Merge branch 'unbound-nodns64' into 'master'

Allow non-dns64 unbound setup, normalize unbound type parameters

See merge request ungleich-public/cdist-contrib!20
fnux 2021-01-25 07:36:58 +01:00
commit 1a4e95c821
10 changed files with 52 additions and 38 deletions


@ -1,5 +1,10 @@
#!/bin/sh #!/bin/sh
module_config="validator iterator"
if [ -n "$DNS64_PREFIX" ]; then
module_config="dns64 $module_config"
fi
generate_interface() { generate_interface() {
for i in $INTERFACES; do for i in $INTERFACES; do
echo " interface: $i" echo " interface: $i"
@ -26,6 +31,12 @@ generate_local_data() {
done done
} }
generate_dns64_prefix() {
if [ -n "$DNS64_PREFIX" ]; then
echo " dns64-prefix: $DNS64_PREFIX"
fi
}
cat << EOF cat << EOF
# #
# THIS FILE HAS BEEN GENERATED BY CDIST, DO NOT EDIT BY HAND. # THIS FILE HAS BEEN GENERATED BY CDIST, DO NOT EDIT BY HAND.
@ -506,7 +517,7 @@ $(generate_access_control)
# most modules have to be listed at the beginning of the line, # most modules have to be listed at the beginning of the line,
# except cachedb(just before iterator), and python (at the beginning, # except cachedb(just before iterator), and python (at the beginning,
# or, just before the iterator). # or, just before the iterator).
module-config: "dns64 validator iterator" module-config: "$module_config"
# File with trusted keys, kept uptodate using RFC5011 probes, # File with trusted keys, kept uptodate using RFC5011 probes,
# initial file like trust-anchor-file, then it stores metadata. # initial file like trust-anchor-file, then it stores metadata.
@ -776,7 +787,8 @@ $(generate_local_data)
# DNS64 prefix. Must be specified when DNS64 is use. # DNS64 prefix. Must be specified when DNS64 is use.
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
dns64-prefix: $DNS64_PREFIX # dns64-prefix: $DNS64_PREFIX"
$(generate_dns64_prefix)
# DNS64 ignore AAAA records for these domains and use A instead. # DNS64 ignore AAAA records for these domains and use A instead.
# dns64-ignore-aaaa: "example.com" # dns64-ignore-aaaa: "example.com"


@ -2,7 +2,7 @@
UNBOUND_CERTS_DIR=/etc/unbound UNBOUND_CERTS_DIR=/etc/unbound
if [ -f "$__object/parameter/enable_rc" ]; then if [ -f "$__object/parameter/enable-rc" ]; then
echo "unbound-control-setup -d $UNBOUND_CERTS_DIR" echo "unbound-control-setup -d $UNBOUND_CERTS_DIR"
echo "chown unbound:unbound $UNBOUND_CERTS_DIR/*.pem $UNBOUND_CERTS_DIR/*.key" echo "chown unbound:unbound $UNBOUND_CERTS_DIR/*.pem $UNBOUND_CERTS_DIR/*.key"
fi fi


@ -13,9 +13,6 @@ answers from specified upstrean DNS server. This is a singleton type.
REQUIRED PARAMETERS REQUIRED PARAMETERS
------------------- -------------------
dns64_prefix
IPv6 prefix used for DNS64.
forward_addr forward_addr
DNS servers used to lookup names, can be provided multiple times. It can be DNS servers used to lookup names, can be provided multiple times. It can be
either an IPv4 or IPv6 address but no domain name. either an IPv4 or IPv6 address but no domain name.
@ -26,18 +23,21 @@ interface
Interface to listen on, can be provided multiple times. Defaults to Interface to listen on, can be provided multiple times. Defaults to
'127.0.0.1' and '::1'. '127.0.0.1' and '::1'.
access_control access-control
Controls which clients are allowed queries to the unbound service (everything Controls which clients are allowed queries to the unbound service (everything
but localhost is refused by default), can be provided multiple times. The but localhost is refused by default), can be provided multiple times. The
format is described in unbound.conf(5). format is described in unbound.conf(5).
rc_interface rc-interface
Address or path to socket used for remote control (see `--enable_control`. Defaults to `127.0.0.1`). Address or path to socket used for remote control (see `--enable_control`. Defaults to `127.0.0.1`).
local_data local-data
Configure local data, which is served in reply to queries for it. Can be Configure local data, which is served in reply to queries for it. Can be
specified multiple times. specified multiple times.
dns64-prefix
Enable DNS64 with specified prefix.
BOOLEAN PARAMETERS BOOLEAN PARAMETERS
------------------ ------------------
disable-ip4 disable-ip4
@ -48,7 +48,7 @@ disable-ip6
Do not answer or issue queries over IPv6. Cannot be used alongside the Do not answer or issue queries over IPv6. Cannot be used alongside the
`--disable-ip4` flag. `--disable-ip4` flag.
enable_rc enable-rc
Enable remote control (see `unbound-control(8)`). Enable remote control (see `unbound-control(8)`).
EXAMPLES EXAMPLES
@ -58,12 +58,12 @@ EXAMPLES
__ungleich_unbound \ __ungleich_unbound \
--interface '::0' \ --interface '::0' \
--dns64_prefix '2a0a:e5c0:2:10::/96' \ --dns64-prefix '2a0a:e5c0:2:10::/96' \
--forward_addr '2a0a:e5c0:2:1::5' \ --forward-addr '2a0a:e5c0:2:1::5' \
--forward_addr '2a0a:e5c0:2:1::6' \ --forward-addr '2a0a:e5c0:2:1::6' \
--access_control '::0/0 deny' \ --access-control '::0/0 deny' \
--access_control '2a0a:e5c0::/29 allow' \ --access-control '2a0a:e5c0::/29 allow' \
--access_control '2a09:2940::/29 allow' \ --access-control '2a09:2940::/29 allow' \
--ip6 --ip6
SEE ALSO SEE ALSO


@ -33,52 +33,55 @@ case "$os" in
esac esac
# Required parameters: # Required parameters:
DNS64_PREFIX=$(cat "$__object/parameter/dns64_prefix") FORWARD_ADDRS=$(cat "$__object/parameter/forward-addr")
export DNS64_PREFIX
FORWARD_ADDRS=$(cat "$__object/parameter/forward_addr")
export FORWARD_ADDRS export FORWARD_ADDRS
# Optional parameters: # Optional parameters:
if [ -f "$__object/parameter/dns64-prefix" ]; then
DNS64_PREFIX=$(cat "$__object/parameter/dns64-prefix")
export DNS64_PREFIX
fi
if [ -f "$__object/parameter/interface" ]; then if [ -f "$__object/parameter/interface" ]; then
INTERFACES=$(cat "$__object/parameter/interface") INTERFACES=$(cat "$__object/parameter/interface")
export INTERFACES export INTERFACES
fi fi
if [ -f "$__object/parameter/access_control" ]; then if [ -f "$__object/parameter/access-control" ]; then
ACCESS_CONTROLS=$(cat "$__object/parameter/access_control") ACCESS_CONTROLS=$(cat "$__object/parameter/access-control")
export ACCESS_CONTROLS export ACCESS_CONTROLS
fi fi
if [ -f "$__object/parameter/rc_interface" ]; then if [ -f "$__object/parameter/rc-interface" ]; then
RC_INTERFACE=$(cat "$__object/parameter/rc_interface") RC_INTERFACE=$(cat "$__object/parameter/rc-interface")
export RC_INTERFACE export RC_INTERFACE
fi fi
if [ -f "$__object/parameter/local_data" ]; then if [ -f "$__object/parameter/local-data" ]; then
LOCAL_DATA=$(cat "$__object/parameter/local_data") LOCAL_DATA=$(cat "$__object/parameter/local-data")
export LOCAL_DATA export LOCAL_DATA
fi fi
# Boolean parameters: # Boolean parameters:
if [ -f "$__object/parameter/disable_ip4" ] && \ if [ -f "$__object/parameter/disable-ip4" ] && \
[ -f "$__object/parameter/disable_ip6" ]; then [ -f "$__object/parameter/disable-ip6" ]; then
echo "--disable-ip4 and --disable-ip6 cannot be used at the same time." >&2 echo "--disable-ip4 and --disable-ip6 cannot be used at the same time." >&2
exit 1 exit 1
fi fi
if [ -f "$__object/parameter/disable_ip4" ]; then if [ -f "$__object/parameter/disable-ip4" ]; then
export DO_IP4='no' export DO_IP4='no'
else else
export DO_IP4='yes' export DO_IP4='yes'
fi fi
if [ -f "$__object/parameter/disable_ip6" ]; then if [ -f "$__object/parameter/disable-ip6" ]; then
export DO_IP6='no' export DO_IP6='no'
else else
export DO_IP6='yes' export DO_IP6='yes'
fi fi
if [ -f "$__object/parameter/enable_rc" ]; then if [ -f "$__object/parameter/enable-rc" ]; then
export RC_ENABLE='yes' export RC_ENABLE='yes'
else else
export RC_ENABLE='no' export RC_ENABLE='no'
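Review bot: DNS64_PREFIX is now assigned only inside the `if [ -f "$__object/parameter/dns64-prefix" ]` block, so when the parameter is absent the variable keeps whatever the calling environment already holds, and the template's `[ -n "$DNS64_PREFIX" ]` test then decides whether the dns64 module is loaded. Putting `DNS64_PREFIX=''` and `export DNS64_PREFIX` ahead of the block would make the no-DNS64 case explicit, and would presumably also keep the template from failing if it is ever run under `set -u`. The value is copied into the generated config exactly as read, so a short check before the export that it is a single address/length token with no whitespace would be worth adding. The trailing `enable-rc` block is cut off by the end of the hunk.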


@ -1,3 +1,3 @@
disable_ip6 disable-ip6
disable_ip4 disable-ip4
enable_rc enable-rc


@ -1 +1 @@
rc_interface rc-interface


@ -1,3 +1,3 @@
access_control access-control
local_data local-data
interface interface


@ -1 +0,0 @@
dns64_prefix


@ -1 +1 @@
forward_addr forward-addr