-rw-r--r--puppet/modules/site_apt/manifests/preferences/rsyslog.pp9
-rw-r--r--puppet/modules/site_apt/manifests/preferences/unbound.pp10
-rw-r--r--puppet/modules/site_config/manifests/caching_resolver.pp18
-rw-r--r--puppet/modules/site_config/manifests/default.pp3
-rw-r--r--puppet/modules/site_config/manifests/syslog.pp7
-rw-r--r--puppet/modules/site_openvpn/manifests/resolver.pp58
6 files changed, 47 insertions, 58 deletions
diff --git a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp
new file mode 100644
index 00000000..132a6e24
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp
@@ -0,0 +1,9 @@
+class site_apt::preferences::rsyslog {
+
+ apt::preferences_snippet { 'rsyslog_anon_depends':
+ package => 'libestr0 librelp0 rsyslog*',
+ priority => '999',
+ pin => 'release a=wheezy-backports',
+ before => Class['rsyslog::install']
+ }
+}
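Review bot: The pin in this new class hardcodes the release as `pin => 'release a=wheezy-backports'`, while the sibling class added in preferences/unbound.pp derives it from the fact with `release => "${::lsbdistcodename}-backports"`. On a host that is not wheezy the rsyslog pin would name an archive that does not match the node, so the two classes should use the same form. The priority is also quoted here (`'999'`) and bare there (`999`); pick one.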
diff --git a/puppet/modules/site_apt/manifests/preferences/unbound.pp b/puppet/modules/site_apt/manifests/preferences/unbound.pp
new file mode 100644
index 00000000..6da964f9
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/unbound.pp
@@ -0,0 +1,10 @@
+class site_apt::preferences::unbound {
+
+ apt::preferences_snippet { 'unbound':
+ package => 'libunbound* unbound*',
+ release => "${::lsbdistcodename}-backports",
+ priority => 999,
+ before => Class['unbound::package'];
+ }
+
+}
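Review bot: This class has no comment saying why unbound and libunbound are pinned to backports at priority 999. The comments in caching_resolver.pp and the block removed from resolver.pp suggest the reason is that the stable unbound does not accept a wildcard include. A one-line comment above the resource, such as `# backports unbound is needed for the glob 'include:' used by site_config::caching_resolver`, would tell a later maintainer when the pin can be dropped. The stray `;` after the last attribute on the `before` line can go as well.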
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index 3d7b9206..1b8bd1a2 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -10,16 +10,16 @@ class site_config::caching_resolver {
# the newer unbound, then we will add 'include: /etc/unbound.d/*' to the
# configuration file
+ include site_apt::preferences::unbound
+
file {
+ # cleanup from how we used to do it
'/etc/unbound/conf.d':
- ensure => directory,
- owner => root, group => root, mode => '0755',
- require => Package['unbound'];
+ force => true,
+ ensure => absent;
'/etc/unbound/conf.d/placeholder':
- ensure => present,
- content => '',
- owner => root, group => root, mode => '0644';
+ ensure => absent;
}
class { 'unbound':
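Review bot: The context comment at the top of this hunk still speaks of a future change ("then we will add 'include: /etc/unbound.d/*'"), but this commit makes that change, and with a different path (`/etc/unbound/unbound.conf.d/*.conf`). The comment begins above the hunk, so only its tail is visible here; it should be rewritten to describe the current layout. Since `/etc/unbound/conf.d` is removed with `force => true`, the separate `'/etc/unbound/conf.d/placeholder': ensure => absent;` entry looks redundant. The `force` also deletes anything else an administrator placed in that directory, which is worth stating in the `# cleanup` comment.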
@@ -39,4 +39,10 @@ class site_config::caching_resolver {
}
}
}
+
+ concat::fragment { 'unbound glob include':
+ target => $unbound::params::config,
+ content => "include: /etc/unbound/unbound.conf.d/*.conf\n\n",
+ order => 10
+ }
}
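Review bot: The fragment includes `/etc/unbound/unbound.conf.d/*.conf`, but the files written in the site_openvpn/manifests/resolver.pp hunk are named `vpn_unlimited_udp_resolver`, `vpn_unlimited_tcp_resolver`, `vpn_limited_udp_resolver` and `vpn_limited_tcp_resolver`, with no `.conf` suffix. Unless something outside this diff renames them, the glob will not match them. Their `interface:` and `access-control:` lines would then never be loaded, now that the explicit `file_line` includes are removed, leaving VPN clients without the resolver the gateway is meant to provide. Either give the files the suffix in both the `file` and `tidy` resources, e.g. `'/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver.conf':`, or widen the include to match what is written. Running `unbound-checkconf` on a converged node would confirm which files are actually read.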
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 7e421a21..c7352857 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -27,6 +27,9 @@ class site_config::default {
if $::ec2_instance_id {
include site_config::dhclient
}
+ if $::virtual == 'virtualbox' {
+ include site_config::dhclient
+ }
# configure /etc/resolv.conf
include site_config::resolvconf
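Review bot: The added block repeats `include site_config::dhclient` under a second `if`, directly below the EC2 case that includes the same class. A single condition, `if $::ec2_instance_id or $::virtual == 'virtualbox' {`, keeps the set of platforms that need dhclient in one place. A short comment on why VirtualBox guests need it would also help, since the hunk gives no reason.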
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
index 8eac4242..26c65f02 100644
--- a/puppet/modules/site_config/manifests/syslog.pp
+++ b/puppet/modules/site_config/manifests/syslog.pp
@@ -1,11 +1,6 @@
class site_config::syslog {
- apt::preferences_snippet { 'rsyslog_anon_depends':
- package => 'libestr0 librelp0 rsyslog*',
- priority => '999',
- pin => 'release a=wheezy-backports',
- before => Class['rsyslog::install']
- }
+ include site_apt::preferences::rsyslog
class { 'rsyslog::client':
log_remote => false,
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index c74fb509..c1367a33 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -3,82 +3,48 @@ class site_openvpn::resolver {
if $site_openvpn::openvpn_allow_unlimited {
$ensure_unlimited = 'present'
file {
- '/etc/unbound/conf.d/vpn_unlimited_udp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver':
content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
- '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver':
content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
}
} else {
$ensure_unlimited = 'absent'
- tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': }
- tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': }
}
if $site_openvpn::openvpn_allow_limited {
$ensure_limited = 'present'
file {
- '/etc/unbound/conf.d/vpn_limited_udp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver':
content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
- '/etc/unbound/conf.d/vpn_limited_tcp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver':
content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
}
} else {
$ensure_limited = 'absent'
- tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': }
- tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': }
}
-
- # this is an unfortunate way to get around the fact that the version of
- # unbound we are working with does not accept a wildcard include directive
- # (/etc/unbound/conf.d/*), when it does, these line definitions should
- # go away and instead the caching_resolver should be configured to
- # include: /etc/unbound/conf.d/*
-
- file_line {
- 'add_unlimited_tcp_resolver':
- ensure => $ensure_unlimited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_unlimited_udp_resolver':
- ensure => $ensure_unlimited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_limited_tcp_resolver':
- ensure => $ensure_limited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_limited_udp_resolver':
- ensure => $ensure_limited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- }
-
}
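Review bot: `$ensure_unlimited` and `$ensure_limited` are still assigned in all four branches, but their only visible consumers were the `file_line` resources this hunk deletes. Unless they are read elsewhere, the four assignments are now dead and can be removed with the rest. The class header sits above the hunk, so any use before line 3 of the file is not visible here. The new `require => [ Class['site_config::caching_resolver'], Service['openvpn'] ]` also assumes that class is always in the catalog whenever this one is; a comment or an explicit `include site_config::caching_resolver` at the top of the class would make that dependency clear.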