Merge pull request #12 from cr9427/master
proposal for improvement to have a better split between data and code
smoeding authored Dec 28, 2024
2 parents 3f5b80a + 8bec9ab commit 4ec2031
Showing 2 changed files with 285 additions and 0 deletions.
92 changes: 92 additions & 0 deletions README.md
Expand Up @@ -42,6 +42,14 @@ class { 'bind':
allow_recursion => [ 'localhost', ],
}
```
Or with hiera
```puppet
bind::listen_on: 127.0.0.1
bind::listen_on_v6: none
bind::allow_query: localhost
bind::allow_query_cache: localhost
bind::allow_recursion: localhost
```

## Usage

Expand All @@ -60,6 +68,22 @@ bind::acl { 'lan':
address_match_list => [ '192.168.10.0/24' ],
}
```
Or with hiera
```puppet
bind::allow_query:
- localhost
- lan
bind::allow_query_cache:
- localhost
- lan
bind::allow_recursion:
- localhost
- lan
bind::acls:
lan:
address_match_list: 192.168.10.0/24
```

### Caching name server with forwarders

Expand All @@ -73,6 +97,21 @@ class { 'bind':
forwarders => [ '10.0.0.53', '10.1.1.53', ],
}
```
Or with hiera
```puppet
bind::allow_query:
- localhost
- 10/8
bind::allow_query_cache:
- localhost
- 10/8
bind::allow_recursion:
- localhost
- 10/8
bind::forwarders:
- 10.0.0.53
- 10.1.1.53
```

### Manage a primary zone

Expand All @@ -83,6 +122,12 @@ bind::zone::primary { 'example.com':
source => 'puppet:///modules/profile/dns/example.com.zone',
}
```
Or with hiera
```puppet
bind::zone::primaries:
example.com:
source: 'puppet:///modules/profile/dns/example.com.zone'
```

The zone file will be managed on the server as `/var/lib/bind/primary/com/example/db.example.com`. This tree structure is better than a flat directory structure if many zones will be managed by the server.

Expand All @@ -101,6 +146,18 @@ bind::zone::primary { 'example.com':
content => epp("profile/dynamic-zone-template.epp", $params),
}
```
Or with hiera
```puppet
bind::keys:
nsupdate:
secret: TopSecret
keyfile: /etc/bind/nsupdate.key
bind::zone::primaries:
example.com:
update_policy: grant nsupdate zonesub any
content: 'epp("profile/dynamic-zone-template.epp", $params)'
```

If the zone file `/var/lib/bind/primary/com/example/db.example.com` does not exist on the name server, a new file will be created using the specified template. After that the file content can not be managed by Puppet as `named` will periodically need to update the zone file when processing dynamic updates. The `source` or `content` parameters are ignored in this case.

Expand All @@ -122,6 +179,20 @@ bind::zone::primary { 'example.net':
source => 'puppet:///modules/profile/dns/example.net.zone',
}
```
Or with hiera
```puppet
bind::dnssec_policies:
standard:
csk_lifetime: unlimited
csk_algorithm: ecdsap256sha256
bind::zone::primaries:
example.net:
dnssec_policy: standard
inline_signing: true
source: 'puppet:///modules/profile/dns/example.net.zone'
}
```

DNSSEC policies are available with Bind 9.16 and later.

Expand All @@ -138,6 +209,16 @@ bind::view { 'internal':
order => '10',
}
```
Or with hiera
```puppet
bind::views:
internal:
match_clients: localnets
allow_query: localnets
allow_recursion: localnets
recursion: true
order: 10
```

The view `external` is for all other hosts and should only be used for your primary or secondary zones.

Expand All @@ -151,6 +232,17 @@ bind::view { 'external':
order => '20',
}
```
Or with hiera
```puppet
bind::views:
external:
match_clients: any
allow_query: any
recursion: false
localhost_forward_enable: false
localhost_reverse_enable: false
order: 20
```

The defined types `bind::zone::primary` and `bind::zone::secondary` can be used to add zones to this view.

193 changes: 193 additions & 0 deletions manifests/init.pp
Expand Up @@ -321,6 +321,73 @@
# once a day the DNSSEC trust anchors in use will be transmitted to the zon
# owners. This is enabled by default.
#
# @param bind:acls
# Hash of `bind::acls` resources.
# source the hash of bind::acls and trigger the class bind::acl
#
# @param bind:amls
# Hash of `bind::amls` resources.
# source the hash of bind::amls and trigger the class bind::aml
#
# @param dnssec_policies
# Hash of `bind::dnssec_policies` resources.
# source the hash of bind::dnssec_policies and trigger the class bind::dnssec_policy
#
# @param keys
# Hash of `bind::keys` resources.
# source the hash of bind::keys and trigger the class bind::key
#
# @param views
# Hash of `bind::views` resources.
# source the hash of bind::views and trigger the class bind::view
#
# @param statistics_channels
# Hash of `bind::statistics_channels` resources.
# source the hash of bind::statistics_channels and trigger the class bind::statistics_channel
#
# @param controls_inets
# Hash of `bind::controls::inets` resources.
# source the hash of bind::controls::inets and trigger the class bind::controls::inet
#
# @param controls_unixs
# Hash of `bind::controls::unixs` resources.
# source the hash of bind::controls::unixs and trigger the class bind::controls::unix
#
# @param logging_categories
# Hash of `bind::logging::categories` resources.
# source the hash of bind::logging::categories and trigger the class bind::logging::category
#
# @param logging_channel_files
# Hash of `bind::logging::channel_files` resources.
# source the hash of bind::logging::channel_files and trigger the class bind::logging::channel_file
#
# @param logging_channel_syslogs
# Hash of `bind::logging::channel_syslogs` resources.
# source the hash of bind::logging::channel_syslogs and trigger the class bind::logging::channel_syslog
#
# @param zone_forwards
# Hash of `bind::zone::forwards` resources.
# source the hash of bind::zone::forwards and trigger the class bind::zone::forward
#
# @param zone_hints
# Hash of `bind::zone::hints` resources.
# source the hash of bind::zone::hints and trigger the class bind::zone::hint
#
# @param zone_in_views
# Hash of `bind::zone::in_views` resources.
# source the hash of bind::zone::in_views and trigger the class bind::zone::in_view
#
# @param zone_mirrors
# Hash of `bind::zone::mirrors` resources.
# source the hash of bind::zone::mirrors and trigger the class bind::zone::mirror
#
# @param zone_primaries
# Hash of `bind::zone::primaries` resources.
# source the hash of bind::zone::primaries and trigger the class bind::zone::primary
#
# @param zone_secondaries
# Hash of `bind::zone::secondaries` resources.
# source the hash of bind::zone::secondaries and trigger the class bind::zone::secondary
#
class bind (
Stdlib::Absolutepath $confdir,
Expand Down Expand Up @@ -385,6 +452,24 @@
Optional[String] $report_version = undef,
Optional[Boolean] $querylog_enable = undef,
Optional[Boolean] $trust_anchor_telemetry = undef,
Optional[Hash] $acls = {},
Optional[Hash] $amls = {},
Optional[Hash] $configs = {},
Optional[Hash] $dnssec_policies = {},
Optional[Hash] $keys = {},
Optional[Hash] $statistics_channels = {},
Optional[Hash] $views = {},
Optional[Hash] $controls_inets = lookup(bind::controls::inets, undef, undef, {}),
Optional[Hash] $controls_unixes = lookup(bind::controls::unixes, undef, undef, {}),
Optional[Hash] $logging_categories = lookup(bind::logging::categories, undef, undef, {}),
Optional[Hash] $logging_channel_files = lookup(bind::logging::channel_files, undef, undef, {}),
Optional[Hash] $logging_channel_syslogs = lookup(bind::logging::syslogs, undef, undef, {}),
Optional[Hash] $zone_forwards = lookup(bind::zone::forwards, undef, undef, {}),
Optional[Hash] $zone_hints = lookup(bind::zone::hints, undef, undef, {}),
Optional[Hash] $zone_in_views = lookup(bind::zone::in_views, undef, undef, {}),
Optional[Hash] $zone_mirrors = lookup(bind::zone::mirrors, undef, undef, {}),
Optional[Hash] $zone_primaries = lookup(bind::zone::primaries, undef, undef, {}),
Optional[Hash] $zone_secondaries = lookup(bind::zone::secondaries, undef, undef, {}),
) {
$header_message = '// This file is managed by Puppet. DO NOT EDIT.'

Expand Down Expand Up @@ -844,6 +929,12 @@
before => Service['bind'],
}

$configs.each |$key, $value| {
bind::config { $key:
* => $value,
}
}

#
# Misc zone files
#
Expand Down Expand Up @@ -938,4 +1029,106 @@
name => $service_name,
restart => "${rndc_program} reconfig",
}

$acls.each |$key, $value| {
bind::acl { $key:
* => $value,
}
}

$amls.each |$key, $value| {
bind::aml { $key:
* => $value,
}
}

$dnssec_policies.each |$key, $value| {
bind::dnssec_policy { $key:
* => $value,
}
}

$keys.each |$key, $value| {
bind::key { $key:
* => $value,
}
}

$statistics_channels.each |$key, $value| {
bind::statistics_channel { $key:
* => $value,
}
}

$views.each |$key, $value| {
bind::view { $key:
* => $value,
}
}

$controls_inets.each |$key, $value| {
bind::controls::inet { $key:
* => $value,
}
}

$controls_unixes.each |$key, $value| {
bind::controls::unix { $key:
* => $value,
}
}

$logging_categories.each |$key, $value| {
bind::logging::category { $key:
* => $value,
}
}

$logging_channel_files.each |$key, $value| {
bind::logging::channel_file { $key:
* => $value,
}
}

$logging_channel_syslogs.each |$key, $value| {
bind::logging::channel_syslog { $key:
* => $value,
}
}

$zone_forwards.each |$key, $value| {
bind::zone::forward { $key:
* => $value,
}
}

$zone_hints.each |$key, $value| {
bind::zone::hint { $key:
* => $value,
}
}

$zone_in_views.each |$key, $value| {
bind::zone::in_view { $key:
* => $value,
}
}

$zone_mirrors.each |$key, $value| {
bind::zone::mirror { $key:
* => $value,
}
}

$zone_primaries.each |$key, $value| {
bind::zone::primary { $key:
* => $value,
}
}

$zone_secondaries.each |$key, $value| {
bind::zone::secondary { $key:
* => $value,
}
}
}
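Review bot: The hiera key looked up for `$logging_channel_syslogs` does not match the key the new documentation advertises: the parameter default reads `lookup(bind::logging::syslogs, undef, undef, {})` while the `@param logging_channel_syslogs` entry in the doc hunk says `bind::logging::channel_syslogs`, so data placed under the documented key falls through to the `{}` default and the `$logging_channel_syslogs.each` loop creates nothing; the line should read `Optional[Hash] $logging_channel_syslogs = lookup(bind::logging::channel_syslogs, undef, undef, {}),` (or the doc corrected, whichever key is intended). The doc hunk has further name mismatches that puppet-strings will report: `@param bind:acls` and `@param bind:amls` should be `@param acls` / `@param amls`, `@param controls_unixs` should be `@param controls_unixes` to match `$controls_unixes`, and `$configs` has no `@param` entry at all. Since every new loop splats the value with `* => $value`, a tighter type such as `Hash[String, Hash]` would reject a non-hash value at the class boundary with a clear message instead of failing inside the resource declaration, and `Optional[Hash]` with a `{}` default also admits an explicit undef that `.each` cannot iterate. All four hunks sit inside `class bind`, whose body continues outside them.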
