summaryrefslogtreecommitdiff
path: root/manifests
diff options
context:
space:
mode:
authorMicah <micah@leap.se>2016-05-24 10:19:33 -0400
committerMicah <micah@leap.se>2016-05-24 10:19:33 -0400
commitc9be0212c9e45f609d299f5fbdf8f13a63747be6 (patch)
tree943935add27bb5b1a159cfdb46225f4c1f9014ba /manifests
Squashed 'puppet/modules/unbound/' content from commit a26b91d
git-subtree-dir: puppet/modules/unbound git-subtree-split: a26b91dfea3189e6777629fa00d54f51dc41f4d4
Diffstat (limited to 'manifests')
-rw-r--r--manifests/anchor.pp26
-rw-r--r--manifests/forward.pp32
-rw-r--r--manifests/init.pp117
-rw-r--r--manifests/package.pp15
-rw-r--r--manifests/params.pp42
-rw-r--r--manifests/root_hints.pp35
-rw-r--r--manifests/service.pp22
-rw-r--r--manifests/service/openbsd.pp21
-rw-r--r--manifests/ssl.pp25
-rw-r--r--manifests/stub.pp32
10 files changed, 367 insertions, 0 deletions
diff --git a/manifests/anchor.pp b/manifests/anchor.pp
new file mode 100644
index 00000000..e890722e
--- /dev/null
+++ b/manifests/anchor.pp
@@ -0,0 +1,26 @@
+# == Class: unbound::anchor
+#
+# The unbound::anchor class manages the "root.key" file, and creates it with
+# the unbound-anchor program.
+#
+# === Examples
+#
+# include unbound::anchor
+#
+class unbound::anchor {
+ include unbound::params
+
+ file { $unbound::params::anchor:
+ owner => $unbound::params::user,
+ group => $unbound::params::group,
+ mode => '0644',
+ require => Exec[$unbound::params::unbound_anchor],
+ }
+
+ exec { $unbound::params::unbound_anchor:
+ command => "${unbound::params::unbound_anchor} -a ${unbound::params::anchor}",
+ creates => $unbound::params::anchor,
+ returns => 1,
+ before => Class['unbound::service'],
+ }
+}
diff --git a/manifests/forward.pp b/manifests/forward.pp
new file mode 100644
index 00000000..740c004d
--- /dev/null
+++ b/manifests/forward.pp
@@ -0,0 +1,32 @@
+# == Define: unbound::forward
+#
+# Creates a forward-zone. $settings is a hash containing the settings.
+# The name of the resource is used as the 'name' of the zone.
+#
+# === Parameters
+#
+# [*settings*]
+# Hash containing the settings as key value pairs.
+#
+# === Examples
+#
+# unbound::forward { 'example.com':
+# settings => {
+# forward-addr => '10.0.0.1',
+# },
+# }
+#
+define unbound::forward (
+ $settings,
+) {
+ include unbound
+
+ $zone_name = { name => "\"${title}\"" }
+ $real_settings = { forward-zone => merge($zone_name, $settings) }
+
+ concat::fragment { "unbound ${title}":
+ target => $unbound::params::config,
+ content => template('unbound/unbound.conf.erb'),
+ order => 3,
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 00000000..ecb7970a
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,117 @@
+# == Class: unbound
+#
+# The unbound class manages unbound, the reqursive caching dns resolver.
+# It manages the package, service, configuration file, control keys and
+# support files.
+#
+# The configuration file is concatenated from samples of server et. al.,
+# stub-zone and forward-zone. The latter two are created independently
+# from the server settings, by defines which can be used by other classes
+# and modules.
+#
+# Control keys can be created with the unbound-control-setup program,
+# and is enabled by default. These are neccessary to be able to control
+# unbound (restart, reload etc) with the unbound-control program.
+#
+# The auto-trust-anchor-file 'root.key' can be created with the unbound-anchor
+# program, and is enabled by default.
+#
+# The root-hints files named.cache can be managed, but have to be provided by
+# the user. See the documentation in manifests/root_hints.pp for how to proceede.
+# This functionality is not enabled by default.
+#
+# === Parameters
+#
+# [*settings*]
+# Hash containing the settings as key value pairs.
+#
+# [*ssl*]
+# Mange unbound-control certificates? True or false, true by default.
+#
+# [*anchor*]
+# Manage root.key? True or false, true by default.
+#
+# [*root_hints*]
+# Manage named.cache? True or false, false by default.
+#
+# === Examples
+#
+# class { 'unbound':
+# root_hints => true,
+# settings => {
+# server => {
+# verbosity => '1',
+# interface => [
+# '127.0.0.1',
+# '::1',
+# $::ipaddress,
+# ],
+# outgoing-interface => $::ipaddress,
+# access-control => [
+# '127.0.0.0/8 allow',
+# '::1 allow',
+# '10.0.0.0/8 allow',
+# ],
+# root-hints => '"/var/unbound/etc/named.cache"',
+# private-address => [
+# '10.0.0.0/8',
+# '172.16.0.0/12',
+# '192.168.0.0/16',
+# ],
+# private-domain => "\"$::domain\"",
+# auto-trust-anchor-file => '"/var/unbound/etc/root.key"',
+# },
+# python => { },
+# remote-control => {
+# control-enable => 'yes',
+# control-interface => [
+# '127.0.0.1',
+# '::1',
+# ],
+# },
+# }
+# }
+#
+# See manifests/stub.pp and manifests/forward.pp for examples on how to create
+# sub zones and forward zones repectively.
+#
+class unbound (
+ $settings,
+ $anchor = true,
+ $root_hints = false,
+ $ssl = true,
+) inherits unbound::params {
+
+ include concat::setup
+ include unbound::package
+ include unbound::service
+
+ validate_hash($settings)
+ validate_bool($anchor)
+ validate_bool($root_hints)
+ validate_bool($ssl)
+
+ if $anchor {
+ include unbound::anchor
+ }
+
+ if $root_hints {
+ include unbound::root_hints
+ }
+
+ if $ssl {
+ include unbound::ssl
+ }
+
+ $real_settings = $settings
+
+ concat { $unbound::params::config:
+ require => Class['unbound::package'],
+ }
+
+ concat::fragment { 'unbound server':
+ target => $unbound::params::config,
+ content => template('unbound/unbound.conf.erb'),
+ order => 1,
+ }
+}
diff --git a/manifests/package.pp b/manifests/package.pp
new file mode 100644
index 00000000..b9b44f16
--- /dev/null
+++ b/manifests/package.pp
@@ -0,0 +1,15 @@
+# == Class: unbound::package
+#
+# Manages the unbound package.
+#
+# === Examples
+#
+# include unbound::package
+#
+class unbound::package {
+ include unbound::params
+
+ package { $unbound::params::package:
+ ensure => installed,
+ }
+}
diff --git a/manifests/params.pp b/manifests/params.pp
new file mode 100644
index 00000000..fc043e24
--- /dev/null
+++ b/manifests/params.pp
@@ -0,0 +1,42 @@
+class unbound::params {
+ case $::osfamily {
+ 'OpenBSD': {
+ $package = 'unbound'
+ $service = 'unbound'
+ $hasstatus = true
+ $dir = '/var/unbound/etc'
+ $logfile = '/var/unbound/dev/log'
+ $control_setup = '/usr/local/sbin/unbound-control-setup'
+ $unbound_anchor = '/usr/local/sbin/unbound-anchor'
+ $extended_service = 'unbound::service::openbsd'
+ $unbound_flags = ''
+ $user = '_unbound'
+ $group = '_unbound'
+ }
+ 'ubuntu', 'debian': {
+ $package = 'unbound'
+ $service = 'unbound'
+ $hasstatus = true
+ $dir = '/etc/unbound'
+ $logfile = ''
+ $control_setup = '/usr/sbin/unbound-control-setup'
+ $unbound_anchor = '/usr/sbin/unbound-anchor'
+ $unbound_flags = ''
+ $user = 'unbound'
+ $group = 'unbound'
+ }
+ default: {
+ fail("Class[unbound] is not supported by your operating system: ${::operatingsystem}")
+ }
+ }
+
+ $config = "${dir}/unbound.conf"
+ $control_certs = [
+ "${dir}/unbound_control.key",
+ "${dir}/unbound_control.pem",
+ "${dir}/unbound_server.key",
+ "${dir}/unbound_server.pem",
+ ]
+ $anchor = "${dir}/root.key"
+ $root_hints = "${dir}/named.cache"
+}
diff --git a/manifests/root_hints.pp b/manifests/root_hints.pp
new file mode 100644
index 00000000..12594956
--- /dev/null
+++ b/manifests/root_hints.pp
@@ -0,0 +1,35 @@
+# == Class: unbound::root_hints
+#
+# The unbound::root_hints class manages the root-hints named.cache file.
+# The default mount point is /module_data, which should be installed
+# and populated with a the named.cache file before implementing this
+# class. See unbound.conf(5) or the default configuration file for
+# how to retrieve such a file.
+#
+# === Parameters
+#
+# [*_mount*]
+# Meta parameter for specifying an alternate mount path.
+#
+# === Examples
+#
+# class { 'unbound::root_hints':
+# $_mount = '/modules/unbound',
+# }
+#
+# include unbound::root_hints
+#
+class unbound::root_hints (
+ $_mount = "/module_data/unbound",
+) {
+ include unbound::params
+
+ file { $unbound::params::root_hints:
+ ensure => file,
+ owner => $unbound::params::user,
+ group => $unbound::params::group,
+ mode => '0644',
+ source => "puppet://${_mount}/named.cache",
+ before => Class['unbound::service'],
+ }
+}
diff --git a/manifests/service.pp b/manifests/service.pp
new file mode 100644
index 00000000..f96f453e
--- /dev/null
+++ b/manifests/service.pp
@@ -0,0 +1,22 @@
+# == Class: unbound::service
+#
+# Manages the unbound service. If $unbound::params::extended_service
+# is true then OS specific service things are included.
+#
+# === Examples
+#
+# include unbound::service
+#
+class unbound::service {
+ include unbound::params
+
+ if $unbound::params::extended_service {
+ class { $unbound::params::extended_service: }
+ }
+
+ service { $unbound::params::service:
+ ensure => running,
+ hasstatus => $unbound::params::hasstatus,
+ subscribe => File[$unbound::params::config],
+ }
+}
diff --git a/manifests/service/openbsd.pp b/manifests/service/openbsd.pp
new file mode 100644
index 00000000..916a7ce9
--- /dev/null
+++ b/manifests/service/openbsd.pp
@@ -0,0 +1,21 @@
+# == Class: unbound::service::openbsd
+#
+# Service things specific for OpenBSD. Sets the unbound_flags variable in
+# /etc/rc.conf.local, and appends the path to the log device to syslogd_flags.
+#
+# === Examples
+#
+# include unbound::service::openbsd
+#
+class unbound::service::openbsd {
+ rcconf { 'unbound_flags':
+ value => $unbound::params::unbound_flags,
+ }
+
+ # syslogd_flags needs one -a dir per chrooted service. Each can be a separate
+ # line, so don't use rcconf.
+ file_line { 'unbound syslogd_flags':
+ path => '/etc/rc.conf.local',
+ line => "syslogd_flags=\"\${syslogd_flags} -a ${unbound::params::logfile}\"";
+ }
+}
diff --git a/manifests/ssl.pp b/manifests/ssl.pp
new file mode 100644
index 00000000..e0cff172
--- /dev/null
+++ b/manifests/ssl.pp
@@ -0,0 +1,25 @@
+# == Class: unbound::ssl
+#
+# unbound::ssl creates ssl certificates for controlling unbound with unbound-control,
+# using the unbound-control-setup program. Furthermore, the class manages the mode and user of the certificates themselves.
+#
+# === Examples
+#
+# include unbound::ssl
+#
+class unbound::ssl {
+ include unbound::params
+
+ file { $unbound::params::control_certs:
+ owner => $unbound::params::user,
+ group => $unbound::params::gruop,
+ mode => '0440',
+ require => Exec[$unbound::params::control_setup],
+ }
+
+ exec { $unbound::params::control_setup:
+ command => "${unbound::params::control_setup} -d ${unbound::params::dir}",
+ creates => $unbound::params::control_certs,
+ before => Class['unbound::service'],
+ }
+}
diff --git a/manifests/stub.pp b/manifests/stub.pp
new file mode 100644
index 00000000..02797fdb
--- /dev/null
+++ b/manifests/stub.pp
@@ -0,0 +1,32 @@
+# == Define: unbound::stub
+#
+# Creates a stub-zone. $settings is a hash containing the settings.
+# The name of the resource is used as the 'name' of the zone.
+#
+# === Parameters
+#
+# [*settings*]
+# Hash containing the settings as key value pairs.
+#
+# === Examples
+#
+# unbound::stub { $::domain:
+# settings => {
+# stub-addr => '192.168.1.1',
+# },
+# }
+#
+define unbound::stub (
+ $settings,
+) {
+ include unbound::params
+
+ $zone_name = { name => "\"${title}\"" }
+ $real_settings = { stub-zone => merge($zone_name, $settings) }
+
+ concat::fragment { "unbound ${title}":
+ target => $unbound::params::config,
+ content => template('unbound/unbound.conf.erb'),
+ order => 2,
+ }
+}