author | Hugo Hörnquist <hugo@lysator.liu.se> | 2023-05-05 00:31:37 +0200 |
---|---|---|
committer | Hugo Hörnquist <hugo@lysator.liu.se> | 2023-05-05 00:31:37 +0200 |
commit | eb38e6252b3c52a44d0d33679b3bc3178674c7f8 (patch) | |
tree | b7958e38f9893c347af4c04a53f65a103cef3292 /manifests | |
parent | Initial commit (diff) | |
download | dns-eb38e6252b3c52a44d0d33679b3bc3178674c7f8.tar.gz dns-eb38e6252b3c52a44d0d33679b3bc3178674c7f8.tar.xz |
Diffstat (limited to '')
-rw-r--r-- | manifests/init.pp | 94 | ||||
-rw-r--r-- | manifests/key.pp | 23 | ||||
-rw-r--r-- | manifests/record.pp | 48 | ||||
-rw-r--r-- | manifests/zone.pp | 122 |
4 files changed, 287 insertions, 0 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..ebb161b
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,94 @@
+# @param config_file
+# Bind9 configuration file
+# @param directory
+# Maps to bind9 directory. Base for all relative paths.
+# @param checkzone
+# Absolute path to named-checkzone binary
+# @param checkconf
+# Absolute path to named-checkconf binary
+# @param packagename
+# Name of the bind9 system package
+# @param manage_package
+# Should the bind9 system package be managed by this module.
+# @param rndc
+# Absolute path to rndc binary
+# @param keys
+# Dns::Key resources to create
+# @param zones
+# Dns::Zones resources to create
+# @param rndc_key_file
+# Location of rndc key. Note that this doesn't change where it ends up, but rather were we expect it to end up.
+# Key will be generated through `rndc-confgen -a`.
+# @param servicename
+# Name of the system service to manage
+# @param rndc_confgen
+# Path to rndc-confgen binary
+class dns (
+ String $config_file = '/etc/named.conf',
+ # String $config_dir = '/etc/named.d',
+ String $rndc_key_file = '/etc/rndc.key',
+ String $directory = '/var/named',
+ String $checkzone = '/usr/bin/named-checkzone',
+ String $checkconf = '/usr/bin/named-checkconf',
+ Array[Dns::Keyentry] $keys = [],
+ Array[Dns::Zoneentry] $zones = [],
+ String $packagename = 'bind9',
+ Boolean $manage_package = true,
+ String $servicename = 'named',
+ String $rndc = '/usr/bin/rndc',
+ String $rndc_confgen = '/usr/bin/rndc-confgen',
+) {
+ $zone_directory = "${directory}/zones"
+ $jnl_directory = "${directory}/journal"
+
+ file { $zone_directory:
+ ensure => directory,
+ recurse => true,
+ purge => true,
+ }
+
+ file { $jnl_directory:
+ ensure => directory,
+ }
+
+ if $manage_package {
+ package { $packagename:
+ ensure => installed,
+ }
+ }
+
+ service { $servicename:
+ ensure => running,
+ enable => true,
+ }
+
+ create_resources(dns::key, $keys)
+ create_resources(dns::zone, $zones)
+
+ # file { $config_dir:
+ # ensure => directory,
+ # recurse => true,
+ # }
+
+ exec { 'Setup rndc key':
+ cmd => [$rndc_confgen, '-a'],
+ creates => $rndc_key_file,
+ }
+
+ concat { $config_file:
+ ensure_newline => true,
+ warn => '; File managed by Puppet. Local changes WILL be overwritter',
+ validate_cmd => "${checkconf} %",
+ notify => Service[$servicename],
+ }
+
+ concat::fragment { 'named.conf main configuration':
+ target => $config_file,
+ content => epp("${module_name}/named.conf.epp"),
+ }
+
+ concat::fragment { 'named.conf rndc configuration':
+ target => $config_file,
+ content => epp("${module_name}/named-rndc.conf.epp"),
+ }
+}
diff --git a/manifests/key.pp b/manifests/key.pp
new file mode 100644
index 0000000..866bc70
--- /dev/null
+++ b/manifests/key.pp
@@ -0,0 +1,23 @@
+# @summary A single dns key (for zone updates and the like)
+#
+# TODO add stuff to autogenerate these, and insntead dump them to individual files.
+#
+# @param algorithm
+# Algorithm used, must match secret
+# @param secret
+# Secret hash, must match algorithm
+# @param keyname
+# Name of key
+class dns::key (
+ String $algorithm,
+ Option[String, Sensitive[String]] $secret,
+ String $keyname = $name,
+) {
+ concat::fragment { "Dns::Key - ${keyname}":
+ content => epp("${module_name}/key.epp", {
+ keyname => $keyname,
+ algorithm => $algorithm,
+ secret => $secret,
+ }),
+ }
+}
diff --git a/manifests/record.pp b/manifests/record.pp
new file mode 100644
index 0000000..83476a0
--- /dev/null
+++ b/manifests/record.pp
@@ -0,0 +1,48 @@
+# @param type
+# Record type (A, AAAA, ...)
+# @param class
+# DNS class type (IN, HS, CH, HS)
+# @param dns_name
+# Name of record (example.com.)
+# Note that the trailing period **IS** significant
+# @param ttl
+# TTL for record.
+# @param duplicate
+# Allow multiple records with the same name and class.
+# Most record types only allow one value, but some allow multiple.
+# Setting this to true allows for multiple. This value is
+# automatically true for TXT & NS.
+# @param zone
+# Name of the zone this record belongs to.
+# @param value
+# Record content.
+# Syntax depends on `type`.
+define dns::record (
+ String $zone,
+ Dns::Rr $type,
+ String $value,
+ Dns::Class $class = 'IN',
+ String $dns_name = $name,
+ Optional[Dns::Ttl] $ttl = undef,
+ Boolean $duplicate = false,
+) {
+ $allow_duplicate = case $type {
+ 'TXT',
+ 'NS': {
+ true
+ }
+ default: {
+ false
+ }
+ }
+
+ $frag_name = if $allow_duplicate {
+ "Dns::Record - ${zone} - ${class} ${type} ${dns_name} ${value}"
+ } else {
+ "Dns::Record - ${zone} - ${class} ${type} ${dns_name}"
+ }
+
+ concat::fragment { $frag_name:
+ target => "${dns::zone_directory}/${zone}.db",
+ }
+}
diff --git a/manifests/zone.pp b/manifests/zone.pp
new file mode 100644
index 0000000..2226994
--- /dev/null
+++ b/manifests/zone.pp
@@ -0,0 +1,122 @@
+# @param zone
+# Domain this zone controls.
+# @param mname
+# Primary master
+# @param rname
+# mail to zone admin
+# @param retry
+# Retry value for zone
+# @param expire
+# Expire value for zone
+# @param negative_ttl
+# Negative ttl for zone
+# @param default_ttl
+# Default ttl for zone
+# @param refresh
+# Refresh value for SOA
+# @param records
+# Hash of records to create. Instanciates Dns::Record resources.
+# @param ns
+# List of nameservers for this zone. Creates Dns::Record resources
+# with NS entries.
+# @param type
+# Zonetype. master, slave, ...
+# @param update_policy
+# A bind9 update policy, as a string.
+# @param dynamic
+# However if this zone should be treated as a dynamic zone. If
+# enabled rndc freezes and thaws the zone around static updates.
+# Otherwise the zone file will be directly changed, and simply
+# reloaded afterwards.
+#
+# Defaults to true if an update_policy is set.
+define dns::zone (
+ String $mname,
+ String $rname,
+
+ Dns::Ttl $refresh,
+ Dns::Ttl $retry,
+ Dns::Ttl $expire,
+ Dns::Ttl $negative_ttl,
+ Dns::Ttl $default_ttl,
+
+ String $zone = $name,
+
+ Array[Dns::RecordEntry] $records = [],
+
+ Array[String] $ns = [],
+
+ String $type = 'master',
+
+ Optional[String] $update_policy = undef,
+ Boolean $dynamic = $update_policy != undef,
+) {
+ $zone_ = dns::ensure_ending_period($zone)
+
+ concat { "${dns::zone_directory}/${zone}.db":
+ validate_cmd => "${dns::checkzone} '${zone}' %",
+ ensure_newline => true,
+ require => if $dynamic { Exec["Dns::zone freeze ${zone}"] } else { undef },
+ }
+
+ $zone_serial = $facts.get("dns_zone_serial.'${zone_}'", 0)
+
+ concat::fragment { "Dns::Record - ${zone} - SOA":
+ target => "${dns::zone_directory}/${zone}.db",
+ order => '01',
+ content => epp("${module_name}/zone.epp", {
+ zone => $zone_,
+ mname => dns::ensure_ending_period($mname),
+ rname => dns::convert_to_rname($rname),
+ serial => $zone_serial + 1,
+ refresh => $refresh,
+ expire => $expire,
+ negative_ttl => $negative_ttl,
+ default_ttl => $default_ttl,
+ }),
+ }
+
+ concat::fragment { "Dns::Zone - ${zone}":
+ target => $dns::config_file,
+ content => epp("${module_name}/zoneconf.epp", {
+ zone => $zone_,
+ type => $type,
+ update_policy => $update_policy,
+ }),
+ }
+
+ $ns.each |$ns| {
+ dns::record { "Dns::Zore - record - ${zone} NS ${ns}":
+ type => 'NS',
+ zone => $zone,
+ }
+ }
+
+ $fixed_records = $records.each |$record| {
+ { "Dns::Zone - record - ${zone} - ${record['class']} ${record['type']} ${record['key']} ${record['value']}"
+ => $record + { dns_name => $record['key'] } }
+ }
+
+ create_resources(dns::record, $fixed_records, {
+ zone => $zone,
+ })
+
+ if $dynamic {
+ exec { "Dns::zone freeze ${zone}":
+ command => [$dns::rndc, 'freeze', $zone],
+ refreshonly => true,
+ }
+
+ exec { "Dns::zone thaw ${zone}":
+ command => [$dns::rndc, 'thaw', $zone],
+ refreshonly => true,
+ subscribe => Concat["${dns::zone_directory}/${zone}.db"],
+ }
+ } else {
+ exec { "Dns::zone reload ${zone}":
+ command => [$dns::rndc, 'reload', $zone],
+ refreshonly => true,
+ subscribe => Concat["${dns::zone_directory}/${zone}.db"],
+ }
+ }
+}
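Review bot: `exec { 'Setup rndc key': cmd => [$rndc_confgen, '-a'], ... }` uses `cmd`, which is not a parameter of the exec type, so the catalog will not compile; the same commit's zone.pp uses `command`, so this should read `command => [$rndc_confgen, '-a'],`. The `warn` string in `concat { $config_file: ... }` has a typo: `overwritter` should be `overwritten`. Since the rndc key file holds the shared control secret and `named-rndc.conf.epp` presumably reads it, the exec should be ordered before the config is assembled, e.g. `before => Concat[$config_file],`. When `$manage_package` is true, neither the exec nor the service depends on `Package[$packagename]`, so on a fresh host `$rndc_confgen` may not exist yet when the exec runs; a `require => Package[$packagename]` guarded by `$manage_package` would fix that. The generated key file gets no `file` resource here, so its ownership and mode are whatever `rndc-confgen` leaves, which is worth stating in the `@param rndc_key_file` doc or managing explicitly.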
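Review bot: `class dns::key (` declares a class, but init.pp instantiates it with `create_resources(dns::key, $keys)` for an arbitrary number of keys; a class can be declared only once and `$name` inside a class evaluates to the class name, so `$keyname = $name` would always be `dns::key`. It should be `define dns::key (`. `Option[String, Sensitive[String]]` is not a Puppet type (`Optional` takes a single type); use `Variant[String, Sensitive[String]] $secret,`. The `concat::fragment` has no `target`, which concat::fragment requires; presumably `target => $dns::config_file,` is intended, as in zone.pp. Note also that `create_resources` expects a hash keyed by title, so if `Dns::Keyentry` is a per-key hash, `Array[Dns::Keyentry] $keys` will be rejected at the call site.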
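Review bot: The `concat::fragment { $frag_name:` at the end of `dns::record` sets only `target`, so `$type`, `$class`, `$dns_name`, `$ttl` and `$value` are never written to the zone file, and (with puppetlabs-concat) a fragment with neither `content` nor `source` is rejected. Presumably a template is intended, along the lines of `content => epp("${module_name}/record.epp", { dns_name => $dns_name, ttl => $ttl, class => $class, type => $type, value => $value }),`. `$duplicate` is documented as allowing multiple records but is never read: `$allow_duplicate` only inspects `$type`, so it should be `$allow_duplicate = $duplicate or ($type in ['TXT', 'NS'])`. The `@param class` doc lists `HS` twice; one of them is presumably a different class.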
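Review bot: `$fixed_records = $records.each |$record| { ... }` does not build a hash: `each` returns the original `$records` array, so `create_resources(dns::record, $fixed_records, ...)` receives an Array, and even with `map` each entry would still carry the `key` attribute, for which `dns::record` has no parameter. The NS loop declares `dns::record` without the required `value` and leaves `dns_name` at its default (the title, `Dns::Zore - record - …`), so that string would become the record name; the rewrite below builds the hash with `reduce`, strips `key`, and passes `value`/`dns_name` for NS entries. Separately, the SOA fragment passes every SOA field except `retry` to `zone.epp`; add `retry => $retry,` after `refresh`. `Exec["Dns::zone freeze ${zone}"]` is `refreshonly => true` but nothing notifies it, so the `require` on the concat never actually freezes the zone before the file is rewritten; the freeze needs a trigger or a non-refreshonly exec guarded by `unless`. As written, `serial => $zone_serial + 1` also appears to produce content that differs from the file on every run if the fact reads the current serial back, which would reload the zone each run — worth confirming against the fact's definition.
```puppet
  $ns.each |$nameserver| {
    dns::record { "Dns::Zone - record - ${zone} NS ${nameserver}":
      type     => 'NS',
      zone     => $zone,
      dns_name => $zone_,
      value    => $nameserver,
    }
  }

  $fixed_records = $records.reduce({}) |$acc, $record| {
    $title = "Dns::Zone - record - ${zone} - ${record['class']} ${record['type']} ${record['key']} ${record['value']}"
    $acc + { $title => ($record - ['key']) + { dns_name => $record['key'] } }
  }
  # … unchanged: create_resources call and the dynamic/static exec block …
```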