__unbound: create more generalized type.

2021-05-11 12:00:02 +02:00 · 2021-05-11 12:00:02 +02:00 · a3e59377df
commit a3e59377df
parent 5d1c9ff1d8
10 changed files with 229 additions and 1147 deletions
--- a/type/__unbound/files/unbound.conf.sh
+++ b/type/__unbound/files/unbound.conf.sh
--- a/type/__unbound/gencode-remote
+++ b/type/__unbound/gencode-remote
@ -1,16 +1,21 @@
 #!/bin/sh

+if ! [ -f "${__object:?}/parameter/control-use-certs" ];
+then
+	exit 0;
+fi
+
 UNBOUND_CERTS_DIR=/etc/unbound

-if [ -f "$__object/parameter/enable-rc" ]; then
+if [ -f "${__object:?}/parameter/enable-rc" ]; then
 	echo "unbound-control-setup -d $UNBOUND_CERTS_DIR"
 	echo "chown unbound:unbound $UNBOUND_CERTS_DIR/*.pem $UNBOUND_CERTS_DIR/*.key"
 fi

 cat << EOF
 if pgrep unbound; then
-	service unbound reload
+	service ${__object_id:?} reload
 else
-	service unbound start
+	service ${__object_id:?} start
 fi
 EOF
--- a/type/__unbound/man.rst
+++ b/type/__unbound/man.rst
@ -1,84 +1,116 @@
 cdist-type__unbound(7)
-===============================
+=======================

 NAME
 ----
-cdist-type__ungleich_unbound - unbound server deployment for ungleich
+cdist-type__unbound - configure an instance of unbound, a DNS validating resolver.


 DESCRIPTION
 -----------
-This unbound (dns resolver and cache) deployment provides DNS64 and fetch
-answers from specified upstrean DNS server. This is a singleton type.
+This type writes the configuration and OpenRC init scripts to run an instance
+of unbound. The most commonly used options for unbound are configurable through
+flags.
+
+Note that this type is currently only implemented (and tested) on Alpine Linux.
+Please contribute other implementations if you can.

-REQUIRED PARAMETERS
-------------------
-forward_addr
-  DNS servers used to lookup names, can be provided multiple times. It can be
-  either an IPv4 or IPv6 address but no domain name.

 OPTIONAL PARAMETERS
 -------------------
-interface
-  Interface to listen on, can be provided multiple times. Defaults to
-  '127.0.0.1' and '::1'.
+verbosity
+  Control the `unbound.conf(5)` verbosity parameter.

-access-control
-  Controls which clients are allowed queries to the unbound service (everything
-  but localhost is refused by default), can be provided multiple times. The
-  format is described in unbound.conf(5).
+port
+  Control the `unbound.conf(5)` port parameter.

-rc-interface
-  Address or path to socket used for remote control (see `--enable_control`. Defaults to `127.0.0.1`).
-
-local-data
-  Configure local data, which is served in reply to queries for it. Can be
-  specified multiple times.
+control-port
+  Control the `unbound.conf(5)` control-port parameter.

 dns64-prefix
-  Enable DNS64 with specified prefix.
+  Control the `unbound.conf(5)` dns64-prefix parameter.
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
+interface
+  Control the `unbound.conf(5)` interface parameter. Can be
+  given multiple times, will generate multiple `interface:
+  xxx` clauses.
+
+access-control
+  Control the `unbound.conf(5)` access-control parameter. Can be given
+  multiple times, will generate multiple `access-control` clauses. The format
+  is an IP block followed by an access-control keyword.
+
+control-interface
+  Control the `unbound.conf(5)` control-interface parameter. Can be given
+  mutltiple times, will generate multiple `control-interface` clauses. Note
+  that without the `enable-rc` boolean flags, remote control will not be
+  enabled. Note that if at least one control interfaces is not a local socket,
+  then you should enable the `control-use-certs` boolean flag to generate and
+  configure TLS certificates for use between `unbound(8)` and
+  `unbound-control(8)`
+
+forward-zone
+  Define a forward zone. Each zone is comprised of a name, which defines for
+  what domains this zone applies, and at least one DNS server to which the
+  queries should be forwarded. The format is a comma-separated list of values
+  where the first element is the name of the zone, and the following elements
+  are the IP addresses of the DNS servers; e.g. `example.com,1.2.3.4,4.3.2.1`

 BOOLEAN PARAMETERS
 ------------------
-disable-ip4
-  Do not answer or issue queries over IPv4. Cannot be used alongside the
-  `--disable-ip6` flag.
+ip-transparent
+  Control the `unbound.conf(5)` ip-transparent parameter.

-disable-ip6
-  Do not answer or issue queries over IPv6. Cannot be used alongside the
-  `--disable-ip4` flag.
+dns64
+  Enables the addition of the DNS64 module.

 enable-rc
-  Enable remote control (see `unbound-control(8)`).
+  Enable remote control.
+
+control-use-certs
+  Enable the generation using `unbound-control-setup(8)` of TLS certificates
+  for the interaction between `unbound(8)` and `unbound-control(8)`, as well as
+  their inclusion in the configuration file.
+

 EXAMPLES
 --------

 .. code-block:: sh

-    __ungleich_unbound \
-      --interface '::0' \
-      --dns64-prefix '2a0a:e5c0:2:10::/96' \
-      --forward-addr '2a0a:e5c0:2:1::5' \
-      --forward-addr '2a0a:e5c0:2:1::6' \
-      --access-control '::0/0 deny' \
-      --access-control '2a0a:e5c0::/29 allow' \
-      --access-control '2a09:2940::/29 allow' \
-      --ip6
+    # Setup bird and open a BGP session.
+    __bird_core --router-id 198.51.100.4
+
+    require='__bird_core' __bird_bgp bgp4 \
+        --description "a test IPv4 BGP instance" \
+        --ipv4-export all \
+        --ipv4-import all \
+        --ipv6-export none \
+        --ipv6-import none \
+        --local-as 1234 \
+        --local-ip 198.51.100.4 \
+        --neighbor-as 4321 \
+        --neighbor-ip 198.51.100.3 \
+        --password hunter01
+

 SEE ALSO
 --------
- `unbound.conf(5) <https://nlnetlabs.nl/documentation/unbound/unbound.conf/>`_
+`unbound(8)`
+`unbound.conf(5)`
+`unbound-control(8)`


 AUTHORS
 -------
-Timothée Floure <timothee.floure@ungleich.ch>
+Joachim Desroches <joachim.desroches@epfl.ch>


 COPYING
 -------
-Copyright \(C) 2020 Timothée Floure. You can redistribute it
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/type/__unbound/manifest
+++ b/type/__unbound/manifest
@ -1,6 +1,6 @@
-#!/bin/sh -e
+#!/bin/sh -xe
 #
-# 2020 Timothée Floure (timothee.floure@ungleich.ch)
+# 2020 Joachim Desroches (joachim.desroches@epfl.ch)
 #
 # This file is part of cdist.
 #
@ -19,86 +19,97 @@
 #


-os=$(cat "$__global/explorer/os")
+os=$(cat "${__global:?}/explorer/os")

 case "$os" in
-   alpine)
-      __package unbound --state present
-   ;;
-   *)
-      printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
-      printf "Please contribute an implementation for it if you can.\n" >&2
-      exit 1
-   ;;
+alpine)
+	__package unbound
+	openssl_package=openssl
+	;;
+*)
+	printf "%s is currently not supported by __unbound\n" "$os" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+	;;
 esac

-# Required parameters:
-FORWARD_ADDRS=$(cat "$__object/parameter/forward-addr")
-export FORWARD_ADDRS
-
 # Optional parameters:
-if [ -f "$__object/parameter/dns64-prefix" ]; then
-	DNS64_PREFIX=$(cat "$__object/parameter/dns64-prefix")
-	export DNS64_PREFIX
-fi
+[ -f "${__object:?}/parameter/verbosity" ] && {
+	VERBOSITY=$(cat "${__object:?}/parameter/verbosity")
+	export VERBOSITY
+}

-if [ -f "$__object/parameter/interface" ]; then
-   INTERFACES=$(cat "$__object/parameter/interface")
-   export INTERFACES
-fi
+[ -f "${__object:?}/parameter/port" ] && {
+	PORT=$(cat "${__object:?}/parameter/port")
+	export PORT
+}

-if [ -f "$__object/parameter/access-control" ]; then
-   ACCESS_CONTROLS=$(cat "$__object/parameter/access-control")
-   export ACCESS_CONTROLS
-fi
+[ -f "${__object:?}/parameter/control-port" ] && {
+	CONTROL_PORT=$(cat "${__object:?}/parameter/control-port")
+	export CONTROL_PORT
+}

-if [ -f "$__object/parameter/rc-interface" ]; then
-   RC_INTERFACE=$(cat "$__object/parameter/rc-interface")
-   export RC_INTERFACE
-fi
-
-if [ -f "$__object/parameter/local-data" ]; then
-   LOCAL_DATA=$(cat "$__object/parameter/local-data")
-   export LOCAL_DATA
-fi
+[ -f "${__object:?}/parameter/dns64-prefix" ] && {
+	PREFIX64=$(cat "${__object:?}/parameter/dns64-prefix")
+	export PREFIX64
+}

 # Boolean parameters:
-if [ -f "$__object/parameter/disable-ip4" ] && \
-   [ -f "$__object/parameter/disable-ip6" ]; then
-    echo "--disable-ip4 and --disable-ip6 cannot be used at the same time." >&2
-    exit 1
-fi
+[ -f "${__object:?}/parameter/ip-transparent" ] && {
+	IP_TRANSPARENT=yes
+	export IP_TRANSPARENT
+}

-if [ -f "$__object/parameter/disable-ip4" ]; then
-    export DO_IP4='no'
-else
-    export DO_IP4='yes'
-fi
+[ -f "${__object:?}/parameter/dns64" ] && {
+	DNS64=yes
+	export DNS64
+}

-if [ -f "$__object/parameter/disable-ip6" ]; then
-    export DO_IP6='no'
-else
-    export DO_IP6='yes'
-fi
+[ -f "${__object:?}/parameter/enable-rc" ] && {
+	ENABLE_RC=yes
+	export ENABLE_RC
+}

-if [ -f "$__object/parameter/enable-rc" ]; then
-    export RC_ENABLE='yes'
-else
-    export RC_ENABLE='no'
-fi
+[ -f "${__object:?}/parameter/control-use-certs" ] && {
+	__package "$openssl_package"
+	CONTROL_USE_CERTS=yes
+	export CONTROL_USE_CERTS
+}

-# Certs for remote control:
+# Certs for remote control, generated if --generate-certs is given.
 export RC_SERVER_KEY_FILE='/etc/unbound/unbound_server.key'
 export RC_SERVER_CERT_FILE='/etc/unbound/unbound_server.pem'
 export RC_CONTROL_KEY_FILE='/etc/unbound/unbound_control.key'
 export RC_CONTROL_CERT_FILE='/etc/unbound/unbound_control.pem'

+# If object_id is different from 'unbound', we consider that we are launching a
+# different instance of unbound and create the appropriate init service.
+if [ "${__object_id:?}" != "unbound" ];
+then
+	__link "/etc/init.d/${__object_id:?}" \
+		--type symbolic --source /etc/init.d/unbound
+
+	# The unbound init service checks the proper configuration file but does not
+	# specify to load it, so we add a daemon configuration file.
+	__file "/etc/conf.d/${__object_id:?}" \
+		--owner root --mode 0600 --source - <<- EOF
+		# Generated by cdist.
+		command_args="-c /etc/unbound/\$RC_SVCNAME.conf"
+		EOF
+
+	require="__link/etc/init.d/${__object_id:?}" \
+		__start_on_boot "${__object_id:?}"
+else
+		__start_on_boot unbound
+fi
+
+
 # Generate and deploy configuration files.
-source_file="$__object/files/unbound.conf"
-target_file="/etc/unbound/unbound.conf"
+source_file="${__object:?}/files/unbound.conf"
+target_file="/etc/unbound/${__object_id:?}.conf"

 mkdir -p "$__object/files"
-"$__type/files/unbound.conf.sh" > "$source_file"
+"${__type:?}/files/unbound.conf.sh" > "$source_file"
 require="__package/unbound" __file "$target_file" \
    --source "$source_file" \
    --owner root \
--- a/type/__unbound/parameter/boolean
+++ b/type/__unbound/parameter/boolean
@ -1,3 +1,4 @@
-disable-ip6
-disable-ip4
+ip-transparent
+dns64
 enable-rc
+control-use-certs
--- a/type/__unbound/parameter/default/rc-interface
+++ b/type/__unbound/parameter/default/rc-interface
@ -1 +0,0 @@
-127.0.0.1
--- a/type/__unbound/parameter/optional
+++ b/type/__unbound/parameter/optional
@ -1,2 +1,4 @@
-rc-interface
+verbosity
+port
+control-port
 dns64-prefix
--- a/type/__unbound/parameter/optional_multiple
+++ b/type/__unbound/parameter/optional_multiple
@ -1,3 +1,4 @@
-access-control
-local-data
 interface
+access-control
+control-interface
+forward-zone
--- a/type/__unbound/parameter/required_multiple
+++ b/type/__unbound/parameter/required_multiple
@ -1 +0,0 @@
-forward-addr
--- a/type/__unbound/singleton
+++ b/type/__unbound/singleton