unkinben/puppet-bind
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #36 from inkblot/managed-zone-file

Browse Source 
Add `dynamic` parameter to `bind::zone`
This commit is contained in:
Nate Riffe 2015-05-15 07:56:26 -05:00
commit 993692aa85
4 changed files with 121 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
README.md
View File

@ -107,6 +107,15 @@ file will not be overwritten. Only the `zone_type` is required. If `domain` is
unspecified, the title of the `bind::zone` declaration will be used as the unspecified, the title of the `bind::zone` declaration will be used as the
domain. domain.
A master zone with a zone file managed directly by Puppet:
bind::zone { 'example.org':
zone_type => 'master',
dynamic => false,
source => 'puppet:///dns/db.example.org',
allow_transfers => [ 'secondary-dns', ],
}
A master zone with DNSSec disabled which allows updates using a TSIG key and A master zone with DNSSec disabled which allows updates using a TSIG key and
zone transfers to servers matching an acl: zone transfers to servers matching an acl:

143
manifests/zone.pp
View File

@ -3,6 +3,7 @@
define bind::zone ( define bind::zone (
$zone_type, $zone_type,
$domain = '', $domain = '',
$dynamic = true,
$masters = '', $masters = '',
$transfer_source = '', $transfer_source = '',
$allow_updates = '', $allow_updates = '',
@ -16,74 +17,120 @@ define bind::zone (
$forward = '', $forward = '',
$source = '', $source = '',
) { ) {
$cachedir = $bind::cachedir # where there is a zone, there is a server
include bind
$cachedir = $::bind::cachedir
$_domain = pick($domain, $name)
if $domain == '' { unless !($masters != '' and ! member(['slave', 'stub'], $zone_type)) {
$_domain = $name fail("masters may only be provided for bind::zone resources with zone_type 'slave' or 'stub'")
} else {
$_domain = $domain
} }
$has_zone_file = $zone_type ? { unless !($transfer_source != '' and ! member(['slave', 'stub'], $zone_type)) {
'master' => true, fail("transfer_source may only be provided for bind::zone resources with zone_type 'slave' or 'stub'")
'slave' => true,
'hint' => true,
'stub' => true,
default => false,
} }
if $has_zone_file { unless !($allow_update != '' and ! $dynamic) {
if $zone_type == 'master' and $source != '' { fail("allow_update may only be provided for bind::zone resources with dynamic set to true")
$_source = $source }
} else {
$_source = 'puppet:///modules/bind/db.empty'
}
unless !($dnssec and ! $dynamic) {
fail("dnssec may only be true for bind::zone resources with dynamic set to true")
}
unless !($key_directory != '' and ! $dnssec) {
fail("key_directory may only be provided for bind::zone resources with dnssec set to true")
}
unless !($allow_notify != '' and ! member(['slave', 'stub'], $zone_type)) {
fail("allow_notify may only be provided for bind::zone resources with zone_type 'slave' or 'stub'")
}
unless !($forwarders != '' and $zone_type != 'forward') {
fail("forwarders may only be provided for bind::zone resources with zone_type 'forward'")
}
unless !($forward != '' and $zone_type != 'forward') {
fail("forward may only be provided for bind::zone resources with zone_type 'forward'")
}
unless !($source != '' and ! member(['master', 'hint'], $zone_type)) {
fail("source may only be provided for bind::zone resources with zone_type 'master' or 'hint'")
}
$zone_file_mode = $zone_type ? {
'master' => $dynamic ? {
true => 'init',
false => 'managed',
},
'slave' => 'allowed',
'hint' => 'managed',
'stub' => 'allowed',
default => 'absent',
}
if member(['init', 'managed', 'allowed'], $zone_file_mode) {
file { "${cachedir}/${name}": file { "${cachedir}/${name}":
ensure => directory, ensure => directory,
owner => $bind::params::bind_user, owner => $::bind::params::bind_user,
group => $bind::params::bind_group, group => $::bind::params::bind_group,
mode => '0755', mode => '0755',
require => Package['bind'], require => Package['bind'],
} }
file { "${cachedir}/${name}/${_domain}": if member(['init', 'managed'], $zone_file_mode) {
ensure => present, file { "${cachedir}/${name}/${_domain}":
owner => $bind::params::bind_user, ensure => present,
group => $bind::params::bind_group, owner => $::bind::params::bind_user,
mode => '0644', group => $::bind::params::bind_group,
replace => false, mode => '0644',
source => $_source, replace => ($zone_file_mode == 'managed'),
audit => [ content ], source => pick($source, 'puppet:///modules/bind/db.empty'),
audit => [ content ],
}
} }
if $dnssec { if $zone_file_mode == 'managed' {
exec { "dnssec-keygen-${name}": exec { "rndc reload ${_domain}":
command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\ command => "/usr/sbin/rndc reload ${_domain}",
'${_domain}' '${key_directory}'", user => $::bind::params::bind_user,
cwd => $cachedir, refreshonly => true,
user => $bind::params::bind_user, require => Service['bind'],
creates => "${cachedir}/${name}/${_domain}.signed", subscribe => File["${cachedir}/${name}/${_domain}"],
timeout => 0, # crypto is hard
require => [
File['/usr/local/bin/dnssec-init'],
File["${cachedir}/${name}/${_domain}"]
],
}
file { "${cachedir}/${name}/${_domain}.signed":
owner => $bind::params::bind_user,
group => $bind::params::bind_group,
mode => '0644',
audit => [ content ],
} }
} }
} elsif $zone_file_mode == 'absent' {
file { "${cachedir}/${name}":
ensure => absent,
}
} }
file { "${bind::confdir}/zones/${name}.conf": if $dnssec {
exec { "dnssec-keygen-${name}":
command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\
'${_domain}' '${key_directory}'",
cwd => $cachedir,
user => $::bind::params::bind_user,
creates => "${cachedir}/${name}/${_domain}.signed",
timeout => 0, # crypto is hard
require => [
File['/usr/local/bin/dnssec-init'],
File["${cachedir}/${name}/${_domain}"]
],
}
file { "${cachedir}/${name}/${_domain}.signed":
owner => $::bind::params::bind_user,
group => $::bind::params::bind_group,
mode => '0644',
audit => [ content ],
}
}
file { "${::bind::confdir}/zones/${name}.conf":
ensure => present, ensure => present,
owner => 'root', owner => 'root',
group => $bind::params::bind_group, group => $::bind::params::bind_group,
mode => '0644', mode => '0644',
content => template('bind/zone.conf.erb'), content => template('bind/zone.conf.erb'),
notify => Service['bind'], notify => Service['bind'],

1
metadata.json
View File

@ -27,6 +27,7 @@
} }
], ],
"dependencies": [ "dependencies": [
{ "name": "puppetlabs/stdlib" },
{ "name": "puppetlabs/concat", "version_requirement": ">=1.0.0 <2.0.0" }, { "name": "puppetlabs/concat", "version_requirement": ">=1.0.0 <2.0.0" },
{ "name": "ripienaar/module_data" } { "name": "ripienaar/module_data" }
] ]

34
templates/zone.conf.erb
View File

@ -2,35 +2,33 @@
# This file managed by puppet - changes will be lost # This file managed by puppet - changes will be lost
zone "<%= @_domain %>" { zone "<%= @_domain %>" {
type <%= @zone_type %>; type <%= @zone_type %>;
<%- if @has_zone_file -%> <%- if @dnssec -%>
<%- if @dnssec -%>
auto-dnssec maintain; auto-dnssec maintain;
<%- if @key_directory and @key_directory != '' -%> <%- if @key_directory and @key_directory != '' -%>
key-directory "<%= @key_directory %>"; key-directory "<%= @key_directory %>";
<%- else -%>
key-directory "<%= @cachedir %>/<%= @name %>";
<%- end -%>
file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>.signed";
<%- else -%> <%- else -%>
key-directory "<%= @cachedir %>/<%= @name %>";
<%- end -%>
file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>.signed";
<%- elsif %w(init managed allowed).include? @zone_file_mode -%>
file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>"; file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>";
<%- end -%> <%- end -%>
<%- unless @zone_type == 'stub' -%> <%- if %w(master slave).include? @zone_type -%>
notify <%= @ns_notify ? 'yes' : 'no' %>; notify <%= @ns_notify ? 'yes' : 'no' %>;
<%- end -%> <%- end -%>
<%- if @also_notify and @also_notify != '' -%> <%- if @also_notify and @also_notify != '' -%>
also-notify { also-notify {
<%- Array(@also_notify).each do |server| -%> <%- Array(@also_notify).each do |server| -%>
<%= server %>; <%= server %>;
<%- end -%>
};
<%- end -%> <%- end -%>
<%- if @allow_notify and @allow_notify != '' -%> };
<%- end -%>
<%- if @allow_notify and @allow_notify != '' -%>
allow-notify { allow-notify {
<%- Array(@allow_notify).each do |server| -%> <%- Array(@allow_notify).each do |server| -%>
<%= server %>; <%= server %>;
<%- end -%>
};
<%- end -%> <%- end -%>
};
<%- end -%> <%- end -%>
<%- if @masters and @masters != '' -%> <%- if @masters and @masters != '' -%>
masters { masters {