authorHugo Hörnquist <hugo@lysator.liu.se>2023-05-05 00:31:37 +0200
committerHugo Hörnquist <hugo@lysator.liu.se>2023-05-05 00:31:37 +0200
commiteb38e6252b3c52a44d0d33679b3bc3178674c7f8 (patch)
treeb7958e38f9893c347af4c04a53f65a103cef3292 /manifests
parentInitial commit (diff)
Everything
Diffstat (limited to '')
-rw-r--r--manifests/init.pp94
-rw-r--r--manifests/key.pp23
-rw-r--r--manifests/record.pp48
-rw-r--r--manifests/zone.pp122
4 files changed, 287 insertions, 0 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..ebb161b
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,94 @@
+# @param config_file
+# Bind9 configuration file
+# @param directory
+# Maps to bind9 directory. Base for all relative paths.
+# @param checkzone
+# Absolute path to named-checkzone binary
+# @param checkconf
+# Absolute path to named-checkconf binary
+# @param packagename
+# Name of the bind9 system package
+# @param manage_package
+# Should the bind9 system package be managed by this module.
+# @param rndc
+# Absolute path to rndc binary
+# @param keys
+# Dns::Key resources to create
+# @param zones
+# Dns::Zones resources to create
+# @param rndc_key_file
+# Location of rndc key. Note that this doesn't change where it ends up, but rather were we expect it to end up.
+# Key will be generated through `rndc-confgen -a`.
+# @param servicename
+# Name of the system service to manage
+# @param rndc_confgen
+# Path to rndc-confgen binary
+class dns (
+ String $config_file = '/etc/named.conf',
+ # String $config_dir = '/etc/named.d',
+ String $rndc_key_file = '/etc/rndc.key',
+ String $directory = '/var/named',
+ String $checkzone = '/usr/bin/named-checkzone',
+ String $checkconf = '/usr/bin/named-checkconf',
+ Array[Dns::Keyentry] $keys = [],
+ Array[Dns::Zoneentry] $zones = [],
+ String $packagename = 'bind9',
+ Boolean $manage_package = true,
+ String $servicename = 'named',
+ String $rndc = '/usr/bin/rndc',
+ String $rndc_confgen = '/usr/bin/rndc-confgen',
+) {
+ $zone_directory = "${directory}/zones"
+ $jnl_directory = "${directory}/journal"
+
+ file { $zone_directory:
+ ensure => directory,
+ recurse => true,
+ purge => true,
+ }
+
+ file { $jnl_directory:
+ ensure => directory,
+ }
+
+ if $manage_package {
+ package { $packagename:
+ ensure => installed,
+ }
+ }
+
+ service { $servicename:
+ ensure => running,
+ enable => true,
+ }
+
+ create_resources(dns::key, $keys)
+ create_resources(dns::zone, $zones)
+
+ # file { $config_dir:
+ # ensure => directory,
+ # recurse => true,
+ # }
+
+ exec { 'Setup rndc key':
+ cmd => [$rndc_confgen, '-a'],
+ creates => $rndc_key_file,
+ }
+
+ concat { $config_file:
+ ensure_newline => true,
+ warn => '; File managed by Puppet. Local changes WILL be overwritter',
+ validate_cmd => "${checkconf} %",
+ notify => Service[$servicename],
+ }
+
+ concat::fragment { 'named.conf main configuration':
+ target => $config_file,
+ content => epp("${module_name}/named.conf.epp"),
+ }
+
+ concat::fragment { 'named.conf rndc configuration':
+ target => $config_file,
+ content => epp("${module_name}/named-rndc.conf.epp"),
+ }
+}
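Review bot: The `exec { 'Setup rndc key': ... }` resource uses `cmd`, which is not an attribute of the `exec` type, so the catalog fails to compile; the attribute is `command`, as the execs in zone.pp already use: `command => [$rndc_confgen, '-a'],`. The `concat { $config_file: ... }` sets no `owner`/`group`/`mode`, yet this file receives the rndc configuration fragment and, via `Dns::Key` fragments, TSIG secrets, so its permissions should be pinned (e.g. `mode => '0640'` with the service's group) rather than left to the default umask; whether the rndc key is inlined or merely included I cannot tell without the templates. The `service { $servicename: ... }` has no ordering against `Package[$packagename]`, so on a fresh host it may be scheduled before bind9 is installed; `require => Package[$packagename]` guarded by `$manage_package` would fix that. The `warn` string also misspells "overwritten" as `overwritter`.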
diff --git a/manifests/key.pp b/manifests/key.pp
new file mode 100644
index 0000000..866bc70
--- /dev/null
+++ b/manifests/key.pp
@@ -0,0 +1,23 @@
+# @summary A single dns key (for zone updates and the like)
+#
+# TODO add stuff to autogenerate these, and insntead dump them to individual files.
+#
+# @param algorithm
+# Algorithm used, must match secret
+# @param secret
+# Secret hash, must match algorithm
+# @param keyname
+# Name of key
+class dns::key (
+ String $algorithm,
+ Option[String, Sensitive[String]] $secret,
+ String $keyname = $name,
+) {
+ concat::fragment { "Dns::Key - ${keyname}":
+ content => epp("${module_name}/key.epp", {
+ keyname => $keyname,
+ algorithm => $algorithm,
+ secret => $secret,
+ }),
+ }
+}
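Review bot: `Option[String, Sensitive[String]]` is not a Puppet type (the type system offers `Optional` and `Variant`), and the `concat::fragment` declares no `target`, which `concat::fragment` requires, so this file does not compile as written; `dns::key` is also declared as a `class` while `create_resources(dns::key, $keys)` in init.pp instantiates it once per entry, which only a defined type permits. The three lines would become `define dns::key (`, `Variant[String, Sensitive[String]] $secret,` and `target => $dns::config_file,` inside the fragment. Because the rendered fragment carries the TSIG secret, the permissions of the target file must be restricted where that `concat` is declared. As far as I recall, interpolating a `Sensitive` value in an EPP template renders the redaction marker unless the template unwraps it, and once unwrapped the plaintext lands in the catalog and report unless the fragment content is itself wrapped as `Sensitive`; worth confirming against the concat version in use.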
diff --git a/manifests/record.pp b/manifests/record.pp
new file mode 100644
index 0000000..83476a0
--- /dev/null
+++ b/manifests/record.pp
@@ -0,0 +1,48 @@
+# @param type
+# Record type (A, AAAA, ...)
+# @param class
+# DNS class type (IN, HS, CH, HS)
+# @param dns_name
+# Name of record (example.com.)
+# Note that the trailing period **IS** significant
+# @param ttl
+# TTL for record.
+# @param duplicate
+# Allow multiple records with the same name and class.
+# Most record types only allow one value, but some allow multiple.
+# Setting this to true allows for multiple. This value is
+# automatically true for TXT & NS.
+# @param zone
+# Name of the zone this record belongs to.
+# @param value
+# Record content.
+# Syntax depends on `type`.
+define dns::record (
+ String $zone,
+ Dns::Rr $type,
+ String $value,
+ Dns::Class $class = 'IN',
+ String $dns_name = $name,
+ Optional[Dns::Ttl] $ttl = undef,
+ Boolean $duplicate = false,
+) {
+ $allow_duplicate = case $type {
+ 'TXT',
+ 'NS': {
+ true
+ }
+ default: {
+ false
+ }
+ }
+
+ $frag_name = if $allow_duplicate {
+ "Dns::Record - ${zone} - ${class} ${type} ${dns_name} ${value}"
+ } else {
+ "Dns::Record - ${zone} - ${class} ${type} ${dns_name}"
+ }
+
+ concat::fragment { $frag_name:
+ target => "${dns::zone_directory}/${zone}.db",
+ }
+}
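Review bot: The `concat::fragment { $frag_name: ... }` sets only `target` and no `content`, so `$dns_name`, `$ttl`, `$class`, `$type` and `$value` are never written to the zone file and the record is effectively dropped (I believe recent puppetlabs-concat even rejects a fragment with neither `content` nor `source`); a minimal fix is `content => "${dns_name} ${ttl} ${class} ${type} ${value}",` where an undef `$ttl` renders empty and the zone's `$TTL` default applies. The documented `$duplicate` parameter is also ignored: `$allow_duplicate` is derived from `$type` alone, so it should read `$allow_duplicate = $duplicate or ($type in ['TXT', 'NS'])`, which keeps the documented automatic behaviour for TXT and NS.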
diff --git a/manifests/zone.pp b/manifests/zone.pp
new file mode 100644
index 0000000..2226994
--- /dev/null
+++ b/manifests/zone.pp
@@ -0,0 +1,122 @@
+# @param zone
+# Domain this zone controls.
+# @param mname
+# Primary master
+# @param rname
+# mail to zone admin
+# @param retry
+# Retry value for zone
+# @param expire
+# Expire value for zone
+# @param negative_ttl
+# Negative ttl for zone
+# @param default_ttl
+# Default ttl for zone
+# @param refresh
+# Refresh value for SOA
+# @param records
+# Hash of records to create. Instanciates Dns::Record resources.
+# @param ns
+# List of nameservers for this zone. Creates Dns::Record resources
+# with NS entries.
+# @param type
+# Zonetype. master, slave, ...
+# @param update_policy
+# A bind9 update policy, as a string.
+# @param dynamic
+# However if this zone should be treated as a dynamic zone. If
+# enabled rndc freezes and thaws the zone around static updates.
+# Otherwise the zone file will be directly changed, and simply
+# reloaded afterwards.
+#
+# Defaults to true if an update_policy is set.
+define dns::zone (
+ String $mname,
+ String $rname,
+
+ Dns::Ttl $refresh,
+ Dns::Ttl $retry,
+ Dns::Ttl $expire,
+ Dns::Ttl $negative_ttl,
+ Dns::Ttl $default_ttl,
+
+ String $zone = $name,
+
+ Array[Dns::RecordEntry] $records = [],
+
+ Array[String] $ns = [],
+
+ String $type = 'master',
+
+ Optional[String] $update_policy = undef,
+ Boolean $dynamic = $update_policy != undef,
+) {
+ $zone_ = dns::ensure_ending_period($zone)
+
+ concat { "${dns::zone_directory}/${zone}.db":
+ validate_cmd => "${dns::checkzone} '${zone}' %",
+ ensure_newline => true,
+ require => if $dynamic { Exec["Dns::zone freeze ${zone}"] } else { undef },
+ }
+
+ $zone_serial = $facts.get("dns_zone_serial.'${zone_}'", 0)
+
+ concat::fragment { "Dns::Record - ${zone} - SOA":
+ target => "${dns::zone_directory}/${zone}.db",
+ order => '01',
+ content => epp("${module_name}/zone.epp", {
+ zone => $zone_,
+ mname => dns::ensure_ending_period($mname),
+ rname => dns::convert_to_rname($rname),
+ serial => $zone_serial + 1,
+ refresh => $refresh,
+ expire => $expire,
+ negative_ttl => $negative_ttl,
+ default_ttl => $default_ttl,
+ }),
+ }
+
+ concat::fragment { "Dns::Zone - ${zone}":
+ target => $dns::config_file,
+ content => epp("${module_name}/zoneconf.epp", {
+ zone => $zone_,
+ type => $type,
+ update_policy => $update_policy,
+ }),
+ }
+
+ $ns.each |$ns| {
+ dns::record { "Dns::Zore - record - ${zone} NS ${ns}":
+ type => 'NS',
+ zone => $zone,
+ }
+ }
+
+ $fixed_records = $records.each |$record| {
+ { "Dns::Zone - record - ${zone} - ${record['class']} ${record['type']} ${record['key']} ${record['value']}"
+ => $record + { dns_name => $record['key'] } }
+ }
+
+ create_resources(dns::record, $fixed_records, {
+ zone => $zone,
+ })
+
+ if $dynamic {
+ exec { "Dns::zone freeze ${zone}":
+ command => [$dns::rndc, 'freeze', $zone],
+ refreshonly => true,
+ }
+
+ exec { "Dns::zone thaw ${zone}":
+ command => [$dns::rndc, 'thaw', $zone],
+ refreshonly => true,
+ subscribe => Concat["${dns::zone_directory}/${zone}.db"],
+ }
+ } else {
+ exec { "Dns::zone reload ${zone}":
+ command => [$dns::rndc, 'reload', $zone],
+ refreshonly => true,
+ subscribe => Concat["${dns::zone_directory}/${zone}.db"],
+ }
+ }
+}
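Review bot: `$fixed_records` is assigned the result of `$records.each`, which returns the original array rather than the hashes produced by the lambda, so `create_resources(dns::record, $fixed_records, ...)` receives an `Array` instead of the title-to-parameters `Hash` it requires; the loop needs `map` wrapped in `Hash(...)`, and the `key` entry must be removed since `dns::record` declares no `key` parameter (assuming `Dns::RecordEntry` carries one, as the title construction suggests). The NS loop omits `value`, which `dns::record` requires, leaves `dns_name` defaulting to the resource title, and titles the resource `Dns::Zore` rather than `Dns::Zone`. The SOA fragment passes every timer except `retry`, so `retry => $retry,` should be added to the `zone.epp` parameters. Separately, `Exec["Dns::zone freeze ${zone}"]` is `refreshonly => true` but nothing notifies it, so as far as I can see a dynamic zone is never frozen before its file is rewritten; the `require` on the concat only orders the two resources.

```puppet
  # … unchanged: concat, SOA and zoneconf fragments …
  $ns.each |$nameserver| {
    dns::record { "Dns::Zone - record - ${zone} NS ${nameserver}":
      type     => 'NS',
      zone     => $zone,
      dns_name => $zone_,
      value    => $nameserver,
    }
  }

  # each() returns its receiver; build the title => params Hash that
  # create_resources() requires, renaming 'key' to dns_name because
  # dns::record has no 'key' parameter.
  $fixed_records = Hash($records.map |$record| {
    [
      "Dns::Zone - record - ${zone} - ${record['class']} ${record['type']} ${record['key']} ${record['value']}",
      ($record - ['key']) + { dns_name => $record['key'] },
    ]
  })
  # … unchanged: create_resources and the freeze/thaw/reload execs …
```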