2 files changed, 30 insertions, 5 deletions

diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index e4374d8f..ab2f52d1 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -1,8 +1,14 @@
 class site_config::caching_resolver {
 
-  # Setup a conf.d directory to place additional unbound configuration files
-  # there must be at least one file in the directory, or unbound will not
-  # start, so create an empty placeholder to ensure this
+  # Setup a conf.d directory to place additional unbound configuration files.
+  # There must be at least one file in the directory, or unbound will not start,
+  # so create an empty placeholder to ensure this.
+
+  # Note: the version of unbound we are working with does not accept a wildcard
+  # for an include directive, so we are not able to use this. When we can use
+  # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the
+  # configuration file
+
   file {
     '/etc/unbound/conf.d':
       ensure => directory,
@@ -27,8 +33,7 @@ class site_config::caching_resolver {
         hide-identity  => 'yes',
         hide-version   => 'yes',
         harden-glue    => 'yes',
-        access-control => [ '127.0.0.0/8 allow', '::1 allow' ],
-        include        => '/etc/unbound/conf.d/*'
+        access-control => [ '127.0.0.0/8 allow', '::1 allow' ]
       }
     }
   }
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index 57a2d147..c8ef729c 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -1,5 +1,25 @@
 class site_openvpn::resolver {
 
+  # this is an unfortunate way to get around the fact that the version of
+  # unbound we are working with does not accept a wildcard include directive
+  # (/etc/unbound/conf.d/*), when it does, these line definitions should
+  # go away and instead the caching_resolver should be configured to
+  # include: /etc/unbound/conf.d/*
+
+  line {
+    'add_tcp_resolver':
+      ensure => present,
+      file   => '/etc/unbound/unbound.conf',
+      line   => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver',
+      notify => Service['unbound'];
+
+    'add_udp_resolver':
+      ensure => present,
+      file   => '/etc/unbound/unbound.conf',
+      line   => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver',
+      notify => Service['unbound'];
+  }
+
   file {
     '/etc/unbound/conf.d/vpn_udp_resolver':
       content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n",