Diffstat (limited to 'puppet')
| -rw-r--r-- | puppet/modules/site_config/manifests/caching_resolver.pp | 20 | ||||
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/resolver.pp | 58 | 
2 files changed, 22 insertions, 56 deletions
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index b37cf775..1b8bd1a2 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -13,19 +13,13 @@ class site_config::caching_resolver {
   include site_apt::preferences::unbound
   file {
+    # cleanup from how we used to do it
     '/etc/unbound/conf.d':
-      ensure  => directory,
-      owner   => root,
-      group   => root,
-      mode    => '0755',
-      require => Package['unbound'];
+      force   => true,
+      ensure  => absent;
     '/etc/unbound/conf.d/placeholder':
-      ensure  => present,
-      content => '',
-      owner   => root,
-      group   => root,
-      mode    => '0644';
+      ensure  => absent;
   }
   class { 'unbound':
@@ -45,4 +39,10 @@ class site_config::caching_resolver {
       }
     }
   }
+
+  concat::fragment { 'unbound glob include':
+    target  => $unbound::params::config,
+    content => "include: /etc/unbound/unbound.conf.d/*.conf\n\n",
+    order   => 10
+  }
 }
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index c74fb509..c1367a33 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
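Review bot: Nothing in the visible hunks manages the replacement directory `/etc/unbound/unbound.conf.d`, while `/etc/unbound/conf.d` is force-removed and the file resources in site_openvpn::resolver now `require => Class['site_config::caching_resolver']` for their new paths; if that directory is not shipped by the unbound package on every target, those resources fail on a fresh host. Declaring it next to the cleanup, `file { '/etc/unbound/unbound.conf.d': ensure => directory, owner => root, group => root, mode => '0755', require => Package['unbound'] }`, makes the dependency explicit. `force => true` on the old directory also deletes any unmanaged local files under it, which the `# cleanup from how we used to do it` comment should say, and the separate `ensure => absent` entry for the placeholder file is then redundant. The class body continues outside the hunk.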
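Review bot: The new fragment emits a bare `include:` at order 10, and whether that lands inside a `server:` clause depends on the unbound module's fragment ordering for `$unbound::params::config`, which is not visible here; the file_line entries this commit removes from resolver.pp prefixed the directive with `server:` for exactly that reason. If the fragment sorts before the server header, unbound rejects the `interface:`/`access-control:` options in the included files and the resolver stays down after the `notify => Service['unbound']` restart, taking DNS for every VPN client with it. Either confirm the order against the module's server fragment, or make the included files self-contained by starting each one with `server:` (unbound accepts repeated server: clauses), and run `unbound-checkconf` on the assembled file before the service is bounced.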
@@ -3,82 +3,48 @@ class site_openvpn::resolver {
   if $site_openvpn::openvpn_allow_unlimited {
     $ensure_unlimited = 'present'
     file {
-      '/etc/unbound/conf.d/vpn_unlimited_udp_resolver':
+      '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver':
         content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n",
         owner   => root,
         group   => root,
         mode    => '0644',
-        require => Service['openvpn'],
+        require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
         notify  => Service['unbound'];
-      '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver':
+      '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver':
         content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n",
         owner   => root,
         group   => root,
         mode    => '0644',
-        require => Service['openvpn'],
+        require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
         notify  => Service['unbound'];
     }
   } else {
     $ensure_unlimited = 'absent'
-    tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': }
-    tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': }
+    tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': }
+    tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': }
   }
   if $site_openvpn::openvpn_allow_limited {
     $ensure_limited = 'present'
     file {
-      '/etc/unbound/conf.d/vpn_limited_udp_resolver':
+      '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver':
         content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n",
         owner   => root,
         group   => root,
         mode    => '0644',
-        require => Service['openvpn'],
+        require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
         notify  => Service['unbound'];
-      '/etc/unbound/conf.d/vpn_limited_tcp_resolver':
+      '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver':
         content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n",
         owner   => root,
         group   => root,
         mode    => '0644',
-        require => Service['openvpn'],
+        require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
         notify  => Service['unbound'];
     }
   } else {
     $ensure_limited = 'absent'
-    tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': }
-    tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': }
+    tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': }
+    tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': }
   }
-
-  # this is an unfortunate way to get around the fact that the version of
-  # unbound we are working with does not accept a wildcard include directive
-  # (/etc/unbound/conf.d/*), when it does, these line definitions should
-  # go away and instead the caching_resolver should be configured to
-  # include: /etc/unbound/conf.d/*
-
-  file_line {
-    'add_unlimited_tcp_resolver':
-      ensure  => $ensure_unlimited,
-      path    => '/etc/unbound/unbound.conf',
-      line    => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver',
-      notify  => Service['unbound'],
-      require => [ Package['openvpn'], Package['unbound'] ];
-    'add_unlimited_udp_resolver':
-      ensure  => $ensure_unlimited,
-      path    => '/etc/unbound/unbound.conf',
-      line    => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver',
-      notify  => Service['unbound'],
-      require => [ Package['openvpn'], Package['unbound'] ];
-    'add_limited_tcp_resolver':
-      ensure  => $ensure_limited,
-      path    => '/etc/unbound/unbound.conf',
-      line    => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver',
-      notify  => Service['unbound'],
-      require => [ Package['openvpn'], Package['unbound'] ];
-      'add_limited_udp_resolver':
-      ensure  => $ensure_limited,
-      path    => '/etc/unbound/unbound.conf',
-      line    => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver',
-      notify  => Service['unbound'],
-      require => [ Package['openvpn'], Package['unbound'] ];
-  }
-  }
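Review bot: The four new file titles and the four tidy titles name files without a `.conf` suffix, but the include this commit adds in caching_resolver.pp is `include: /etc/unbound/unbound.conf.d/*.conf`, so none of these files is ever read and the VPN `interface:`/`access-control: … allow` settings are silently dropped; with unbound's default access-control, queries from the VPN ranges are then refused and clients lose DNS. Rename the paths to end in `.conf`, e.g. `'/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver.conf':`, and apply the same suffix to the tidy titles so the absent branch cleans the same files. Because the hunk also drops the `server:` prefix the old file_line entries carried, starting each file's content with `server:\n` keeps the options valid wherever the glob include lands in the assembled unbound.conf. The enclosing class site_openvpn::resolver starts before the hunk.
```puppet
  if $site_openvpn::openvpn_allow_unlimited {
    $ensure_unlimited = 'present'
    file {
      '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver.conf':
        content => "server:\ninterface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n",
        # … unchanged: owner, group, mode, require, notify …
      '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver.conf':
        # … unchanged apart from the same "server:\n" prefix on content …
    }
  } else {
    $ensure_unlimited = 'absent'
    tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver.conf': }
    tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver.conf': }
  }
  # … unchanged: the openvpn_allow_limited block, with the same .conf suffix on its four paths …
```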
