From 4e0021dede8aae43760b3e9a4b2317c3ed4c1e0d Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 16 Jan 2013 13:08:24 -0500
Subject: Swtich from bind9 as the local caching resolver to unbound. This will enable us to do tor lookups over DNS on servers, if tor services are defined. To do this, we remove the bind9 configurations from site_config::resolvconf.pp and replace it with site_config::caching_resolver with a basic unbound configuration that can be used everywhere. The unbound configuration enables a /etc/unbound/conf.d directory for additional config snippits that can be dropped in from other places. This will be used for setting up different interfaces in the vpn gateway, for example. There will be a set of transition package/file absent blocks to clean up providers.
---
 .../site_config/manifests/caching_resolver.pp | 35 ++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 puppet/modules/site_config/manifests/caching_resolver.pp
(limited to 'puppet/modules/site_config/manifests/caching_resolver.pp')
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
new file mode 100644
index 00000000..e4374d8f
--- /dev/null
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -0,0 +1,35 @@
+class site_config::caching_resolver {
+
+ # Setup a conf.d directory to place additional unbound configuration files
+ # there must be at least one file in the directory, or unbound will not
+ # start, so create an empty placeholder to ensure this
+ file {
+ '/etc/unbound/conf.d':
+ ensure => directory,
+ owner => root, group => root, mode => '0755';
+
+ '/etc/unbound/conf.d/placeholder':
+ ensure => present,
+ content => '',
+ owner => root, group => root, mode => '0644';
+ }
+
+ class { 'unbound':
+ root_hints => false,
+ anchor => false,
+ ssl => false,
+ require => File['/etc/unbound/conf.d/placeholder'],
+ settings => {
+ server => {
+ verbosity => '1',
+ interface => [ '127.0.0.1', '::1' ],
+ port => '53',
+ hide-identity => 'yes',
+ hide-version => 'yes',
+ harden-glue => 'yes',
+ access-control => [ '127.0.0.0/8 allow', '::1 allow' ],
+ include => '/etc/unbound/conf.d/*'
+ }
+ }
+ }
+}
-- cgit v1.2.3
From ad3da4a59aebb6b7facc2e6616d8b81039b29892 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 17 Jan 2013 14:17:18 -0500
Subject: unfortunately the version of unbound that is in wheezy does not support wildcard include directives, so this commit works around this by doing something less elegant than before. When we have the newer unbound available, we should switch to that method instead.
---
 puppet/modules/site_config/manifests/caching_resolver.pp | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
(limited to 'puppet/modules/site_config/manifests/caching_resolver.pp')
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index e4374d8f..ab2f52d1 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
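Review bot: `anchor => false` in the `class { 'unbound': ... }` declaration appears to leave the resolver without a DNSSEC trust anchor (assuming that parameter maps to the module's trust-anchor handling, as its name suggests), so answers handed to local clients, including the planned tor lookups, are not validated, and neither the manifest nor the commit message says whether that is deliberate. A one-line comment on that parameter would settle it, e.g. `# anchor => false: no DNSSEC trust anchor, so this resolver does not validate answers -- revisit if validation is wanted`; enabling it is the alternative. The loopback-only `interface` and `access-control` lists together with `hide-identity`/`hide-version` are the right defensive defaults for a local cache, so the rest of the server block reads fine.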
@@ -1,8 +1,14 @@
 class site_config::caching_resolver {
- # Setup a conf.d directory to place additional unbound configuration files
- # there must be at least one file in the directory, or unbound will not
- # start, so create an empty placeholder to ensure this
+ # Setup a conf.d directory to place additional unbound configuration files.
+ # There must be at least one file in the directory, or unbound will not start,
+ # so create an empty placeholder to ensure this.
+
+ # Note: the version of unbound we are working with does not accept a wildcard
+ # for an include directive, so we are not able to use this. When we can use
+ # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the
+ # configuration file
+
 file {
 '/etc/unbound/conf.d':
 ensure => directory,
@@ -27,8 +33,7 @@ class site_config::caching_resolver {
 hide-identity => 'yes',
 hide-version => 'yes',
 harden-glue => 'yes',
- access-control => [ '127.0.0.0/8 allow', '::1 allow' ],
- include => '/etc/unbound/conf.d/*'
+ access-control => [ '127.0.0.0/8 allow', '::1 allow' ]
 }
 }
 }
-- cgit v1.2.3
From cde779720059965b4caf968c132c315821dd9b66 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 23 Jan 2013 10:39:34 -0500
Subject: require that the unbound package is installed before attempting to make sub-directories under /etc/unbound (#1412)
---
 puppet/modules/site_config/manifests/caching_resolver.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'puppet/modules/site_config/manifests/caching_resolver.pp')
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index ab2f52d1..922c394f 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
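Review bot: The new comment names the future directive as `include: /etc/unbound.d/*`, but the directory this class manages (in the context lines right below, and in the file resources further down) is `/etc/unbound/conf.d`, so the line should read `# the newer unbound, then we will add 'include: /etc/unbound/conf.d/*' to the`. With the `include` line dropped in the second hunk, `/etc/unbound/conf.d` and its placeholder are still created but nothing reads them, so a snippet another class drops there (an interface or access-control rule for the vpn gateway, as the first commit's description plans) is silently ignored rather than applied; a comment stating that the directory is currently inert, and that such classes must set the relevant `settings` on the unbound class instead, would prevent that surprise. The placeholder rationale ("unbound will not start") only held while the wildcard include existed, so it could be marked as historical.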
@@ -12,7 +12,8 @@ class site_config::caching_resolver {
 file {
 '/etc/unbound/conf.d':
 ensure => directory,
- owner => root, group => root, mode => '0755';
+ owner => root, group => root, mode => '0755',
+ require => Package['unbound'];
 '/etc/unbound/conf.d/placeholder':
 ensure => present,
-- cgit v1.2.3
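Review bot: The new `require => Package['unbound']` is set only on the directory; the placeholder file below gets its ordering from Puppet's autorequire of a managed parent directory, which works but is worth stating, e.g. `# placeholder orders after the directory via autorequire, hence after Package['unbound']`. One thing to confirm: the `class { 'unbound': ... require => File['/etc/unbound/conf.d/placeholder'] }` declaration further down in this file, I believe, propagates that metaparameter to the resources the class contains, so if the module declares `Package['unbound']` directly inside that class, the chain package -> placeholder -> directory -> package would close a dependency cycle; if the package lives in a separately included sub-class there is no cycle, but a short comment recording which it is would save the next reader the check. The enclosing `file { ... }` block ends outside the hunk.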