diff --git a/README.md b/README.md index 1cd6fd1..d5eb971 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,14 @@ class { 'bind': allow_recursion => [ 'localhost', ], } ``` +Or with hiera +```puppet +bind::listen_on: 127.0.0.1 +bind::listen_on_v6: none +bind::allow_query: localhost +bind::allow_query_cache: localhost +bind::allow_recursion: localhost +``` ## Usage @@ -60,6 +68,22 @@ bind::acl { 'lan': address_match_list => [ '192.168.10.0/24' ], } ``` +Or with hiera +```puppet +bind::allow_query: + - localhost + - lan +bind::allow_query_cache: + - localhost + - lan +bind::allow_recursion: + - localhost + - lan + +bind::acls: + lan: + address_match_list: 192.168.10.0/24 +``` ### Caching name server with forwarders @@ -73,6 +97,21 @@ class { 'bind': forwarders => [ '10.0.0.53', '10.1.1.53', ], } ``` +Or with hiera +```puppet +bind::allow_query: + - localhost + - 10/8 +bind::allow_query_cache: + - localhost + - 10/8 +bind::allow_recursion: + - localhost + - 10/8 +bind::forwarders: + - 10.0.0.53 + - 10.1.1.53 +``` ### Manage a primary zone @@ -83,6 +122,12 @@ bind::zone::primary { 'example.com': source => 'puppet:///modules/profile/dns/example.com.zone', } ``` +Or with hiera +```puppet +bind::zone::primarys: + example.com: + source: 'puppet:///modules/profile/dns/example.com.zone' +``` The zone file will be managed on the server as `/var/lib/bind/primary/com/example/db.example.com`. This tree structure is better than a flat directory structure if many zones will be managed by the server. 
@@ -101,6 +146,18 @@ bind::zone::primary { 'example.com': content => epp("profile/dynamic-zone-template.epp", $params), } ``` +Or with hiera +```puppet +bind::keys: + nsupdate: + secret: TopSecret + keyfile: /etc/bind/nsupdate.key + +bind::zone::primarys: + example.com: + update_policy: grant nsupdate zonesub any + content: 'epp("profile/dynamic-zone-template.epp", $params)' +``` If the zone file `/var/lib/bind/primary/com/example/db.example.com` does not exist on the name server, a new file will be created using the specified template. After that the file content can not be managed by Puppet as `named` will periodically need to update the zone file when processing dynamic updates. The `source` or `content` parameters are ignored in this case. @@ -122,6 +179,20 @@ bind::zone::primary { 'example.net': source => 'puppet:///modules/profile/dns/example.net.zone', } ``` +Or with hiera +```puppet +bind::dnssec_policys: + standard: + csk_lifetime: unlimited + csk_algorithm: ecdsap256sha256 + +bind::zone::primarys: + example.net: + dnssec_policy: standard + inline_signing: true + source: 'puppet:///modules/profile/dns/example.net.zone' +} +``` DNSSEC policies are available with Bind 9.16 and later. @@ -138,6 +209,16 @@ bind::view { 'internal': order => '10', } ``` +Or with hiera +```puppet +bind::views: + internal: + match_clients: localnets + allow_query: localnets + allow_recursion: localnets + recursion: true + order: 10 +``` The view `external` is for all other hosts and should only be used for your primary or secondary zones. @@ -151,6 +232,17 @@ bind::view { 'external': order => '20', } ``` +Or with hiera +```puppet +bind::views: + external: + match_clients: any + allow_query: any + recursion: false + localhost_forward_enable: false + localhost_reverse_enable: false + order: 20 +``` The defined types `bind::zone::primary` and `bind::zone::secondary` can be used to add zones to this view. diff --git a/manifests/init.pp b/manifests/init.pp index 443fdd6..5ab455d 100644 
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -321,6 +321,73 @@
 # once a day the DNSSEC trust anchors in use will be transmitted to the zon
 # owners. This is enabled by default.
 #
+# @param bind:acls
+# Hash of `bind::acls` resources.
+# source the hash of bind::acls and trigger the class bind::acl
+#
+# @param bind:amls
+# Hash of `bind::amls` resources.
+# source the hash of bind::amls and trigger the class bind::aml
+#
+# @param dnssec_policys
+# Hash of `bind::dnssec_policys` resources.
+# source the hash of bind::dnssec_policys and trigger the class bind::dnssec_policy
+#
+# @param keys
+# Hash of `bind::keys` resources.
+# source the hash of bind::keys and trigger the class bind::key
+#
+# @param views
+# Hash of `bind::views` resources.
+# source the hash of bind::views and trigger the class bind::view
+#
+# @param statistics_channels
+# Hash of `bind::statistics_channels` resources.
+# source the hash of bind::statistics_channels and trigger the class bind::statistics_channel
+#
+# @param controls_inets
+# Hash of `bind::controls::inets` resources.
+# source the hash of bind::controls::inets and trigger the class bind::controls::inet
+#
+# @param controls_unixs
+# Hash of `bind::controls::unixs` resources.
+# source the hash of bind::controls::unixs and trigger the class bind::controls::unix
+#
+# @param logging_categorys
+# Hash of `bind::logging::categorys` resources.
+# source the hash of bind::logging::categorys and trigger the class bind::logging::category
+#
+# @param logging_channel_files
+# Hash of `bind::logging::channel_files` resources.
+# source the hash of bind::logging::channel_files and trigger the class bind::logging::channel_file
+#
+# @param logging_channel_syslogs
+# Hash of `bind::logging::channel_syslogs` resources.
+# source the hash of bind::logging::channel_syslogs and trigger the class bind::logging::channel_syslog
+#
+# @param zone_forwards
+# Hash of `bind::zone::forwards` resources.
+# source the hash of bind::zone::forwards and trigger the class bind::zone::forward
+#
+# @param zone_hints
+# Hash of `bind::zone::hints` resources.
+# source the hash of bind::zone::hints and trigger the class bind::zone::hint
+#
+# @param zone_in_views
+# Hash of `bind::zone::in_views` resources.
+# source the hash of bind::zone::in_views and trigger the class bind::zone::in_view
+#
+# @param zone_mirrors
+# Hash of `bind::zone::mirrors` resources.
+# source the hash of bind::zone::mirrors and trigger the class bind::zone::mirror
+#
+# @param zone_primarys
+# Hash of `bind::zone::primarys` resources.
+# source the hash of bind::zone::primarys and trigger the class bind::zone::primary
+#
+# @param zone_secondarys
+# Hash of `bind::zone::secondarys` resources.
+# source the hash of bind::zone::secondarys and trigger the class bind::zone::secondary
 #
 class bind (
 Stdlib::Absolutepath $confdir,
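Review bot: The tags `@param bind:acls` and `@param bind:amls` do not match the parameter names `$acls` and `$amls` declared in the signature below, so puppet-strings will report those two parameters as undocumented and the tags as unknown; they should read `# @param acls` and `# @param amls`. The `$configs` parameter introduced by the same change has no `@param` entry at all. The wording "trigger the class bind::acl" is misleading because `bind::acl`, `bind::key` and the rest are declared as defined types in the loops further down; I'd phrase each entry as `# Hash of resource titles to parameter hashes; each entry declares one bind::acl defined type.` For `keys` the entry should additionally state that the value hashes contain TSIG secrets and must come from an encrypted Hiera backend (eyaml or equivalent), not plaintext YAML.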
@@ -385,6 +452,24 @@
 Optional[String] $report_version = undef,
 Optional[Boolean] $querylog_enable = undef,
 Optional[Boolean] $trust_anchor_telemetry = undef,
+ Optional[Hash] $acls = {},
+ Optional[Hash] $amls = {},
+ Optional[Hash] $configs = {},
+ Optional[Hash] $dnssec_policys = {},
+ Optional[Hash] $keys = {},
+ Optional[Hash] $statistics_channels = {},
+ Optional[Hash] $views = {},
+ Optional[Hash] $controls_inets = lookup(bind::controls::inets, undef, undef, {}),
+ Optional[Hash] $controls_unixs = lookup(bind::controls::unixs, undef, undef, {}),
+ Optional[Hash] $logging_categorys = lookup(bind::logging::categorys, undef, undef, {}),
+ Optional[Hash] $logging_channel_files = lookup(bind::logging::channel_files, undef, undef, {}),
+ Optional[Hash] $logging_channel_syslogs = lookup(bind::logging::syslogs, undef, undef, {}),
+ Optional[Hash] $zone_forwards = lookup(bind::zone::forwards, undef, undef, {}),
+ Optional[Hash] $zone_hints = lookup(bind::zone::hints, undef, undef, {}),
+ Optional[Hash] $zone_in_views = lookup(bind::zone::in_views, undef, undef, {}),
+ Optional[Hash] $zone_mirrors = lookup(bind::zone::in_views, undef, undef, {}),
+ Optional[Hash] $zone_primarys = lookup(bind::zone::primarys, undef, undef, {}),
+ Optional[Hash] $zone_secondarys = lookup(bind::zone::secondarys, undef, undef, {}),
 ) {
 $header_message = '// This file is managed by Puppet. DO NOT EDIT.'
@@ -844,6 +929,13 @@
 before => Service['bind'],
 }
+ $configs.each |$key, $value| {
+ bind::config { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
 #
 # Misc zone files
 #
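Review bot: `$zone_mirrors` defaults to `lookup(bind::zone::in_views, undef, undef, {})`, the same key that `$zone_in_views` already reads, so any in-view zone configured in Hiera would also be instantiated as a `bind::zone::mirror`; this looks like a copy-paste slip and should be `lookup('bind::zone::mirrors', undef, undef, {})`. `$logging_channel_syslogs` has a similar mismatch: it looks up `bind::logging::syslogs` while the docstring added in this commit names the key `bind::logging::channel_syslogs`. The lookup keys are bare words and should be quoted strings so the intent is unambiguous to the parser and to linters. `Optional[Hash]` with a `{}` default only permits an explicit `undef`, which the `.each` loops later in the class would not accept; plain `Hash` is the tighter type. Because `$keys` and `$controls_inets` carry TSIG secrets and rndc control-channel definitions, the parameter docs should say they must come from an encrypted, access-restricted Hiera level.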
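Review bot: `notify => Service['bind'],` in the `$configs.each` loop is placed after the closing brace of the `bind::config { $key: ... }` resource, where a bare attribute is not valid Puppet syntax and the manifest will fail to parse; it belongs inside the resource body, i.e. `bind::config { $key: * => $value, notify => Service['bind'], }`. Once it is inside, a `$value` hash that also supplies `notify` will raise a duplicate-attribute error at compile time, so the (currently missing) `@param configs` docstring should state that the per-entry hash must not set `notify`. `bind::config` itself is not visible in this diff, so whether that defined type exists and accepts these parameters should be confirmed.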
@@ -938,4 +1030,123 @@
 name => $service_name,
 restart => "${rndc_program} reconfig",
 }
+
+ $acls.each |$key, $value| {
+ bind::acl { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $amls.each |$key, $value| {
+ bind::aml { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $dnssec_policys.each |$key, $value| {
+ bind::dnssec_policy { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $keys.each |$key, $value| {
+ bind::key { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $statistics_channels.each |$key, $value| {
+ bind::statistics_channel { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $views.each |$key, $value| {
+ bind::view { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $controls_inets.each |$key, $value| {
+ bind::controls::inet { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $controls_unixs.each |$key, $value| {
+ bind::controls::unix { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $logging_categorys.each |$key, $value| {
+ bind::logging::category { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $logging_channel_files.each |$key, $value| {
+ bind::logging::channel_file { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $logging_channel_syslogs.each |$key, $value| {
+ bind::logging::channel_syslog { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $zone_forwards.each |$key, $value| {
+ bind::zone::forward { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $zone_hints.each |$key, $value| {
+ bind::zone::hint { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $zone_in_views.each |$key, $value| {
+ bind::zone::in_view { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $zone_mirrors.each |$key, $value| {
+ bind::zone::mirror { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $zone_primarys.each |$key, $value| {
+ bind::zone::primary { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
+
+ $zone_secondarys.each |$key, $value| {
+ bind::zone::secondary { $key:
+ * => $value,
+ }
+ notify => Service['bind'],
+ }
 }
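Review bot: Every loop in this hunk writes `notify => Service['bind'],` after the resource's closing `}` instead of inside the `bind::acl { $key: ... }` body, which is a parse error, so the whole manifest stops compiling; each should become `bind::acl { $key: * => $value, notify => Service['bind'], }`, and likewise for the other sixteen defined types. Since `Service['bind']` is declared just above with `restart => "${rndc_program} reconfig"`, these notifies trigger `rndc reconfig` on change, which as far as I know re-reads named.conf and loads new zones but does not reload the data of an already loaded zone, so it is worth confirming that `bind::zone::primary` and friends handle their own reload rather than relying on this notify. From a hardening angle, `$controls_inets` and `$keys` are taken straight from Hiera, so any Hiera layer that can set those keys can open an rndc control channel or replace a TSIG key; the docs should pin those keys to a trusted, access-restricted hierarchy level and require encrypted storage (hiera-eyaml or similar). Naming the lambda parameters `|$title, $params|` instead of `|$key, $value|` would also avoid the confusing `$keys.each |$key, ...|` reading.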