From 7b3fed95f91a6877a88758558babf1bc549eeffc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Fri, 9 Jun 2023 14:38:51 +0200
Subject: Place each zone and key declaration in own file.
This removes the dependency on concat, and allows for non-purging configurations.
---
 manifests/init.pp | 73 ++++++++++++++++++++++++++++++++-----------------------
 manifests/key.pp | 9 +++++--
 manifests/zone.pp | 19 ++++++---------
 3 files changed, 58 insertions(+), 43 deletions(-)
(limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 15cdb8a..0afe696 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -34,10 +34,33 @@
 # System user which runs the server.
 # Only used to set permissions for files, so MUST be set to what
 # the system already expects.
+# @param zoneconf_dir
+# Directory in which zone declarations (as part of named's
+# configuraion) should be placed.
+# @param keyconf_dir
+# Directory in which key declarations (as part of named's
+# configuraion) should be placed.
+# @param purge_zoneconf
+# Should the zoneconf_dir be purged. If this is true then zones are
+# decomissioned by simply removing their (Dns::Zone) resource declaration.
+# Otherwise a proper ensure => absent must be used.
+# @param purge_zonefiles
+# Should the zonefiles stored in ${directory}/zones be
+# automatically purged. Also see Dns::Zone.
+# @param purge_keyconf
+# Should $keyconf_dir be automatically purged.
+# Leaving this as true means that decomissioning keys is as simple
+# asremoving the Dns::Key declaration, otherwise an explicit
+# ensure => absent must be sent.
 class dns (
 String $config_file = '/etc/named.conf',
 String $config_dir = '/etc/named.d',
 Boolean $manage_dir = false,
+ String $zoneconf_dir = "${config_dir}/zones",
+ String $keyconf_dir = "${config_dir}/keys",
+ Boolean $purge_zoneconf = true,
+ Boolean $purge_zonefiles = true,
+ Boolean $purge_keyconf = true,
 String $rndc_key_file = '/etc/rndc.key',
 String $directory = '/var/named',
 String $checkzone = '/usr/bin/named-checkzone',
@@ -67,12 +90,21 @@ class dns (
 mode => 'u+rwx',
 }
- file { $dns::zone_directory:
- ensure => directory,
- recurse => true,
- purge => true,
- owner => $dns::user,
- mode => 'u+rwx',
+ file {
+ default:
+ ensure => directory,
+ owner => $dns::user,
+ mode => 'u+rwx',
+ recurse => true,
+ ;
+ $dns::zoneconf_dir:
+ purge => $purge_zoneconf,
+ ;
+ $dns::keyconf_dir:
+ purge => $purge_keyconf,
+ ;
+ $dns::zone_directory:
+ purge => $purge_zonefiles,
 }
 file { $dns::jnl_directory:
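Review bot: The new parameter docs carry several spelling slips that will be reproduced verbatim in generated reference documentation: `configuraion` (under both zoneconf_dir and keyconf_dir), `decomissioned`/`decomissioning`, and `asremoving` under purge_keyconf, whose last line `ensure => absent must be sent` presumably means `set`. Corrected example: `#   as removing the Dns::Key declaration, otherwise an explicit` / `#   ensure => absent must be set.`. The purge_zonefiles entry also describes the location as `${directory}/zones`, while the resource that actually purges it (in the next hunk) is keyed on `$dns::zone_directory`; naming that variable in the doc would keep the two from drifting apart if the default ever changes.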
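Review bot: `$dns::keyconf_dir` inherits the shared `mode => 'u+rwx'` from the `default:` block, and a symbolic mode that only names `u` leaves the group/other bits at whatever the directory was created with; the per-key `.conf` files that dns::key now writes underneath carry TSIG secrets, so this directory deserves an explicit restrictive mode, e.g. `mode => '0640',` on the `$dns::keyconf_dir:` entry (Puppet adds the search bit to directories wherever read is set, and with `recurse => true` the file mode is applied to children the module does not otherwise manage). Note that `recurse => true` now applies to `$dns::zoneconf_dir` and `$dns::keyconf_dir` as well; together with `purge => $purge_keyconf` that is what makes "remove the declaration" decommission a key as the docs promise, but it also means any hand-placed file in those directories is deleted on the next run whenever purging is on, which is worth a comment on the `default:` block.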
@@ -104,29 +136,10 @@ class dns (
 ensure => file,
 }
- $warn = @(EOF)
- #
- # File managed by Puppet. Local changes WILL be overwritter',
- #
- | EOF
-
- concat { $config_file:
- ensure_newline => true,
- validate_cmd => "${checkconf} %",
- notify => Service[$servicename],
- warn => $warn,
- require => File[$rndc_key_file],
- }
-
- concat::fragment { 'named.conf main configuration':
- target => $config_file,
- content => epp("${module_name}/named.conf.epp"),
- order => '01',
- }
-
- concat::fragment { 'named.conf rndc configuration':
- target => $config_file,
- content => epp("${module_name}/named-rndc.conf.epp"),
- order => '05',
+ file { $config_file:
+ validate_cmd => "${checkconf} %",
+ notify => Service[$servicename],
+ require => File[$rndc_key_file],
+ content => epp("${module_name}/named.conf.epp"),
 }
 }
diff --git a/manifests/key.pp b/manifests/key.pp
index c5bdb55..b36bf35 100644
--- a/manifests/key.pp
+++ b/manifests/key.pp
@@ -8,13 +8,18 @@
 # Secret hash, must match algorithm
 # @param keyname
 # Name of key
+# @param ensure
+# Allows for manual removal of the key. Note that if
+# $dns::purge_keyconf is true then simply removing the
+# dns::key resource removes the file.
 define dns::key (
 String $algorithm,
 Variant[String, Sensitive[String]] $secret,
 String $keyname = $name,
+ Enum['present', 'absent'] $ensure = 'present',
 ) {
- concat::fragment { "Dns::Key - ${keyname}":
- target => $dns::config_file,
+ file { "${dns::keyconf_dir}/${keyname}.conf":
+ ensure => $ensure,
 content => epp("${module_name}/key.epp", {
 keyname => $keyname,
 algorithm => $algorithm,
diff --git a/manifests/zone.pp b/manifests/zone.pp
index 817451b..e6fc397 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
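Review bot: The replacement `file { $config_file:` sets no `ensure => file` and no owner/group/mode, and the "File managed by Puppet" banner that `$warn` used to prepend is gone with it, so unless named.conf.epp now emits that header operators lose the hint that hand edits are overwritten. More importantly, named.conf must now pull in the per-zone and per-key files from `$zoneconf_dir` and `$keyconf_dir`; that template change is outside this diff (it is limited to manifests), and BIND's `include` directive takes a single path with no globbing, so I would confirm how the template enumerates them and whether the dropped `named-rndc.conf.epp` fragment has a replacement. `validate_cmd => "${checkconf} %"` runs named-checkconf on the staged named.conf and will follow those includes, yet nothing orders this resource after the dns::key/dns::zone files, so a first run can fail validation before the included files exist; `require => [File[$rndc_key_file], File[$zoneconf_dir], File[$keyconf_dir]],` at least guarantees the directories, and a comment explaining that the include targets are managed elsewhere would help the next reader.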
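Review bot: The new `file { "${dns::keyconf_dir}/${keyname}.conf":` renders the TSIG secret into a standalone file but sets no `owner`, `mode` or `show_diff`, so the file is created with the agent's default mode (commonly world-readable) and its content, secret included, is printed in agent diffs and reports on every change. Adding `owner => $dns::user,`, `mode => '0640',` and `show_diff => false,` keeps the secret to the named user and out of logs; accepting a `Sensitive` $secret does not by itself protect the epp output, since the template returns a plain string unless it re-wraps it. The resource body continues past the hunk, so I cannot see whether it notifies the service; the concat fragment it replaces triggered a restart through the concat target (`notify => Service[$servicename]` in init.pp), and the standalone file needs its own `notify` to keep that behaviour.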
@@ -162,22 +162,19 @@ define dns::zone (
 ttl => $record['ttl'],
 }
 }
-
 } else {
 dns_zone2 { $zone_:
 ensure => 'absent',
 }
 }
- if $ensure == 'present' {
- concat::fragment { "Dns::Zone - ${zone_}":
- target => $dns::config_file,
- content => epp("${module_name}/zoneconf.epp", {
- zone => $zone_,
- type => $type,
- update_policy => $update_policy,
- }),
- require => Dns_zone2[$zone_],
- }
+ file { "${dns::zoneconf_dir}/${zone_}conf":
+ ensure => $ensure,
+ content => epp("${module_name}/zoneconf.epp", {
+ zone => $zone_,
+ type => $type,
+ update_policy => $update_policy,
+ }),
+ require => Dns_zone2[$zone_],
 }
 }
-- 
cgit v1.2.3
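Review bot: The new path `"${dns::zoneconf_dir}/${zone_}conf"` has no separator before `conf`, unlike key.pp's `${keyname}.conf`; if `$zone_` is the zone name with its trailing dot (the name suggests so, but it is assigned outside this hunk) the result is a sensible `example.com.conf` and a one-line comment such as `# $zone_ ends in '.', so the extension follows directly` would save the next reader a double-take, otherwise this is a typo that fuses the extension onto the name. Like the key file, this resource carries no `notify`, so changing a zone's type or update policy rewrites the file without reloading named, whereas the concat fragment it replaces reached `Service[$servicename]` through the concat target; `notify => Service[$dns::servicename],` (or whatever init.pp exposes for the service) restores that. The enclosing define dns::zone starts outside the hunk.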