- updates for suse

- moved params from init into params.pp - add firewall support - increase the available params
voxpupuli · Sep 21, 2014 · df87e30 · df87e30
1 parent 055306d
commit df87e30
Show file tree

Hide file tree

Showing 9 changed files with 219 additions and 72 deletions.
diff --git a/Readme.md b/Readme.md
@@ -11,6 +11,7 @@ A puppet module for the Unbound caching resolver.
 * OpenBSD
 * OS X (macports)
 * RHEL clones (with EPEL)
+* openSUSE (local repo or obs://server:dns)
 
 ## Requirements
 The `concat` module must be installed. It can be obtained from Puppet Forge:

diff --git a/manifests/forward.pp b/manifests/forward.pp
@@ -12,7 +12,7 @@
   $config_file = $unbound::params::config_file
 
   concat::fragment { "unbound-forward-${name}":
-    order   => '05',
+    order   => '20',
     target  => $config_file,
     content => template('unbound/forward.erb'),
   }

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -3,58 +3,76 @@
 # Installs and configures Unbound, the caching DNS resolver from NLnet Labs
 #
 class unbound (
-  $verbosity              = 1,
-  $interface              = ['::0','0.0.0.0'],
-  $access                 = ['::1','127.0.0.1/8'],
-  $do_ip4                 = true,
-  $do_ip6                 = true,
-  $interface_automatic    = false,
-  $outgoing_interface     = undef,
-  $extended_statistics    = no,
-  $statistics_interval    = 0,
-  $statistics_cumulative  = false,
-  $control_enable         = false,
-  $num_threads            = 1,
-  $private_domain         = undef,
-  $prefetch               = false,
-  $prefetch_key           = false,
-  $infra_host_ttl         = undef,
-  $edns_buffer_size       = undef,
-  $port                   = 53,
-  $confdir                = $unbound::params::confdir,
-  $config_file            = $unbound::params::config_file,
-  $logdir                 = $unbound::params::logdir,
-  $service_name           = $unbound::params::service_name,
-  $package_name           = $unbound::params::package_name,
-  $package_provider       = $unbound::params::package_provider,
-  $anchor_file            = $unbound::params::anchor_file,
-  $hints_file             = $unbound::params::hints_file,
-  $owner                  = $unbound::params::owner,
-  $fetch_client           = $unbound::params::fetch_client,
-  $root_hints_url         = 'http://www.internic.net/domain/named.root',
-  $msg_cache_slabs        = undef,
-  $rrset_cache_slabs      = undef,
-  $infra_cache_slabs      = undef,
-  $key_cache_slabs        = undef,
-  $rrset_cache_size       = undef,
-  $msg_cache_size         = undef,
-  $key_cache_size         = undef,
-  $num_queries_per_thread = undef,
-  $outgoing_range         = undef,
-  $so_rcvbuf              = undef,
-  $tcp_upstream           = false,
-  $hide_identity          = true,
-  $hide_version           = true,
+  $access                       = $unbound::params::access,
+  $anchor_file                  = $unbound::params::anchor_file,
+  $chroot                       = $unbound::params::chroot,
+  $conf_d                       = $unbound::params::conf_d,
+  $confdir                      = $unbound::params::confdir,
+  $config_file                  = $unbound::params::config_file,
+  $control_enable               = $unbound::params::control_enable,
+  $directory                    = $unbound::params::directory,
+  $dlv_anchor_file              = $unbound::params::dlv_anchor_file,
+  $do_ip4                       = $unbound::params::do_ip4,
+  $do_ip6                       = $unbound::params::do_ip6,
+  $edns_buffer_size             = $unbound::params::edns_buffer_size,
+  $extended_statistics          = $unbound::params::extended_statistics,
+  $fetch_client                 = $unbound::params::fetch_client,
+  $group                        = $unbound::params::group,
+  $harden_below_nxdomain        = $unbound::params::harden_below_nxdomain,
+  $harden_dnssec_stripped       = $unbound::params::harden_dnssec_stripped,
+  $harden_glue                  = $unbound::params::harden_glue,
+  $harden_referral_path         = $unbound::params::harden_referral_path,
+  $hints_file                   = $unbound::params::hints_file,
+  $infra_cache_slabs            = $unbound::params::infra_cache_slabs,
+  $infra_host_ttl               = $unbound::params::infra_host_ttl,
+  $interface                    = $unbound::params::interface,
+  $interface_automatic          = $unbound::params::interface_automatic,
+  $key_cache_size               = $unbound::params::key_cache_size,
+  $key_cache_slabs              = $unbound::params::key_cache_slabs,
+  $keys_d                       = $unbound::params::keys_d,
+  $log_time_ascii               = $unbound::params::log_time_ascii,
+  $logdir                       = $unbound::params::logdir,
+  $module_config                = $unbound::params::module_config,
+  $msg_cache_size               = $unbound::params::msg_cache_size,
+  $msg_cache_slabs              = $unbound::params::msg_cache_slabs,
+  $num_queries_per_thread       = $unbound::params::num_queries_per_thread,
+  $num_threads                  = $unbound::params::num_threads,
+  $outgoing_interface           = $unbound::params::outgoing_interface,
+  $outgoing_port_avoid          = $unbound::params::outgoing_port_avoid,
+  $outgoing_port_permit         = $unbound::params::outgoing_port_permit,
+  $outgoing_range               = $unbound::params::outgoing_range,
+  $owner                        = $unbound::params::owner,
+  $package_name                 = $unbound::params::package_name,
+  $package_provider             = $unbound::params::package_provider,
+  $port                         = $unbound::params::port,
+  $prefetch                     = $unbound::params::prefetch,
+  $prefetch_key                 = $unbound::params::prefetch_key,
+  $private_domain               = $unbound::params::private_domain,
+  $root_hints_url               = $unbound::params::root_hints_url,
+  $rrset_cache_size             = $unbound::params::rrset_cache_size,
+  $rrset_cache_slabs            = $unbound::params::rrset_cache_slabs,
+  $service_name                 = $unbound::params::service_name,
+  $so_rcvbuf                    = $unbound::params::so_rcvbuf,
+  $statistics_cumulative        = $unbound::params::statistics_cumulative,
+  $statistics_interval          = $unbound::params::statistics_interval,
+  $tcp_upstream                 = $unbound::params::tcp_upstream,
+  $trusted_keys_file            = $unbound::params::trusted_keys_file,
+  $unwanted_reply_threshold     = $unbound::params::unwanted_reply_threshold,
+  $use_caps_for_id              = $unbound::params::use_caps_for_id,
+  $val_clean_additional         = $unbound::params::val_clean_additional,
+  $val_log_level                = $unbound::params::val_log_level,
+  $val_permissive_mode          = $unbound::params::val_permissive_mode,
+  $verbosity                    = $unbound::params::verbosity,
 ) inherits unbound::params {
 
   if $package_name {
     package { $package_name:
       ensure   => installed,
       provider => $package_provider,
     }
-    Package["$package_name"] -> Service["$service_name"]
-    Package["$package_name"] -> Concat["$config_file"]
-    Package["$package_name"] -> File["${confdir}/${anchor_file}"]
+    Package[$package_name] -> Service[$service_name]
+    Package[$package_name] -> Concat[$config_file]
+    Package[$package_name] -> File[$anchor_file]
   }
 
   service { $service_name:
@@ -65,13 +83,22 @@
   }
 
   exec { 'download-roothints':
-    command => "${fetch_client} ${confdir}/${hints_file} ${root_hints_url}",
-    creates => "${confdir}/${hints_file}",
+    command => "${fetch_client} ${hints_file} ${root_hints_url}",
+    creates => $hints_file,
     path    => ['/usr/bin','/usr/local/bin'],
     before  => [ Concat::Fragment['unbound-header'] ],
   }
 
-  file { "${confdir}/${hints_file}":
+  file { [
+    $confdir,
+    $conf_d,
+    $keys_d
+    ]:
+    ensure  => directory,
+    require => Package[$package_name],
+  }
+
+  file { $hints_file:
     mode => '0444',
   }
 
@@ -86,11 +113,10 @@
   }
 
   # Initialize the root key file if it doesn't already exist.
-  file { "${confdir}/${anchor_file}":
+  file { $anchor_file:
     owner   => $owner,
     group   => 0,
     content => '. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5',
     replace => false,
   }
-
 }
diff --git a/manifests/local_zone.pp b/manifests/local_zone.pp
@@ -24,7 +24,7 @@
   $config_file = $unbound::params::config_file
 
   concat::fragment { "unbound-localzone-${name}":
-    order   => '00',
+    order   => '06',
     target  => $config_file,
     content => template('unbound/local_zone.erb'),
   }

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -10,7 +10,7 @@
       $logdir       = '/var/log'
       $service_name = 'unbound'
       $package_name = 'unbound'
-      $anchor_file  = 'root.key'
+      $anchor_file  = "${confdir}/root.anchor"
       $owner        = 'unbound'
       $fetch_client = 'wget -O'
     }
@@ -19,7 +19,7 @@
       $logdir       = '/var/log'
       $service_name = 'unbound'
       $package_name = 'unbound'
-      $anchor_file  = 'root.anchor'
+      $anchor_file  = "${confdir}/root.anchor"
       $owner        = 'unbound'
       $fetch_client = 'wget -O'
       }
@@ -29,7 +29,7 @@
       $service_name     = 'org.macports.unbound'
       $package_name     = 'unbound'
       $package_provider = 'macports'
-      $anchor_file      = 'root.key'
+      $anchor_file  = "${confdir}/root.anchor"
       $owner            = 'unbound'
       $fetch_client     = 'curl -o'
     }
@@ -38,7 +38,7 @@
       $logdir       = '/var/log/unbound'
       $service_name = 'unbound'
       $package_name = 'dns/unbound'
-      $anchor_file  = 'root.key'
+      $anchor_file  = "${confdir}/root.anchor"
       $owner        = 'unbound'
       $fetch_client = 'fetch -o'
     }
@@ -51,21 +51,80 @@
       } else {
         $package_name = undef
       }
-      $anchor_file  = 'root.key'
+      $anchor_file  = "${confdir}/root.anchor"
       $owner        = '_unbound'
       $fetch_client = 'ftp -o'
     }
+    'sles', 'opensuse', 'suse': {
+      $confdir        = '/etc/unbound'
+      $logdir         = '/var/log'
+      $service_name   = 'unbound'
+      $package_name   = 'unbound'
+      $anchor_file    = "/var/lib/unbound/root.key"
+      $owner          = 'unbound'
+      $group          = 'unbound'
+      $pidfile        = '/var/run/unbound/unbound.pid'
+    }
     default: {
       $confdir      = '/etc/unbound'
       $logdir       = '/var/log'
       $service_name = 'unbound'
       $package_name = 'unbound'
-      $anchor_file  = 'root.key'
+      $anchor_file  = "${confdir}/root.anchor"
       $owner        = 'unbound'
       $fetch_client = 'wget -O'
     }
   }
 
-  $config_file = "${confdir}/unbound.conf"
-  $hints_file  = 'root.hints'
+  $access                     = ['::1','127.0.0.1/8']
+  $chroot                     = undef
+  $conf_d                     = "${confdir}/conf.d"
+  $config_file                = "${confdir}/unbound.conf"
+  $control_enable             = false
+  $directory                  = "${confdir}"
+  $dlv_anchor_file            = undef
+  $do_ip4                     = true
+  $do_ip6                     = true
+  $edns_buffer_size           = 1280
+  $extended_statistics        = no
+  $harden_below_nxdomain      = true
+  $harden_dnssec_stripped     = true
+  $harden_glue                = true
+  $harden_referral_path       = true
+  $hints_file                 = "${confdir}/root.hints"
+  $infra_cache_slabs          = undef
+  $infra_host_ttl             = undef
+  $interface                  = ['::0','0.0.0.0']
+  $interface_automatic        = false
+  $key_cache_size             = undef
+  $key_cache_slabs            = undef
+  $keys_d                     = "${confdir}/keys.d"
+  $log_time_ascii             = true
+  $module_config              = undef
+  $msg_cache_size             = undef
+  $msg_cache_slabs            = undef
+  $num_queries_per_thread     = undef
+  $num_threads                = 1
+  $outgoing_interface         = undef
+  $outgoing_port_avoid        = "0-32767"
+  $outgoing_port_permit       = "32768-65535"
+  $outgoing_range             = undef
+  $port                       = 53
+  $prefetch                   = false
+  $prefetch_key               = false
+  $private_domain             = undef
+  $root_hints_url             = 'http://www.internic.net/domain/named.root'
+  $rrset_cache_size           = undef
+  $rrset_cache_slabs          = undef
+  $so_rcvbuf                  = undef
+  $statistics_cumulative      = false
+  $statistics_interval        = 0
+  $tcp_upstream               = false
+  $trusted_keys_file          = "${keys_d}/*.key"
+  $unwanted_reply_threshold   = 10000000
+  $use_caps_for_id            = false
+  $val_clean_additional       = true
+  $val_log_level              = 1
+  $val_permissive_mode        = false
+  $verbosity                  = 1
 }
diff --git a/manifests/record.pp b/manifests/record.pp
@@ -23,7 +23,7 @@
   }
 
   concat::fragment { "unbound-stub-${title}-local-record":
-    order   => '02',
+    order   => '07',
     target  => $config_file,
     content => $config,
   }

diff --git a/templates/forward.erb b/templates/forward.erb
@@ -1,7 +1,9 @@
 forward-zone:
   name: "<%= @zone %>"
 <% if @address.is_a? Array -%>
-<% @address.each do |addr| -%><%= "  forward-addr: #{addr}\n" %><% end -%>
+<% @address.each do |addr| -%>
+  forward-addr: <%= addr %>
+<% end -%>
 <% elsif @address != '' -%>
-<%= "  forward-addr:  #{@address}\n" -%>
+  forward-addr: <%= @address}" -%>
 <% end -%>
diff --git a/templates/stub.erb b/templates/stub.erb
@@ -1,7 +1,9 @@
 stub-zone:
   name: "<%= @name %>"
 <% if @address.is_a? Array -%>
-<% @address.each do |addr| -%><%= "  stub-addr: #{addr}\n" %><% end -%>
+<% @address.each do |addr| -%>
+  stub-addr: <%= addr %>
+<% end -%>
 <% elsif @address != '' -%>
-<%= "  stub-addr:  #{@address}\n" -%>
+  stub-addr: <%= @address -%>
 <% end -%>