__unbound: create more generalized type.

This commit is contained in:
sparrowhawk 2021-05-11 12:00:02 +02:00
parent 5d1c9ff1d8
commit a3e59377df
10 changed files with 229 additions and 1147 deletions



@ -1,16 +1,21 @@
#!/bin/sh #!/bin/sh
if ! [ -f "${__object:?}/parameter/control-use-certs" ];
then
exit 0;
fi
UNBOUND_CERTS_DIR=/etc/unbound UNBOUND_CERTS_DIR=/etc/unbound
if [ -f "$__object/parameter/enable-rc" ]; then if [ -f "${__object:?}/parameter/enable-rc" ]; then
echo "unbound-control-setup -d $UNBOUND_CERTS_DIR" echo "unbound-control-setup -d $UNBOUND_CERTS_DIR"
echo "chown unbound:unbound $UNBOUND_CERTS_DIR/*.pem $UNBOUND_CERTS_DIR/*.key" echo "chown unbound:unbound $UNBOUND_CERTS_DIR/*.pem $UNBOUND_CERTS_DIR/*.key"
fi fi
cat << EOF cat << EOF
if pgrep unbound; then if pgrep unbound; then
service unbound reload service ${__object_id:?} reload
else else
service unbound start service ${__object_id:?} start
fi fi
EOF EOF
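Review bot: The new guard at the top (`if ! [ -f "${__object:?}/parameter/control-use-certs" ]; then exit 0; fi`) also suppresses the `service ... reload`/`start` heredoc, so an instance configured without `--control-use-certs` is never started or reloaded by this gencode, whereas the old version always emitted it. If that is not intended, drop the early exit and gate only the two cert-setup echo lines, e.g. `if [ -f "${__object:?}/parameter/control-use-certs" ] && [ -f "${__object:?}/parameter/enable-rc" ]; then`. Separately, `pgrep unbound` matches any unbound process, so for a non-default `${__object_id}` instance the reload branch can be taken while that instance is not running; `if service ${__object_id:?} status >/dev/null 2>&1; then` ties the check to the instance itself. Since `${__object_id}` is spliced unquoted into the generated remote script, an id containing whitespace or shell metacharacters would break the command, so it is worth rejecting such ids in the manifest.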


@ -1,84 +1,116 @@
cdist-type__unbound(7) cdist-type__unbound(7)
=============================== =======================
NAME NAME
---- ----
cdist-type__ungleich_unbound - unbound server deployment for ungleich cdist-type__unbound - configure an instance of unbound, a DNS validating resolver.
DESCRIPTION DESCRIPTION
----------- -----------
This unbound (dns resolver and cache) deployment provides DNS64 and fetch This type writes the configuration and OpenRC init scripts to run an instance
answers from specified upstrean DNS server. This is a singleton type. of unbound. The most commonly used options for unbound are configurable through
flags.
Note that this type is currently only implemented (and tested) on Alpine Linux.
Please contribute other implementations if you can.
REQUIRED PARAMETERS
-------------------
forward_addr
DNS servers used to lookup names, can be provided multiple times. It can be
either an IPv4 or IPv6 address but no domain name.
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
interface verbosity
Interface to listen on, can be provided multiple times. Defaults to Control the `unbound.conf(5)` verbosity parameter.
'127.0.0.1' and '::1'.
access-control port
Controls which clients are allowed queries to the unbound service (everything Control the `unbound.conf(5)` port parameter.
but localhost is refused by default), can be provided multiple times. The
format is described in unbound.conf(5).
rc-interface control-port
Address or path to socket used for remote control (see `--enable_control`. Defaults to `127.0.0.1`). Control the `unbound.conf(5)` control-port parameter.
local-data
Configure local data, which is served in reply to queries for it. Can be
specified multiple times.
dns64-prefix dns64-prefix
Enable DNS64 with specified prefix. Control the `unbound.conf(5)` dns64-prefix parameter.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
interface
Control the `unbound.conf(5)` interface parameter. Can be
given multiple times, will generate multiple `interface:
xxx` clauses.
access-control
Control the `unbound.conf(5)` access-control parameter. Can be given
multiple times, will generate multiple `access-control` clauses. The format
is an IP block followed by an access-control keyword.
control-interface
Control the `unbound.conf(5)` control-interface parameter. Can be given
mutltiple times, will generate multiple `control-interface` clauses. Note
that without the `enable-rc` boolean flags, remote control will not be
enabled. Note that if at least one control interfaces is not a local socket,
then you should enable the `control-use-certs` boolean flag to generate and
configure TLS certificates for use between `unbound(8)` and
`unbound-control(8)`
forward-zone
Define a forward zone. Each zone is comprised of a name, which defines for
what domains this zone applies, and at least one DNS server to which the
queries should be forwarded. The format is a comma-separated list of values
where the first element is the name of the zone, and the following elements
are the IP addresses of the DNS servers; e.g. `example.com,1.2.3.4,4.3.2.1`
BOOLEAN PARAMETERS BOOLEAN PARAMETERS
------------------ ------------------
disable-ip4 ip-transparent
Do not answer or issue queries over IPv4. Cannot be used alongside the Control the `unbound.conf(5)` ip-transparent parameter.
`--disable-ip6` flag.
disable-ip6 dns64
Do not answer or issue queries over IPv6. Cannot be used alongside the Enables the addition of the DNS64 module.
`--disable-ip4` flag.
enable-rc enable-rc
Enable remote control (see `unbound-control(8)`). Enable remote control.
control-use-certs
Enable the generation using `unbound-control-setup(8)` of TLS certificates
for the interaction between `unbound(8)` and `unbound-control(8)`, as well as
their inclusion in the configuration file.
EXAMPLES EXAMPLES
-------- --------
.. code-block:: sh .. code-block:: sh
__ungleich_unbound \ # Setup bird and open a BGP session.
--interface '::0' \ __bird_core --router-id 198.51.100.4
--dns64-prefix '2a0a:e5c0:2:10::/96' \
--forward-addr '2a0a:e5c0:2:1::5' \ require='__bird_core' __bird_bgp bgp4 \
--forward-addr '2a0a:e5c0:2:1::6' \ --description "a test IPv4 BGP instance" \
--access-control '::0/0 deny' \ --ipv4-export all \
--access-control '2a0a:e5c0::/29 allow' \ --ipv4-import all \
--access-control '2a09:2940::/29 allow' \ --ipv6-export none \
--ip6 --ipv6-import none \
--local-as 1234 \
--local-ip 198.51.100.4 \
--neighbor-as 4321 \
--neighbor-ip 198.51.100.3 \
--password hunter01
SEE ALSO SEE ALSO
-------- --------
- `unbound.conf(5) <https://nlnetlabs.nl/documentation/unbound/unbound.conf/>`_ `unbound(8)`
`unbound.conf(5)`
`unbound-control(8)`
AUTHORS AUTHORS
------- -------
Timothée Floure <timothee.floure@ungleich.ch> Joachim Desroches <joachim.desroches@epfl.ch>
COPYING COPYING
------- -------
Copyright \(C) 2020 Timothée Floure. You can redistribute it Copyright \(C) 2021 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version. License, or (at your option) any later version.


@ -1,6 +1,6 @@
#!/bin/sh -e #!/bin/sh -xe
# #
# 2020 Timothée Floure (timothee.floure@ungleich.ch) # 2020 Joachim Desroches (joachim.desroches@epfl.ch)
# #
# This file is part of cdist. # This file is part of cdist.
# #
@ -19,86 +19,97 @@
# #
os=$(cat "$__global/explorer/os") os=$(cat "${__global:?}/explorer/os")
case "$os" in case "$os" in
alpine) alpine)
__package unbound --state present __package unbound
openssl_package=openssl
;; ;;
*) *)
printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2 printf "%s is currently not supported by __unbound\n" "$os" >&2
printf "Please contribute an implementation for it if you can.\n" >&2 printf "Please contribute an implementation for it if you can.\n" >&2
exit 1 exit 1
;; ;;
esac esac
# Required parameters:
FORWARD_ADDRS=$(cat "$__object/parameter/forward-addr")
export FORWARD_ADDRS
# Optional parameters: # Optional parameters:
if [ -f "$__object/parameter/dns64-prefix" ]; then [ -f "${__object:?}/parameter/verbosity" ] && {
DNS64_PREFIX=$(cat "$__object/parameter/dns64-prefix") VERBOSITY=$(cat "${__object:?}/parameter/verbosity")
export DNS64_PREFIX export VERBOSITY
fi }
if [ -f "$__object/parameter/interface" ]; then [ -f "${__object:?}/parameter/port" ] && {
INTERFACES=$(cat "$__object/parameter/interface") PORT=$(cat "${__object:?}/parameter/port")
export INTERFACES export PORT
fi }
if [ -f "$__object/parameter/access-control" ]; then [ -f "${__object:?}/parameter/control-port" ] && {
ACCESS_CONTROLS=$(cat "$__object/parameter/access-control") CONTROL_PORT=$(cat "${__object:?}/parameter/control-port")
export ACCESS_CONTROLS export CONTROL_PORT
fi }
if [ -f "$__object/parameter/rc-interface" ]; then [ -f "${__object:?}/parameter/dns64-prefix" ] && {
RC_INTERFACE=$(cat "$__object/parameter/rc-interface") PREFIX64=$(cat "${__object:?}/parameter/dns64-prefix")
export RC_INTERFACE export PREFIX64
fi }
if [ -f "$__object/parameter/local-data" ]; then
LOCAL_DATA=$(cat "$__object/parameter/local-data")
export LOCAL_DATA
fi
# Boolean parameters: # Boolean parameters:
if [ -f "$__object/parameter/disable-ip4" ] && \ [ -f "${__object:?}/parameter/ip-transparent" ] && {
[ -f "$__object/parameter/disable-ip6" ]; then IP_TRANSPARENT=yes
echo "--disable-ip4 and --disable-ip6 cannot be used at the same time." >&2 export IP_TRANSPARENT
exit 1 }
fi
if [ -f "$__object/parameter/disable-ip4" ]; then [ -f "${__object:?}/parameter/dns64" ] && {
export DO_IP4='no' DNS64=yes
else export DNS64
export DO_IP4='yes' }
fi
if [ -f "$__object/parameter/disable-ip6" ]; then [ -f "${__object:?}/parameter/enable-rc" ] && {
export DO_IP6='no' ENABLE_RC=yes
else export ENABLE_RC
export DO_IP6='yes' }
fi
if [ -f "$__object/parameter/enable-rc" ]; then [ -f "${__object:?}/parameter/control-use-certs" ] && {
export RC_ENABLE='yes' __package "$openssl_package"
else CONTROL_USE_CERTS=yes
export RC_ENABLE='no' export CONTROL_USE_CERTS
fi }
# Certs for remote control: # Certs for remote control, generated if --generate-certs is given.
export RC_SERVER_KEY_FILE='/etc/unbound/unbound_server.key' export RC_SERVER_KEY_FILE='/etc/unbound/unbound_server.key'
export RC_SERVER_CERT_FILE='/etc/unbound/unbound_server.pem' export RC_SERVER_CERT_FILE='/etc/unbound/unbound_server.pem'
export RC_CONTROL_KEY_FILE='/etc/unbound/unbound_control.key' export RC_CONTROL_KEY_FILE='/etc/unbound/unbound_control.key'
export RC_CONTROL_CERT_FILE='/etc/unbound/unbound_control.pem' export RC_CONTROL_CERT_FILE='/etc/unbound/unbound_control.pem'
# If object_id is different from 'unbound', we consider that we are launching a
# different instance of unbound and create the appropriate init service.
if [ "${__object_id:?}" != "unbound" ];
then
__link "/etc/init.d/${__object_id:?}" \
--type symbolic --source /etc/init.d/unbound
# The unbound init service checks the proper configuration file but does not
# specify to load it, so we add a daemon configuration file.
__file "/etc/conf.d/${__object_id:?}" \
--owner root --mode 0600 --source - <<- EOF
# Generated by cdist.
command_args="-c /etc/unbound/\$RC_SVCNAME.conf"
EOF
require="__link/etc/init.d/${__object_id:?}" \
__start_on_boot "${__object_id:?}"
else
__start_on_boot unbound
fi
# Generate and deploy configuration files. # Generate and deploy configuration files.
source_file="$__object/files/unbound.conf" source_file="${__object:?}/files/unbound.conf"
target_file="/etc/unbound/unbound.conf" target_file="/etc/unbound/${__object_id:?}.conf"
mkdir -p "$__object/files" mkdir -p "$__object/files"
"$__type/files/unbound.conf.sh" > "$source_file" "${__type:?}/files/unbound.conf.sh" > "$source_file"
require="__package/unbound" __file "$target_file" \ require="__package/unbound" __file "$target_file" \
--source "$source_file" \ --source "$source_file" \
--owner root \ --owner root \
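Review bot: `${__object_id:?}` is used to build `/etc/init.d/${__object_id}`, `/etc/conf.d/${__object_id}` and `/etc/unbound/${__object_id}.conf` (and a `service` command in gencode-remote) without validation, so an object id containing `/`, whitespace or shell metacharacters yields paths outside the intended directories or a malformed init/config name. A check before the symlink block, e.g. `case "${__object_id:?}" in *[!A-Za-z0-9_.-]*) printf 'invalid object id: %s\n' "${__object_id}" >&2; exit 1 ;; esac`, keeps it to a plain service name. The comment `# Certs for remote control, generated if --generate-certs is given.` names a flag that does not exist; the boolean tested just above is `control-use-certs`, so it should read `# Certs for remote control, generated if --control-use-certs is given.` In the first hunk the shebang now carries `-x`, which traces every expanded command and parameter value to stderr on each run and reads as leftover debugging; `#!/bin/sh -e` is sufficient. The trailing `__file "$target_file"` call continues past the end of the hunk.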


@ -1,3 +1,4 @@
disable-ip6 ip-transparent
disable-ip4 dns64
enable-rc enable-rc
control-use-certs


@ -1 +0,0 @@
127.0.0.1


@ -1,2 +1,4 @@
rc-interface verbosity
port
control-port
dns64-prefix dns64-prefix


@ -1,3 +1,4 @@
access-control
local-data
interface interface
access-control
control-interface
forward-zone


@ -1 +0,0 @@
forward-addr