Puppet Class: profile::dns::auth::dotls

Defined in:
modules/profile/manifests/dns/auth/dotls.pp

Overview

Parameters:

  • authdns_addrs (Hash[String, Hash[String, Any]]) (defaults to: lookup('authdns_addrs'))
  • cert_name (String) (defaults to: lookup('profile::dns::auth::dotls', {default_value => 'dotls-for-authdns'}))


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
# File 'modules/profile/manifests/dns/auth/dotls.pp', line 1

class profile::dns::auth::dotls(
    Hash[String, Hash[String, Any]] $authdns_addrs = lookup('authdns_addrs'),
    String $cert_name = lookup('profile::dns::auth::dotls', {default_value => 'dotls-for-authdns'}),
) {
    include ::profile::prometheus::haproxy_exporter

    # HAProxy needs the full chained cert *and* the private key in a single
    # file, which we're calling the "kchained" variant here:
    $chained_path = "/etc/acmecerts/${cert_name}/live/ec-prime256v1.chained.crt"
    $key_path = "/etc/acmecerts/${cert_name}/live/ec-prime256v1.key"
    $kchained_path = "/etc/acmecerts/${cert_name}/live/ec-prime256v1.kchained.crt"

    # Haproxy also wants the OCSP file to be the full path of the cert (kchained above) + ".ocsp"
    $ocsp_path = "/etc/acmecerts/${cert_name}/live/ec-prime256v1.ocsp"
    $ocsp_full_path = "${kchained_path}.ocsp"

    acme_chief::cert { $cert_name:
        puppet_rsc => Exec['make-haproxy-crt'],
    }

    exec { 'make-haproxy-crt':
        command     => "/bin/cat ${key_path} ${chained_path} >${kchained_path}; /bin/cp ${ocsp_path} ${ocsp_full_path}",
        umask       => '027',
        refreshonly => true,
        notify      => Service['haproxy'],
    }

    file { '/etc/haproxy/haproxy.cfg':
        ensure  => present,
        mode    => '0444',
        owner   => 'root',
        group   => 'root',
        content => template('profile/dns/auth/haproxy.cfg.erb'),
        notify  => Service['haproxy'],
        require => Package['haproxy'],
    }

    package { 'haproxy':
        ensure => present,
    }

    service { 'haproxy':
        ensure  => 'running',
        restart => 'systemctl reload haproxy.service',
        require => Service['gdnsd'],
    }

    # This is the systemd-level glue to ensure haproxy cannot be
    # running unless gdnsd is already running

    $sysd_dir = '/etc/systemd/system/haproxy.service.d'
    $sysd_glue = "${sysd_dir}/dot-needs-auth.conf"
    file { $sysd_dir:
        ensure => directory,
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
    }
    file { $sysd_glue:
        ensure => present,
        mode   => '0444',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/profile/dns/auth/dot-needs-auth.conf',
    }
    exec { 'systemd reload for dot-needs-auth glue':
        refreshonly => true,
        command     => '/bin/systemctl daemon-reload',
        subscribe   => File[$sysd_glue],
        before      => Service['haproxy'],
        require     => Service['gdnsd'],
    }

    $service_listeners = $authdns_addrs.map |$aspec| { $aspec[1]['address'] }
    ferm::service { 'tcp_dotls_auth':
        proto   => 'tcp',
        notrack => true,
        prio    => '06',
        port    => '853',
        drange  => "(${service_listeners.join(' ')})",
    }

    # Provides "kdig" command used by check_dotls below
    package { 'knot-dnsutils':
        ensure => present,
    }

    file { '/usr/local/lib/nagios/plugins/check_dotls':
        ensure => present,
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
        source => 'puppet:///modules/profile/dns/auth/check_dotls',
    }

    nrpe::monitor_service { 'check_dotls':
        description  => 'AuthDNS-over-TLS Works',
        nrpe_command => '/usr/local/lib/nagios/plugins/check_dotls',
        require      => File['/usr/local/lib/nagios/plugins/check_dotls'],
        notes_url    => 'https://wikitech.wikimedia.org/wiki/DNS',
    }
}