summaryrefslogtreecommitdiff
path: root/puppet/modules/site_openvpn/manifests
diff options
context:
space:
mode:
authorMicah Anderson <micah@riseup.net>2013-01-17 14:17:18 -0500
committerMicah Anderson <micah@riseup.net>2013-01-17 14:17:18 -0500
commitad3da4a59aebb6b7facc2e6616d8b81039b29892 (patch)
treee98ceaa4493febcfdad08b4743870d8f3a6e4bbc /puppet/modules/site_openvpn/manifests
parent03d2b1aec2a9ccd61f4804277c80541698f1dab8 (diff)
unfortunately the version of unbound that is in wheezy does not support wildcard
include directives, so this commit works around this by doing something less elegant than before. When we have the newer unbound available, we should switch to that method instead.
Diffstat (limited to 'puppet/modules/site_openvpn/manifests')
-rw-r--r--puppet/modules/site_openvpn/manifests/resolver.pp20
1 files changed, 20 insertions, 0 deletions
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index 57a2d147..c8ef729c 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -1,5 +1,25 @@
class site_openvpn::resolver {
+ # this is an unfortunate way to get around the fact that the version of
+ # unbound we are working with does not accept a wildcard include directive
+ # (/etc/unbound/conf.d/*), when it does, these line definitions should
+ # go away and instead the caching_resolver should be configured to
+ # include: /etc/unbound/conf.d/*
+
+ line {
+ 'add_tcp_resolver':
+ ensure => present,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver',
+ notify => Service['unbound'];
+
+ 'add_udp_resolver':
+ ensure => present,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver',
+ notify => Service['unbound'];
+ }
+
file {
'/etc/unbound/conf.d/vpn_udp_resolver':
content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n",