound':
- root_hints => false,
- anchor => false,
- ssl => false,
- settings => {
- server => {
- verbosity => '1',
- interface => [ '127.0.0.1', '::1' ],
- port => '53',
- hide-identity => 'yes',
- hide-version => 'yes',
- harden-glue => 'yes',
- access-control => [ '127.0.0.0/8 allow', '::1 allow' ]
- }
- }
- }
-}