authorHugo Hörnquist <hugo@lysator.liu.se>2023-06-09 14:38:51 +0200
committerHugo Hörnquist <hugo@lysator.liu.se>2023-06-09 14:38:51 +0200
commit7b3fed95f91a6877a88758558babf1bc549eeffc (patch)
tree85760a3c81ce5c35764140e507fae5d4db1befa9
parentRevert extra rndc-keyfile include. (diff)
Place each zone and key declaration in own file.
This removes the dependency on concat, and allows for non-purging configurations.
-rw-r--r--manifests/init.pp73
-rw-r--r--manifests/key.pp9
-rw-r--r--manifests/zone.pp19
-rw-r--r--metadata.json4
-rw-r--r--templates/named-rndc.conf.epp5
-rw-r--r--templates/named.conf.epp15
6 files changed, 73 insertions, 52 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 15cdb8a..0afe696 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -34,10 +34,33 @@
# System user which runs the server.
# Only used to set permissions for files, so MUST be set to what
# the system already expects.
+# @param zoneconf_dir
+# Directory in which zone declarations (as part of named's
+# configuraion) should be placed.
+# @param keyconf_dir
+# Directory in which key declarations (as part of named's
+# configuraion) should be placed.
+# @param purge_zoneconf
+# Should the zoneconf_dir be purged. If this is true then zones are
+# decomissioned by simply removing their (Dns::Zone) resource declaration.
+# Otherwise a proper ensure => absent must be used.
+# @param purge_zonefiles
+# Should the zonefiles stored in ${directory}/zones be
+# automatically purged. Also see Dns::Zone.
+# @param purge_keyconf
+# Should $keyconf_dir be automatically purged.
+# Leaving this as true means that decomissioning keys is as simple
+# asremoving the Dns::Key declaration, otherwise an explicit
+# ensure => absent must be sent.
class dns (
String $config_file = '/etc/named.conf',
String $config_dir = '/etc/named.d',
Boolean $manage_dir = false,
+ String $zoneconf_dir = "${config_dir}/zones",
+ String $keyconf_dir = "${config_dir}/keys",
+ Boolean $purge_zoneconf = true,
+ Boolean $purge_zonefiles = true,
+ Boolean $purge_keyconf = true,
String $rndc_key_file = '/etc/rndc.key',
String $directory = '/var/named',
String $checkzone = '/usr/bin/named-checkzone',
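Review bot: The new `$zoneconf_dir` and `$keyconf_dir` parameters are typed plain `String`, yet their values are both used as Puppet file paths and interpolated into `include` statements in named.conf, so a relative value would be resolved by named against its `directory` option while Puppet refuses a non-absolute file title; with puppetlabs/stdlib already a dependency, `Stdlib::Absolutepath $zoneconf_dir = "${config_dir}/zones",` (and the same for `$keyconf_dir`) catches that at compile time. The new parameter docs also carry typos: "configuraion" (twice), "decomissioned", "decomissioning" and "asremoving" should read "configuration", "decommissioned", "decommissioning" and "as removing". The `dns` class body continues past the hunk.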
@@ -67,12 +90,21 @@ class dns (
mode => 'u+rwx',
}
- file { $dns::zone_directory:
- ensure => directory,
- recurse => true,
- purge => true,
- owner => $dns::user,
- mode => 'u+rwx',
+ file {
+ default:
+ ensure => directory,
+ owner => $dns::user,
+ mode => 'u+rwx',
+ recurse => true,
+ ;
+ $dns::zoneconf_dir:
+ purge => $purge_zoneconf,
+ ;
+ $dns::keyconf_dir:
+ purge => $purge_keyconf,
+ ;
+ $dns::zone_directory:
+ purge => $purge_zonefiles,
}
file { $dns::jnl_directory:
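Review bot: The two new configuration directories are created with `owner => $dns::user` and `mode => 'u+rwx'`, which makes named's own configuration — zone declarations, and under `$keyconf_dir` the files holding TSIG secrets — writable by the service account, and the symbolic mode only sets the owner bits, leaving group/other at whatever the creating umask produced. Unlike `$dns::zone_directory`, which named has to write for dynamic updates, nothing in the diff suggests named needs write access to these directories, so least privilege would be root-owned and group-readable, e.g. `owner => 'root', group => $dns::user, mode => '0750',` on the two conf directories (assuming a group of that name exists; adjust if the module tracks the service group separately). Permissions of the files inside them are set by dns::key/dns::zone and are not visible in this hunk.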
@@ -104,29 +136,10 @@ class dns (
ensure => file,
}
- $warn = @(EOF)
- #
- # File managed by Puppet. Local changes WILL be overwritter',
- #
- | EOF
-
- concat { $config_file:
- ensure_newline => true,
- validate_cmd => "${checkconf} %",
- notify => Service[$servicename],
- warn => $warn,
- require => File[$rndc_key_file],
- }
-
- concat::fragment { 'named.conf main configuration':
- target => $config_file,
- content => epp("${module_name}/named.conf.epp"),
- order => '01',
- }
-
- concat::fragment { 'named.conf rndc configuration':
- target => $config_file,
- content => epp("${module_name}/named-rndc.conf.epp"),
- order => '05',
+ file { $config_file:
+ validate_cmd => "${checkconf} %",
+ notify => Service[$servicename],
+ require => File[$rndc_key_file],
+ content => epp("${module_name}/named.conf.epp"),
}
}
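Review bot: `file { $config_file: … }` is validated with `named-checkconf`, and the new template makes that validation follow `include "<zoneconf_dir>/*.conf"` and `include "<keyconf_dir>/*.conf"`, but the resource only requires `File[$rndc_key_file]`; on a first run nothing orders it after the two directories or the per-zone/per-key files, so whether validation passes before they exist depends on how the installed BIND treats a glob with no matches. An explicit `require => [File[$rndc_key_file], File[$dns::zoneconf_dir], File[$dns::keyconf_dir]],` removes that ambiguity. The resource also no longer states `ensure`, `owner` or `mode` for named.conf, which the concat resource it replaces may have defaulted differently; since the rndc key is included by reference rather than inlined, pinning `ensure => file, owner => 'root', mode => '0644',` looks safe.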
diff --git a/manifests/key.pp b/manifests/key.pp
index c5bdb55..b36bf35 100644
--- a/manifests/key.pp
+++ b/manifests/key.pp
@@ -8,13 +8,18 @@
# Secret hash, must match algorithm
# @param keyname
# Name of key
+# @param ensure
+# Allows for manual removal of the key. Note that if
+# $dns::purge_keyconf is true then simply removing the
+# dns::key resource removes the file.
define dns::key (
String $algorithm,
Variant[String, Sensitive[String]] $secret,
String $keyname = $name,
+ Enum['present', 'absent'] $ensure = 'present',
) {
- concat::fragment { "Dns::Key - ${keyname}":
- target => $dns::config_file,
+ file { "${dns::keyconf_dir}/${keyname}.conf":
+ ensure => $ensure,
content => epp("${module_name}/key.epp", {
keyname => $keyname,
algorithm => $algorithm,
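Review bot: Each key now lands in its own file `${dns::keyconf_dir}/${keyname}.conf` carrying the TSIG secret, and the part of the `file` resource visible here sets only `ensure` and `content`; the resource continues past the hunk, so if no `mode`/`owner` and no `show_diff => false` are given there, the secret is written with Puppet's default permissions and printed in agent diffs and reports on every change. Suggested additions to the resource: `mode => '0640',` and `show_diff => false,`. Also, removing the file (via `$dns::purge_keyconf` or `ensure => 'absent'`) only revokes the key in named after a reload, so the resource should `notify => Service[$dns::servicename]` unless that is done further down.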
diff --git a/manifests/zone.pp b/manifests/zone.pp
index 817451b..e6fc397 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -162,22 +162,19 @@ define dns::zone (
ttl => $record['ttl'],
}
}
-
} else {
dns_zone2 { $zone_:
ensure => 'absent',
}
}
- if $ensure == 'present' {
- concat::fragment { "Dns::Zone - ${zone_}":
- target => $dns::config_file,
- content => epp("${module_name}/zoneconf.epp", {
- zone => $zone_,
- type => $type,
- update_policy => $update_policy,
- }),
- require => Dns_zone2[$zone_],
- }
+ file { "${dns::zoneconf_dir}/${zone_}conf":
+ ensure => $ensure,
+ content => epp("${module_name}/zoneconf.epp", {
+ zone => $zone_,
+ type => $type,
+ update_policy => $update_policy,
+ }),
+ require => Dns_zone2[$zone_],
}
}
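Review bot: The new file path `"${dns::zoneconf_dir}/${zone_}conf"` has no separator before `conf`, so it only yields a `*.conf` name — the pattern the named.conf include glob matches — when `$zone_` carries a trailing dot; if it ever does not, the declaration is written as `example.comconf`, is never included, and the zone is silently not served while Puppet reports success. Making the suffix explicit avoids depending on that convention, e.g. `file { "${dns::zoneconf_dir}/${regsubst($zone_, '\.$', '')}.conf":`. The resource also has no `notify => Service[$dns::servicename]`, so adding or removing a zone declaration (including decommissioning via `ensure => absent`) does not reach named until something else reloads it — the concat target it replaces carried that notify. `define dns::zone` begins before the hunk, so how `$zone_` is built is outside view.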
diff --git a/metadata.json b/metadata.json
index f2843d8..9451c62 100644
--- a/metadata.json
+++ b/metadata.json
@@ -9,10 +9,6 @@
{
"name": "puppetlabs/stdlib",
"version_requirement": ">= 8.1.0 < 9.0.0"
- },
- {
- "name": "puppetlabs/concat",
- "version_requirement": ">= 7.2.0 < 8.0.0"
}
],
"operatingsystem_support": [
diff --git a/templates/named-rndc.conf.epp b/templates/named-rndc.conf.epp
index fd069a5..e69de29 100644
--- a/templates/named-rndc.conf.epp
+++ b/templates/named-rndc.conf.epp
@@ -1,5 +0,0 @@
-include "<%= $dns::rndc_key_file %>";
-
-controls {
- inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
-};
diff --git a/templates/named.conf.epp b/templates/named.conf.epp
index 9fe10b1..5a57452 100644
--- a/templates/named.conf.epp
+++ b/templates/named.conf.epp
@@ -1,3 +1,7 @@
+#
+# File managed by Puppet. Local changes WILL be overwritter',
+#
+
options {
directory "<%= $dns::directory %>";
forwarders { 8.8.8.8; 8.8.4.4; };
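Review bot: The managed-file banner added at the top of the template reads `# File managed by Puppet. Local changes WILL be overwritter',` — the typo and stray quote were carried over from the old `$warn` heredoc; it should read `# File managed by Puppet. Local changes WILL be overwritten.`. The `#` comment form is valid in named.conf, so the banner itself is fine.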
@@ -9,3 +13,14 @@ options {
allow-recursion { localnets; localhost; };
};
+
+<%# Equivalent to what rndc-confgen emits %>
+include "<%= $dns::rndc_key_file %>";
+
+controls {
+ inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
+};
+
+<%# Include remaining stuff %>
+include "<%= $dns::zoneconf_dir %>/*.conf";
+include "<%= $dns::keyconf_dir %>/*.conf";
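Review bot: The key declarations are included after the zone declarations (`include "<zoneconf_dir>/*.conf"` precedes `include "<keyconf_dir>/*.conf"`), while the zone files may reference those keys in `update-policy`; whether named accepts a forward reference to a key is parser behaviour this diff does not establish, so swapping the two `include` lines to declare keys first matches the order already used above (key file included before `controls`) and removes the doubt. Separately, glob patterns in `include` are only honoured by BIND releases that support them; on an older named the literal `*.conf` path fails to open and the whole configuration is rejected, so the supported BIND versions should be stated (metadata.json only lists OS support). The `controls` block also hard-codes the key name `rndc-key` while the path `$dns::rndc_key_file` is parameterised; a key file declaring a different name would make named-checkconf reject the config, which is worth a comment next to the `controls` statement.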