diff options
| author | Micah Anderson <micah@leap.se> | 2014-05-22 15:21:06 -0400 |
|---|---|---|
| committer | Micah Anderson <micah@leap.se> | 2014-05-22 15:50:02 -0400 |
| commit | a622e49c5df2150049afb6f6ed47177537b7e6da (patch) | |
| tree | 3a0c4c3dc4e6b49a23368907d402a2870afd0d38 /puppet/modules/site_openvpn | |
| parent | 4c4f8fd55a3d4a9e08ebaf8881b04ada931db007 (diff) | |
Implement #2328: unbound.conf: content changed on every puppetrun
This is done by using the include glob capability that is in the
wheezy-backports and newer unbound to include the
/etc/unbound/unbound.conf.d/* config files.
To do this, we need to transition from our /etc/unbound/conf.d directory
structure to use the one that the debian package uses.
This allows us to clean up the rather ugly way we were configuring the
resolver before.
Change-Id: I68347922f265bbd0ddf11d59d8574a612a7bd82c
Diffstat (limited to 'puppet/modules/site_openvpn')
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/resolver.pp | 58 |
1 files changed, 12 insertions, 46 deletions
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index c74fb509..c1367a33 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -3,82 +3,48 @@ class site_openvpn::resolver { if $site_openvpn::openvpn_allow_unlimited { $ensure_unlimited = 'present' file { - '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': + '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; - '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': + '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; } } else { $ensure_unlimited = 'absent' - tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': } - tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': } } if $site_openvpn::openvpn_allow_limited { $ensure_limited = 'present' file { - '/etc/unbound/conf.d/vpn_limited_udp_resolver': + '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; - '/etc/unbound/conf.d/vpn_limited_tcp_resolver': + '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; } } else { $ensure_limited = 'absent' - tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': } - tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': } } - - # this is an unfortunate way to get around the fact that the version of - # unbound we are working with does not accept a wildcard include directive - # (/etc/unbound/conf.d/*), when it does, these line definitions should - # go away and instead the caching_resolver should be configured to - # include: /etc/unbound/conf.d/* - - file_line { - 'add_unlimited_tcp_resolver': - ensure => $ensure_unlimited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - 'add_unlimited_udp_resolver': - ensure => $ensure_unlimited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - 'add_limited_tcp_resolver': - ensure => $ensure_limited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - 'add_limited_udp_resolver': - ensure => $ensure_limited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - } - } |