diff --git a/files/unbound/insecure.conf b/files/unbound/insecure.conf
new file mode 100644
index 00000000..0abfe714
--- /dev/null
+++ b/files/unbound/insecure.conf
@@ -0,0 +1,5 @@
+# File managed by Puppet (class profile::unbound), modifications will be lost.
+# Our upstream DNS servers don't support DNSSEC; make them permissive
+
+server:
+ val-permissive-mode: yes
diff --git a/manifests/unbound.pp b/manifests/unbound.pp
index 837e8c5e..3f1fb915 100644
--- a/manifests/unbound.pp
+++ b/manifests/unbound.pp
@@ -1,39 +1,55 @@
 # Parameters for the unbound DNS resolver class profile::unbound { $has_local_cache = hiera('dns::local_cache') $package = 'unbound' $service = 'unbound' $forwarders_file = '/etc/unbound/unbound.conf.d/forwarders.conf' if $has_local_cache { include ::profile::resolv_conf $forwarders = hiera('dns::forwarders') $forward_zones = hiera('dns::forward_zones') package {$package: ensure => installed, } service {$service: ensure => running, enable => true, require => [ Package[$package], File[$forwarders_file], ] } -> File['/etc/resolv.conf'] # uses variables $forwarders, $forward_zones file {'/etc/unbound/unbound.conf.d/forwarders.conf': ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/unbound/forwarders.conf.erb'), require => Package[$package], notify => Service[$service], }
+
+ if $::location == 'sesi_rocquencourt' {
+ file {'/etc/unbound/unbound.conf.d/insecure.conf':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/profile/unbound/insecure.conf',
+ require => Package[$package],
+ notify => Service[$service],
+ }
+ } else {
+ file {'/etc/unbound/unbound.conf.d/insecure.conf':
+ ensure => absent,
+ }
+ }
 } }
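Review bot: The comment above `val-permissive-mode: yes` says the upstream servers are made permissive, but the option sits under `server:` and changes this resolver's own validator for every query it answers. With it set, unbound still runs the DNSSEC checks but returns answers that fail validation to clients instead of SERVFAIL, so hosts using this cache get no DNSSEC protection while the file is deployed. I would reword the comment to say that, for example `# Upstream forwarders do not return DNSSEC data; validation failures are logged but bogus answers are still served to clients.` It would also help to state in the file that it is meant to be removed once the forwarders support DNSSEC, if that is the intent.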
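Review bot: The `ensure => absent` resource in the else branch has no `notify => Service[$service],`, so on a node that stops matching `sesi_rocquencourt` the file is deleted but the running unbound presumably keeps permissive validation until something else restarts it. Adding that line to the else branch makes the return to strict validation take effect on the same Puppet run. The path `/etc/unbound/unbound.conf.d/insecure.conf` is also written out twice; an `$insecure_file` variable declared next to `$forwarders_file` would keep the two resources in step. Since the rest of the class reads its settings from hiera, the hard-coded location test could be a hiera boolean as well, which would make it easier to audit which sites run with validation relaxed.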