__unbound: create more generalized type.
This commit is contained in:
parent
5d1c9ff1d8
commit
a3e59377df
10 changed files with 229 additions and 1147 deletions
File diff suppressed because it is too large
Load diff
|
@ -1,16 +1,21 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
|
if ! [ -f "${__object:?}/parameter/control-use-certs" ];
|
||||||
|
then
|
||||||
|
exit 0;
|
||||||
|
fi
|
||||||
|
|
||||||
UNBOUND_CERTS_DIR=/etc/unbound
|
UNBOUND_CERTS_DIR=/etc/unbound
|
||||||
|
|
||||||
if [ -f "$__object/parameter/enable-rc" ]; then
|
if [ -f "${__object:?}/parameter/enable-rc" ]; then
|
||||||
echo "unbound-control-setup -d $UNBOUND_CERTS_DIR"
|
echo "unbound-control-setup -d $UNBOUND_CERTS_DIR"
|
||||||
echo "chown unbound:unbound $UNBOUND_CERTS_DIR/*.pem $UNBOUND_CERTS_DIR/*.key"
|
echo "chown unbound:unbound $UNBOUND_CERTS_DIR/*.pem $UNBOUND_CERTS_DIR/*.key"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cat << EOF
|
cat << EOF
|
||||||
if pgrep unbound; then
|
if pgrep unbound; then
|
||||||
service unbound reload
|
service ${__object_id:?} reload
|
||||||
else
|
else
|
||||||
service unbound start
|
service ${__object_id:?} start
|
||||||
fi
|
fi
|
||||||
EOF
|
EOF
|
||||||
|
|
|
@ -1,84 +1,116 @@
|
||||||
cdist-type__unbound(7)
|
cdist-type__unbound(7)
|
||||||
===============================
|
=======================
|
||||||
|
|
||||||
NAME
|
NAME
|
||||||
----
|
----
|
||||||
cdist-type__ungleich_unbound - unbound server deployment for ungleich
|
cdist-type__unbound - configure an instance of unbound, a DNS validating resolver.
|
||||||
|
|
||||||
|
|
||||||
DESCRIPTION
|
DESCRIPTION
|
||||||
-----------
|
-----------
|
||||||
This unbound (dns resolver and cache) deployment provides DNS64 and fetch
|
This type writes the configuration and OpenRC init scripts to run an instance
|
||||||
answers from specified upstrean DNS server. This is a singleton type.
|
of unbound. The most commonly used options for unbound are configurable through
|
||||||
|
flags.
|
||||||
|
|
||||||
|
Note that this type is currently only implemented (and tested) on Alpine Linux.
|
||||||
|
Please contribute other implementations if you can.
|
||||||
|
|
||||||
REQUIRED PARAMETERS
|
|
||||||
-------------------
|
|
||||||
forward_addr
|
|
||||||
DNS servers used to lookup names, can be provided multiple times. It can be
|
|
||||||
either an IPv4 or IPv6 address but no domain name.
|
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
OPTIONAL PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
interface
|
verbosity
|
||||||
Interface to listen on, can be provided multiple times. Defaults to
|
Control the `unbound.conf(5)` verbosity parameter.
|
||||||
'127.0.0.1' and '::1'.
|
|
||||||
|
|
||||||
access-control
|
port
|
||||||
Controls which clients are allowed queries to the unbound service (everything
|
Control the `unbound.conf(5)` port parameter.
|
||||||
but localhost is refused by default), can be provided multiple times. The
|
|
||||||
format is described in unbound.conf(5).
|
|
||||||
|
|
||||||
rc-interface
|
control-port
|
||||||
Address or path to socket used for remote control (see `--enable_control`. Defaults to `127.0.0.1`).
|
Control the `unbound.conf(5)` control-port parameter.
|
||||||
|
|
||||||
local-data
|
|
||||||
Configure local data, which is served in reply to queries for it. Can be
|
|
||||||
specified multiple times.
|
|
||||||
|
|
||||||
dns64-prefix
|
dns64-prefix
|
||||||
Enable DNS64 with specified prefix.
|
Control the `unbound.conf(5)` dns64-prefix parameter.
|
||||||
|
|
||||||
|
OPTIONAL MULTIPLE PARAMETERS
|
||||||
|
----------------------------
|
||||||
|
interface
|
||||||
|
Control the `unbound.conf(5)` interface parameter. Can be
|
||||||
|
given multiple times, will generate multiple `interface:
|
||||||
|
xxx` clauses.
|
||||||
|
|
||||||
|
access-control
|
||||||
|
Control the `unbound.conf(5)` access-control parameter. Can be given
|
||||||
|
multiple times, will generate multiple `access-control` clauses. The format
|
||||||
|
is an IP block followed by an access-control keyword.
|
||||||
|
|
||||||
|
control-interface
|
||||||
|
Control the `unbound.conf(5)` control-interface parameter. Can be given
|
||||||
|
mutltiple times, will generate multiple `control-interface` clauses. Note
|
||||||
|
that without the `enable-rc` boolean flags, remote control will not be
|
||||||
|
enabled. Note that if at least one control interfaces is not a local socket,
|
||||||
|
then you should enable the `control-use-certs` boolean flag to generate and
|
||||||
|
configure TLS certificates for use between `unbound(8)` and
|
||||||
|
`unbound-control(8)`
|
||||||
|
|
||||||
|
forward-zone
|
||||||
|
Define a forward zone. Each zone is comprised of a name, which defines for
|
||||||
|
what domains this zone applies, and at least one DNS server to which the
|
||||||
|
queries should be forwarded. The format is a comma-separated list of values
|
||||||
|
where the first element is the name of the zone, and the following elements
|
||||||
|
are the IP addresses of the DNS servers; e.g. `example.com,1.2.3.4,4.3.2.1`
|
||||||
|
|
||||||
BOOLEAN PARAMETERS
|
BOOLEAN PARAMETERS
|
||||||
------------------
|
------------------
|
||||||
disable-ip4
|
ip-transparent
|
||||||
Do not answer or issue queries over IPv4. Cannot be used alongside the
|
Control the `unbound.conf(5)` ip-transparent parameter.
|
||||||
`--disable-ip6` flag.
|
|
||||||
|
|
||||||
disable-ip6
|
dns64
|
||||||
Do not answer or issue queries over IPv6. Cannot be used alongside the
|
Enables the addition of the DNS64 module.
|
||||||
`--disable-ip4` flag.
|
|
||||||
|
|
||||||
enable-rc
|
enable-rc
|
||||||
Enable remote control (see `unbound-control(8)`).
|
Enable remote control.
|
||||||
|
|
||||||
|
control-use-certs
|
||||||
|
Enable the generation using `unbound-control-setup(8)` of TLS certificates
|
||||||
|
for the interaction between `unbound(8)` and `unbound-control(8)`, as well as
|
||||||
|
their inclusion in the configuration file.
|
||||||
|
|
||||||
|
|
||||||
EXAMPLES
|
EXAMPLES
|
||||||
--------
|
--------
|
||||||
|
|
||||||
.. code-block:: sh
|
.. code-block:: sh
|
||||||
|
|
||||||
__ungleich_unbound \
|
# Setup bird and open a BGP session.
|
||||||
--interface '::0' \
|
__bird_core --router-id 198.51.100.4
|
||||||
--dns64-prefix '2a0a:e5c0:2:10::/96' \
|
|
||||||
--forward-addr '2a0a:e5c0:2:1::5' \
|
require='__bird_core' __bird_bgp bgp4 \
|
||||||
--forward-addr '2a0a:e5c0:2:1::6' \
|
--description "a test IPv4 BGP instance" \
|
||||||
--access-control '::0/0 deny' \
|
--ipv4-export all \
|
||||||
--access-control '2a0a:e5c0::/29 allow' \
|
--ipv4-import all \
|
||||||
--access-control '2a09:2940::/29 allow' \
|
--ipv6-export none \
|
||||||
--ip6
|
--ipv6-import none \
|
||||||
|
--local-as 1234 \
|
||||||
|
--local-ip 198.51.100.4 \
|
||||||
|
--neighbor-as 4321 \
|
||||||
|
--neighbor-ip 198.51.100.3 \
|
||||||
|
--password hunter01
|
||||||
|
|
||||||
|
|
||||||
SEE ALSO
|
SEE ALSO
|
||||||
--------
|
--------
|
||||||
- `unbound.conf(5) <https://nlnetlabs.nl/documentation/unbound/unbound.conf/>`_
|
`unbound(8)`
|
||||||
|
`unbound.conf(5)`
|
||||||
|
`unbound-control(8)`
|
||||||
|
|
||||||
|
|
||||||
AUTHORS
|
AUTHORS
|
||||||
-------
|
-------
|
||||||
Timothée Floure <timothee.floure@ungleich.ch>
|
Joachim Desroches <joachim.desroches@epfl.ch>
|
||||||
|
|
||||||
|
|
||||||
COPYING
|
COPYING
|
||||||
-------
|
-------
|
||||||
Copyright \(C) 2020 Timothée Floure. You can redistribute it
|
Copyright \(C) 2021 Joachim Desroches. You can redistribute it
|
||||||
and/or modify it under the terms of the GNU General Public License as
|
and/or modify it under the terms of the GNU General Public License as
|
||||||
published by the Free Software Foundation, either version 3 of the
|
published by the Free Software Foundation, either version 3 of the
|
||||||
License, or (at your option) any later version.
|
License, or (at your option) any later version.
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -xe
|
||||||
#
|
#
|
||||||
# 2020 Timothée Floure (timothee.floure@ungleich.ch)
|
# 2020 Joachim Desroches (joachim.desroches@epfl.ch)
|
||||||
#
|
#
|
||||||
# This file is part of cdist.
|
# This file is part of cdist.
|
||||||
#
|
#
|
||||||
|
@ -19,86 +19,97 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
os=$(cat "$__global/explorer/os")
|
os=$(cat "${__global:?}/explorer/os")
|
||||||
|
|
||||||
case "$os" in
|
case "$os" in
|
||||||
alpine)
|
alpine)
|
||||||
__package unbound --state present
|
__package unbound
|
||||||
|
openssl_package=openssl
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
|
printf "%s is currently not supported by __unbound\n" "$os" >&2
|
||||||
printf "Please contribute an implementation for it if you can.\n" >&2
|
printf "Please contribute an implementation for it if you can.\n" >&2
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# Required parameters:
|
|
||||||
FORWARD_ADDRS=$(cat "$__object/parameter/forward-addr")
|
|
||||||
export FORWARD_ADDRS
|
|
||||||
|
|
||||||
# Optional parameters:
|
# Optional parameters:
|
||||||
if [ -f "$__object/parameter/dns64-prefix" ]; then
|
[ -f "${__object:?}/parameter/verbosity" ] && {
|
||||||
DNS64_PREFIX=$(cat "$__object/parameter/dns64-prefix")
|
VERBOSITY=$(cat "${__object:?}/parameter/verbosity")
|
||||||
export DNS64_PREFIX
|
export VERBOSITY
|
||||||
fi
|
}
|
||||||
|
|
||||||
if [ -f "$__object/parameter/interface" ]; then
|
[ -f "${__object:?}/parameter/port" ] && {
|
||||||
INTERFACES=$(cat "$__object/parameter/interface")
|
PORT=$(cat "${__object:?}/parameter/port")
|
||||||
export INTERFACES
|
export PORT
|
||||||
fi
|
}
|
||||||
|
|
||||||
if [ -f "$__object/parameter/access-control" ]; then
|
[ -f "${__object:?}/parameter/control-port" ] && {
|
||||||
ACCESS_CONTROLS=$(cat "$__object/parameter/access-control")
|
CONTROL_PORT=$(cat "${__object:?}/parameter/control-port")
|
||||||
export ACCESS_CONTROLS
|
export CONTROL_PORT
|
||||||
fi
|
}
|
||||||
|
|
||||||
if [ -f "$__object/parameter/rc-interface" ]; then
|
[ -f "${__object:?}/parameter/dns64-prefix" ] && {
|
||||||
RC_INTERFACE=$(cat "$__object/parameter/rc-interface")
|
PREFIX64=$(cat "${__object:?}/parameter/dns64-prefix")
|
||||||
export RC_INTERFACE
|
export PREFIX64
|
||||||
fi
|
}
|
||||||
|
|
||||||
if [ -f "$__object/parameter/local-data" ]; then
|
|
||||||
LOCAL_DATA=$(cat "$__object/parameter/local-data")
|
|
||||||
export LOCAL_DATA
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Boolean parameters:
|
# Boolean parameters:
|
||||||
if [ -f "$__object/parameter/disable-ip4" ] && \
|
[ -f "${__object:?}/parameter/ip-transparent" ] && {
|
||||||
[ -f "$__object/parameter/disable-ip6" ]; then
|
IP_TRANSPARENT=yes
|
||||||
echo "--disable-ip4 and --disable-ip6 cannot be used at the same time." >&2
|
export IP_TRANSPARENT
|
||||||
exit 1
|
}
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/disable-ip4" ]; then
|
[ -f "${__object:?}/parameter/dns64" ] && {
|
||||||
export DO_IP4='no'
|
DNS64=yes
|
||||||
else
|
export DNS64
|
||||||
export DO_IP4='yes'
|
}
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/disable-ip6" ]; then
|
[ -f "${__object:?}/parameter/enable-rc" ] && {
|
||||||
export DO_IP6='no'
|
ENABLE_RC=yes
|
||||||
else
|
export ENABLE_RC
|
||||||
export DO_IP6='yes'
|
}
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/enable-rc" ]; then
|
[ -f "${__object:?}/parameter/control-use-certs" ] && {
|
||||||
export RC_ENABLE='yes'
|
__package "$openssl_package"
|
||||||
else
|
CONTROL_USE_CERTS=yes
|
||||||
export RC_ENABLE='no'
|
export CONTROL_USE_CERTS
|
||||||
fi
|
}
|
||||||
|
|
||||||
# Certs for remote control:
|
# Certs for remote control, generated if --generate-certs is given.
|
||||||
export RC_SERVER_KEY_FILE='/etc/unbound/unbound_server.key'
|
export RC_SERVER_KEY_FILE='/etc/unbound/unbound_server.key'
|
||||||
export RC_SERVER_CERT_FILE='/etc/unbound/unbound_server.pem'
|
export RC_SERVER_CERT_FILE='/etc/unbound/unbound_server.pem'
|
||||||
export RC_CONTROL_KEY_FILE='/etc/unbound/unbound_control.key'
|
export RC_CONTROL_KEY_FILE='/etc/unbound/unbound_control.key'
|
||||||
export RC_CONTROL_CERT_FILE='/etc/unbound/unbound_control.pem'
|
export RC_CONTROL_CERT_FILE='/etc/unbound/unbound_control.pem'
|
||||||
|
|
||||||
|
# If object_id is different from 'unbound', we consider that we are launching a
|
||||||
|
# different instance of unbound and create the appropriate init service.
|
||||||
|
if [ "${__object_id:?}" != "unbound" ];
|
||||||
|
then
|
||||||
|
__link "/etc/init.d/${__object_id:?}" \
|
||||||
|
--type symbolic --source /etc/init.d/unbound
|
||||||
|
|
||||||
|
# The unbound init service checks the proper configuration file but does not
|
||||||
|
# specify to load it, so we add a daemon configuration file.
|
||||||
|
__file "/etc/conf.d/${__object_id:?}" \
|
||||||
|
--owner root --mode 0600 --source - <<- EOF
|
||||||
|
# Generated by cdist.
|
||||||
|
command_args="-c /etc/unbound/\$RC_SVCNAME.conf"
|
||||||
|
EOF
|
||||||
|
|
||||||
|
require="__link/etc/init.d/${__object_id:?}" \
|
||||||
|
__start_on_boot "${__object_id:?}"
|
||||||
|
else
|
||||||
|
__start_on_boot unbound
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Generate and deploy configuration files.
|
# Generate and deploy configuration files.
|
||||||
source_file="$__object/files/unbound.conf"
|
source_file="${__object:?}/files/unbound.conf"
|
||||||
target_file="/etc/unbound/unbound.conf"
|
target_file="/etc/unbound/${__object_id:?}.conf"
|
||||||
|
|
||||||
mkdir -p "$__object/files"
|
mkdir -p "$__object/files"
|
||||||
"$__type/files/unbound.conf.sh" > "$source_file"
|
"${__type:?}/files/unbound.conf.sh" > "$source_file"
|
||||||
require="__package/unbound" __file "$target_file" \
|
require="__package/unbound" __file "$target_file" \
|
||||||
--source "$source_file" \
|
--source "$source_file" \
|
||||||
--owner root \
|
--owner root \
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
disable-ip6
|
ip-transparent
|
||||||
disable-ip4
|
dns64
|
||||||
enable-rc
|
enable-rc
|
||||||
|
control-use-certs
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
127.0.0.1
|
|
|
@ -1,2 +1,4 @@
|
||||||
rc-interface
|
verbosity
|
||||||
|
port
|
||||||
|
control-port
|
||||||
dns64-prefix
|
dns64-prefix
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
access-control
|
|
||||||
local-data
|
|
||||||
interface
|
interface
|
||||||
|
access-control
|
||||||
|
control-interface
|
||||||
|
forward-zone
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
forward-addr
|
|
Loading…
Reference in a new issue