Add dynamic parameter to bind::zone

Add a parameter to `bind::zone` which indicates whether a zone is dynamic or
not. This has the effect of allowing puppet to manage the zone file rather than
simply initialize it. This change also introduces more appropriate handling of
slave and stub zones, so that puppet will not populate a stock zone file,
forcing the nameserver to do a zone transfer when a zone is created.

Also, there is now a substantial amount of validation in the `bind::zone` class
in order to prevent invalid parameter combinations, so that validity may be
assumed elsewhere in the manifest and in the configuration template.
Nate Riffe 2015-05-14 11:14:48 -05:00
parent ebe75830c6
commit 9f5c4bacb0
3 changed files with 101 additions and 71 deletions


@ -3,6 +3,7 @@
define bind::zone ( define bind::zone (
$zone_type, $zone_type,
$domain = '', $domain = '',
$dynamic = true,
$masters = '', $masters = '',
$transfer_source = '', $transfer_source = '',
$allow_updates = '', $allow_updates = '',
@ -16,74 +17,104 @@ define bind::zone (
$forward = '', $forward = '',
$source = '', $source = '',
) { ) {
$cachedir = $bind::cachedir # where there is a zone, there is a server
include bind
$cachedir = $::bind::cachedir
$_domain = pick($domain, $name)
if $domain == '' { # dynamic implies master zone
$_domain = $name validate_bool(!($dynamic and $zone_type != 'master'))
} else {
$_domain = $domain # masters implies slave/stub zone
validate_bool(!($masters != '' and ! member(['slave', 'stub'], $zone_type)))
# transfer_source implies slave/stub zone
validate_bool(!($transfer_source != '' and ! member(['slave', 'stub'], $zone_type)))
# allow_updates implies dynamic
validate_bool(!($allow_update != '' and ! $dynamic))
# dnssec implies dynamic zone
validate_bool(!($dnssec and ! $dynamic))
# key_directory implies dnssec
validate_bool(!($key_directory != '' and ! $dnssec))
# allow_notify implies slave/stub zone
validate_bool(!($allow_notify != '' and ! member(['slave', 'stub'], $zone_type)))
# forwarders implies forward zone
validate_bool(!($forwarders != '' and $zone_type != 'forward'))
# forward implies forward zone
validate_bool(!($forward != '' and $zone_type != 'forward'))
# source implies master/hint zone
validate_bool(!($source != '' and ! member(['master', 'hint'], $zone_type)))
$zone_file_mode = $zone_type ? {
'master' => $dynamic ? {
true => 'init',
false => 'managed',
},
'slave' => 'allowed',
'hint' => 'managed',
'stub' => 'allowed',
default => 'absent',
} }
$has_zone_file = $zone_type ? { if member(['init', 'managed', 'allowed'], $zone_file_mode) {
'master' => true,
'slave' => true,
'hint' => true,
'stub' => true,
default => false,
}
if $has_zone_file {
if $zone_type == 'master' and $source != '' {
$_source = $source
} else {
$_source = 'puppet:///modules/bind/db.empty'
}
file { "${cachedir}/${name}": file { "${cachedir}/${name}":
ensure => directory, ensure => directory,
owner => $bind::params::bind_user, owner => $::bind::params::bind_user,
group => $bind::params::bind_group, group => $::bind::params::bind_group,
mode => '0755', mode => '0755',
require => Package['bind'], require => Package['bind'],
} }
file { "${cachedir}/${name}/${_domain}": if member(['init', 'managed'], $zone_file_mode) {
ensure => present, file { "${cachedir}/${name}/${_domain}":
owner => $bind::params::bind_user, ensure => present,
group => $bind::params::bind_group, owner => $::bind::params::bind_user,
mode => '0644', group => $::bind::params::bind_group,
replace => false, mode => '0644',
source => $_source, replace => ($zone_file_mode == 'managed'),
audit => [ content ], source => pick($source, 'puppet:///modules/bind/db.empty'),
audit => [ content ],
}
} }
} elsif $zone_file_mode == 'absent' {
if $dnssec { file { "${cachedir}/${name}":
exec { "dnssec-keygen-${name}": ensure => absent,
command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\
'${_domain}' '${key_directory}'",
cwd => $cachedir,
user => $bind::params::bind_user,
creates => "${cachedir}/${name}/${_domain}.signed",
timeout => 0, # crypto is hard
require => [
File['/usr/local/bin/dnssec-init'],
File["${cachedir}/${name}/${_domain}"]
],
}
file { "${cachedir}/${name}/${_domain}.signed":
owner => $bind::params::bind_user,
group => $bind::params::bind_group,
mode => '0644',
audit => [ content ],
}
} }
} }
file { "${bind::confdir}/zones/${name}.conf": if $dnssec {
exec { "dnssec-keygen-${name}":
command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\
'${_domain}' '${key_directory}'",
cwd => $cachedir,
user => $::bind::params::bind_user,
creates => "${cachedir}/${name}/${_domain}.signed",
timeout => 0, # crypto is hard
require => [
File['/usr/local/bin/dnssec-init'],
File["${cachedir}/${name}/${_domain}"]
],
}
file { "${cachedir}/${name}/${_domain}.signed":
owner => $::bind::params::bind_user,
group => $::bind::params::bind_group,
mode => '0644',
audit => [ content ],
}
}
file { "${::bind::confdir}/zones/${name}.conf":
ensure => present, ensure => present,
owner => 'root', owner => 'root',
group => $bind::params::bind_group, group => $::bind::params::bind_group,
mode => '0644', mode => '0644',
content => template('bind/zone.conf.erb'), content => template('bind/zone.conf.erb'),
notify => Service['bind'], notify => Service['bind'],
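Review bot: The guards on the `validate_bool(!(...))` lines (from `# dynamic implies master zone` down to `# source implies master/hint zone`) never reject anything: `validate_bool` only checks that its argument is a boolean, and `!(...)` always yields one, so `validate_bool(false)` passes and every combination the comments forbid (a dynamic slave, `allow_updates` on a non-dynamic zone, `key_directory` without dnssec, and so on) still compiles and reaches the template, which the description says now assumes validity. Each check should be an explicit failure, e.g. `if $dynamic and $zone_type != 'master' { fail("bind::zone[${name}]: dynamic zones must be of type master") }`, with the same rewrite applied to the other nine checks. Separately, the check under `# allow_updates implies dynamic` reads `$allow_update` while the parameter declared above is `$allow_updates`, so even once enforced it would test an undefined variable rather than the parameter. Note too that `$dynamic` defaults to `true`, so once the first guard is real every existing slave, stub, forward and hint declaration must pass `dynamic => false` or fail to compile; that should be stated in the README or the default reconsidered. The define's closing braces lie outside the displayed hunk.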


@ -27,6 +27,7 @@
} }
], ],
"dependencies": [ "dependencies": [
{ "name": "puppetlabs/stdlib" },
{ "name": "puppetlabs/concat", "version_requirement": ">=1.0.0 <2.0.0" }, { "name": "puppetlabs/concat", "version_requirement": ">=1.0.0 <2.0.0" },
{ "name": "ripienaar/module_data" } { "name": "ripienaar/module_data" }
] ]
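Review bot: The new `puppetlabs/stdlib` entry carries no `version_requirement`, unlike the `puppetlabs/concat` entry beside it, although the zone manifest in this commit relies on `pick`, `member` and `validate_bool` from that module. An unpinned dependency lets an older stdlib without those functions satisfy the metadata and fail only at catalog compile time; it should read `{ "name": "puppetlabs/stdlib", "version_requirement": ">=MINIMUM_VERSION" }` with MINIMUM_VERSION set to the oldest release the module was tested against.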


@ -2,35 +2,33 @@
# This file managed by puppet - changes will be lost # This file managed by puppet - changes will be lost
zone "<%= @_domain %>" { zone "<%= @_domain %>" {
type <%= @zone_type %>; type <%= @zone_type %>;
<%- if @has_zone_file -%> <%- if @dnssec -%>
<%- if @dnssec -%>
auto-dnssec maintain; auto-dnssec maintain;
<%- if @key_directory and @key_directory != '' -%> <%- if @key_directory and @key_directory != '' -%>
key-directory "<%= @key_directory %>"; key-directory "<%= @key_directory %>";
<%- else -%>
key-directory "<%= @cachedir %>/<%= @name %>";
<%- end -%>
file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>.signed";
<%- else -%> <%- else -%>
key-directory "<%= @cachedir %>/<%= @name %>";
<%- end -%>
file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>.signed";
<%- elsif %w(init managed allowed).include? @zone_file_mode -%>
file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>"; file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>";
<%- end -%> <%- end -%>
<%- unless @zone_type == 'stub' -%> <%- if %w(master slave).include? @zone_type -%>
notify <%= @ns_notify ? 'yes' : 'no' %>; notify <%= @ns_notify ? 'yes' : 'no' %>;
<%- end -%> <%- end -%>
<%- if @also_notify and @also_notify != '' -%> <%- if @also_notify and @also_notify != '' -%>
also-notify { also-notify {
<%- Array(@also_notify).each do |server| -%> <%- Array(@also_notify).each do |server| -%>
<%= server %>; <%= server %>;
<%- end -%>
};
<%- end -%> <%- end -%>
<%- if @allow_notify and @allow_notify != '' -%> };
<%- end -%>
<%- if @allow_notify and @allow_notify != '' -%>
allow-notify { allow-notify {
<%- Array(@allow_notify).each do |server| -%> <%- Array(@allow_notify).each do |server| -%>
<%= server %>; <%= server %>;
<%- end -%>
};
<%- end -%> <%- end -%>
};
<%- end -%> <%- end -%>
<%- if @masters and @masters != '' -%> <%- if @masters and @masters != '' -%>
masters { masters {