diff --git a/manifests/acl.pp b/manifests/acl.pp
index 3737d94..40a2cc5 100644
--- a/manifests/acl.pp
+++ b/manifests/acl.pp
@@ -2,6 +2,8 @@ define bind::acl (
 $addresses,
+ $geoip_type = undef,
+ $geoip_location = undef,
 ) {
 concat::fragment { "bind-acl-${name}":
diff --git a/manifests/init.pp b/manifests/init.pp
index ec31384..f5e50ca 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
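Review bot: `$geoip_type` and `$geoip_location` are accepted without any validation, and templates/acl.erb in this same commit interpolates both straight into the `acl` block, so a typo only surfaces when named parses acls.conf. The template already special-cases `'city'`, so the accepted field names are evidently a fixed set; guard them next to the parameters in the same way zone.pp guards `$check_names` in this commit, e.g. `if $geoip_type and ! member([<allowed geoip field names>], $geoip_type) { fail("geoip_type must be one of ...") }`. The body of `define bind::acl` continues past the hunk.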
@@ -1,133 +1,151 @@
 # ex: syntax=puppet si ts=4 sw=4 et
 class bind (
- $forwarders = undef,
- $forward = undef,
- $dnssec = undef,
- $filter_ipv6 = undef,
- $version = undef,
- $statistics_port = undef,
- $auth_nxdomain = undef,
- $include_default_zones = true,
- $include_local = false,
- $tkey_gssapi_credential = undef,
- $tkey_domain = undef,
- $chroot = false,
- $chroot_class = $::bind::defaults::chroot_class,
- $chroot_dir = $::bind::defaults::chroot_dir,
- # NOTE: we need to be able to override this parameter when declaring class,
- # especially when not using hiera (i.e. when using Foreman as ENC):
- $default_zones_include = $::bind::defaults::default_zones_include,
+ $forwarders = undef,
+ $forward = undef,
+ $dnssec = undef,
+ $filter_ipv6 = undef,
+ $version = undef,
+ $statistics_port = undef,
+ $auth_nxdomain = undef,
+ $include_default_zones = true,
+ $include_local = false,
+ $tkey_gssapi_credential = undef,
+ $tkey_domain = undef,
+ $chroot = false,
+ $chroot_class = $::bind::defaults::chroot_class,
+ $chroot_dir = $::bind::defaults::chroot_dir,
+ # NOTE: we need to be able to override this parameter when declaring class,
+ # especially when not using hiera (i.e. 
when using Foreman as ENC):
+ $default_zones_include = $::bind::defaults::default_zones_include,
+ $transfer_format = undef,
+ $check_names_type = '', #master, slave or response
+ $check_names_handling = '', #warn, fail or ignore
+ $geoip_directory = undef,
 ) inherits bind::defaults {
- if $chroot and !$::bind::defaults::chroot_supported {
- fail('Chroot for bind is not supported on your OS')
- }
- File {
- ensure => present,
- owner => 'root',
- group => $::bind::defaults::bind_group,
- mode => '0644',
- require => Package['bind'],
- notify => Service['bind'],
- }
-
- include ::bind::updater
+ if $chroot and !$::bind::defaults::chroot_supported {
+ fail('Chroot for bind is not supported on your OS')
+ }
+ File {
+ ensure => present,
+ owner => 'root',
+ group => $::bind::defaults::bind_group,
+ mode => '0644',
+ require => Package['bind'],
+ notify => Exec['bind-config-test'],
+ }
- package { 'bind':
- ensure => latest,
- name => $::bind::defaults::bind_package,
- }
+ include ::bind::updater
- if $chroot and $::bind::defaults::chroot_class {
- # When using a dedicated chroot class, service declaration is dedicated to this class
- class { $::bind::defaults::chroot_class : }
- }
+ package { 'bind':
+ ensure => latest,
+ name => $::bind::defaults::bind_package,
+ }
- if $dnssec {
- file { '/usr/local/bin/dnssec-init':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0755',
- source => 'puppet:///modules/bind/dnssec-init',
- }
- }
+ if $chroot and $::bind::defaults::chroot_class {
+ # When using a dedicated chroot class, service declaration is dedicated to this class
+ class { $::bind::defaults::chroot_class: }
+ }
- # rndc only supports HMAC-MD5
- bind::key { 'rndc-key':
- algorithm => 'hmac-md5',
- secret_bits => '512',
- keydir => $bind::defaults::confdir,
- keyfile => 'rndc.key',
- include => false,
+ if $dnssec {
+ file { '/usr/local/bin/dnssec-init':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ source => 
'puppet:///modules/bind/dnssec-init',
 }
+ }
- file { '/usr/local/bin/rndc-helper':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0755',
- content => template('bind/rndc-helper.erb'),
- }
+ # rndc only supports HMAC-MD5
+ bind::key { 'rndc-key':
+ algorithm => 'hmac-md5',
+ secret_bits => '512',
+ keydir => $bind::defaults::confdir,
+ keyfile => 'rndc.key',
+ include => false,
+ }
- file { "${::bind::defaults::confdir}/zones":
- ensure => directory,
- mode => '2755',
- }
+ file {
+ '/usr/local/bin/rndc-helper':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ content => template('bind/rndc-helper.erb'),
+ ;
+ "${::bind::defaults::confdir}/zones":
+ ensure => directory,
+ mode => '2755',
+ purge => true,
+ force => true,
+ ;
+ "${::bind::defaults::confdir}/zones/geo":
+ ensure => directory,
+ mode => '2755',
+ purge => true,
+ force => true,
+ ;
+ $::bind::defaults::namedconf:
+ content => template('bind/named.conf.erb'),
+ }
- file { $::bind::defaults::namedconf:
- content => template('bind/named.conf.erb'),
+ if $include_default_zones and $::bind::defaults::default_zones_source {
+ file { $default_zones_include:
+ source => $::bind::defaults::default_zones_source,
 }
+ }
- if $include_default_zones and $::bind::defaults::default_zones_source {
- file { $default_zones_include:
- source => $::bind::defaults::default_zones_source,
- }
- }
+ class { '::bind::keydir':
+ keydir => "${::bind::defaults::confdir}/keys",
+ }
- class { '::bind::keydir':
- keydir => "${::bind::defaults::confdir}/keys",
- }
+ concat { [
+ "${::bind::defaults::confdir}/acls.conf",
+ "${::bind::defaults::confdir}/keys.conf",
+ "${::bind::defaults::confdir}/views.conf",
+ "${::bind::defaults::confdir}/servers.conf",
+ "${::bind::defaults::confdir}/logging.conf",
+ "${::bind::defaults::confdir}/view-mappings.txt",
+ "${::bind::defaults::confdir}/domain-mappings.txt",
+ ]:
+ owner => 'root',
+ group => $::bind::defaults::bind_group,
+ mode => 
'0644',
+ warn => true,
+ require => Package['bind'],
+ notify => Exec['bind-config-test'],
+ }
- concat { [
- "${::bind::defaults::confdir}/acls.conf",
- "${::bind::defaults::confdir}/keys.conf",
- "${::bind::defaults::confdir}/views.conf",
- "${::bind::defaults::confdir}/servers.conf",
- "${::bind::defaults::confdir}/logging.conf",
- "${::bind::defaults::confdir}/view-mappings.txt",
- "${::bind::defaults::confdir}/domain-mappings.txt",
- ]:
- owner => 'root',
- group => $::bind::defaults::bind_group,
- mode => '0644',
- warn => true,
- require => Package['bind'],
- notify => Service['bind'],
- }
+ concat::fragment { 'bind-logging-header':
+ order => '00-header',
+ target => "${::bind::defaults::confdir}/logging.conf",
+ content => "logging {\n";
+ }
- concat::fragment { 'bind-logging-header':
- order => '00-header',
- target => "${::bind::defaults::confdir}/logging.conf",
- content => "logging {\n";
- }
+ concat::fragment { 'bind-logging-footer':
+ order => '99-footer',
+ target => "${::bind::defaults::confdir}/logging.conf",
+ content => "};\n";
+ }
- concat::fragment { 'bind-logging-footer':
- order => '99-footer',
- target => "${::bind::defaults::confdir}/logging.conf",
- content => "};\n";
+ # DO NOT declare a bind service when chrooting bind with bind::chroot::package class,
+ # because it needs another dedicated chrooted-bind service (i.e. named-chroot on RHEL)
+ # AND it also needs $::bind::defaults::bind_service being STOPPED and DISABLED.
+ if !$chroot or ($chroot and $::bind::defaults::chroot_class == 'bind::chroot::manual') {
+ exec { 'bind-config-test':
+ path => '/usr/sbin',
+ command => "named-checkconf ${::bind::defaults::namedconf} > ${::bind::defaults::confdir}/named-checkconf.output 2>&1",
+ refreshonly => true,
+ notify => Service['bind'],
 }
- # DO NOT declare a bind service when chrooting bind with bind::chroot::package class,
- # because it needs another dedicated chrooted-bind service (i.e. 
named-chroot on RHEL)
- # AND it also needs $::bind::defaults::bind_service being STOPPED and DISABLED.
- if !$chroot or ($chroot and $::bind::defaults::chroot_class == 'bind::chroot::manual') {
- service { 'bind':
- ensure => running,
- name => $::bind::defaults::bind_service,
- enable => true,
- hasrestart => true,
- hasstatus => true,
- }
+ service { 'bind':
+ ensure => running,
+ name => $::bind::defaults::bind_service,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
 }
+ }
 }
diff --git a/manifests/logging/channel.pp b/manifests/logging/channel.pp
index db0a5cd..05f4143 100644
--- a/manifests/logging/channel.pp
+++ b/manifests/logging/channel.pp
@@ -4,6 +4,7 @@
 $destination = 'file',
 $file_path = $::bind::defaults::logdir,
 $file_name = '',
+ $file_options = '',
 $syslog_facility = '',
 $severity = '',
 $print_category = true,
diff --git a/manifests/server.pp b/manifests/server.pp
index 0bf9412..392c9b8 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,16 +1,17 @@
 # ex: syntax=puppet si ts=4 sw=4 et
 define bind::server (
- $bogus = false,
- $edns = true,
- $key = undef,
- $transfers = undef,
+ $bogus = false,
+ $edns = true,
+ $key = undef,
+ $transfers = undef,
+ $transfer_format = undef,
 ) {
- include ::bind
+ include ::bind
- concat::fragment { "bind-server-${name}":
- order => 10,
- target => "${::bind::confdir}/servers.conf",
- content => template('bind/server.erb'),
- }
+ concat::fragment { "bind-server-${name}":
+ order => 10,
+ target => "${::bind::confdir}/servers.conf",
+ content => template('bind/server.erb'),
+ }
 }
diff --git a/manifests/view.pp b/manifests/view.pp
index c5fc9ad..4a4e57f 100644
--- a/manifests/view.pp
+++ b/manifests/view.pp
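Review bot: `Exec['bind-config-test']` is declared only inside the `if !$chroot or (... == 'bind::chroot::manual')` branch at the end of the class, yet the class-level `File` defaults, the `concat` resources, and the zone config files in manifests/zone.pp (same commit) all carry `notify => Exec['bind-config-test']` unconditionally, so a catalog with `chroot => true` and a package-based chroot class now references an undeclared resource and fails to compile (the old `Service['bind']` target was presumably supplied by the chroot class in that path). Declare the exec before the conditional and make only its `notify` target depend on the chroot mode, or have the chroot class declare an exec of the same title. Separately, `purge => true` on the `zones` and `zones/geo` directories does nothing without `recurse => true`; if stale zone files are meant to be removed, add `recurse => true` and document in a comment that `force => true` then also removes unmanaged subdirectories.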
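Review bot: `$file_options` is copied verbatim into the channel's `file` statement by templates/logging_channel.erb (same commit) with no validation, so a malformed value breaks the whole generated logging.conf and is only caught at `bind-config-test` time. Either validate it or at least document the expected form next to the parameter, e.g. `# trailing clauses appended to the file channel, e.g. 'versions 5 size 10m'`. The enclosing `define bind::logging::channel` starts before the hunk.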
@@ -19,6 +19,10 @@
 $empty_zones = '',
 $order = '10',
 $minimal_responses = false,
+ $transfer_format = '',
+ $check_names_type = '', #master, slave or response
+ $check_names_handling = '', #warn, fail or ignore
+ $geo_zones = [],
 ) {
 $confdir = $::bind::confdir
 $default_zones_include = $::bind::default_zones_include
diff --git a/manifests/zone.pp b/manifests/zone.pp
index dd51ecf..7e20b60 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -20,6 +20,10 @@
 $forward = '',
 $source = '',
 $forwarders_port = 53,
+ $transfer_format = '',
+ $check_names = '',
+ $deploy_file = true,
+ $in_view = '',
 ) {
 # where there is a zone, there is a server
 include ::bind
@@ -81,6 +85,10 @@
 fail("source may only be provided for bind::zone resources with zone_type 'master' or 'hint'")
 }
+ unless !($check_names != '' and ! member(['warn', 'fail', 'ignore'], $check_names)) {
+ fail("check_names must be 'warn', 'fail' or 'ignore'")
+ }
+
 $zone_file_mode = $zone_type ? {
 'master' => $dynamic ? {
 true => 'init',
@@ -149,14 +157,26 @@
 }
 }
- file { "${::bind::confdir}/zones/${name}.conf":
- ensure => present,
- owner => 'root',
- group => $bind_group,
- mode => '0644',
- content => template('bind/zone.conf.erb'),
- notify => Service['bind'],
- require => Package['bind'],
+ if $in_view != '' {
+ file { "${::bind::confdir}/zones/geo/${name}.conf":
+ ensure => present,
+ owner => 'root',
+ group => $bind_group,
+ mode => '0644',
+ content => template('bind/zone.conf.erb'),
+ notify => Exec['bind-config-test'],
+ require => Package['bind'],
+ }
+ } else {
+ file { "${::bind::confdir}/zones/${name}.conf":
+ ensure => present,
+ owner => 'root',
+ group => $bind_group,
+ mode => '0644',
+ content => template('bind/zone.conf.erb'),
+ notify => Exec['bind-config-test'],
+ require => Package['bind'],
+ }
 }
 concat::fragment { "bind-zone-mapping-${name}":
diff --git a/metadata.json b/metadata.json
index 8c8e9c1..a43b7bf 100644
--- a/metadata.json
+++ b/metadata.json
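Review bot: `$check_names_type` and `$check_names_handling` are added here (and in manifests/init.pp in this commit) with only an inline comment listing the legal values, while the sibling `$check_names` in manifests/zone.pp gets a real `member([...])` check; the templates also emit `check-names` only when both are non-empty, so setting just one is silently dropped. Validate both against the listed values and reject a half-set pair, e.g. `if ($check_names_type != '') != ($check_names_handling != '') { fail('check_names_type and check_names_handling must be set together') }`. The same fix applies to the init.pp hunk; `define bind::view` starts before this hunk.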
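Review bot: The new guard in the second zone.pp hunk is written as `unless !(A and B)`, which is just `if A and B` and reads as if the condition were inverted; write it as `if $check_names != '' and ! member(['warn', 'fail', 'ignore'], $check_names) {` with the same `fail(...)` body. The surrounding validation block starts before the hunk.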
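Review bot: The two `file` resources in the third zone.pp hunk are identical except for the `zones/` versus `zones/geo/` path component, so the `if $in_view != ''` branches duplicate seven attribute lines that must now be kept in sync. Compute the directory once with a selector and declare a single resource, with a comment recording why in-view zones go to `zones/geo` (templates/view.erb in this commit includes that directory for `$geo_zones`). Note also that `Exec['bind-config-test']` is declared conditionally in manifests/init.pp, so this `notify` only resolves when that exec exists.
```puppet
  # in-view zones are written under zones/geo, which view.erb includes via $geo_zones
  $zone_conf_dir = $in_view ? {
    ''      => "${::bind::confdir}/zones",
    default => "${::bind::confdir}/zones/geo",
  }

  file { "${zone_conf_dir}/${name}.conf":
    ensure  => present,
    owner   => 'root',
    group   => $bind_group,
    mode    => '0644',
    content => template('bind/zone.conf.erb'),
    notify  => Exec['bind-config-test'],
    require => Package['bind'],
  }
  # … unchanged: bind-zone-mapping concat::fragment …
```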
@@ -1,6 +1,6 @@
 {
 "name": "inkblot-bind",
- "version": "7.4.0",
+ "version": "7.4.0-a",
 "author": "inkblot",
 "license": "Apache-2.0",
 "summary": "ISC BIND name server",
diff --git a/templates/acl.erb b/templates/acl.erb
index 7400909..44ef74c 100644
--- a/templates/acl.erb
+++ b/templates/acl.erb
@@ -3,4 +3,15 @@ acl <%= @name %> {
 <%- Array(@addresses).each do |address| -%>
 <%= address %>;
 <%- end -%>
+<%- if @geoip_type and @geoip_location and @geoip_type == 'city' -%>
+ geoip <%= @geoip_type %> "<%= @geoip_location %>";
+<%- elsif @geoip_type and @geoip_location -%>
+ <%- if @geoip_location.is_a?(Array) -%>
+ <%- Array(@geoip_location).each do |geo_loc| -%>
+ geoip <%= @geoip_type %> <%= geo_loc %>;
+ <%- end -%>
+ <%- else -%>
+ geoip <%= @geoip_type %> <%= @geoip_location %>;
+ <%- end -%>
+<%- end -%>
 };
diff --git a/templates/logging_channel.erb b/templates/logging_channel.erb
index e20e5a7..4e2c93c 100644
--- a/templates/logging_channel.erb
+++ b/templates/logging_channel.erb
@@ -1,7 +1,7 @@
 channel <%= @name %> {
 <%- case @destination -%>
 <%- when "file" -%>
- file "<%= @file_path %>/<%= @file_name %>";
+ file "<%= @file_path %>/<%= @file_name %>" <%= @file_options %>;
 <%- when "syslog" -%>
 syslog <%= @syslog_facility %>;
 <%- when "stderr" -%>
diff --git a/templates/named.conf.erb b/templates/named.conf.erb
index a69f4ef..fd44098 100644
--- a/templates/named.conf.erb
+++ b/templates/named.conf.erb
@@ -34,7 +34,6 @@ options {
 <%- end -%>
 <%- if @dnssec -%>
 dnssec-validation yes;
- dnssec-lookaside auto;
 <%- if @isc_bind_keys -%>
 bindkeys-file "<%= @isc_bind_keys %>";
 <%- end -%>
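Review bot: In the acl.erb hunk only the `city` branch quotes `@geoip_location`; the other two branches emit the value bare, so a location containing whitespace produces an `acl` statement that named will not parse, and the `Array(@geoip_location)` wrapper inside the `is_a?(Array)` branch is redundant since `Array()` already accepts a scalar. Assuming named accepts quoted values for the other geoip fields as it does for `city`, the three branches collapse into one loop that quotes every value; if some field must stay unquoted, say so in a template comment rather than leaving the asymmetry unexplained.
```erb
<%- if @geoip_type and @geoip_location -%>
  <%- Array(@geoip_location).each do |geo_loc| -%>
    geoip <%= @geoip_type %> "<%= geo_loc %>";
  <%- end -%>
<%- end -%>
```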
@@ -48,6 +47,15 @@ options {
 <%- if @tkey_domain -%>
 tkey-domain "<%= @tkey_domain %>";
 <%- end -%>
+<%- if @transfer_format -%>
+ transfer-format <%= @transfer_format %>;
+<%- end -%>
+<%- if @check_names_type != '' and @check_names_handling != '' -%>
+ check-names <%= @check_names_type %> <%= @check_names_handling %>;
+<%- end -%>
+<%- if @geoip_directory and @geoip_directory != '' -%>
+ geoip-directory "<%= @geoip_directory %>";
+<%- end -%>
 };
 <%- if @include_local -%>
diff --git a/templates/server.erb b/templates/server.erb
index 6e2499d..8e38405 100644
--- a/templates/server.erb
+++ b/templates/server.erb
@@ -7,4 +7,7 @@ server <%= @name %> {
 <%- if @transfers -%>
 transfers <%= @transfers %>;
 <%- end -%>
+<%- if @transfer_format -%>
+ transfer-format <%= @transfer_format %>;
+<%- end -%>
 };
diff --git a/templates/view.erb b/templates/view.erb
index 6478900..04fc2c8 100644
--- a/templates/view.erb
+++ b/templates/view.erb
@@ -69,6 +69,12 @@ view "<%= @name %>" {
 <%- end -%>
 };
 <%- end -%>
+<%- if @transfer_format and @transfer_format != '' -%>
+ transfer-format <%= @transfer_format %>;
+<%- end -%>
+<%- if @check_names_type != '' and @check_names_handling != '' -%>
+ check-names <%= @check_names_type %> <%= @check_names_handling %>;
+<%- end -%>
 <%- if @empty_zones != '' -%>
 empty-zones-enable <%= @empty_zones ? 'yes' : 'no' %>;
 <%- end -%>
@@ -102,4 +108,7 @@ view "<%= @name %>" {
 <%- Array(@zones).each do |zone| -%>
 include "<%= @confdir %>/zones/<%= zone %>.conf";
 <%- end -%>
+<%- Array(@geo_zones).each do |geo_zone| -%>
+ include "<%= @confdir %>/zones/geo/<%= geo_zone %>.conf";
+<%- end -%>
 };
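Review bot: The `@transfer_format` guard differs between the three templates touched here: named.conf.erb and server.erb test truthiness only, while view.erb (and zone.conf.erb in the next hunks) also test `!= ''`; because view.pp and zone.pp default the parameter to `''` but init.pp and server.pp to `undef`, copying one default into another manifest would emit a bare `transfer-format ;`. Use the same guard everywhere, `<%- if @transfer_format and @transfer_format != '' -%>`, and since named only accepts `one-answer` or `many-answers` here, validate the value in the manifests rather than letting `bind-config-test` discover it. The `geoip-directory` line is quoted and guarded consistently and needs no change.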
@@ -1,6 +1,9 @@
 # This file managed by puppet - changes will be lost
 zone "<%= @_domain %>" {
+<%- if @in_view != '' -%>
+ in-view "<%= @in_view %>";
+<%- else -%>
 type <%= @zone_type %>;
 <%- if @dnssec -%>
 auto-dnssec maintain;
@@ -10,9 +13,13 @@ zone "<%= @_domain %>" {
 key-directory "<%= @cachedir %>/<%= @name %>";
 <%- end -%>
 file "<%= @cachedir %>/<%= @name %>/<%= @zone_file %>.signed";
-<%- elsif %w(init managed allowed).include? @zone_file_mode -%>
+<%- elsif %w(init managed allowed).include? @zone_file_mode and @deploy_file -%>
+<%- if @source and @source != '' -%>
+ file "<%= @source %>";
+<%- else -%>
 file "<%= @cachedir %>/<%= @name %>/<%= @zone_file %>";
 <%- end -%>
+<%- end -%>
 <%- if %w(master slave).include? @zone_type
 if (@ns_notify == 'explicit') -%>
 notify explicit;
@@ -80,4 +87,11 @@ zone "<%= @_domain %>" {
 <%- end -%>
 };
 <%- end -%>
+<%- if @transfer_format and @transfer_format != '' -%>
+ transfer-format <%= @transfer_format %>;
+<%- end -%>
+<%- if @check_names and @check_names != ''-%>
+ check-names <%= @check_names %>;
+<%- end -%>
+<%- end -%>
 };
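Review bot: With `@deploy_file` false the second hunk emits no `file` statement at all for an `init`/`managed`/`allowed` zone, which I would expect named-checkconf to reject for a master zone; if the flag is only meant to stop Puppet deploying the zone data, the `file` directive should still be written, and the intended meaning belongs in a comment on `$deploy_file` in zone.pp. The final `<%- end -%>` added in the third hunk closes the `<%- if @in_view != '' -%>` opened in the first hunk some eighty lines earlier, so mark it `<%- end # if @in_view -%>` (and add the missing space in `!= ''-%>`) so a later edit does not pair it with the wrong block. The zone body between the hunks is outside this view.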