Diffstat (limited to 'puppet')
-rw-r--r--puppet/modules/site_config/manifests/caching_resolver.pp20
-rw-r--r--puppet/modules/site_openvpn/manifests/resolver.pp58
2 files changed, 22 insertions, 56 deletions
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index b37cf775..1b8bd1a2 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -13,19 +13,13 @@ class site_config::caching_resolver {
include site_apt::preferences::unbound
file {
+ # cleanup from how we used to do it
'/etc/unbound/conf.d':
- ensure => directory,
- owner => root,
- group => root,
- mode => '0755',
- require => Package['unbound'];
+ force => true,
+ ensure => absent;
'/etc/unbound/conf.d/placeholder':
- ensure => present,
- content => '',
- owner => root,
- group => root,
- mode => '0644';
+ ensure => absent;
}
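Review bot: The `force => true, ensure => absent` removal of `/etc/unbound/conf.d` at L25-L26 has no ordering relationship to the resolver config that used to reference that directory, so on an already-deployed host the directory can disappear in the same run while `/etc/unbound/unbound.conf` still carries the old `server: include: /etc/unbound/conf.d/...` lines, and an unbound restart in that window fails on a missing include. If the file behind `$unbound::params::config` is fully regenerated by concat this is only transient, but it is cheap to pin by requiring the regenerated config before the cleanup, e.g. `require => Concat[$unbound::params::config],` on the `'/etc/unbound/conf.d'` resource (the exact concat title depends on the unbound module and is not visible here). `force => true` also silently deletes anything an operator dropped into that directory, which the comment could say: `# cleanup from how we used to do it (recursively removes whatever is left in conf.d)`.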
class { 'unbound':
@@ -45,4 +39,10 @@ class site_config::caching_resolver {
}
}
}
+
+ concat::fragment { 'unbound glob include':
+ target => $unbound::params::config,
+ content => "include: /etc/unbound/unbound.conf.d/*.conf\n\n",
+ order => 10
+ }
}
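Review bot: The glob include added at L43 makes unbound read every `*.conf` under `/etc/unbound/unbound.conf.d/` as resolver configuration, but nothing in this class manages that directory, so its existence, owner and mode are left to whatever the package happened to create. Because anything placed there becomes live `interface:`/`access-control:`/forwarding configuration, the directory should be pinned to root:root 0755 alongside the fragment; I would not add `purge`, since the distribution package may ship its own drop-ins (for example a DNSSEC trust-anchor file) in that directory. Whether `order => 10` places the include inside or before the module's `server:` clause is not visible here, and the drop-ins from site_openvpn::resolver carry server-clause options, so that ordering should be checked against the unbound module's own fragments.
```puppet
  # … unchanged: class { 'unbound': … } …

  # Every *.conf in this directory is loaded by the glob include below, so keep
  # the directory root-owned and not group/world writable. No purge: the package
  # may ship its own drop-ins here.
  file { '/etc/unbound/unbound.conf.d':
    ensure  => directory,
    owner   => root,
    group   => root,
    mode    => '0755',
    require => Package['unbound'],
    before  => Concat::Fragment['unbound glob include'],
  }

  concat::fragment { 'unbound glob include':
    target  => $unbound::params::config,
    content => "include: /etc/unbound/unbound.conf.d/*.conf\n\n",
    order   => 10
  }
```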
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index c74fb509..c1367a33 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -3,82 +3,48 @@ class site_openvpn::resolver {
if $site_openvpn::openvpn_allow_unlimited {
$ensure_unlimited = 'present'
file {
- '/etc/unbound/conf.d/vpn_unlimited_udp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver':
content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
- '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver':
content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
}
} else {
$ensure_unlimited = 'absent'
- tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': }
- tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': }
}
if $site_openvpn::openvpn_allow_limited {
$ensure_limited = 'present'
file {
- '/etc/unbound/conf.d/vpn_limited_udp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver':
content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
- '/etc/unbound/conf.d/vpn_limited_tcp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver':
content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
}
} else {
$ensure_limited = 'absent'
- tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': }
- tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': }
}
-
- # this is an unfortunate way to get around the fact that the version of
- # unbound we are working with does not accept a wildcard include directive
- # (/etc/unbound/conf.d/*), when it does, these line definitions should
- # go away and instead the caching_resolver should be configured to
- # include: /etc/unbound/conf.d/*
-
- file_line {
- 'add_unlimited_tcp_resolver':
- ensure => $ensure_unlimited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_unlimited_udp_resolver':
- ensure => $ensure_unlimited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_limited_tcp_resolver':
- ensure => $ensure_limited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_limited_udp_resolver':
- ensure => $ensure_limited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- }
-
}
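Review bot: The drop-in files written at L56, L65, L85 and L94 have no `.conf` suffix, while the include that site_config::caching_resolver now emits is `include: /etc/unbound/unbound.conf.d/*.conf`, so unless the unbound module adds an unsuffixed include of its own, none of these `interface:`/`access-control:` settings are read and the resolver neither listens on the VPN gateway addresses nor allows the VPN ranges. Renaming the four file resources and the four `tidy` resources to end in `.conf`, e.g. `'/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver.conf':`, fixes that; keep `tidy` entries for the unsuffixed names for a cycle so hosts that already received them are cleaned up. With the `file_line` resources gone, `$ensure_unlimited` and `$ensure_limited` (L53, L75, L82, L104) are assigned but never used; folding them into the file resources as `ensure => $ensure_unlimited,` with `notify => Service['unbound']` would replace the `tidy` branches and ensure unbound is restarted when a range is disabled, which the `tidy` resources as written do not obviously guarantee.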