author | Micah <micah@leap.se> | 2016-05-24 10:19:33 -0400 |
---|---|---|
committer | Micah <micah@leap.se> | 2016-05-24 10:19:33 -0400 |
commit | c9be0212c9e45f609d299f5fbdf8f13a63747be6 (patch) | |
tree | 943935add27bb5b1a159cfdb46225f4c1f9014ba /manifests |
Squashed 'puppet/modules/unbound/' content from commit a26b91d
git-subtree-dir: puppet/modules/unbound
git-subtree-split: a26b91dfea3189e6777629fa00d54f51dc41f4d4
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/anchor.pp | 26 | ||||
-rw-r--r-- | manifests/forward.pp | 32 | ||||
-rw-r--r-- | manifests/init.pp | 117 | ||||
-rw-r--r-- | manifests/package.pp | 15 | ||||
-rw-r--r-- | manifests/params.pp | 42 | ||||
-rw-r--r-- | manifests/root_hints.pp | 35 | ||||
-rw-r--r-- | manifests/service.pp | 22 | ||||
-rw-r--r-- | manifests/service/openbsd.pp | 21 | ||||
-rw-r--r-- | manifests/ssl.pp | 25 | ||||
-rw-r--r-- | manifests/stub.pp | 32 |
10 files changed, 367 insertions, 0 deletions
diff --git a/manifests/anchor.pp b/manifests/anchor.pp
new file mode 100644
index 00000000..e890722e
--- /dev/null
+++ b/manifests/anchor.pp
@@ -0,0 +1,26 @@
+# == Class: unbound::anchor
+#
+# The unbound::anchor class manages the "root.key" file, and creates it with
+# the unbound-anchor program.
+#
+# === Examples
+#
+# include unbound::anchor
+#
+class unbound::anchor {
+ include unbound::params
+
+ file { $unbound::params::anchor:
+ owner => $unbound::params::user,
+ group => $unbound::params::group,
+ mode => '0644',
+ require => Exec[$unbound::params::unbound_anchor],
+ }
+
+ exec { $unbound::params::unbound_anchor:
+ command => "${unbound::params::unbound_anchor} -a ${unbound::params::anchor}",
+ creates => $unbound::params::anchor,
+ returns => 1,
+ before => Class['unbound::service'],
+ }
+}
diff --git a/manifests/forward.pp b/manifests/forward.pp
new file mode 100644
index 00000000..740c004d
--- /dev/null
+++ b/manifests/forward.pp
@@ -0,0 +1,32 @@
+# == Define: unbound::forward
+#
+# Creates a forward-zone. $settings is a hash containing the settings.
+# The name of the resource is used as the 'name' of the zone.
+#
+# === Parameters
+#
+# [*settings*]
+# Hash containing the settings as key value pairs.
+#
+# === Examples
+#
+# unbound::forward { 'example.com':
+# settings => {
+# forward-addr => '10.0.0.1',
+# },
+# }
+#
+define unbound::forward (
+ $settings,
+) {
+ include unbound
+
+ $zone_name = { name => "\"${title}\"" }
+ $real_settings = { forward-zone => merge($zone_name, $settings) }
+
+ concat::fragment { "unbound ${title}":
+ target => $unbound::params::config,
+ content => template('unbound/unbound.conf.erb'),
+ order => 3,
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 00000000..ecb7970a
--- /dev/null
+++ b/manifests/init.pp
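Review bot: The `exec` that runs unbound-anchor has no ordering against `unbound::package`, so on a fresh host Puppet can attempt `/usr/sbin/unbound-anchor` before the package that ships it is installed; add `require => Class['unbound::package'],` to the exec. `returns => 1` looks like a bug to a reader but is, as far as I recall the unbound-anchor man page, the documented success code when the tool writes the anchor (including from its built-in key), with 0 meaning nothing changed — a comment such as `# unbound-anchor exits 1 when it (re)writes root.key, 0 when no update was needed` would stop the next maintainer "fixing" it. Because `creates` means the command runs only once, the trust anchor is afterwards maintained solely by unbound's own RFC 5011 tracking while the service runs; worth stating in the class header so nobody expects Puppet to refresh it.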
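Review bot: `$settings` and `$title` go straight into unbound.conf through the template with none of the validation the main class performs, so a hash value or a title containing `"` or a newline produces a broken or unintended forward-zone stanza and a resolver that fails to restart. Add `validate_hash($settings)` and a shape check on the title, e.g. `validate_re($title, '^[A-Za-z0-9._-]+$')`, directly after `include unbound`. Note also that this define does `include unbound` while `unbound::stub` does `include unbound::params`; `include unbound` will fail if the main class has not already been declared with `settings`, because that parameter has no default.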
@@ -0,0 +1,117 @@
+# == Class: unbound
+#
+# The unbound class manages unbound, the reqursive caching dns resolver.
+# It manages the package, service, configuration file, control keys and
+# support files.
+#
+# The configuration file is concatenated from samples of server et. al.,
+# stub-zone and forward-zone. The latter two are created independently
+# from the server settings, by defines which can be used by other classes
+# and modules.
+#
+# Control keys can be created with the unbound-control-setup program,
+# and is enabled by default. These are neccessary to be able to control
+# unbound (restart, reload etc) with the unbound-control program.
+#
+# The auto-trust-anchor-file 'root.key' can be created with the unbound-anchor
+# program, and is enabled by default.
+#
+# The root-hints files named.cache can be managed, but have to be provided by
+# the user. See the documentation in manifests/root_hints.pp for how to proceede.
+# This functionality is not enabled by default.
+#
+# === Parameters
+#
+# [*settings*]
+# Hash containing the settings as key value pairs.
+#
+# [*ssl*]
+# Mange unbound-control certificates? True or false, true by default.
+#
+# [*anchor*]
+# Manage root.key? True or false, true by default.
+#
+# [*root_hints*]
+# Manage named.cache? True or false, false by default.
+#
+# === Examples
+#
+# class { 'unbound':
+# root_hints => true,
+# settings => {
+# server => {
+# verbosity => '1',
+# interface => [
+# '127.0.0.1',
+# '::1',
+# $::ipaddress,
+# ],
+# outgoing-interface => $::ipaddress,
+# access-control => [
+# '127.0.0.0/8 allow',
+# '::1 allow',
+# '10.0.0.0/8 allow',
+# ],
+# root-hints => '"/var/unbound/etc/named.cache"',
+# private-address => [
+# '10.0.0.0/8',
+# '172.16.0.0/12',
+# '192.168.0.0/16',
+# ],
+# private-domain => "\"$::domain\"",
+# auto-trust-anchor-file => '"/var/unbound/etc/root.key"',
+# },
+# python => { },
+# remote-control => {
+# control-enable => 'yes',
+# control-interface => [
+# '127.0.0.1',
+# '::1',
+# ],
+# },
+# }
+# }
+#
+# See manifests/stub.pp and manifests/forward.pp for examples on how to create
+# sub zones and forward zones repectively.
+#
+class unbound (
+ $settings,
+ $anchor = true,
+ $root_hints = false,
+ $ssl = true,
+) inherits unbound::params {
+
+ include concat::setup
+ include unbound::package
+ include unbound::service
+
+ validate_hash($settings)
+ validate_bool($anchor)
+ validate_bool($root_hints)
+ validate_bool($ssl)
+
+ if $anchor {
+ include unbound::anchor
+ }
+
+ if $root_hints {
+ include unbound::root_hints
+ }
+
+ if $ssl {
+ include unbound::ssl
+ }
+
+ $real_settings = $settings
+
+ concat { $unbound::params::config:
+ require => Class['unbound::package'],
+ }
+
+ concat::fragment { 'unbound server':
+ target => $unbound::params::config,
+ content => template('unbound/unbound.conf.erb'),
+ order => 1,
+ }
+}
diff --git a/manifests/package.pp b/manifests/package.pp
new file mode 100644
index 00000000..b9b44f16
--- /dev/null
+++ b/manifests/package.pp
@@ -0,0 +1,15 @@
+# == Class: unbound::package
+#
+# Manages the unbound package.
+#
+# === Examples
+#
+# include unbound::package
+#
+class unbound::package {
+ include unbound::params
+
+ package { $unbound::params::package:
+ ensure => installed,
+ }
+}
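Review bot: The generated unbound.conf is never checked before it is applied: `unbound::service` subscribes to `File[$unbound::params::config]`, so a typo in the `settings` hash restarts the resolver into a failed state instead of failing the Puppet run. If the concat module in use supports it, add `validate_cmd => 'unbound-checkconf %',` to the `concat` resource; otherwise put an `exec` running `unbound-checkconf` between the concat and the service. The `validate_*` calls would read better at the top of the body, ahead of the `include` lines, though the catalog fails either way. The header comment has several typos ('reqursive', 'neccessary', 'proceede', 'Mange', 'repectively'), and the example would benefit from a one-line warning next to `access-control` that listening on `$::ipaddress` without a matching allow list creates an open resolver.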
diff --git a/manifests/params.pp b/manifests/params.pp
new file mode 100644
index 00000000..fc043e24
--- /dev/null
+++ b/manifests/params.pp
@@ -0,0 +1,42 @@
+class unbound::params {
+ case $::osfamily {
+ 'OpenBSD': {
+ $package = 'unbound'
+ $service = 'unbound'
+ $hasstatus = true
+ $dir = '/var/unbound/etc'
+ $logfile = '/var/unbound/dev/log'
+ $control_setup = '/usr/local/sbin/unbound-control-setup'
+ $unbound_anchor = '/usr/local/sbin/unbound-anchor'
+ $extended_service = 'unbound::service::openbsd'
+ $unbound_flags = ''
+ $user = '_unbound'
+ $group = '_unbound'
+ }
+ 'ubuntu', 'debian': {
+ $package = 'unbound'
+ $service = 'unbound'
+ $hasstatus = true
+ $dir = '/etc/unbound'
+ $logfile = ''
+ $control_setup = '/usr/sbin/unbound-control-setup'
+ $unbound_anchor = '/usr/sbin/unbound-anchor'
+ $unbound_flags = ''
+ $user = 'unbound'
+ $group = 'unbound'
+ }
+ default: {
+ fail("Class[unbound] is not supported by your operating system: ${::operatingsystem}")
+ }
+ }
+
+ $config = "${dir}/unbound.conf"
+ $control_certs = [
+ "${dir}/unbound_control.key",
+ "${dir}/unbound_control.pem",
+ "${dir}/unbound_server.key",
+ "${dir}/unbound_server.pem",
+ ]
+ $anchor = "${dir}/root.key"
+ $root_hints = "${dir}/named.cache"
+}
diff --git a/manifests/root_hints.pp b/manifests/root_hints.pp
new file mode 100644
index 00000000..12594956
--- /dev/null
+++ b/manifests/root_hints.pp
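Review bot: `$extended_service` is assigned only in the `'OpenBSD'` branch, so on Debian/Ubuntu `unbound::service` evaluates `if $unbound::params::extended_service` against a variable that was never set — undef with a warning on Puppet 3, a hard error under `strict_variables`. Add `$extended_service = undef` to the debian branch (and in general give every variable a value in every branch). `$::osfamily` is 'Debian' on Ubuntu hosts as well, so the `'ubuntu'` case label is dead and can be dropped. A short comment on the OpenBSD `$logfile`, `# syslog socket inside the unbound chroot; wired up in service/openbsd.pp`, would explain why it is empty on Debian.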
@@ -0,0 +1,35 @@
+# == Class: unbound::root_hints
+#
+# The unbound::root_hints class manages the root-hints named.cache file.
+# The default mount point is /module_data, which should be installed
+# and populated with a the named.cache file before implementing this
+# class. See unbound.conf(5) or the default configuration file for
+# how to retrieve such a file.
+#
+# === Parameters
+#
+# [*_mount*]
+# Meta parameter for specifying an alternate mount path.
+#
+# === Examples
+#
+# class { 'unbound::root_hints':
+# $_mount = '/modules/unbound',
+# }
+#
+# include unbound::root_hints
+#
+class unbound::root_hints (
+ $_mount = "/module_data/unbound",
+) {
+ include unbound::params
+
+ file { $unbound::params::root_hints:
+ ensure => file,
+ owner => $unbound::params::user,
+ group => $unbound::params::group,
+ mode => '0644',
+ source => "puppet://${_mount}/named.cache",
+ before => Class['unbound::service'],
+ }
+}
diff --git a/manifests/service.pp b/manifests/service.pp
new file mode 100644
index 00000000..f96f453e
--- /dev/null
+++ b/manifests/service.pp
@@ -0,0 +1,22 @@
+# == Class: unbound::service
+#
+# Manages the unbound service. If $unbound::params::extended_service
+# is true then OS specific service things are included.
+#
+# === Examples
+#
+# include unbound::service
+#
+class unbound::service {
+ include unbound::params
+
+ if $unbound::params::extended_service {
+ class { $unbound::params::extended_service: }
+ }
+
+ service { $unbound::params::service:
+ ensure => running,
+ hasstatus => $unbound::params::hasstatus,
+ subscribe => File[$unbound::params::config],
+ }
+}
diff --git a/manifests/service/openbsd.pp b/manifests/service/openbsd.pp
new file mode 100644
index 00000000..916a7ce9
--- /dev/null
+++ b/manifests/service/openbsd.pp
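Review bot: The example in the header is not valid Puppet: inside the resource declaration `$_mount = '/modules/unbound',` should read `_mount => '/modules/unbound',`. A changed named.cache is written to disk but only unbound.conf triggers a restart, so new root hints take effect at some later unrelated restart; add `notify => Class['unbound::service'],` to the file resource (which makes the `before` redundant). The file is copied from the fileserver as-is and unbound trusts whatever root-hints contains, so the header should say that the operator is responsible for obtaining it from its published source and checking it before placing it under the mount point.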
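Review bot: The service is `ensure => running` but never enabled, so on a host whose package does not enable the unit itself the resolver does not come back after a reboot; add `enable => true,` to the service resource (on OpenBSD the `rcconf` in `unbound::service::openbsd` covers this, and `enable` is harmless there). The header's "If $unbound::params::extended_service is true" is misleading because the variable holds a class name or is unset; `# If $unbound::params::extended_service names a class, it is declared here for OS-specific service setup` describes what the `if` actually does.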
@@ -0,0 +1,21 @@
+# == Class: unbound::service::openbsd
+#
+# Service things specific for OpenBSD. Sets the unbound_flags variable in
+# /etc/rc.conf.local, and appends the path to the log device to syslogd_flags.
+#
+# === Examples
+#
+# include unbound::service::openbsd
+#
+class unbound::service::openbsd {
+ rcconf { 'unbound_flags':
+ value => $unbound::params::unbound_flags,
+ }
+
+ # syslogd_flags needs one -a dir per chrooted service. Each can be a separate
+ # line, so don't use rcconf.
+ file_line { 'unbound syslogd_flags':
+ path => '/etc/rc.conf.local',
+ line => "syslogd_flags=\"\${syslogd_flags} -a ${unbound::params::logfile}\"";
+ }
+}
diff --git a/manifests/ssl.pp b/manifests/ssl.pp
new file mode 100644
index 00000000..e0cff172
--- /dev/null
+++ b/manifests/ssl.pp
@@ -0,0 +1,25 @@
+# == Class: unbound::ssl
+#
+# unbound::ssl creates ssl certificates for controlling unbound with unbound-control,
+# using the unbound-control-setup program. Furthermore, the class manages the mode and user of the certificates themselves.
+#
+# === Examples
+#
+# include unbound::ssl
+#
+class unbound::ssl {
+ include unbound::params
+
+ file { $unbound::params::control_certs:
+ owner => $unbound::params::user,
+ group => $unbound::params::gruop,
+ mode => '0440',
+ require => Exec[$unbound::params::control_setup],
+ }
+
+ exec { $unbound::params::control_setup:
+ command => "${unbound::params::control_setup} -d ${unbound::params::dir}",
+ creates => $unbound::params::control_certs,
+ before => Class['unbound::service'],
+ }
+}
diff --git a/manifests/stub.pp b/manifests/stub.pp
new file mode 100644
index 00000000..02797fdb
--- /dev/null
+++ b/manifests/stub.pp
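Review bot: Nothing restarts syslogd after the `-a` flag is appended to `syslogd_flags`, so the chrooted log socket at `$unbound::params::logfile` is not listened on until the next reboot and the resolver's log lines are silently dropped in the meantime; if syslogd is managed in this catalog add `notify => Service['syslogd'],` to the `file_line`, otherwise note the required manual `rcctl restart syslogd` in the header. The class reads `$unbound::params::unbound_flags` and `$unbound::params::logfile` without `include unbound::params`, which only works because `unbound::service` declares params before instantiating this class; add the include so it stands on its own. The `;` ending the `line` attribute is legal but inconsistent with the trailing commas used everywhere else in the module.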
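Review bot: `group => $unbound::params::gruop` is a typo for `$unbound::params::group`, so the group of the four control key/cert files is never managed — undef on Puppet 3, an error under `strict_variables` — and they keep whatever group `unbound-control-setup` left when the agent ran it as root; with mode 0440 that silently widens read access on the private keys to that group, so fix the spelling. Separately, `creates => $unbound::params::control_certs` passes an array, and as far as I recall exec's `creates` skips the command unless every listed path is missing, so deleting one of the four files never triggers regeneration and unbound-control stays broken. Consider `creates => "${unbound::params::dir}/unbound_server.key"` with a comment that setup writes all four, or an `unless` that tests each file.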
@@ -0,0 +1,32 @@
+# == Define: unbound::stub
+#
+# Creates a stub-zone. $settings is a hash containing the settings.
+# The name of the resource is used as the 'name' of the zone.
+#
+# === Parameters
+#
+# [*settings*]
+# Hash containing the settings as key value pairs.
+#
+# === Examples
+#
+# unbound::stub { $::domain:
+# settings => {
+# stub-addr => '192.168.1.1',
+# },
+# }
+#
+define unbound::stub (
+ $settings,
+) {
+ include unbound::params
+
+ $zone_name = { name => "\"${title}\"" }
+ $real_settings = { stub-zone => merge($zone_name, $settings) }
+
+ concat::fragment { "unbound ${title}":
+ target => $unbound::params::config,
+ content => template('unbound/unbound.conf.erb'),
+ order => 2,
+ }
+} |
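Review bot: As in `unbound::forward`, `$settings` and `$title` are rendered into unbound.conf without validation; add `validate_hash($settings)` and a title check such as `validate_re($title, '^[A-Za-z0-9._-]+$')` so a malformed zone name cannot produce a stanza that unbound refuses to load. This define does `include unbound::params` while `unbound::forward` does `include unbound`; the two should agree. One caveat the header should carry, hedged because it depends on the server settings: when validation is on (as in init.pp's example via `auto-trust-anchor-file`), a stub-zone for an unsigned internal domain like `$::domain` will generally also need `domain-insecure: "<domain>"` in the server section, otherwise answers from the stub fail DNSSEC validation.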