From 6375cda36fc21687c59095e4750189b65a2c3b52 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 16 Jan 2013 14:53:09 -0500
Subject: update unbound submodule to fix infinite service restart problem
---
 puppet/modules/site_openvpn/manifests/resolver.pp | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 puppet/modules/site_openvpn/manifests/resolver.pp
(limited to 'puppet/modules/site_openvpn/manifests/resolver.pp')
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
new file mode 100644
index 00000000..0f0510c1
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -0,0 +1,8 @@
+class site_openvpn::resolver {
+
+ file { '/etc/unbound/conf.d/vpn_resolver':
+ content => "interface: $openvpn_gateway_address\n",
+ owner => root, group => root, mode => '0644',
+ require => Exec['/usr/local/bin/leap_add_second_ip.sh'];
+ }
+}
-- 
cgit v1.2.3
From 4c649b08e215b229c280d0f15730418033b13fb9 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 16 Jan 2013 14:54:49 -0500
Subject: setup openvpn gateway resolver to listen on the udp/tcp virtual network ips so that queries can be made from clients on the vpn
---
 puppet/modules/site_openvpn/manifests/resolver.pp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'puppet/modules/site_openvpn/manifests/resolver.pp')
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index 0f0510c1..eaa765fe 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -1,8 +1,14 @@
 class site_openvpn::resolver {
- file { '/etc/unbound/conf.d/vpn_resolver':
- content => "interface: $openvpn_gateway_address\n",
- owner => root, group => root, mode => '0644',
- require => Exec['/usr/local/bin/leap_add_second_ip.sh'];
+ file {
+ '/etc/unbound/conf.d/vpn_udp_resolver':
+ content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask}\n",
+ owner => root, group => root, mode => '0644',
+ require => Service['openvpn'];
+
+ '/etc/unbound/conf.d/vpn_tcp_resolver':
+ content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask}\n",
+ owner => root, group => root, mode => '0644',
+ require => Service['openvpn'];
 }
 }
-- 
cgit v1.2.3
From 03d2b1aec2a9ccd61f4804277c80541698f1dab8 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 17 Jan 2013 13:56:47 -0500
Subject: fix unbound access control
---
 puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_openvpn/manifests/resolver.pp')
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index eaa765fe..57a2d147 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
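Review bot: The `interface:` directives in the two new `content` strings bind unbound to a tunnel-side address, and unbound only falls back to its localhost listener when no `interface:` is configured at all, so once these files are included that default disappears; if the gateway's base unbound.conf relies on the default rather than declaring `interface: 127.0.0.1` itself, local resolution on the gateway breaks (verify against the caching_resolver configuration, which is outside this file). `require => Service['openvpn']` only orders the Puppet run, not boot: if unbound starts before the tun device carries `${openvpn_udp_network_prefix}.1`, the bind fails and unbound exits, which would present as the restart loop the first commit subject refers to. A comment above the `file {` block should record both assumptions, e.g. `# binds the tunnel-side gateway address: the tun devices must be up before unbound starts, and the base config must keep its own 127.0.0.1 listener`. Newer unbound releases have `ip-transparent: yes` to tolerate binding an address that does not exist yet, but confirm the version shipped with wheezy supports it before relying on it. These directive lines carry through every later hunk in this series.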
@@ -2,12 +2,12 @@ class site_openvpn::resolver {
 file {
 '/etc/unbound/conf.d/vpn_udp_resolver':
- content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask}\n",
+ content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n",
 owner => root, group => root, mode => '0644',
 require => Service['openvpn'];
 '/etc/unbound/conf.d/vpn_tcp_resolver':
- content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask}\n",
+ content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask} allow\n",
 owner => root, group => root, mode => '0644',
 require => Service['openvpn'];
 }
-- 
cgit v1.2.3
From ad3da4a59aebb6b7facc2e6616d8b81039b29892 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 17 Jan 2013 14:17:18 -0500
Subject: unfortunately the version of unbound that is in wheezy does not support wildcard include directives, so this commit works around this by doing something less elegant than before. When we have the newer unbound available, we should switch to that method instead.
---
 puppet/modules/site_openvpn/manifests/resolver.pp | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
(limited to 'puppet/modules/site_openvpn/manifests/resolver.pp')
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index 57a2d147..c8ef729c 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -1,5 +1,25 @@
 class site_openvpn::resolver {
+ # this is an unfortunate way to get around the fact that the version of
+ # unbound we are working with does not accept a wildcard include directive
+ # (/etc/unbound/conf.d/*), when it does, these line definitions should
+ # go away and instead the caching_resolver should be configured to
+ # include: /etc/unbound/conf.d/*
+
+ line {
+ 'add_tcp_resolver':
+ ensure => present,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver',
+ notify => Service['unbound'];
+
+ 'add_udp_resolver':
+ ensure => present,
+ file => '/etc/unbound/unbound.conf',
+ line => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver',
+ notify => Service['unbound'];
+ }
+
 file {
 '/etc/unbound/conf.d/vpn_udp_resolver':
 content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n",
-- 
cgit v1.2.3
From 7444310ba919a871cbe646501c784af3f81f3d47 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 17 Jan 2013 14:21:15 -0500
Subject: fully qualify the variables that are used in the vpn gateway resolver
---
 puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_openvpn/manifests/resolver.pp')
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index c8ef729c..c695b49a 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
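Review bot: Nothing orders the two new `line` resources after the `file` resources that create the included files: in this hunk the files do not notify Service['unbound'] and the lines do not require them, so the refresh triggered by a newly added `include:` line can restart unbound before `/etc/unbound/conf.d/vpn_tcp_resolver` or `vpn_udp_resolver` exists, and unbound treats a missing include file as a fatal configuration error (the actual order depends on the catalog, so this would be intermittent rather than guaranteed). Adding `require => File['/etc/unbound/conf.d/vpn_tcp_resolver']` to `add_tcp_resolver` and the udp equivalent to `add_udp_resolver` makes the order explicit regardless of which resources notify the service. Separately, `ensure => present` with an exact-match line is one-way: if unbound.conf is later rendered from a template by another module, these lines are silently dropped on the next run and nothing here reports it, which the existing comment could state in one sentence. The `file {` block shown at the end of the hunk continues beyond it.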
@@ -22,12 +22,12 @@ class site_openvpn::resolver {
 file {
 '/etc/unbound/conf.d/vpn_udp_resolver':
- content => "interface: ${openvpn_udp_network_prefix}.1\naccess-control: ${openvpn_udp_network_prefix}.0/${openvpn_udp_netmask} allow\n",
+ content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_netmask} allow\n",
 owner => root, group => root, mode => '0644',
 require => Service['openvpn'];
 '/etc/unbound/conf.d/vpn_tcp_resolver':
- content => "interface: ${openvpn_tcp_network_prefix}.1\naccess-control: ${openvpn_tcp_network_prefix}.0/${openvpn_tcp_netmask} allow\n",
+ content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_netmask} allow\n",
 owner => root, group => root, mode => '0644',
 require => Service['openvpn'];
 }
-- 
cgit v1.2.3
From 9d66c6712028c95212dba7a8d5a870efc70ce204 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 17 Jan 2013 14:33:22 -0500
Subject: change to using the CIDR notation for unbound access list
---
 puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_openvpn/manifests/resolver.pp')
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index c695b49a..d77fd8b0 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -22,12 +22,12 @@ class site_openvpn::resolver {
 file {
 '/etc/unbound/conf.d/vpn_udp_resolver':
- content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_netmask} allow\n",
+ content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cdr} allow\n",
 owner => root, group => root, mode => '0644',
 require => Service['openvpn'];
 '/etc/unbound/conf.d/vpn_tcp_resolver':
- content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_netmask} allow\n",
+ content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cdr} allow\n",
 owner => root, group => root, mode => '0644',
 require => Service['openvpn'];
 }
-- 
cgit v1.2.3
From 1c348dee62a30e33f7e00b9584629c89dcac016a Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 17 Jan 2013 14:35:14 -0500
Subject: fix typo in cidr variable name
---
 puppet/modules/site_openvpn/manifests/resolver.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'puppet/modules/site_openvpn/manifests/resolver.pp')
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index d77fd8b0..590af8ac 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -22,12 +22,12 @@ class site_openvpn::resolver {
 file {
 '/etc/unbound/conf.d/vpn_udp_resolver':
- content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cdr} allow\n",
+ content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n",
 owner => root, group => root, mode => '0644',
 require => Service['openvpn'];
 '/etc/unbound/conf.d/vpn_tcp_resolver':
- content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cdr} allow\n",
+ content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n",
 owner => root, group => root, mode => '0644',
 require => Service['openvpn'];
 }
-- 
cgit v1.2.3
From fdcc33d4491470d88e1ab7e9869a3236d1e2c5fe Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 17 Jan 2013 14:38:11 -0500
Subject: notify unbound when these configuration files change
---
 puppet/modules/site_openvpn/manifests/resolver.pp | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'puppet/modules/site_openvpn/manifests/resolver.pp')
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index 590af8ac..d3963c95 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -23,12 +23,14 @@ class site_openvpn::resolver {
 file {
 '/etc/unbound/conf.d/vpn_udp_resolver':
 content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n",
- owner => root, group => root, mode => '0644',
- require => Service['openvpn'];
+ owner => root, group => root, mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
 '/etc/unbound/conf.d/vpn_tcp_resolver':
 content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n",
- owner => root, group => root, mode => '0644',
- require => Service['openvpn'];
+ owner => root, group => root, mode => '0644',
+ require => Service['openvpn'],
+ notify => Service['unbound'];
 }
 }
-- 
cgit v1.2.3
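Review bot: Style: each `content` value packs two unbound directives into one double-quoted line with embedded `\n`, so the interface/access-control pairing and the three interpolations per line are hard to review for the kind of variable-name slip the previous two commits had to fix; Puppet double-quoted strings may span lines, so writing one directive per line (or moving the two lines into a small template) produces the same bytes in a reviewable form. A one-line comment above the `file {` block naming the exposure would also help, e.g. `# unbound listeners for VPN clients: bind the tunnel-side gateway address of each subnet and allow queries only from that subnet`. With the added `notify => Service['unbound']`, every content change runs whatever restart Service['unbound'] defines; unless that resource (outside this file) uses a reload command, connected clients see a short resolver outage and a cold cache on each change, which is acceptable but worth knowing when the ranges are edited. The enclosing class starts before this hunk.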