# HG changeset patch
# User IBBoard
# Date 1576956650 18000
# Node ID 308f69ca988c1c1391ee1a3597871abfa0fafda3
# Parent c3fa3d65aa83eb4979c96740f19eca548d9e6088
Add config for new server Includes differences in CentOS 8, new host, and IPv4/6
diff -r c3fa3d65aa83 -r 308f69ca988c common/named.conf-ibbvps.vs.mythic-beasts.com
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/common/named.conf-ibbvps.vs.mythic-beasts.com Sat Dec 21 14:30:50 2019 -0500
@@ -0,0 +1,63 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+ listen-on port 53 { 127.0.0.1; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { localhost; };
+
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion yes;
+ max-cache-size 10m;
+
+ forwarders {
+ 2a00:1098:0:80:1000:3b:0:1
+ 2a00:1098:0:82:1000:3b:0:1
+ };
+
+ dnssec-enable yes;
+ dnssec-validation yes;
+
+ /* Path to ISC DLV key */
+ bindkeys-file "/etc/named.iscdlv.key";
+
+ managed-keys-directory "/var/named/dynamic";
+
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+};
+
+logging {
+ channel default_debug {
+ file "data/named.run";
+ severity dynamic;
+ };
+};
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+
diff -r c3fa3d65aa83 -r 308f69ca988c common/sysconfig-named
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/common/sysconfig-named Sat Dec 21 14:30:50 2019 -0500
@@ -0,0 +1,1 @@
+OPTIONS="-4"
diff -r c3fa3d65aa83 -r 308f69ca988c common/sysconfig-named-ibbvps.vs.mythic-beasts.com
diff -r c3fa3d65aa83 -r 308f69ca988c manifests/nodes.pp
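Review bot: The two addresses inside `forwarders { … }` have no terminating semicolons, which BIND's configuration grammar requires, so this file should be rejected by `named-checkconf` and named would fail to start with it; the entries need to read `2a00:1098:0:80:1000:3b:0:1;` and `2a00:1098:0:82:1000:3b:0:1;`. Because the `/etc/named.conf` resource notifies `Service['named']`, a `validate_cmd` running `named-checkconf` on that file resource would stop a broken file from being installed. The `bindkeys-file "/etc/named.iscdlv.key"` line and its DLV comment look carried over from an older template (the ISC DLV registry has been retired), so it is worth confirming that path is still wanted on CentOS 8.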
--- a/manifests/nodes.pp Sat Dec 21 14:19:47 2019 -0500 +++ b/manifests/nodes.pp Sat Dec 21 14:30:50 2019 -0500 @@ -33,3 +33,11 @@ firewall_cmd => 'iptables', } } +node 'ibbvps.vs.mythic-beasts.com' { + class { 'ibboardvpsnode': + primary_ip => '2a00:1098:82:52::1', + mailserver => 'mail.ibboard.co.uk', + imapserver => 'imap.ibboard.co.uk', + firewall_cmd => 'iptables', + } +} diff -r c3fa3d65aa83 -r 308f69ca988c manifests/templates.pp --- a/manifests/templates.pp Sat Dec 21 14:19:47 2019 -0500 +++ b/manifests/templates.pp Sat Dec 21 14:30:50 2019 -0500 @@ -166,7 +166,10 @@ file { '/etc/named.conf': ensure => present, - source => 'puppet:///common/named.conf', + source => [ + "puppet:///common/named.conf-${::hostname}", + "puppet:///common/named.conf", + ], group => 'named', require => Package['bind'], notify => Service['named'], @@ -180,7 +183,10 @@ file { '/etc/sysconfig/named': ensure => present, - content => 'OPTIONS="-4"', + source => [ + "puppet:///common/sysconfig-named-${::hostname}", + "puppet:///common/sysconfig-named", + ], require => Package['bind'], } 
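Review bot: Both new `source` arrays select the per-host file with `${::hostname}`, but the files added in this changeset are named after the full node name (`named.conf-ibbvps.vs.mythic-beasts.com`, `sysconfig-named-ibbvps.vs.mythic-beasts.com`). Facter's `hostname` fact is normally the short name, so unless this host reports its FQDN there, the first entry would never match and the new server would silently receive the common `named.conf` and `OPTIONS="-4"`. Using `"puppet:///common/named.conf-${::fqdn}"` and `"puppet:///common/sysconfig-named-${::fqdn}"` would line the lookup up with the file names. The same applies to the `/etc/sysconfig/named` hunk that follows; both `file` resources sit inside a class whose start is outside the hunk.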
@@ -205,16 +211,19 @@ ensure => present, source => 'puppet:///common/RPM-GPG-KEY-EPEL-6' } - yumrepo { 'ibboard': - baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/', - descr => 'Extra packages from IBBoard', - enabled => 1, - gpgcheck => 1, - gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard', - } - file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard': - ensure => present, - source => 'puppet:///common/RPM-GPG-KEY-ibboard' + if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 and versioncmp($operatingsystemrelease, '8') < 0 { + # We only have extra packages for CentOS 7 + yumrepo { 'ibboard': + baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/', + descr => 'Extra packages from IBBoard', + enabled => 1, + gpgcheck => 1, + gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard', + } + file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard': + ensure => present, + source => 'puppet:///common/RPM-GPG-KEY-ibboard' + } } yumrepo { 'webtatic': ensure => absent, 
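Review bot: The new guard spells "CentOS 7" as two `versioncmp()` calls on unqualified `$operatingsystem`/`$operatingsystemrelease`, while the `source` arrays added earlier in this changeset use the top-scope form `$::hostname`; a single comparison such as `if $::operatingsystem == 'CentOS' and $::operatingsystemmajrelease == '7' {` reads more directly and matches that style. Note also that on releases outside the guard the `ibboard` repo and its key file simply stop being managed rather than being removed, which is fine for a fresh CentOS 8 host but would leave the repo enabled on a machine upgraded in place; a comment saying that is intended would help. The enclosing class starts and ends outside the hunk.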
@@ -416,21 +425,40 @@ # Use Remi's PHP 7.3 for now - 7.4 is still VERY new $php_suffix = '' - yumrepo { 'remirepo-safe': - mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/mirror', - descr => "Extra CentOS packages from Remi", - enabled => 1, - failovermethod => 'priority', - gpgcheck => 1, - gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', - } - yumrepo { 'remirepo-php': - mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php73/mirror', - descr => "PHP7.3 for CentOS from Remi", - enabled => 1, - failovermethod => 'priority', - gpgcheck => 1, - gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', + if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 { + yumrepo { 'remirepo-safe': + mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/$basearch/mirror', + descr => "Extra CentOS packages from Remi", + enabled => 1, + failovermethod => 'priority', + gpgcheck => 1, + gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', + } + yumrepo { 'remirepo-php': + mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php73/$basearch/mirror', + descr => "PHP7.3 for CentOS from Remi", + enabled => 1, + failovermethod => 'priority', + gpgcheck => 1, + gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', + } + } else { + yumrepo { 'remirepo-safe': + mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/mirror', + descr => "Extra CentOS packages from Remi", + enabled => 1, + failovermethod => 'priority', + gpgcheck => 1, + gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', + } + yumrepo { 'remirepo-php': + mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php73/mirror', + descr => "PHP7.3 for CentOS from Remi", + enabled => 1, + failovermethod => 'priority', + gpgcheck => 1, + gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi', + } } file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi': ensure => present, 
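Review bot: The `if`/`else` added here declares `remirepo-safe` and `remirepo-php` twice, and the two branches differ only in the `$basearch/` segment of `mirrorlist`, so the security-relevant settings (`gpgcheck`, `gpgkey`) now have to be kept identical in four places. Computing the path segment once and declaring each repo once, as sketched below, removes that risk of drift. Separately, the `mirrorlist` URLs are fetched over plain `http://`, so package integrity rests on `gpgcheck => 1` alone; if the CDN serves the same path over HTTPS it would be worth switching. The `file` resource at the end of the hunk continues outside it.

```puppet
if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 {
  $remi_arch_path = '$basearch/'
} else {
  $remi_arch_path = ''
}
yumrepo { 'remirepo-safe':
  mirrorlist => "http://cdn.remirepo.net/enterprise/\$releasever/safe/${remi_arch_path}mirror",
  # … unchanged: descr, enabled, failovermethod, gpgcheck, gpgkey …
}
yumrepo { 'remirepo-php':
  mirrorlist => "http://cdn.remirepo.net/enterprise/\$releasever/php73/${remi_arch_path}mirror",
  # … unchanged: descr, enabled, failovermethod, gpgcheck, gpgkey …
}
```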
@@ -477,7 +505,7 @@ class ibboardvpsnode ( $primary_ip, - $secondary_ip, + $secondary_ip = $primary_ip, $mailserver, $imapserver, $firewall_cmd = 'iptables',
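Review bot: The new default `$secondary_ip = $primary_ip` depends on `$primary_ip` already being bound when the default is evaluated; Puppet 4 and later evaluate class parameters left to right and allow this, but older parsers do not guarantee it, and the unqualified fact variables elsewhere in this manifest suggest it may have been written for one. If the older parser is still in use, defaulting to `undef` and resolving the fallback in the class body is the safe form. Either way a comment such as `# secondary_ip defaults to primary_ip for single-address hosts` would document that anything consuming both addresses will see the same one twice. The class body continues outside the hunk.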