Merge branch 'unbound-ng' into 'master'

__unbound: create more generalized type.

See merge request ungleich-public/cdist-contrib!36
fnux 2021-05-14 08:32:26 +02:00
commit 916862f7ab
10 changed files with 268 additions and 1141 deletions

File diff suppressed because it is too large

View file

@ -1,16 +1,21 @@
#!/bin/sh
if ! [ -f "${__object:?}/parameter/control-use-certs" ];
then
exit 0;
fi
UNBOUND_CERTS_DIR=/etc/unbound
if [ -f "$__object/parameter/enable-rc" ]; then
if [ -f "${__object:?}/parameter/enable-rc" ]; then
echo "unbound-control-setup -d $UNBOUND_CERTS_DIR"
echo "chown unbound:unbound $UNBOUND_CERTS_DIR/*.pem $UNBOUND_CERTS_DIR/*.key"
fi
cat << EOF
if pgrep unbound; then
service unbound reload
service ${__object_id:?} reload
else
service unbound start
service ${__object_id:?} start
fi
EOF
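Review bot: with the `exit 0` guard at the top, the `service ... reload`/`start` block at the bottom only runs for instances that set `control-use-certs`, so a plain configuration change on an instance without certificates never reloads the daemon; guard only the `unbound-control-setup`/`chown` lines and let the reload run unconditionally. Second, `pgrep unbound` still matches any unbound process even though the service name is now `${__object_id:?}`: with two instances (as in the man page example) a running `unbound` makes the script issue `reload` to an `unbound6only` service that may never have been started, where `service "${__object_id:?}" status` would test the right service. Last, the certificates are only generated inside the `enable-rc` branch while the guard checks only `control-use-certs`, so `--control-use-certs` without `--enable-rc` generates nothing although the manifest still exports `CONTROL_USE_CERTS=yes`; reject that combination in the manifest or document it.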

View file

@ -1,84 +1,126 @@
cdist-type__unbound(7)
===============================
=======================
NAME
----
cdist-type__ungleich_unbound - unbound server deployment for ungleich
cdist-type__unbound - configure an instance of unbound, a DNS validating resolver.
DESCRIPTION
-----------
This unbound (dns resolver and cache) deployment provides DNS64 and fetch
answers from specified upstrean DNS server. This is a singleton type.
This type writes the configuration and OpenRC init scripts to run an instance
of unbound. The most commonly used options for unbound are configurable through
flags.
Note that this type is currently only implemented (and tested) on Alpine Linux.
Please contribute other implementations if you can.
REQUIRED PARAMETERS
-------------------
forward_addr
DNS servers used to lookup names, can be provided multiple times. It can be
either an IPv4 or IPv6 address but no domain name.
OPTIONAL PARAMETERS
-------------------
interface
Interface to listen on, can be provided multiple times. Defaults to
'127.0.0.1' and '::1'.
verbosity
Control the `unbound.conf(5)` verbosity parameter.
access-control
Controls which clients are allowed queries to the unbound service (everything
but localhost is refused by default), can be provided multiple times. The
format is described in unbound.conf(5).
port
Control the `unbound.conf(5)` port parameter.
rc-interface
Address or path to socket used for remote control (see `--enable_control`. Defaults to `127.0.0.1`).
local-data
Configure local data, which is served in reply to queries for it. Can be
specified multiple times.
control-port
Control the `unbound.conf(5)` control-port parameter.
dns64-prefix
Enable DNS64 with specified prefix.
Control the `unbound.conf(5)` dns64-prefix parameter.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
interface
Control the `unbound.conf(5)` interface parameter. Can be
given multiple times, will generate multiple `interface:
xxx` clauses.
access-control
Control the `unbound.conf(5)` access-control parameter. Can be given
multiple times, will generate multiple `access-control` clauses. The format
is an IP block followed by an access-control keyword.
control-interface
Control the `unbound.conf(5)` control-interface parameter. Can be given
mutltiple times, will generate multiple `control-interface` clauses. Note
that without the `enable-rc` boolean flags, remote control will not be
enabled. Note that if at least one control interfaces is not a local socket,
then you should enable the `control-use-certs` boolean flag to generate and
configure TLS certificates for use between `unbound(8)` and
`unbound-control(8)`
forward-zone
Define a forward zone. Each zone is comprised of a name, which defines for
what domains this zone applies, and at least one DNS server to which the
queries should be forwarded. The format is a comma-separated list of values
where the first element is the name of the zone, and the following elements
are the IP addresses of the DNS servers; e.g. `example.com,1.2.3.4,4.3.2.1`
local-data
Control the `unbound.conf(5)` local-data parameter. Note that no local-zone
is defined, so the unbound default is to treat this data as a transparent
local zone.
BOOLEAN PARAMETERS
------------------
disable-ip4
Do not answer or issue queries over IPv4. Cannot be used alongside the
`--disable-ip6` flag.
ip-transparent
Control the `unbound.conf(5)` ip-transparent parameter.
disable-ip6
Do not answer or issue queries over IPv6. Cannot be used alongside the
`--disable-ip4` flag.
dns64
Enables the addition of the DNS64 module.
enable-rc
Enable remote control (see `unbound-control(8)`).
Enable remote control.
control-use-certs
Enable the generation using `unbound-control-setup(8)` of TLS certificates
for the interaction between `unbound(8)` and `unbound-control(8)`, as well as
their inclusion in the configuration file.
disable-ip4
Disable answering queries over IPv4.
disable-ip6
Disable answering queries over IPv6.
EXAMPLES
--------
.. code-block:: sh
__ungleich_unbound \
--interface '::0' \
--dns64-prefix '2a0a:e5c0:2:10::/96' \
--forward-addr '2a0a:e5c0:2:1::5' \
--forward-addr '2a0a:e5c0:2:1::6' \
--access-control '::0/0 deny' \
--access-control '2a0a:e5c0::/29 allow' \
--access-control '2a09:2940::/29 allow' \
--ip6
# Setup two resolvers, one with dns64, the other without.
__unbound unbound \
--dns64 \
--ip-transparent \
--interface "$address" \
--access-control "$address/64 allow" \
--enable-rc \
--control-interface "/var/run/unbound_control.sock"
__unbound unbound6only \
--ip-transparent \
--interface "$addresstwo" \
--access-control "$addresstwo/64 allow" \
--forward-zone "example.com,1.1.1.1,2.2.2.2"
SEE ALSO
--------
- `unbound.conf(5) <https://nlnetlabs.nl/documentation/unbound/unbound.conf/>`_
`unbound(8)`
`unbound.conf(5)`
`unbound-control(8)`
AUTHORS
-------
Timothée Floure <timothee.floure@ungleich.ch>
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2020 Timothée Floure. You can redistribute it
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
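Review bot: a few slips in the new text: `mutltiple` under control-interface, `boolean flags` should be `boolean flag`, `at least one control interfaces is not` should be `interface`, and the sentence ending in `unbound-control(8)` lacks its full stop. The old SEE ALSO carried the URL for `unbound.conf(5)`; the new list drops it and it is worth keeping. The removed entries documented defaults (interface: `127.0.0.1` and `::1`, rc-interface: `127.0.0.1`, everything but localhost refused) and the new `interface`, `access-control` and `control-interface` entries state none, so a reader cannot tell what an instance listens on or who may query it when those flags are omitted; spell the defaults out or say that unbound's own defaults apply. `disable-ip4`/`disable-ip6` also no longer say they are mutually exclusive; if the manifest no longer checks that, say what happens when both are given.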

View file

@ -1,6 +1,6 @@
#!/bin/sh -e
#!/bin/sh -xe
#
# 2020 Timothée Floure (timothee.floure@ungleich.ch)
# 2020 Joachim Desroches (joachim.desroches@epfl.ch)
#
# This file is part of cdist.
#
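Review bot: the shebang now runs the manifest with `-x`, which traces every command, including the parameter values read from the object directory, to stderr on every cdist run; this reads like a debugging leftover, revert to `#!/bin/sh -e`. In the header the `2020 Timothée Floure` line is replaced rather than joined by the new author, while the man page lists both authors and credits 2021 to Joachim Desroches; keep both lines with their years.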
@ -19,87 +19,117 @@
#
os=$(cat "$__global/explorer/os")
os=$(cat "${__global:?}/explorer/os")
case "$os" in
alpine)
__package unbound --state present
;;
*)
printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
alpine)
__package unbound
openssl_package=openssl
;;
*)
printf "%s is currently not supported by __unbound\n" "$os" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
# Required parameters:
FORWARD_ADDRS=$(cat "$__object/parameter/forward-addr")
export FORWARD_ADDRS
# Optional parameters:
if [ -f "$__object/parameter/dns64-prefix" ]; then
DNS64_PREFIX=$(cat "$__object/parameter/dns64-prefix")
export DNS64_PREFIX
if [ -f "${__object:?}/parameter/verbosity" ];
then
VERBOSITY=$(cat "${__object:?}/parameter/verbosity")
export VERBOSITY
fi
if [ -f "$__object/parameter/interface" ]; then
INTERFACES=$(cat "$__object/parameter/interface")
export INTERFACES
if [ -f "${__object:?}/parameter/port" ];
then
PORT=$(cat "${__object:?}/parameter/port")
export PORT
fi
if [ -f "$__object/parameter/access-control" ]; then
ACCESS_CONTROLS=$(cat "$__object/parameter/access-control")
export ACCESS_CONTROLS
if [ -f "${__object:?}/parameter/control-port" ];
then
CONTROL_PORT=$(cat "${__object:?}/parameter/control-port")
export CONTROL_PORT
fi
if [ -f "$__object/parameter/rc-interface" ]; then
RC_INTERFACE=$(cat "$__object/parameter/rc-interface")
export RC_INTERFACE
fi
if [ -f "$__object/parameter/local-data" ]; then
LOCAL_DATA=$(cat "$__object/parameter/local-data")
export LOCAL_DATA
if [ -f "${__object:?}/parameter/dns64-prefix" ];
then
PREFIX64=$(cat "${__object:?}/parameter/dns64-prefix")
export PREFIX64
fi
# Boolean parameters:
if [ -f "$__object/parameter/disable-ip4" ] && \
[ -f "$__object/parameter/disable-ip6" ]; then
echo "--disable-ip4 and --disable-ip6 cannot be used at the same time." >&2
exit 1
if [ -f "${__object:?}/parameter/ip-transparent" ];
then
IP_TRANSPARENT=yes
export IP_TRANSPARENT
fi
if [ -f "$__object/parameter/disable-ip4" ]; then
export DO_IP4='no'
else
export DO_IP4='yes'
if [ -f "${__object:?}/parameter/dns64" ];
then
DNS64=yes
export DNS64
fi
if [ -f "$__object/parameter/disable-ip6" ]; then
export DO_IP6='no'
else
export DO_IP6='yes'
if [ -f "${__object:?}/parameter/enable-rc" ];
then
ENABLE_RC=yes
export ENABLE_RC
fi
if [ -f "$__object/parameter/enable-rc" ]; then
export RC_ENABLE='yes'
else
export RC_ENABLE='no'
if [ -f "${__object:?}/parameter/disable-ip4" ];
then
DISABLE_IPV4=yes
export DISABLE_IPV4
fi
# Certs for remote control:
if [ -f "${__object:?}/parameter/disable-ip6" ];
then
DISABLE_IPV6=yes
export DISABLE_IPV6
fi
if [ -f "${__object:?}/parameter/control-use-certs" ];
then
__package "$openssl_package"
export CONTROL_USE_CERTS=yes
fi
# Certs for remote control, generated if --generate-certs is given.
export RC_SERVER_KEY_FILE='/etc/unbound/unbound_server.key'
export RC_SERVER_CERT_FILE='/etc/unbound/unbound_server.pem'
export RC_CONTROL_KEY_FILE='/etc/unbound/unbound_control.key'
export RC_CONTROL_CERT_FILE='/etc/unbound/unbound_control.pem'
export require='__package/unbound'
# If object_id is different from 'unbound', we consider that we are launching a
# different instance of unbound and create the appropriate init service.
if [ "${__object_id:?}" != "unbound" ];
then
__link "/etc/init.d/${__object_id:?}" \
--type symbolic --source /etc/init.d/unbound
# The unbound init service checks the proper configuration file but does not
# specify to load it, so we add a daemon configuration file.
__file "/etc/conf.d/${__object_id:?}" \
--owner root --mode 0600 --source - <<- EOF
# Generated by cdist.
command_args="-c /etc/unbound/\$RC_SVCNAME.conf"
EOF
require="__link/etc/init.d/${__object_id:?}" \
__start_on_boot "${__object_id:?}"
else
__start_on_boot unbound
fi
unset require
# Generate and deploy configuration files.
source_file="$__object/files/unbound.conf"
target_file="/etc/unbound/unbound.conf"
source_file="${__object:?}/files/unbound.conf"
target_file="/etc/unbound/${__object_id:?}.conf"
mkdir -p "$__object/files"
"$__type/files/unbound.conf.sh" > "$source_file"
"${__type:?}/files/unbound.conf.sh" > "$source_file"
require="__package/unbound" __file "$target_file" \
--source "$source_file" \
--owner root \
--mode 644
--owner root --mode 644
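Review bot: the check that rejected `--disable-ip4` together with `--disable-ip6` is removed and nothing replaces it: both flags now simply export `DISABLE_IPV4=yes` and `DISABLE_IPV6=yes`, leaving a resolver that can neither answer nor send queries over any transport; restore the `exit 1` or reject the combination in the template. The comment `generated if --generate-certs is given` above the `RC_*_FILE` exports names a flag that does not exist in parameter/boolean; it should say `--control-use-certs`. Those exports also still point at the fixed `/etc/unbound/unbound_server.*` and `unbound_control.*` paths while the configuration is now per instance (`/etc/unbound/${__object_id:?}.conf`), so two instances with `--control-use-certs` on one host share a single control key pair and whoever holds the control key of one instance can drive the other; either derive the file names from `${__object_id:?}` or document the sharing. Minor: `mkdir -p "$__object/files"` is the one remaining `$__object` after the move to `${__object:?}`.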

View file

@ -1,3 +1,6 @@
disable-ip6
disable-ip4
ip-transparent
dns64
enable-rc
control-use-certs
disable-ip4
disable-ip6

View file

@ -1 +0,0 @@
127.0.0.1
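Review bot: the `127.0.0.1` default disappears together with `rc-interface`, and the replacement `control-interface` multiple parameter has no default file; the man page says remote control is off without `--enable-rc` but does not say what `--enable-rc` alone listens on. Either add a default for `control-interface` or document that the `unbound.conf(5)` default applies.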

View file

@ -1,2 +1,4 @@
rc-interface
verbosity
port
control-port
dns64-prefix

View file

@ -1,3 +1,5 @@
access-control
local-data
interface
access-control
control-interface
forward-zone
local-data

View file

@ -1 +0,0 @@
forward-addr
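Review bot: `forward-addr` was the only required parameter and is removed without a replacement, while `forward-zone` in parameter/optional_multiple is optional, so an instance can now be created with no upstream configured at all; the man page example `__unbound unbound` does exactly that. Document in DESCRIPTION what such an instance does, and note that `--forward-zone` replaces the old `--forward-addr` so existing callers of the previous interface know they have to migrate.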