From 76b54fc59d80a46cefd15af95afc53fc8874270e Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 11 Nov 2023 23:00:55 +1100
Subject: [PATCH 1/2] feat: add dns resolver/master classes

- define resolver and master dns server
- export A and PTR records from dns clients
- collect exported resources for master
- create hiera structure for acls, zones and views

---
 .reek.yml | 5 +++
 .rubocop.yml | 10 +++++
 Puppetfile | 4 ++
 hieradata/roles/infra/dns/master.yaml | 28 ++++++++++++
 hieradata/roles/infra/dns/resolver.yaml | 29 ++++++++++++
 site/profiles/lib/facter/arpa.rb | 27 ++++++++++++
 site/profiles/manifests/base.pp | 3 ++
 site/profiles/manifests/dns/client.pp | 34 ++++++++++++++
 site/profiles/manifests/dns/master.pp | 27 ++++++++++++
 site/profiles/manifests/dns/resolver.pp | 16 +++++++
 site/profiles/manifests/dns/server.pp | 44 +++++++++++++++++++
 .../infra/dns/{authoritive.pp => master.pp} | 5 ++-
 site/roles/manifests/infra/dns/resolver.pp | 1 +
 13 files changed, 231 insertions(+), 2 deletions(-)
 create mode 100644 .reek.yml
 create mode 100644 .rubocop.yml
 create mode 100644 hieradata/roles/infra/dns/master.yaml
 create mode 100644 hieradata/roles/infra/dns/resolver.yaml
 create mode 100644 site/profiles/lib/facter/arpa.rb
 create mode 100644 site/profiles/manifests/dns/client.pp
 create mode 100644 site/profiles/manifests/dns/master.pp
 create mode 100644 site/profiles/manifests/dns/resolver.pp
 create mode 100644 site/profiles/manifests/dns/server.pp
 rename site/roles/manifests/infra/dns/{authoritive.pp => master.pp} (52%)

diff --git a/.reek.yml b/.reek.yml
new file mode 100644
index 0000000..5d9b3c5
--- /dev/null
+++ b/.reek.yml
@@ -0,0 +1,5 @@
+# .reek.yml
+
+detectors:
+ FeatureEnvy:
+ enabled: false
diff --git a/.rubocop.yml b/.rubocop.yml
new file mode 100644
index 0000000..ac0c163
--- /dev/null
+++ b/.rubocop.yml
@@ -0,0 +1,10 @@
+# .rubocop.yml
+
+Style/ClassAndModuleChildren:
+ EnforcedStyle: compact
+
+Style/Documentation:
+ Enabled: false
+
+Layout/LineLength:
+ Max: 140
diff --git a/Puppetfile b/Puppetfile
index 1da664c..fda7e8a 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -27,3 +27,7 @@ mod 'puppet-selinux', '4.1.0'
 # other
 mod 'ghoneycutt-puppet', '3.3.0'
 mod 'saz-sudo', '8.0.0'
+
+mod 'bind',
+ :git => 'https://git.unkin.net/unkinben/puppet-bind.git',
+ :tag => '1.0'
diff --git a/hieradata/roles/infra/dns/master.yaml b/hieradata/roles/infra/dns/master.yaml
new file mode 100644
index 0000000..c2a99c1
--- /dev/null
+++ b/hieradata/roles/infra/dns/master.yaml
@@ -0,0 +1,28 @@
+---
+profiles::dns::master::acls:
+ acl-main.unkin.net:
+ addresses:
+ - 198.18.17.0/24
+
+profiles::dns::master::zones:
+ main.unkin.net-master:
+ domain: 'main.unkin.net'
+ zone_type: 'master'
+ dynamic: false
+ 17.18.198.in-addr.arpa-master:
+ domain: '17.18.198.in-addr.arpa'
+ zone_type: 'master'
+ dynamic: false
+
+profiles::dns::master::views:
+ authoritive:
+ recursion: false
+ zones:
+ - main.unkin.net-master
+ - 17.18.198.in-addr.arpa-master
+ match_clients:
+ - acl-main.unkin.net
+
+profiles::dns::master::tags:
+ ptr: 'master-ptr-records'
+ a: 'master-a-records'
diff --git a/hieradata/roles/infra/dns/resolver.yaml b/hieradata/roles/infra/dns/resolver.yaml
new file mode 100644
index 0000000..2c0fa2d
--- /dev/null
+++ b/hieradata/roles/infra/dns/resolver.yaml
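Review bot: `mod 'bind'` is pinned with `:tag => '1.0'`, and a git tag is a mutable reference: anyone who can push to that repository can move the tag and change the module code r10k deploys onto the DNS servers on the next run, whereas the Forge modules above it in this hunk are pinned to immutable released versions. Pin to a commit instead, `:commit => '<sha the 1.0 tag points to>'` (placeholder for the real hash), or keep the tag and record the expected SHA in a comment next to it so that drift is at least detectable.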
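Review bot: The collection tags under `profiles::dns::master::tags`, `'master-ptr-records'` and `'master-a-records'`, do not match the tags the exporter sets in `site/profiles/manifests/dns/client.pp` (`tag => 'master-a-record'` and `tag => 'master-ptr-record'`, singular), so the `Resource_record <<| tag == $tag_value |>>` collector in `profiles::dns::master` matches nothing and the master's zones stay empty. Either change these two values to `ptr: 'master-ptr-record'` and `a: 'master-a-record'` or make the tags in client.pp plural; better, have client.pp read the same hiera keys so the strings live in one place. The same mismatch applies to the client.pp hunk and is not repeated there.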
@@ -0,0 +1,29 @@
+---
+profiles::dns::resolver::acls:
+ acl-main.unkin.net:
+ addresses:
+ - 198.18.17.0/24
+
+profiles::dns::resolver::zones:
+ main.unkin.net-forward:
+ domain: 'main.unkin.net'
+ zone_type: 'forward'
+ forwarders:
+ - 198.18.17.23
+ - 198.18.17.24
+ forward: 'only'
+ prod.unkin.net-forward:
+ domain: 'prod.unkin.net'
+ zone_type: 'forward'
+ forwarders:
+ - 10.10.8.1
+ forward: 'only'
+
+profiles::dns::resolver::views:
+ openforwarder:
+ recursion: true
+ zones:
+ - main.unkin.net-forward
+ - prod.unkin.net-forward
+ match_clients:
+ - acl-main.unkin.net
diff --git a/site/profiles/lib/facter/arpa.rb b/site/profiles/lib/facter/arpa.rb
new file mode 100644
index 0000000..25d2bad
--- /dev/null
+++ b/site/profiles/lib/facter/arpa.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+# arpa_fact.rb
+
+require 'facter'
+
+Facter.add(:arpa) do
+ setcode do
+ arpa_info = {}
+ Facter.value(:networking)['interfaces'].each do |interface_name, values|
+ next unless values.key?('ip')
+
+ ip_address = values['ip']
+ reversed_ip_parts = ip_address.split('.').reverse
+ addr = "#{reversed_ip_parts.join('.')}.in-addr.arpa"
+
+ trimmed_ip_parts = reversed_ip_parts[1..]
+ zone = "#{trimmed_ip_parts.join('.')}.in-addr.arpa"
+
+ arpa_info[interface_name] = {
+ 'zone' => zone,
+ 'addr' => addr
+ }
+ end
+ arpa_info
+ end
+end
diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp
index d601bf8..1182097 100644
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@@ -30,6 +30,9 @@ class profiles::base (
 include profiles::accounts::sysadmin
 include profiles::ntp::client
+ # configure dns records for client
+ profiles::dns::client {"${facts['networking']['fqdn']}-default":}
+
 # include the python class
 class { 'python':
 manage_python_package => true,
diff --git a/site/profiles/manifests/dns/client.pp b/site/profiles/manifests/dns/client.pp
new file mode 100644
index 0000000..60abe10
--- /dev/null
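Review bot: The reverse zone is derived by dropping the last octet (`reversed_ip_parts[1..]`), which hard-codes a /24 for every interface regardless of its actual prefix; the `networking` fact normally carries a per-interface `netmask` that could size the zone instead, and because the loop only checks for an `ip` key it also emits entries for `lo` and any secondary interface. At minimum state the assumption above the `trimmed_ip_parts` line, e.g. `# assumes a /24 reverse zone; the interface netmask is not consulted`, so the PTR export in client.pp is not silently wrong on other prefix lengths. Two smaller points: the header comment `# arpa_fact.rb` does not match the file name `arpa.rb`, and `require 'facter'` is not normally needed in a custom fact that Facter itself loads.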
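Review bot: `profiles::dns::client {...}` is declared unconditionally in `profiles::base`, so every node that includes base exports an A and a PTR record into the authoritative zones with no way to opt out per role or host. Guard it with a class parameter, e.g. `Boolean $manage_dns_records = true,` on `profiles::base` and `if $manage_dns_records { ... }` around the declaration, so hiera can disable it where a node should not publish records. `profiles::base` starts outside this hunk; the brace spacing `{"..."` should also match the `class { 'python':` style two lines below.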
+++ b/site/profiles/manifests/dns/client.pp
@@ -0,0 +1,34 @@
+# profiles::dns::client
+define profiles::dns::client (
+ Integer $ttl = 600,
+ String $intf = $facts['networking']['primary'],
+ String $addr = $facts['networking']['ip'],
+ String $fqdn = $facts['networking']['fqdn'],
+ Boolean $forward = true,
+ Boolean $reverse = true,
+){
+
+ if $forward {
+ @@resource_record { "${fqdn}_${intf}-a":
+ ensure => present,
+ record => $::facts['networking']['fqdn'],
+ type => 'A',
+ data => [$::facts['networking']['ip']],
+ ttl => $ttl,
+ zone => "${::facts['networking']['domain']}-master",
+ tag => 'master-a-record',
+ }
+ }
+
+ if $reverse {
+ @@resource_record { "${fqdn}_${addr}-ptr":
+ ensure => present,
+ record => $::facts['arpa'][$intf]['addr'],
+ type => 'PTR',
+ data => [$fqdn],
+ ttl => $ttl,
+ zone => "${::facts['arpa'][$intf]['zone']}-master",
+ tag => 'master-ptr-record',
+ }
+ }
+}
diff --git a/site/profiles/manifests/dns/master.pp b/site/profiles/manifests/dns/master.pp
new file mode 100644
index 0000000..5b0a158
--- /dev/null
+++ b/site/profiles/manifests/dns/master.pp
@@ -0,0 +1,27 @@
+# profiles::dns::master authoritative service
+class profiles::dns::master (
+ Hash $acls = {},
+ Hash $zones = {},
+ Hash $views = {},
+ Hash[
+ String,
+ String
+ ] $tags = {},
+ Boolean $dnssec = false,
+){
+
+ class {'profiles::dns::server':
+ acls => $acls,
+ zones => $zones,
+ views => $views,
+ forwarders => [],
+ dnssec => $dnssec,
+ }
+
+ # collect records
+ $tags.each | String $key, String $tag_value | {
+ if $tag_value != undef {
+ Resource_record <<| tag == $tag_value |>>
+ }
+ }
+}
diff --git a/site/profiles/manifests/dns/resolver.pp b/site/profiles/manifests/dns/resolver.pp
new file mode 100644
index 0000000..bc95e6d
--- /dev/null
+++ b/site/profiles/manifests/dns/resolver.pp
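Review bot: The A record ignores the define's own parameters: `record => $::facts['networking']['fqdn']`, `data => [$::facts['networking']['ip']]` and the zone built from `$::facts['networking']['domain']` read the node facts directly, so a caller that passes `fqdn`, `addr` or `intf` still gets a record for the node's default identity, while the PTR branch does honor `$fqdn` and `$intf`. Use the parameters in both branches, `record => $fqdn,` and `data => [$addr],`, and derive the forward zone from `$fqdn` as well or make it a parameter. The `String $addr` and `String $fqdn` defaults also fail the type check with an unhelpful error when the corresponding fact is absent; a comment on the parameter list saying the define requires an IPv4 primary interface would save the next reader a compile failure.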
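Review bot: `if $tag_value != undef` in the collector loop can never be false, because `$tags` is typed `Hash[String, String]` and a String value is never undef; an empty string passes the guard and is handed to the collector unchanged. Check for the empty string instead, `if $tag_value != '' {`, or drop the guard and let the type do the work. The collector also deserves a comment stating the trust boundary it creates, since the tag is the only filter: `# NOTE: collection is by tag only; any node whose catalog exports a resource_record with this tag lands in the authoritative zones` — which is why the exporting define in client.pp should stay restricted to the node's own fqdn/address.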
@@ -0,0 +1,16 @@
+# profiles::dns::resolver
+class profiles::dns::resolver (
+ Hash $acls = {},
+ Hash $zones = {},
+ Hash $views = {},
+ Array $forwarders = ['8.8.8.8', '1.1.1.1'],
+){
+
+ class {'profiles::dns::server':
+ acls => $acls,
+ zones => $zones,
+ views => $views,
+ forwarders => $forwarders,
+ }
+
+}
diff --git a/site/profiles/manifests/dns/server.pp b/site/profiles/manifests/dns/server.pp
new file mode 100644
index 0000000..06a4dba
--- /dev/null
+++ b/site/profiles/manifests/dns/server.pp
@@ -0,0 +1,44 @@
+# profiles::dns::server
+class profiles::dns::server (
+ Hash $acls = {},
+ Hash $zones = {},
+ Hash $views = {},
+ Array $forwarders = ['8.8.8.8', '1.1.1.1'],
+ Boolean $dnssec = true,
+){
+
+ # if forwarders are empty, set it to undef
+ if $forwarders == [] {
+ $use_forwarders = undef
+ }else{
+ $use_forwarders = $forwarders
+ }
+
+ # setup base bind server
+ class { 'bind':
+ forwarders => $use_forwarders,
+ dnssec => $dnssec,
+ version => 'Controlled by Puppet',
+ }
+
+ # if acls, import them
+ $acls.each | $name, $data | {
+ bind::acl { $name:
+ * => $data,
+ }
+ }
+
+ # if zones, import them
+ $zones.each | $name, $data | {
+ bind::zone { $name:
+ * => $data,
+ }
+ }
+
+ # if views, import them
+ $views.each | $name, $data | {
+ bind::view { $name:
+ * => $data,
+ }
+ }
+}
diff --git a/site/roles/manifests/infra/dns/authoritive.pp b/site/roles/manifests/infra/dns/master.pp
similarity index 52%
rename from site/roles/manifests/infra/dns/authoritive.pp
rename to site/roles/manifests/infra/dns/master.pp
index ab81813..e5d50de 100644
--- a/site/roles/manifests/infra/dns/authoritive.pp
+++ b/site/roles/manifests/infra/dns/master.pp
@@ -1,7 +1,8 @@
-# roles::infra::dns::authoritive
+# roles::infra::dns::master
 # defines a dns server with master-only zones
 #
-class roles::infra::dns::authoritive {
+class roles::infra::dns::master {
 include profiles::defaults
 include profiles::base
+ include profiles::dns::master
 }
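Review bot: The default `Array $forwarders = ['8.8.8.8', '1.1.1.1']` duplicates the identical literal in `profiles::dns::server`, and since this class passes `$forwarders` through unchanged the two defaults will drift apart; drop the default here or declare it once in hiera. The resolver also passes no `dnssec`, so it silently depends on the server class defaulting to `true` (the value that matters most on a recursive resolver), while `profiles::dns::master` exposes the setting explicitly; for symmetry add `Boolean $dnssec = true,` to the parameter list and `dnssec => $dnssec,` to the `profiles::dns::server` declaration.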
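Review bot: The empty-forwarders branch is written as `if $forwarders == [] {` with `}else{`; Puppet's built-in `empty()` says what is meant and puppet-lint expects spaces around `else`, and the whole block collapses to one selector: `$use_forwarders = empty($forwarders) ? { true => undef, default => $forwarders }`. The three `Hash` parameters would also catch malformed hiera data earlier if typed as `Hash[String, Hash]`, since `* => $data` otherwise fails inside `bind::acl`/`bind::zone`/`bind::view` with a less readable error. Setting `version => 'Controlled by Puppet'` so BIND does not disclose its version is a good choice and is worth a one-line comment saying so.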
diff --git a/site/roles/manifests/infra/dns/resolver.pp b/site/roles/manifests/infra/dns/resolver.pp index 1bf97ab..606ca9f 100644 --- a/site/roles/manifests/infra/dns/resolver.pp +++ b/site/roles/manifests/infra/dns/resolver.pp @@ -4,4 +4,5 @@ class roles::infra::dns::resolver { include profiles::defaults include profiles::base + include profiles::dns::resolver } From d877fd00f382e0dbbaa71f3c5a26730194d4f5ca Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 13 Nov 2023 22:00:19 +1100 Subject: [PATCH 2/2] chore: bump enc version https://git.unkin.net/unkinben/puppet-enc/pulls/27 --- hieradata/roles/puppet/puppetmaster.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hieradata/roles/puppet/puppetmaster.yaml b/hieradata/roles/puppet/puppetmaster.yaml index eb72974..931b916 100644 --- a/hieradata/roles/puppet/puppetmaster.yaml +++ b/hieradata/roles/puppet/puppetmaster.yaml @@ -9,7 +9,7 @@ profiles::puppet::autosign::domains: # - 'somenode.main.unkin.net' profiles::puppet::enc::repo: https://git.unkin.net/unkinben/puppet-enc.git -profiles::puppet::enc::release: '0.5' +profiles::puppet::enc::release: '0.6' profiles::puppet::enc::force: true profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git profiles::puppet::g10k::bin_path: '/opt/puppetlabs/bin/g10k'