Puppet Class: profile::dns::auth::config

Defined in:
modules/profile/manifests/dns/auth/config.pp

Overview

Parameters:

  • authdns_addrs (Hash[String, Hash[String, Any]]) (defaults to: lookup('authdns_addrs'))


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
# File 'modules/profile/manifests/dns/auth/config.pp', line 1

class profile::dns::auth::config(
    Hash[String, Hash[String, Any]] $authdns_addrs = lookup('authdns_addrs'),
) {
    include ::network::constants
    include ::profile::base::firewall

    # Create the loopback IPs used for public service (defined here since we
    # also create the matching listener config here)
    $authdns_addrs.each |$alabel,$adata| {
        unless $adata['skip_loopback'] {
            interface::ip { $alabel:
                address   => $adata['address'],
                interface => 'lo',
            }
        }
    }

    $service_listeners = $authdns_addrs.map |$aspec| { $aspec[1]['address'] }

    ferm::service { 'udp_dns_auth':
        proto   => 'udp',
        notrack => true,
        prio    => '05',
        port    => '53',
        drange  => "(${service_listeners.join(' ')})",
    }

    ferm::service { 'tcp_dns_auth':
        proto   => 'tcp',
        notrack => true,
        prio    => '05',
        port    => '53',
        drange  => "(${service_listeners.join(' ')})",
    }

    $monitor_listeners = [
        # Any-address, both protocols, port 5353, for blended-role monitoring
        '0.0.0.0:5353',
        '[::]:5353',
    ]

    file { '/etc/gdnsd':
        ensure => 'directory',
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
    }
    file { '/etc/gdnsd/config-options':
        ensure  => 'present',
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => template('profile/dns/auth/config-options.erb'),
        require => File['/etc/gdnsd'],
        notify  => Service['gdnsd'],
        before  => Exec['authdns-local-update'],
    }
    file { '/etc/gdnsd/zones':
        ensure => 'directory',
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
        before => Exec['authdns-local-update'],
    }

    require ::geoip::data::puppet
    file { '/etc/gdnsd/geoip':
        ensure => 'directory',
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
    }
    file { '/etc/gdnsd/geoip/GeoIP2-City.mmdb':
        ensure => 'link',
        target => '/usr/share/GeoIP/GeoIP2-City.mmdb',
        before => Exec['authdns-local-update'],
    }

    file { '/etc/gdnsd/secrets':
        ensure => 'directory',
        owner  => 'gdnsd',
        group  => 'gdnsd',
        mode   => '0500',
    }
    file { '/etc/gdnsd/secrets/dnscookies.key':
        ensure    => 'present',
        owner     => 'gdnsd',
        group     => 'gdnsd',
        mode      => '0400',
        content   => secret('dns/dnscookies.key'),
        show_diff => false,
        notify    => Service['gdnsd'],
        before    => Exec['authdns-local-update'],
    }
}