feat: add dns resolver/master classes

- define resolver and master dns server
- export A and PTR records from dns clients
- collect exported resources for master
- create hiera structure for acls, zones and views

.reek.yml

@@ -0,0 +1,5 @@
+# .reek.yml
+
+detectors:
+  FeatureEnvy:
+    enabled: false

.rubocop.yml

@@ -0,0 +1,10 @@
+# .rubocop.yml
+
+Style/ClassAndModuleChildren:
+  EnforcedStyle: compact
+
+Style/Documentation:
+  Enabled: false
+
+Layout/LineLength:
+  Max: 140

Puppetfile

@@ -27,3 +27,7 @@ mod 'puppet-selinux', '4.1.0'
 # other
 mod 'ghoneycutt-puppet', '3.3.0'
 mod 'saz-sudo', '8.0.0'
+
+mod 'bind',
+  :git => 'https://git.unkin.net/unkinben/puppet-bind.git',
+  :tag => '1.0'

hieradata/roles/infra/dns/master.yaml

@@ -0,0 +1,28 @@
+---
+profiles::dns::master::acls:
+  acl-main.unkin.net:
+    addresses:
+      - 198.18.17.0/24
+
+profiles::dns::master::zones:
+  main.unkin.net-master:
+    domain: 'main.unkin.net'
+    zone_type: 'master'
+    dynamic: false
+  17.18.198.in-addr.arpa-master:
+    domain: '17.18.198.in-addr.arpa'
+    zone_type: 'master'
+    dynamic: false
+
+profiles::dns::master::views:
+  authoritive:
+    recursion: false
+    zones:
+      - main.unkin.net-master
+      - 17.18.198.in-addr.arpa-master
+    match_clients:
+      - acl-main.unkin.net
+
+profiles::dns::master::tags:
+  ptr: 'master-ptr-records'
+  a: 'master-a-records'

hieradata/roles/infra/dns/resolver.yaml

@@ -0,0 +1,29 @@
+---
+profiles::dns::resolver::acls:
+  acl-main.unkin.net:
+    addresses:
+      - 198.18.17.0/24
+
+profiles::dns::resolver::zones:
+  main.unkin.net-forward:
+    domain: 'main.unkin.net'
+    zone_type: 'forward'
+    forwarders:
+      - 198.18.17.23
+      - 198.18.17.24
+    forward: 'only'
+  prod.unkin.net-forward:
+    domain: 'prod.unkin.net'
+    zone_type: 'forward'
+    forwarders:
+      - 10.10.8.1
+    forward: 'only'
+
+profiles::dns::resolver::views:
+  openforwarder:
+    recursion: true
+    zones:
+      - main.unkin.net-forward
+      - prod.unkin.net-forward
+    match_clients:
+      - acl-main.unkin.net

site/profiles/lib/facter/arpa.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+# arpa_fact.rb
+
+require 'facter'
+
+Facter.add(:arpa) do
+  setcode do
+    arpa_info = {}
+    Facter.value(:networking)['interfaces'].each do |interface_name, values|
+      next unless values.key?('ip')
+
+      ip_address = values['ip']
+      reversed_ip_parts = ip_address.split('.').reverse
+      addr = "#{reversed_ip_parts.join('.')}.in-addr.arpa"
+
+      trimmed_ip_parts = reversed_ip_parts[1..]
+      zone = "#{trimmed_ip_parts.join('.')}.in-addr.arpa"
+
+      arpa_info[interface_name] = {
+        'zone' => zone,
+        'addr' => addr
+      }
+    end
+    arpa_info
+  end
+end

site/profiles/manifests/base.pp

@@ -30,6 +30,9 @@ class profiles::base (
   include profiles::accounts::sysadmin
   include profiles::ntp::client
 
+  # configure dns records for client
+  profiles::dns::client {"${facts['networking']['fqdn']}-default":}
+
   # include the python class
   class { 'python':
     manage_python_package => true,

site/profiles/manifests/dns/client.pp

@@ -0,0 +1,34 @@
+# profiles::dns::client
+define profiles::dns::client (
+  Integer   $ttl  = 600,
+  String    $intf = $facts['networking']['primary'],
+  String    $addr = $facts['networking']['ip'],
+  String    $fqdn = $facts['networking']['fqdn'],
+  Boolean   $forward = true,
+  Boolean   $reverse = true,
+){
+
+  if $forward {
+    @@resource_record { "${fqdn}_${intf}-a":
+      ensure => present,
+      record => $::facts['networking']['fqdn'],
+      type   => 'A',
+      data   => [$::facts['networking']['ip']],
+      ttl    => $ttl,
+      zone   => "${::facts['networking']['domain']}-master",
+      tag    => 'master-a-record',
+    }
+  }
+
+  if $reverse {
+    @@resource_record { "${fqdn}_${addr}-ptr":
+      ensure => present,
+      record => $::facts['arpa'][$intf]['addr'],
+      type   => 'PTR',
+      data   => [$fqdn],
+      ttl    => $ttl,
+      zone   => "${::facts['arpa'][$intf]['zone']}-master",
+      tag    => 'master-ptr-record',
+    }
+  }
+}

site/profiles/manifests/dns/master.pp

@@ -0,0 +1,27 @@
+# profiles::dns::master authoritative service
+class profiles::dns::master (
+  Hash    $acls  = {},
+  Hash    $zones = {},
+  Hash    $views = {},
+  Hash[
+    String,
+    String
+  ]       $tags  = {},
+  Boolean $dnssec = false,
+){
+
+  class {'profiles::dns::server':
+    acls       => $acls,
+    zones      => $zones,
+    views      => $views,
+    forwarders => [],
+    dnssec     => $dnssec,
+  }
+
+  # collect records
+  $tags.each | String $key, String $tag_value | {
+    if $tag_value != undef {
+      Resource_record <<| tag == $tag_value |>>
+    }
+  }
+}

site/profiles/manifests/dns/resolver.pp

@@ -0,0 +1,16 @@
+# profiles::dns::resolver
+class profiles::dns::resolver (
+  Hash  $acls  = {},
+  Hash  $zones = {},
+  Hash  $views = {},
+  Array $forwarders = ['8.8.8.8', '1.1.1.1'],
+){
+
+  class {'profiles::dns::server':
+    acls       => $acls,
+    zones      => $zones,
+    views      => $views,
+    forwarders => $forwarders,
+  }
+
+}

site/profiles/manifests/dns/server.pp

@@ -0,0 +1,44 @@
+# profiles::dns::server
+class profiles::dns::server (
+  Hash    $acls  = {},
+  Hash    $zones = {},
+  Hash    $views = {},
+  Array   $forwarders = ['8.8.8.8', '1.1.1.1'],
+  Boolean $dnssec = true,
+){
+
+  # if forwarders are empty, set it to undef
+  if $forwarders == [] {
+    $use_forwarders = undef
+  }else{
+    $use_forwarders = $forwarders
+  }
+
+  # setup base bind server
+  class { 'bind':
+      forwarders => $use_forwarders,
+      dnssec     => $dnssec,
+      version    => 'Controlled by Puppet',
+  }
+
+  # if acls, import them
+  $acls.each | $name, $data | {
+    bind::acl { $name:
+        * => $data,
+    }
+  }
+
+  # if zones, import them
+  $zones.each | $name, $data | {
+    bind::zone { $name:
+        * => $data,
+    }
+  }
+
+  # if views, import them
+  $views.each | $name, $data | {
+    bind::view { $name:
+        * => $data,
+    }
+  }
+}

site/roles/manifests/infra/dns/master.pp

@@ -1,7 +1,8 @@
-# roles::infra::dns::authoritive
+# roles::infra::dns::master
 # defines a dns server with master-only zones
 #
-class roles::infra::dns::authoritive {
+class roles::infra::dns::master {
     include profiles::defaults
     include profiles::base
+    include profiles::dns::master
 }

site/roles/manifests/infra/dns/resolver.pp

@@ -4,4 +4,5 @@
 class roles::infra::dns::resolver {
     include profiles::defaults
     include profiles::base
+    include profiles::dns::resolver
 }