Diffstat (limited to 'puppet/modules/site_openvpn/manifests/resolver.pp')
-rw-r--r-- | puppet/modules/site_openvpn/manifests/resolver.pp | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
new file mode 100644
index 00000000..d3963c95
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -0,0 +1,36 @@
+class site_openvpn::resolver {
+
+ # this is an unfortunate way to get around the fact that the version of
+ # unbound we are working with does not accept a wildcard include directive
+ # (/etc/unbound/conf.d/*), when it does, these line definitions should
+ # go away and instead the caching_resolver should be configured to
+ # include: /etc/unbound/conf.d/*
+
+ line {
+ 'add_tcp_resolver':
+ ensure => present,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver',
+ notify => Service['unbound'];
+
+ 'add_udp_resolver':
+ ensure => present,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver',
+ notify => Service['unbound'];
+ }
+
+ file {
+ '/etc/unbound/conf.d/vpn_udp_resolver':
+ content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n",
+ owner => root, group => root, mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+
+ '/etc/unbound/conf.d/vpn_tcp_resolver':
+ content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n",
+ owner => root, group => root, mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
+ }
+}
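Review bot: The `content` strings of both `file` resources build the listen address and the allowed network by appending `.1` and `.0` to `site_openvpn::openvpn_*_network_prefix` while taking the mask from a separate `openvpn_*_cidr` variable, so the two can disagree: with any cidr other than 24 the `${prefix}.0/${cidr}` access-control network is not the real network and the `.1` interface address may fall outside it, and an unset prefix silently yields `interface: .1`, which unbound will refuse to load. Either derive both values from a single network variable or state the coupling next to the `file` block, e.g. `# assumes *_network_prefix is the first three octets of a /24 and *_cidr is 24`. The `require => Service['openvpn']` also deserves a why-comment — presumably unbound must not bind `interface:` before the tun device carries the `.1` address; confirm against the openvpn manifest. Nothing in the hunk ensures `/etc/unbound/conf.d` exists before these files are written; if the unbound module does not create it, a `file { '/etc/unbound/conf.d': ensure => directory }` declared ahead of them avoids a first-run failure.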