From 7b9ffb4a413693556a6c19258ba3a17d1614613f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Sun, 7 Jun 2020 08:46:18 +0200 Subject: [PATCH] __unbound: wire remote control configuration --- type/__unbound/files/unbound.conf.sh | 12 ++++++------ type/__unbound/gencode-remote | 8 ++++++++ type/__unbound/man.rst | 6 ++++++ type/__unbound/manifest | 17 +++++++++++++++++ type/__unbound/parameter/boolean | 1 + type/__unbound/parameter/default/rc_interface | 1 + type/__unbound/parameter/optional | 1 + 7 files changed, 40 insertions(+), 6 deletions(-) create mode 100755 type/__unbound/gencode-remote create mode 100644 type/__unbound/parameter/default/rc_interface create mode 100644 type/__unbound/parameter/optional diff --git a/type/__unbound/files/unbound.conf.sh b/type/__unbound/files/unbound.conf.sh index effea65..46d2824 100755 --- a/type/__unbound/files/unbound.conf.sh +++ b/type/__unbound/files/unbound.conf.sh @@ -857,14 +857,14 @@ python: remote-control: # Enable remote control with unbound-control(8) here. # set up the keys and certificates with unbound-control-setup. - # control-enable: no + control-enable: $RC_ENABLE # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. # set to an absolute path to use a unix local name pipe, certificates # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 - # control-interface: ::1 + control-interface: $RC_INTERFACE # port number for remote control operations. # control-port: 8953 @@ -874,16 +874,16 @@ remote-control: # control-use-cert: "yes" # unbound server key file. - # server-key-file: "/unbound_server.key" + server-key-file: "$RC_SERVER_KEY_FILE" # unbound server certificate file. - # server-cert-file: "/unbound_server.pem" + server-cert-file: "$RC_SERVER_CERT_FILE" # unbound-control key file. - # control-key-file: "/unbound_control.key" + control-key-file: "$RC_CONTROL_KEY_FILE" # unbound-control certificate file. - # control-cert-file: "/unbound_control.pem" + control-cert-file: "$RC_CONTROL_CERT_FILE" # Stub zones. # Create entries like below, to make all queries for 'example.com' and diff --git a/type/__unbound/gencode-remote b/type/__unbound/gencode-remote new file mode 100755 index 0000000..5d2bb4a --- /dev/null +++ b/type/__unbound/gencode-remote @@ -0,0 +1,8 @@ +#!/bin/sh + +UNBOUND_CERTS_DIR=/etc/unbound + +if [ -f "$__object/parameter/enable_rc" ]; then + echo "unbound-control-setup -d $UNBOUND_CERTS_DIR" + echo "chown unbound:unbound $UNBOUND_CERTS_DIR/*.pem $UNBOUND_CERTS_DIR/*.key" +fi diff --git a/type/__unbound/man.rst b/type/__unbound/man.rst index 6d113b0..679e601 100644 --- a/type/__unbound/man.rst +++ b/type/__unbound/man.rst @@ -31,6 +31,9 @@ access_control but localhost is refused by default), can be provided multiple times. The format is described in unbound.conf(5). +rc_interface + Address or path to socket used for remote control (see `--enable_control`. Defaults to `127.0.0.1`). + BOOLEAN PARAMETERS ------------------ disable-ip4 @@ -41,6 +44,9 @@ disable-ip6 Do not answer or issue queries over IPv6. Cannot be used alongside the `--disable-ip4` flag. +enable_rc + Enable remote control (see `unbound-control(8)`). + EXAMPLES -------- diff --git a/type/__unbound/manifest b/type/__unbound/manifest index a25cdec..d85ad66 100755 --- a/type/__unbound/manifest +++ b/type/__unbound/manifest @@ -49,6 +49,11 @@ if [ -f "$__object/parameter/access_control" ]; then export ACCESS_CONTROLS fi +if [ -f "$__object/parameter/rc_interface" ]; then + RC_INTERFACE=$(cat "$__object/parameter/rc_interface") + export RC_INTERFACE +fi + # Boolean parameters: if [ -f "$__object/parameter/disable_ip4" ] && \ [ -f "$__object/parameter/disable_ip6" ]; then @@ -68,6 +73,18 @@ else export DO_IP6='yes' fi +if [ -f "$__object/parameter/enable_rc" ]; then + export RC_ENABLE='yes' +else + export RC_ENABLE='no' +fi + +# Certs for remote control: +export RC_SERVER_KEY_FILE='/etc/unbound/unbound_server.key' +export RC_SERVER_CERT_FILE='/etc/unbound/unbound_server.pem' +export RC_CONTROL_KEY_FILE='/etc/unbound/unbound_control.key' +export RC_CONTROL_CERT_FILE='/etc/unbound/unbound_control.pem' + # Generate and deploy configuration files. source_file="$__object/files/unbound.conf" target_file="/etc/unbound/unbound.conf" diff --git a/type/__unbound/parameter/boolean b/type/__unbound/parameter/boolean index a2d5910..b6e53a1 100644 --- a/type/__unbound/parameter/boolean +++ b/type/__unbound/parameter/boolean @@ -1,2 +1,3 @@ disable_ip6 disable_ip4 +enable_rc diff --git a/type/__unbound/parameter/default/rc_interface b/type/__unbound/parameter/default/rc_interface new file mode 100644 index 0000000..7b9ad53 --- /dev/null +++ b/type/__unbound/parameter/default/rc_interface @@ -0,0 +1 @@ +127.0.0.1 diff --git a/type/__unbound/parameter/optional b/type/__unbound/parameter/optional new file mode 100644 index 0000000..0826b6e --- /dev/null +++ b/type/__unbound/parameter/optional @@ -0,0 +1 @@ +rc_interface