__unbound: wire remote control configuration

fnux 2020-06-07 08:46:18 +02:00
parent 25e72d7135
commit 7b9ffb4a41
7 changed files with 40 additions and 6 deletions


@ -857,14 +857,14 @@ python:
remote-control: remote-control:
# Enable remote control with unbound-control(8) here. # Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup. # set up the keys and certificates with unbound-control-setup.
# control-enable: no control-enable: $RC_ENABLE
# what interfaces are listened to for remote control. # what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces. # give 0.0.0.0 and ::0 to listen to all interfaces.
# set to an absolute path to use a unix local name pipe, certificates # set to an absolute path to use a unix local name pipe, certificates
# are not used for that, so key and cert files need not be present. # are not used for that, so key and cert files need not be present.
# control-interface: 127.0.0.1 # control-interface: 127.0.0.1
# control-interface: ::1 control-interface: $RC_INTERFACE
# port number for remote control operations. # port number for remote control operations.
# control-port: 8953 # control-port: 8953
@ -874,16 +874,16 @@ remote-control:
# control-use-cert: "yes" # control-use-cert: "yes"
# unbound server key file. # unbound server key file.
# server-key-file: "/unbound_server.key" server-key-file: "$RC_SERVER_KEY_FILE"
# unbound server certificate file. # unbound server certificate file.
# server-cert-file: "/unbound_server.pem" server-cert-file: "$RC_SERVER_CERT_FILE"
# unbound-control key file. # unbound-control key file.
# control-key-file: "/unbound_control.key" control-key-file: "$RC_CONTROL_KEY_FILE"
# unbound-control certificate file. # unbound-control certificate file.
# control-cert-file: "/unbound_control.pem" control-cert-file: "$RC_CONTROL_CERT_FILE"
# Stub zones. # Stub zones.
# Create entries like below, to make all queries for 'example.com' and # Create entries like below, to make all queries for 'example.com' and
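Review bot: `control-use-cert` stays commented out in the second hunk while `control-interface` now takes whatever `$RC_INTERFACE` holds, so whether a non-loopback control port requires TLS certificates depends on the packaged default rather than on this template. Writing `control-use-cert: "yes"` explicitly, next to the four key and certificate paths, would pin that. The first hunk also replaces the commented `::1` example, so the template no longer hints that the IPv6 loopback needs its own `control-interface:` line.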

8
type/__unbound/gencode-remote Executable file

@ -0,0 +1,8 @@
#!/bin/sh
UNBOUND_CERTS_DIR=/etc/unbound
if [ -f "$__object/parameter/enable_rc" ]; then
echo "unbound-control-setup -d $UNBOUND_CERTS_DIR"
echo "chown unbound:unbound $UNBOUND_CERTS_DIR/*.pem $UNBOUND_CERTS_DIR/*.key"
fi
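Review bot: The `chown` echoed on the second line globs `$UNBOUND_CERTS_DIR/*.pem` and `$UNBOUND_CERTS_DIR/*.key`, so every key and certificate in /etc/unbound changes owner, including any that unbound-control-setup did not create. Naming the files is tighter: `echo "chown unbound:unbound $UNBOUND_CERTS_DIR/unbound_server.key $UNBOUND_CERTS_DIR/unbound_server.pem $UNBOUND_CERTS_DIR/unbound_control.pem"`. `unbound_control.key` is the client-side credential and presumably does not need to be readable by the daemon account; confirm before leaving it out. Both commands are also emitted on every run while `enable_rc` is set, with no check that the key files already exist, so the generated code never converges to a no-op.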


@ -31,6 +31,9 @@ access_control
but localhost is refused by default), can be provided multiple times. The but localhost is refused by default), can be provided multiple times. The
format is described in unbound.conf(5). format is described in unbound.conf(5).
rc_interface
Address or path to socket used for remote control (see `--enable_control`. Defaults to `127.0.0.1`).
BOOLEAN PARAMETERS BOOLEAN PARAMETERS
------------------ ------------------
disable-ip4 disable-ip4
@ -41,6 +44,9 @@ disable-ip6
Do not answer or issue queries over IPv6. Cannot be used alongside the Do not answer or issue queries over IPv6. Cannot be used alongside the
`--disable-ip4` flag. `--disable-ip4` flag.
enable_rc
Enable remote control (see `unbound-control(8)`).
EXAMPLES EXAMPLES
-------- --------


@ -49,6 +49,11 @@ if [ -f "$__object/parameter/access_control" ]; then
export ACCESS_CONTROLS export ACCESS_CONTROLS
fi fi
if [ -f "$__object/parameter/rc_interface" ]; then
RC_INTERFACE=$(cat "$__object/parameter/rc_interface")
export RC_INTERFACE
fi
# Boolean parameters: # Boolean parameters:
if [ -f "$__object/parameter/disable_ip4" ] && \ if [ -f "$__object/parameter/disable_ip4" ] && \
[ -f "$__object/parameter/disable_ip6" ]; then [ -f "$__object/parameter/disable_ip6" ]; then
@ -68,6 +73,18 @@ else
export DO_IP6='yes' export DO_IP6='yes'
fi fi
if [ -f "$__object/parameter/enable_rc" ]; then
export RC_ENABLE='yes'
else
export RC_ENABLE='no'
fi
# Certs for remote control:
export RC_SERVER_KEY_FILE='/etc/unbound/unbound_server.key'
export RC_SERVER_CERT_FILE='/etc/unbound/unbound_server.pem'
export RC_CONTROL_KEY_FILE='/etc/unbound/unbound_control.key'
export RC_CONTROL_CERT_FILE='/etc/unbound/unbound_control.pem'
# Generate and deploy configuration files. # Generate and deploy configuration files.
source_file="$__object/files/unbound.conf" source_file="$__object/files/unbound.conf"
target_file="/etc/unbound/unbound.conf" target_file="/etc/unbound/unbound.conf"
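Review bot: `RC_INTERFACE` is read with `cat` and exported unchecked in the first hunk, and the template writes it verbatim into `control-interface:`, so a non-loopback address puts the control channel on the network and leaves certificate authentication as the only barrier. A comment above the block would make that explicit, for example `# rc_interface goes verbatim into control-interface; anything but loopback or a socket path exposes unbound-control to the network`. The certificate paths exported in the second hunk repeat `/etc/unbound`, which gencode-remote hard-codes separately as `UNBOUND_CERTS_DIR`, so the two must be kept in step by hand. The script continues beyond the visible lines.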


@ -1,2 +1,3 @@
disable_ip6 disable_ip6
disable_ip4 disable_ip4
enable_rc


@ -0,0 +1 @@
127.0.0.1


@ -0,0 +1 @@
rc_interface