From a69958f319233d63fb958ad1d5f1eb991e8bd678 Mon Sep 17 00:00:00 2001
From: John Bond
Date: Tue, 20 Apr 2021 21:59:28 +0200
Subject: [PATCH] move defaults to class so that puppet-strings can build better docs
* I also updated the defaults for arrays to []
* I also updated the defaults for hash to {}
* Add some types to make init.pp a bit more readable
---
data/common.yaml | 208 ------------------
data/os/OpenBSD.yaml | 3 +-
hiera.yaml | 2 -
manifests/init.pp | 406 +++++++++++++++++------------------
manifests/stub.pp | 10 +-
templates/interfaces.txt.erb | 2 +-
templates/remote.erb | 4 -
templates/unbound.conf.erb | 30 ++-
types/chroot.pp | 1 +
types/hints_file.pp | 1 +
10 files changed, 226 insertions(+), 441 deletions(-)
delete mode 100644 data/common.yaml
create mode 100644 types/chroot.pp
create mode 100644 types/hints_file.pp
diff --git a/data/common.yaml b/data/common.yaml
deleted file mode 100644
index d0cf38d5..00000000
--- a/data/common.yaml
+++ /dev/null
@@ -1,208 +0,0 @@ ---- -unbound::verbosity: 1 -unbound::statistics_interval: ~ -unbound::statistics_cumulative: false -unbound::extended_statistics: false -unbound::num_threads: 1 -unbound::port: 53 -unbound::interface: ~ -unbound::interface_automatic: false -unbound::outgoing_interface: ~ -unbound::outgoing_range: ~ -unbound::outgoing_port_permit: '32768-65535' -unbound::outgoing_port_avoid: '0-32767' -unbound::outgoing_port_permit_first: true -unbound::outgoing_num_tcp: ~ -unbound::incoming_num_tcp: ~ -unbound::edns_buffer_size: 1280 -unbound::max_udp_size: ~ -unbound::stream_wait_size: ~ -unbound::msg_buffer_size: ~ -unbound::msg_cache_size: ~ -unbound::msg_cache_slabs: ~ -unbound::num_queries_per_thread: ~ -unbound::jostle_timeout: ~ -unbound::delay_close: ~ -unbound::unknown_server_time_limit: ~ -unbound::so_rcvbuf: ~ -unbound::so_sndbuf: ~ -unbound::so_reuseport: false -unbound::ip_transparent: false -unbound::ip_freebind: false -unbound::rrset_cache_size: ~ -unbound::rrset_cache_slabs: ~ -unbound::cache_max_ttl: ~ -unbound::cache_max_negative_ttl: ~ -unbound::cache_min_ttl: ~ -unbound::infra_host_ttl: ~ -unbound::infra_cache_numhosts: ~ -unbound::infra_cache_slabs: ~ -unbound::infra_cache_min_rtt: ~ -unbound::define_tag: ~ -unbound::do_ip4: true -unbound::do_ip6: true -unbound::prefer_ip6: false -unbound::do_udp: true -unbound::do_tcp: true -unbound::tcp_mss: ~ -unbound::outgoing_tcp_mss: ~ -unbound::tcp_idle_timeout: ~ -unbound::edns_tcp_keepalive: false -unbound::edns_tcp_keepalive_timeout: ~ -unbound::tcp_upstream: false -unbound::udp_upstream_without_downstream: false -unbound::tls_cert_bundle: ~ -unbound::tls_upstream: false -unbound::ssl_upstream: false -unbound::ssl_service_key: ~ -unbound::ssl_service_pem: ~ -unbound::ssl_port: ~ -unbound::tls_ciphers: ~ -unbound::tls_ciphersuites: ~ -unbound::use_systemd: false -unbound::do_daemonize: true -unbound::access_control: ~ -unbound::chroot: ~ -unbound::username: "%{hiera('unbound::owner')}" 
-unbound::directory: "%{hiera('unbound::confdir')}" -unbound::logfile: ~ -unbound::log_identity: ~ -unbound::log_time_ascii: false -unbound::log_queries: false -unbound::log_replies: false -unbound::log_tag_queryreply: false -unbound::log_local_actions: false -unbound::log_servfail: false -unbound::pidfile: '/var/run/unbound/unbound.pid' -unbound::hide_identity: true -unbound::identity: ~ -unbound::hide_version: true -unbound::version: ~ -unbound::hide_trustanchor: true -unbound::target_fetch_policy: ~ -unbound::harden_short_bufsize: false -unbound::harden_large_queries: false -unbound::harden_glue: true -unbound::harden_dnssec_stripped: true -unbound::harden_below_nxdomain: true -unbound::harden_referral_path: false -unbound::harden_algo_downgrade: false -unbound::use_caps_for_id: false -unbound::caps_whitlist: ~ -unbound::qname_minimisation: false -unbound::qname_minimisation_strict: false -unbound::private_address: ~ -unbound::private_domain: ~ -unbound::unwanted_reply_threshold: 10000000 -unbound::do_not_query_address: ~ -unbound::do_not_query_localhost: true -unbound::prefetch: false -unbound::prefetch_key: false -unbound::deny_any: false -unbound::rrset_roundrobin: false -unbound::minimal_responses: false -unbound::disable_dnssec_lame_check: false -unbound::trust_anchor_file: ~ -unbound::auto_trust_anchor_file: "%{hiera('unbound::runtime_dir')}/root.key" -unbound::trust_anchor: ~ -unbound::trusted_keys_file: "%{hiera('unbound::keys_d')}/*.key" -unbound::trust_anchor_signaling: true -unbound::domain_insecure: ~ -unbound::val_sig_skew_min: ~ -unbound::val_sig_skew_max: ~ -unbound::val_bogus_ttl: ~ -unbound::val_clean_additional: true -unbound::val_log_level: ~ -unbound::val_permissive_mode: false -unbound::ignore_cd_flag: false -unbound::serve_expired: false -unbound::serve_expired_ttl: ~ -unbound::serve_expired_ttl_reset: false -unbound::serve_expired_reply_ttl: ~ -unbound::serve_expired_client_timeout: ~ -unbound::val_nsec3_keysize_iterations: ~ 
-unbound::add_holddown: ~ -unbound::del_holddown: ~ -unbound::keep_missing: ~ -unbound::permit_small_holddown: false -unbound::key_cache_size: ~ -unbound::key_cache_slabs: ~ -unbound::neg_cache_size: ~ -unbound::unblock_lan_zones: false -unbound::insecure_lan_zones: false -unbound::local_zone: ~ -unbound::local_data: ~ -unbound::local_data_ptr: ~ -unbound::local_zone_tag: ~ -unbound::local_zone_override: ~ -unbound::ratelimit: ~ -unbound::ratelimit_size: ~ -unbound::ratelimit_slabs: ~ -unbound::ratelimit_factor: ~ -unbound::ratelimit_for_domain: ~ -unbound::ratelimit_below_domain: ~ -unbound::ip_ratelimit: ~ -unbound::ip_ratelimit_size: ~ -unbound::ip_ratelimit_slabs: ~ -unbound::ip_ratelimit_factor: ~ -unbound::fast_server_permil: ~ -unbound::fast_server_num: ~ - -unbound::confdir: '/etc/unbound' -unbound::service_name: 'unbound' -unbound::service_hasstatus: true -unbound::service_enable: true -unbound::service_ensure: 'running' -unbound::package_name: 'unbound' -unbound::package_ensure: 'installed' -unbound::package_provider: ~ -unbound::runtime_dir: "%{hiera('unbound::confdir')}" -unbound::owner: 'unbound' -unbound::validate_cmd: '/usr/sbin/unbound-checkconf %' -unbound::restart_cmd: "/bin/systemctl restart %{hiera('unbound::service_name')}" - -unbound::forward: {} -unbound::stub: {} -unbound::record: {} - -unbound::access: - - '::1' - - '127.0.0.1/8' -unbound::anchor_fetch_command: "unbound-anchor -a %{hiera('unbound::auto_trust_anchor_file')}" -unbound::conf_d: "%{hiera('unbound::confdir')}/conf.d" -unbound::config_file: "%{hiera('unbound::confdir')}/unbound.conf" -unbound::control_enable: false -unbound::control_setup_path: '/usr/sbin/unbound-control-setup' -unbound::control_path: '/usr/sbin/unbound-control' -unbound::fetch_client: 'wget -O' -unbound::group: 'unbound' -unbound::keys_d: "%{hiera('unbound::confdir')}/keys.d" -unbound::module_config: ~ -unbound::root_hints_url: 'https://www.internic.net/domain/named.root' -unbound::custom_server_conf: [] 
-unbound::skip_roothints_download: false
-unbound::python_script: ~
-unbound::dns64_prefix: '64:ff9b::/96'
-unbound::dns64_synthall: false
-unbound::send_client_subnet: ~
-unbound::client_subnet_zone: ~
-unbound::client_subnet_always_forward: false
-unbound::max_client_subnet_ipv6: 56
-unbound::max_client_subnet_ipv4: 24
-unbound::min_client_subnet_ipv6: ~
-unbound::min_client_subnet_ipv4: ~
-unbound::max_ecs_tree_size_ipv4: ~
-unbound::max_ecs_tree_size_ipv6: ~
-unbound::ipsecmod_enabled: true
-unbound::ipsecmod_hook: ~
-unbound::ipsecmod_strict: false
-unbound::ipsecmod_max_ttl: 3600
-unbound::ipsecmod_ignore_bogus: false
-unbound::ipsecmod_whitelist: ~
-unbound::backend: ~
-unbound::secret_seed: default
-unbound::redis_server_host: 127.0.0.1
-unbound::redis_server_port: 6379
-unbound::redis_timeout: 100
-unbound::unbound_conf_d: "%{hiera('unbound::confdir')}/unbound.conf.d"
-unbound::purge_unbound_conf_d: false
diff --git a/data/os/OpenBSD.yaml b/data/os/OpenBSD.yaml
index d7790e35..6cdae701 100644
--- a/data/os/OpenBSD.yaml
+++ b/data/os/OpenBSD.yaml
@@ -4,7 +4,8 @@ unbound::pidfile: '/var/run/unbound.pid'
 unbound::logdir: '/var/log/unbound'
 unbound::owner: '_unbound'
 unbound::group: '_unbound'
+unbound::service_name: 'unbound'
 unbound::fetch_client: 'ftp -o'
 unbound::validate_cmd: '/usr/sbin/unbound-checkconf %'
 unbound::package_name: ''
-unbound::restart_cmd: "/usr/sbin/rcctl restart %{hiera('unbound::service_name')}"
+unbound::restart_cmd: "/usr/sbin/rcctl restart %{lookup('unbound::service_name')}"
diff --git a/hiera.yaml b/hiera.yaml
index 4088d3f9..592c1d9b 100644
--- a/hiera.yaml
+++ b/hiera.yaml
@@ -10,6 +10,4 @@ hierarchy:
 path: "os/%{facts.os.family}/%{facts.os.name}.yaml"
 - name: "family"
 path: "os/%{facts.os.family}.yaml"
- - name: "common"
- path: "common.yaml"
diff --git a/manifests/init.pp b/manifests/init.pp
index 59760600..bf9f0b53 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -7,209 +7,209 @@ # @param hints_file_content # Contents of the root hints file, if it's not remotely fetched. class unbound ( - Integer[0,5] $verbosity, - Optional[Integer] $statistics_interval, - Boolean $statistics_cumulative, - Boolean $extended_statistics, - Integer[1] $num_threads, - Integer[0, 65535] $port, - Optional[Array[String]] $interface, - Boolean $interface_automatic, - Optional[Array[String]] $outgoing_interface, # version 1.5.10 - Optional[Integer[1]] $outgoing_range, - Unbound::Range $outgoing_port_permit, - Unbound::Range $outgoing_port_avoid, - Boolean $outgoing_port_permit_first, - Optional[Integer[0]] $outgoing_num_tcp, - Optional[Integer[0]] $incoming_num_tcp, - Integer[0,4096] $edns_buffer_size, - Optional[Integer[0,65536]] $max_udp_size, - Optional[Unbound::Size] $stream_wait_size, # version 1.9.0 - Optional[Unbound::Size] $msg_cache_size, - Optional[Integer] $msg_cache_slabs, - Optional[Integer] $num_queries_per_thread, - Optional[Integer[1]] $jostle_timeout, - Optional[Integer[0]] $delay_close, - Optional[Integer[1]] $unknown_server_time_limit, # version 1.8.2 - Optional[Unbound::Size] $so_rcvbuf, - Optional[Unbound::Size] $so_sndbuf, - Boolean $so_reuseport, # Version 1.4.22 - Boolean $ip_transparent, # version 1.5.4 - Boolean $ip_freebind, # version 1.5.9 - Optional[Unbound::Size] $rrset_cache_size, - Optional[Integer] $rrset_cache_slabs, - Optional[Integer] $cache_max_ttl, - Optional[Integer] $cache_max_negative_ttl, - Optional[Integer] $cache_min_ttl, - Optional[Integer] $infra_host_ttl, - Optional[Integer] $infra_cache_numhosts, - Optional[Integer] $infra_cache_slabs, - Optional[Integer] $infra_cache_min_rtt, - Optional[Array[String]] $define_tag, # version 1.5.10 - Boolean $do_ip4, - Boolean $do_ip6, - Boolean $prefer_ip6, # version 1.5.10 - Boolean $do_udp, - Boolean $do_tcp, - Optional[Integer[0]] $tcp_mss, # version 1.5.8 - Optional[Stdlib::Absolutepath] $tls_cert_bundle, # version 1.7.0 - Boolean $tls_upstream, # version 1.7.0 
- Optional[Integer[0]] $outgoing_tcp_mss, # version 1.5.8 - Optional[Integer[0]] $tcp_idle_timeout, # version 1.8.0 - Boolean $edns_tcp_keepalive, # version 1.8.0 - Optional[Integer[0]] $edns_tcp_keepalive_timeout, # version 1.8.0 - Boolean $tcp_upstream, - Boolean $udp_upstream_without_downstream, - Boolean $ssl_upstream, # version 1.7.0 - Optional[Stdlib::Absolutepath] $ssl_service_key, # version 1.7.0 - Optional[Stdlib::Absolutepath] $ssl_service_pem, # version 1.7.0 - Optional[Integer[0,65535]] $ssl_port, # version 1.7.0 - Optional[String] $tls_ciphers, # version 1.9.0 - Optional[String] $tls_ciphersuites, # version 1.9.0 - Boolean $use_systemd, # version 1.6.1 - Boolean $do_daemonize, - Optional[Hash[String, Unbound::Access_control]] $access_control, # version 1.5.10 - Optional[Variant[Enum[''],Stdlib::Absolutepath]] $chroot, - Optional[String] $username, - Stdlib::Absolutepath $directory, - Optional[Stdlib::Absolutepath] $logfile, - Optional[String] $log_identity, # version 1.6.0 - Boolean $log_time_ascii, - Boolean $log_queries, - Boolean $log_replies, # version 1.6.1 - Boolean $log_tag_queryreply, # version 1.9.0 - Boolean $log_local_actions, # version 1.8.0 - Boolean $log_servfail, # version 1.8.0 - Optional[Stdlib::Absolutepath] $pidfile, - Boolean $hide_identity, - Optional[String] $identity, - Boolean $hide_version, - Optional[String] $version, - Boolean $hide_trustanchor, # version 1.6.2 - Optional[Array[Integer]] $target_fetch_policy, - Boolean $harden_short_bufsize, - Boolean $harden_large_queries, - Boolean $harden_glue, - Boolean $harden_dnssec_stripped, - Boolean $harden_below_nxdomain, - Boolean $harden_referral_path, - Boolean $harden_algo_downgrade, # Version 1.5.3 - Boolean $use_caps_for_id, - Optional[Array[String]] $caps_whitlist, - Boolean $qname_minimisation, # version 1.5.7 - Boolean $qname_minimisation_strict, # version 1.6.0 - Optional[Array[String]] $private_address, - Optional[Array[String]] $private_domain, - Integer[0] 
$unwanted_reply_threshold, - Optional[Array[String]] $do_not_query_address, - Boolean $do_not_query_localhost, - Boolean $prefetch, - Boolean $prefetch_key, - Boolean $deny_any, # version 1.8.2 - Boolean $rrset_roundrobin, - Boolean $minimal_responses, - Boolean $disable_dnssec_lame_check, # version 1.5.9 - Optional[Stdlib::Absolutepath] $trust_anchor_file, - Stdlib::Absolutepath $auto_trust_anchor_file, - Optional[Array[String]] $trust_anchor, - Stdlib::Absolutepath $trusted_keys_file, - Boolean $trust_anchor_signaling, # version 1.6.4 - Optional[Array[String]] $domain_insecure, - Optional[Integer[1]] $val_sig_skew_min, - Optional[Integer[1]] $val_sig_skew_max, - Optional[Integer[1]] $val_bogus_ttl, - Boolean $val_clean_additional, - Optional[Integer[0,2]] $val_log_level, - Boolean $val_permissive_mode, - Boolean $ignore_cd_flag, - Boolean $serve_expired, # version 1.6.0 - Optional[Integer[0]] $serve_expired_ttl, # version 1.8.0 - Boolean $serve_expired_ttl_reset, # version 1.8.0 - Optional[Integer[0]] $serve_expired_reply_ttl, # version 1.8.0 - Optional[Integer[0]] $serve_expired_client_timeout, # version 1.8.0 - Optional[Array[Integer[1]]] $val_nsec3_keysize_iterations, - Optional[Integer[0]] $add_holddown, - Optional[Integer[0]] $del_holddown, - Optional[Integer[0]] $keep_missing, - Boolean $permit_small_holddown, # Version 1.5.5 - Optional[Unbound::Size] $key_cache_size, - Optional[Integer] $key_cache_slabs, - Optional[Unbound::Size] $neg_cache_size, - Boolean $unblock_lan_zones, - Boolean $insecure_lan_zones, # version 1.5.8 - Optional[Unbound::Local_zone] $local_zone, - Optional[Array[String]] $local_data, - Optional[Array[String]] $local_data_ptr, - Optional[Hash[String, Array[String]]] $local_zone_tag, # version 1.5.10 - Optional[Hash[String, Unbound::Local_zone_override]] $local_zone_override, # version 1.5.10 - Optional[Integer[0]] $ratelimit, - Optional[Unbound::Size] $ratelimit_size, - Optional[Integer[0]] $ratelimit_slabs, - Optional[Integer[0]] 
$ratelimit_factor, - Optional[Hash[String,Integer[0]]] $ratelimit_for_domain, - Optional[Hash[String,Integer[0]]] $ratelimit_below_domain, - Optional[Integer[0]] $ip_ratelimit, # version 1.6.1 - Optional[Unbound::Size] $ip_ratelimit_size, # version 1.6.1 - Optional[Integer[0]] $ip_ratelimit_slabs, # version 1.6.1 - Optional[Integer[0]] $ip_ratelimit_factor, - Optional[Integer[0,1000]] $fast_server_permil, # version 1.8.2 - Optional[Integer[1]] $fast_server_num, # version 1.8.2 - Hash $forward, - Hash $stub, - Hash $record, - Array $access, - String $anchor_fetch_command, - String $conf_d, - String $confdir, - String $config_file, - Boolean $control_enable, - String $control_setup_path, - String $control_path, - String $fetch_client, - String $group, - String $keys_d, - Optional[Array[Unbound::Module]] $module_config, - String $owner, - String $package_name, - Optional[String] $package_provider, - String $package_ensure, - Boolean $purge_unbound_conf_d, - String $root_hints_url, - Stdlib::Absolutepath $runtime_dir, - String $service_name, - Boolean $service_hasstatus, - Enum['running', 'stopped'] $service_ensure, - Boolean $service_enable, - String $validate_cmd, - String $restart_cmd, - Array[String] $custom_server_conf, - Boolean $skip_roothints_download, - Optional[Stdlib::Absolutepath] $python_script, - Optional[String] $dns64_prefix, - Boolean $dns64_synthall, - Optional[Array[String]] $send_client_subnet, - Optional[Array[String]] $client_subnet_zone, - Boolean $client_subnet_always_forward, - Integer[0,128] $max_client_subnet_ipv6, - Integer[0,32] $max_client_subnet_ipv4, - Optional[Integer[0,128]] $min_client_subnet_ipv6, # version 1.8.2 - Optional[Integer[0,32]] $min_client_subnet_ipv4, # version 1.8.2 - Optional[Integer[0]] $max_ecs_tree_size_ipv4, # version 1.8.2 - Optional[Integer[0]] $max_ecs_tree_size_ipv6, # version 1.8.2 - Boolean $ipsecmod_enabled, - Optional[Stdlib::Absolutepath] $ipsecmod_hook, - Boolean $ipsecmod_strict, - Integer[1] 
$ipsecmod_max_ttl, - Boolean $ipsecmod_ignore_bogus, - Optional[Array[String]] $ipsecmod_whitelist, - Optional[String] $backend, - String $secret_seed, - String $redis_server_host, - Integer[1,65536] $redis_server_port, - Integer[1] $redis_timeout, - Stdlib::Absolutepath $unbound_conf_d, - Variant[Enum['builtin'], Stdlib::Absolutepath] $hints_file = "${confdir}/root.hints", - Optional[String[1]] $hints_file_content = undef, + Integer[0,5] $verbosity = 1, + Optional[Integer] $statistics_interval = undef, + Boolean $statistics_cumulative = false, + Boolean $extended_statistics = false, + Integer[1] $num_threads = 1, + Integer[0, 65535] $port = 53, + Array[String[1]] $interface = [], + Boolean $interface_automatic = false, + Array[String[1]] $outgoing_interface = [], # version 1.5.10 + Optional[Integer[1]] $outgoing_range = undef, + Unbound::Range $outgoing_port_permit = '32768-65535', + Unbound::Range $outgoing_port_avoid = '0-32767', + Boolean $outgoing_port_permit_first = true, + Optional[Integer[0]] $outgoing_num_tcp = undef, + Optional[Integer[0]] $incoming_num_tcp = undef, + Integer[0,4096] $edns_buffer_size = 1280, + Optional[Integer[0,65536]] $max_udp_size = undef, + Optional[Unbound::Size] $stream_wait_size = undef, # version 1.9.0 + Optional[Unbound::Size] $msg_cache_size = undef, + Optional[Integer] $msg_cache_slabs = undef, + Optional[Integer] $num_queries_per_thread = undef, + Optional[Integer[1]] $jostle_timeout = undef, + Optional[Integer[0]] $delay_close = undef, + Optional[Integer[1]] $unknown_server_time_limit = undef, # version 1.8.2 + Optional[Unbound::Size] $so_rcvbuf = undef, + Optional[Unbound::Size] $so_sndbuf = undef, + Boolean $so_reuseport = false, # Version 1.4.22 + Boolean $ip_transparent = false, # version 1.5.4 + Boolean $ip_freebind = false, # version 1.5.9 + Optional[Unbound::Size] $rrset_cache_size = undef, + Optional[Integer] $rrset_cache_slabs = undef, + Optional[Integer] $cache_max_ttl = undef, + Optional[Integer] 
$cache_max_negative_ttl = undef, + Optional[Integer] $cache_min_ttl = undef, + Optional[Integer] $infra_host_ttl = undef, + Optional[Integer] $infra_cache_numhosts = undef, + Optional[Integer] $infra_cache_slabs = undef, + Optional[Integer] $infra_cache_min_rtt = undef, + Array[String[1]] $define_tag = [], # version 1.5.10 + Boolean $do_ip4 = true, + Boolean $do_ip6 = true, + Boolean $prefer_ip6 = false, # version 1.5.10 + Boolean $do_udp = true, + Boolean $do_tcp = true, + Optional[Integer[0]] $tcp_mss = undef, # version 1.5.8 + Optional[Stdlib::Absolutepath] $tls_cert_bundle = undef, # version 1.7.0 + Boolean $tls_upstreami = false, # version 1.7.0 + Optional[Integer[0]] $outgoing_tcp_mss = undef, # version 1.5.8 + Optional[Integer[0]] $tcp_idle_timeout = undef, # version 1.8.0 + Boolean $edns_tcp_keepalive = false, # version 1.8.0 + Optional[Integer[0]] $edns_tcp_keepalive_timeout = undef, # version 1.8.0 + Boolean $tcp_upstream = false, + Boolean $udp_upstream_without_downstream = false, + Boolean $ssl_upstream = false, # version 1.7.0 + Optional[Stdlib::Absolutepath] $ssl_service_key = undef, # version 1.7.0 + Optional[Stdlib::Absolutepath] $ssl_service_pem = undef, # version 1.7.0 + Optional[Integer[0,65535]] $ssl_port = undef, # version 1.7.0 + Optional[String[1]] $tls_ciphers = undef, # version 1.9.0 + Optional[String[1]] $tls_ciphersuites = undef, # version 1.9.0 + Boolean $use_systemd = false, # version 1.6.1 + Boolean $do_daemonize = true, + Hash[String[1], Unbound::Access_control] $access_control = {}, # version 1.5.10 + Optional[Unbound::Chroot] $chroot = undef, + Optional[Stdlib::Absolutepath] $logfile = undef, + Optional[String[1]] $log_identity = undef, # version 1.6.0 + Boolean $log_time_ascii = false, + Boolean $log_queries = false, + Boolean $log_replies = false, # version 1.6.1 + Boolean $log_tag_queryreply = false, # version 1.9.0 + Boolean $log_local_actions = false, # version 1.8.0 + Boolean $log_servfail = false, # version 1.8.0 + 
Stdlib::Absolutepath $pidfile = '/var/run/unbound/unbound.pid', + Boolean $hide_identity = true, + Optional[String[1]] $identity = undef, + Boolean $hide_version = true, + Optional[String[1]] $version = undef, + Boolean $hide_trustanchor = true, # version 1.6.2 + Array[Integer] $target_fetch_policy = [], + Boolean $harden_short_bufsize = false, + Boolean $harden_large_queries = false, + Boolean $harden_glue = true, + Boolean $harden_dnssec_stripped = true, + Boolean $harden_below_nxdomain = true, + Boolean $harden_referral_path = false, + Boolean $harden_algo_downgrade = false, # Version 1.5.3 + Boolean $use_caps_for_id = false, + Array[String[1]] $caps_whitlist = [], + Boolean $qname_minimisation = false, # version 1.5.7 + Boolean $qname_minimisation_strict = false, # version 1.6.0 + Array[String[1]] $private_address = [], + Array[String[1]] $private_domain = [], + Integer[0] $unwanted_reply_threshold = 10000000, + Array[String[1]] $do_not_query_address = [], + Boolean $do_not_query_localhost = true, + Boolean $prefetch = false, + Boolean $prefetch_key = false, + Boolean $deny_any = false, # version 1.8.2 + Boolean $rrset_roundrobin = false, + Boolean $minimal_responses = false, + Boolean $disable_dnssec_lame_check = false, # version 1.5.9 + Optional[Stdlib::Absolutepath] $trust_anchor_file = undef, + Array[String[1]] $trust_anchor = [], + Boolean $trust_anchor_signaling = true, # version 1.6.4 + Array[String[1]] $domain_insecure = [], + Optional[Integer[1]] $val_sig_skew_min = undef, + Optional[Integer[1]] $val_sig_skew_max = undef, + Optional[Integer[1]] $val_bogus_ttl = undef, + Boolean $val_clean_additional = true, + Optional[Integer[0,2]] $val_log_level = undef, + Boolean $val_permissive_mode = false, + Boolean $ignore_cd_flag = false, + Boolean $serve_expired = false, # version 1.6.0 + Optional[Integer[0]] $serve_expired_ttl = undef, # version 1.8.0 + Boolean $serve_expired_ttl_reset = false, # version 1.8.0 + Optional[Integer[0]] $serve_expired_reply_ttl = 
undef, # version 1.8.0 + Optional[Integer[0]] $serve_expired_client_timeout = undef, # version 1.8.0 + Array[Integer[1]] $val_nsec3_keysize_iterations = [], + Optional[Integer[0]] $add_holddown = undef, + Optional[Integer[0]] $del_holddown = undef, + Optional[Integer[0]] $keep_missing = undef, + Boolean $permit_small_holddown = false, # Version 1.5.5 + Optional[Unbound::Size] $key_cache_size = undef, + Optional[Integer] $key_cache_slabs = undef, + Optional[Unbound::Size] $neg_cache_size = undef, + Boolean $unblock_lan_zones = false, + Boolean $insecure_lan_zones = false, # version 1.5.8 + Unbound::Local_zone $local_zone = {}, + Optional[Array[String[1]]] $local_data = [], + Optional[Array[String[1]]] $local_data_ptr = [], + Hash[String[1], Array[String[1]]] $local_zone_tag = {}, # version 1.5.10 + Hash[String[1], Unbound::Local_zone_override] $local_zone_override = {}, # version 1.5.10 + Optional[Integer[0]] $ratelimit = undef, + Optional[Unbound::Size] $ratelimit_size = undef, + Optional[Integer[0]] $ratelimit_slabs = undef, + Optional[Integer[0]] $ratelimit_factor = undef, + Hash[String[1], Integer[0]] $ratelimit_for_domain = {}, + Hash[String[1], Integer[0]] $ratelimit_below_domain = {}, + Optional[Integer[0]] $ip_ratelimit = undef, # version 1.6.1 + Optional[Unbound::Size] $ip_ratelimit_size = undef, # version 1.6.1 + Optional[Integer[0]] $ip_ratelimit_slabs = undef, # version 1.6.1 + Optional[Integer[0]] $ip_ratelimit_factor = undef, + Optional[Integer[0,1000]] $fast_server_permil = undef, # version 1.8.2 + Optional[Integer[1]] $fast_server_num = undef, # version 1.8.2 + Hash $forward = {}, + Hash $stub = {}, + Hash $record = {}, + Array $access = ['::1', '127.0.0.1'], + String[1] $confdir = '/etc/unbound', + Stdlib::Absolutepath $directory = $confdir, + String[1] $conf_d = "${confdir}/conf.d", + String[1] $config_file = "${confdir}/unbound.conf", + Boolean $control_enable = false, + String[1] $control_setup_path = '/usr/sbin/unbound-control-setup', + 
String[1] $control_path = '/usr/sbin/unbound-control', + String[1] $fetch_client = 'wget -O', + String[1] $group = 'unbound', + String[1] $keys_d = "${confdir}/keys.d", + Stdlib::Absolutepath $trusted_keys_file = "${keys_d}/*.key", + Array[Unbound::Module] $module_config = [], + String[1] $owner = 'unbound', + String[1] $username = $owner, + # OpenBSD sets this to an empty string + String $package_name = 'unbound', + String[1] $package_ensure = 'installed', + Boolean $purge_unbound_conf_d = false, + String[1] $root_hints_url = 'https://www.internic.net/domain/named.root', + Stdlib::Absolutepath $runtime_dir = $confdir, + Stdlib::Absolutepath $auto_trust_anchor_file = "${runtime_dir}/root.key", + String[1] $anchor_fetch_command = "unbound-anchor -a ${auto_trust_anchor_file}", + String[1] $service_name = 'unbound', + Boolean $service_hasstatus = true, + Enum['running', 'stopped'] $service_ensure = 'running', + Boolean $service_enable = true, + String[1] $validate_cmd = '/usr/sbin/unbound-checkconf %', + String[1] $restart_cmd = "/bin/systemctl restart ${service_name}", + Array[String[1]] $custom_server_conf = [], + Boolean $skip_roothints_download = false, + Optional[Stdlib::Absolutepath] $python_script = undef, + String[1] $dns64_prefix = '64:ff9b::/96', + Boolean $dns64_synthall = false, + Array[String[1]] $send_client_subnet = [], + Array[String[1]] $client_subnet_zone = [], + Boolean $client_subnet_always_forward = false, + Integer[0,128] $max_client_subnet_ipv6 = 56, + Integer[0,32] $max_client_subnet_ipv4 = 24, + Optional[Integer[0,128]] $min_client_subnet_ipv6 = undef, # version 1.8.2 + Optional[Integer[0,32]] $min_client_subnet_ipv4 = undef, # version 1.8.2 + Optional[Integer[0]] $max_ecs_tree_size_ipv4 = undef, # version 1.8.2 + Optional[Integer[0]] $max_ecs_tree_size_ipv6 = undef, # version 1.8.2 + Boolean $ipsecmod_enabled = true, + Optional[Stdlib::Absolutepath] $ipsecmod_hook = undef, + Boolean $ipsecmod_strict = false, + Integer[1] $ipsecmod_max_ttl = 
3600,
+ Boolean $ipsecmod_ignore_bogus = false,
+ Array[String[1]] $ipsecmod_whitelist = [],
+ Optional[String[1]] $backend = undef,
+ String[1] $secret_seed = 'default',
+ String[1] $redis_server_host = '127.0.0.1',
+ Integer[1,65536] $redis_server_port = 6379,
+ Integer[1] $redis_timeout = 100,
+ Stdlib::Absolutepath $unbound_conf_d = "${confdir}/unbound.conf.d",
+ Unbound::Hints_file $hints_file = "${confdir}/root.hints",
+ Optional[String[1]] $hints_file_content = undef,
 ) {
 unless $package_name.empty {
 package { $package_name:
diff --git a/manifests/stub.pp b/manifests/stub.pp
index 39aef4f8..6e96cd40 100644
--- a/manifests/stub.pp
+++ b/manifests/stub.pp
@@ -35,25 +35,27 @@ Variant[Boolean, Enum['true', 'false']] $no_cache = false,
 # lint:endignore
 Unbound::Local_zone_type $type = 'transparent',
- Stdlib::Unixpath $config_file = lookup('unbound::config_file'),
+ Optional[Stdlib::Unixpath] $config_file = undef,
 ) {
+ include unbound
+ $_config_file = pick($config_file, $unbound::config_file)
 concat::fragment { "unbound-stub-${name}":
 order => '15',
- target => $config_file,
+ target => $_config_file,
 content => template('unbound/stub.erb'),
 }
 if str2bool($insecure) == true {
 concat::fragment { "unbound-stub-${name}-insecure":
 order => '01',
- target => $config_file,
+ target => $_config_file,
 content => " domain-insecure: \"${name}\"\n",
 }
 }
 concat::fragment { "unbound-stub-${name}-local-zone":
 order => '02',
- target => $config_file,
+ target => $_config_file,
 content => " local-zone: \"${name}\" ${type} \n",
 }
 }
diff --git a/templates/interfaces.txt.erb b/templates/interfaces.txt.erb
index 4ddb5049..54e79d24 100644
--- a/templates/interfaces.txt.erb
+++ b/templates/interfaces.txt.erb
@@ -1,5 +1,5 @@
 # Used by puppet-unbound
-<% unless @interface.nil? -%>
+<% unless @interface.empty? -%>
 <%= @interface.join("\n") %>
 <% else -%>
 <%= String.new %>
diff --git a/templates/remote.erb b/templates/remote.erb
index 91c2f863..40b676ac 100644
--- a/templates/remote.erb
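Review bot: `Boolean $tls_upstreami = false, # version 1.7.0` in the rewritten parameter list renames `$tls_upstream` with a stray trailing `i`, so a hiera value for `unbound::tls_upstream` is no longer picked up by automatic parameter lookup and wherever the template reads `@tls_upstream` (outside this diff) it now sees an unset variable; the line should read `Boolean $tls_upstream = false, # version 1.7.0`. Since this flag decides whether upstream queries go over TLS, the typo silently drops a hardening option instead of failing at compile time. Two smaller points in the same hunk: the `$access` default changes from `'127.0.0.1/8'` to `'127.0.0.1'`, which narrows the default access-control allow list without the commit message saying so, and `Integer[1,65536] $redis_server_port` carries over an upper bound one above the valid port range (`Integer[1,65535]`). The `class unbound (` body continues past the end of the hunk.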
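Review bot: `include unbound` inside the `unbound::stub` define means the first `unbound::stub` evaluated declares `class unbound` with all of its new in-class defaults; if the catalog later declares `class { 'unbound': ... }` resource-like to override those defaults, Puppet raises a duplicate declaration error, and which one wins now depends on evaluation order. That trap deserves a line in the define's documentation, e.g. `# @note Declares class unbound; declare class { 'unbound': ... } before any unbound::stub when passing parameters to it.`. The `pick($config_file, $unbound::config_file)` fallback itself reads correctly. The `define unbound::stub (` header starts above the hunk.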
+++ b/templates/remote.erb
@@ -4,12 +4,8 @@ remote-control:
 <% else -%>
 control-enable: no
 <% end -%>
-<% if @interface.is_a? Array -%>
 <% @interface.each do |int| -%>
 control-interface: <%= int %>
-<% end -%>
-<% else -%>
- control-interface: <%= @interface %>
 <% end -%>
 control-port: <%= @port %>
diff --git a/templates/unbound.conf.erb b/templates/unbound.conf.erb
index 4bfd6625..400d493c 100644
--- a/templates/unbound.conf.erb
+++ b/templates/unbound.conf.erb
@@ -7,7 +7,7 @@ end
 def print_config(name, value, version=false )
 if version and scope.call_function('versioncmp', [unbound_version, version]) < 0
- return
+ return
 end
 if value.is_a?(TrueClass)
 return " #{name}: yes\n"
@@ -19,7 +19,7 @@
 return " #{name}: \"#{value}\"\n"
 elsif value.is_a?(Integer)
 return " #{name}: #{value}\n"
- elsif value.is_a?(Array)
+ elsif value.is_a?(Array) and !value.empty?
 str = ''
 value.each { |v| str << " #{name}: #{v}\n" }
 return str
@@ -69,7 +69,7 @@ server:
 <%= print_config('infra-cache-numhosts', @infra_cache_numhosts) -%>
 <%= print_config('infra-cache-slabs', @infra_cache_slabs) -%>
 <%= print_config('infra-cache-min-rtt', @infra_cache_min_rtt) -%>
-<% if @define_tag and scope.call_function('versioncmp', [unbound_version, '1.5.10']) >= 0 -%>
+<% if !@define_tag.empty? and scope.call_function('versioncmp', [unbound_version, '1.5.10']) >= 0 -%>
 define-tag: "<%= @define_tag.join(' ') %>"
 <%- end -%>
 <%= print_config('do-ip4', @do_ip4) -%>
@@ -101,7 +101,7 @@ server:
 access-control: <%= acc %> allow
 <%- end -%>
 <%- end -%>
-<%- if @access_control and scope.call_function('versioncmp', [unbound_version, '1.5.10']) >= 0 -%>
+<%- if scope.call_function('versioncmp', [unbound_version, '1.5.10']) >= 0 -%>
 <%- @access_control.each_pair do |prefix, config| -%>
 <%- if config.includes?('tags') -%>
 <%- unless config.include?('action') or config.include?('rr_string') -%>
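Review bot: The rewritten loop `<% @interface.each do |int| -%>` assumes `@interface` is always an Array; the String branch removed just below it suggests the class behind this template (not in this diff, presumably `unbound::remote`) previously accepted a scalar, and if its parameter type was not tightened the way `unbound::interface` was in init.pp, a String value now raises `NoMethodError` at catalog compile time. Worth confirming that parameter is typed `Array[String[1]]` with `[]` as default, or using `<% Array(@interface).each do |int| -%>` if a scalar must stay supported. The `remote-control:` block this sits in starts above the hunk.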
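Review bot: `<%- if config.includes?('tags') -%>` on the context line right after the rewritten version guard calls `includes?`, which is not a Ruby `Hash` method (the next line correctly uses `include?`), so the first non-empty `$access_control` entry would appear to raise `NoMethodError` when the template renders. The guard change in this hunk does not alter that (an empty `@access_control` still skips the loop), but since the block is being rewritten it is the right moment to fix it: `<%- if config.include?('tags') -%>`. I cannot see the rest of the loop from the hunk, so please confirm `config` is a plain Hash here.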
@@ -170,7 +170,7 @@ server:
 <%= print_config('rrset-roundrobin', @rrset_roundrobin) -%>
 <%= print_config('minimal-responses', @minimal_responses) -%>
 <%= print_config('disable-dnssec-lame-check', @disable_dnssec_lame_check, '1.5.9') -%>
-<%- if @module_config %>
+<%- unless @module_config.empty? %>
 module-config: "<%= @module_config.join(' ') %>"
 <%- end -%>
 <%= print_config('trust-anchor-file', @trust_anchor_file) -%>
@@ -201,20 +201,18 @@ server:
 <%= print_config('neg-cache-size', @neg_cache_size) -%>
 <%= print_config('unblock-lan-zones', @unblock_lan_zones, '1.5.0') -%>
 <%= print_config('insecure-lan-zones', @insecure_lan_zones, '1.5.8') -%>
-<%- if @local_zone -%>
- <%- @local_zone.each_pair do |zone, type| -%>
+<%- @local_zone.each_pair do |zone, type| -%>
 local-zone: "<%= zone %>" <%= type %>
- <%- end -%>
 <%- end -%>
 <%= print_config('local-data', @local_data) -%>
 <%= print_config('local-data-ptr', @local_data_ptr) -%>
-<%- if @local_zone_tag and scope.call_function('versioncmp', [unbound_version, '1.5.10']) >= 0 -%>
- <%- @local_zone_tag.each_pair do |zone, tags| -%>
+<%- if scope.call_function('versioncmp', [unbound_version, '1.5.10']) >= 0 -%>
+ <%- @local_zone_tag.each_pair do |zone, tags| -%>
 local-zone-tag: <%= zone %> "<%= tags.join(' ') %>
 <%- end -%>
 <%- end -%>
-<%- if @local_zone_override and scope.call_function('versioncmp', [unbound_version, '1.5.10']) >= 0 -%>
- <%- @local_zone_override.each_pair do |zone, config| -%>
+<%- if scope.call_function('versioncmp', [unbound_version, '1.5.10']) >= 0 -%>
+ <%- @local_zone_override.each_pair do |zone, config| -%>
 local-zone-tag: <%= zone %> <%= config['netblock'] %> <%= config['type'] %>
 <%- end -%>
 <%- end -%>
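Review bot: The rewritten `@local_zone_override` loop still emits `local-zone-tag: <%= zone %> <%= config['netblock'] %> <%= config['type'] %>` on its context line, which looks like a copy of the tag loop above it; the unbound directive for this parameter is `local-zone-override:`, so zones configured through `$local_zone_override` would appear to be written out as malformed `local-zone-tag` entries and the override never applied. In the `@local_zone_tag` loop the context line `local-zone-tag: <%= zone %> "<%= tags.join(' ') %>` opens a quote it never closes. Neither line is changed by the commit, but both loops were rewritten around them, so correcting them here (`local-zone-override: <%= zone %> <%= config['netblock'] %> <%= config['type'] %>` and `local-zone-tag: <%= zone %> "<%= tags.join(' ') %>"`) would avoid a policy setting silently not taking effect; please confirm against the unbound.conf documentation for the targeted version.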
@@ -222,15 +220,11 @@ server:
 <%= print_config('ratelimit-size', @ratelimit_size) -%>
 <%= print_config('ratelimit-slabs', @ratelimit_slabs) -%>
 <%= print_config('ratelimit-factor', @ratelimit_factor) -%>
-<%- if @ratelimit_for_domain -%>
- <%- @ratelimit_for_domain.each_pair do |domain, qps| %>
+<%- @ratelimit_for_domain.each_pair do |domain, qps| %>
 ratelimit-for-domain: <%= domain %> <%= qps %>
- <%- end -%>
 <%- end -%>
-<%- if @ratelimit_below_domain -%>
- <%- @ratelimit_below_domain.each_pair do |domain, qps| %>
+<%- @ratelimit_below_domain.each_pair do |domain, qps| %>
 ratelimit-below-domain: <%= domain %> <%= qps %>
- <%- end -%>
 <%- end -%>
 <%= print_config('ip-ratelimit', @ip_ratelimit, '1.6.1') -%>
 <%= print_config('ip-ratelimit-size', @ip_ratelimit_size, '1.6.1') -%>
diff --git a/types/chroot.pp b/types/chroot.pp
new file mode 100644
index 00000000..9bac98c1
--- /dev/null
+++ b/types/chroot.pp
@@ -0,0 +1 @@
+type Unbound::Chroot = Variant[Enum[''], Stdlib::Absolutepath]
diff --git a/types/hints_file.pp b/types/hints_file.pp
new file mode 100644
index 00000000..3c54b839
--- /dev/null
+++ b/types/hints_file.pp
@@ -0,0 +1 @@
+type Unbound::Hints_file = Variant[Enum['builtin'], Stdlib::Absolutepath]