Puppet Class: profile::wikidough

Defined in:
modules/profile/manifests/wikidough.pp

Overview

Parameters:

  • wikidough_domain (Stdlib::Fqdn) (defaults to: lookup('profile::wikidough::service_domain'))
  • wikidough_ipv4 (Stdlib::IP::Address::V4) (defaults to: lookup('profile::wikidough::service_ipv4'))
  • resolver (Dnsdist::Resolver) (defaults to: lookup('profile::wikidough::dnsdist::resolver'))
  • tls_common (Dnsdist::TLS_common) (defaults to: lookup('profile::wikidough::dnsdist::tls::common'))
  • tls_config_doh (Dnsdist::TLS_config) (defaults to: lookup('profile::wikidough::dnsdist::tls::doh'))
  • tls_config_dot (Dnsdist::TLS_config) (defaults to: lookup('profile::wikidough::dnsdist::tls::dot'))
  • webserver_config (Dnsdist::Webserver_config) (defaults to: lookup('profile::wikidough::dnsdist::webserver', {'merge' => hash}))
  • custom_headers (Dnsdist::Http_headers) (defaults to: lookup('profile::wikidough::dnsdist::custom_headers'))


# File 'modules/profile/manifests/wikidough.pp', line 1

# @summary Wikidough: a public DNS-over-HTTPS (443) / DNS-over-TLS (853)
#   front end built from dnsdist in front of a local PowerDNS recursor.
#
# Everything below is declared from parameters resolved via lookup(); the
# class itself carries no host-specific values apart from the facts used in
# the monitoring checks.
#
# @param wikidough_domain  Public FQDN of the service; only used here as the
#   hostname handed to the DoH monitoring check.
# @param wikidough_ipv4    Service IPv4 address. Not referenced in this body
#   (presumably consumed by Hiera/other profiles — confirm before removing).
# @param resolver          Passed through to dnsdist; its 'host' entry is also
#   the listen address of the dnsrecursor declared below.
# @param tls_common        Shared TLS settings passed to dnsdist.
# @param tls_config_doh    TLS settings for the DoH listener.
# @param tls_config_dot    TLS settings for the DoT listener.
# @param webserver_config  dnsdist webserver settings; 'port' is also used for
#   the firewall rule. Looked up with a hash merge so layers combine.
# @param custom_headers    Extra HTTP headers dnsdist sends on DoH responses.
class profile::wikidough (
    Stdlib::Fqdn              $wikidough_domain = lookup('profile::wikidough::service_domain'),
    Stdlib::IP::Address::V4   $wikidough_ipv4   = lookup('profile::wikidough::service_ipv4'),
    Dnsdist::Resolver         $resolver         = lookup('profile::wikidough::dnsdist::resolver'),
    Dnsdist::TLS_common       $tls_common       = lookup('profile::wikidough::dnsdist::tls::common'),
    Dnsdist::TLS_config       $tls_config_doh   = lookup('profile::wikidough::dnsdist::tls::doh'),
    Dnsdist::TLS_config       $tls_config_dot   = lookup('profile::wikidough::dnsdist::tls::dot'),
    Dnsdist::Webserver_config $webserver_config = lookup('profile::wikidough::dnsdist::webserver', {'merge' => hash}),
    Dnsdist::Http_headers     $custom_headers   = lookup('profile::wikidough::dnsdist::custom_headers'),
) {

    include network::constants
    # Provides $passwords::wikidough::dnsdist::console_key, used for the
    # dnsdist console below.
    include passwords::wikidough::dnsdist


    # Login banner warning operators about root command use; pairs with the
    # auditd root-command rule at the bottom of this class.
    motd::script { 'root-commands-warning':
        ensure   => 'present',
        priority => 1,
        content  => template('profile/wikidough/motd.erb'),
    }

    # Public listeners: no srange is given, so these rules are presumably open
    # to any source (confirm ferm::service's default). notrack skips conntrack
    # for the high-volume resolver traffic.
    ferm::service { 'wikidough-doh':
        proto   => 'tcp',
        notrack => true,
        port    => 443,
    }

    ferm::service { 'wikidough-dot':
        proto   => 'tcp',
        notrack => true,
        port    => 853,
    }

    # The dnsdist webserver (console/metrics) is reachable only from
    # production networks, unlike the two public listeners above.
    ferm::service { 'wikidough-dnsdist-webserver':
        proto  => 'tcp',
        port   => $webserver_config['port'],
        srange => '$PRODUCTION_NETWORKS',
    }

    # Backend recursor. It listens on the resolver host from $resolver and
    # only answers loopback clients, so dnsdist is the sole entry point;
    # DNSSEC validation is enforced and EDNS padding is applied only to
    # queries that were themselves padded, from loopback.
    class { 'dnsrecursor':
        listen_addresses         => [$resolver['host']],
        allow_from               => ['127.0.0.0/8'],
        max_tcp_per_client       => 0,
        client_tcp_timeout       => 5,
        dnssec                   => 'validate',
        allow_forward_zones      => false,
        allow_incoming_ecs       => true,
        allow_qname_minimisation => true,
        allow_dot_to_auth        => true,
        install_from_component   => true,
        allow_edns_padding       => true,
        edns_padding_from        => '127.0.0.0/8',
        edns_padding_mode        => 'padded-queries-only',
    }

    # TLS certificate for the public listeners; the private key is made
    # readable to the _dnsdist group and dnsdist is the service to reload.
    acme_chief::cert { 'wikidough':
        puppet_svc => 'dnsdist',
        key_group  => '_dnsdist',
    }

    # Public front end. Ordered after the recursor so the backend exists
    # before dnsdist is configured to forward to it.
    class { 'dnsdist':
        resolver         => $resolver,
        tls_common       => $tls_common,
        tls_config_doh   => $tls_config_doh,
        tls_config_dot   => $tls_config_dot,
        enable_console   => true,
        console_key      => $passwords::wikidough::dnsdist::console_key,
        enable_webserver => true,
        webserver        => $webserver_config,
        enable_landing   => true,
        landing_text     => file('profile/wikidough/index.html'),
        custom_headers   => $custom_headers,
        require          => Class['dnsrecursor'],
    }

    # NOTE(review): both checks use the legacy flat 'ipaddress' fact; newer
    # Facter versions deprecate it in favour of the structured networking
    # fact — confirm which Facter this runs on before it disappears.
    monitoring::service { 'check_wikidough_doh':
        description   => 'Wikidough DoH Check',
        check_command => "check_https_url_custom_ip!${wikidough_domain}!${facts['ipaddress']}!/",
        notes_url     => 'https://wikitech.wikimedia.org/wiki/Wikidough',
    }

    monitoring::service { 'check_wikidough_dot':
        description   => 'Wikidough DoT Check',
        check_command => "check_tcp_ssl!${facts['ipaddress']}!853",
        notes_url     => 'https://wikitech.wikimedia.org/wiki/Wikidough',
    }

    # Audit root commands and ship them via syslog rather than keeping an
    # audit log on the host itself.
    class { 'auditd':
        log_to_disk    => false,
        rule_root_cmds => true,
        send_to_syslog => true,
    }

}