changeset 247:308f69ca988c

Add config for new server

Includes differences in CentOS 8, new host, and IPv4/6
author IBBoard <dev@ibboard.co.uk>
date Sat, 21 Dec 2019 14:30:50 -0500
parents c3fa3d65aa83
children 72deb9ebb15e
files common/named.conf-ibbvps.vs.mythic-beasts.com common/sysconfig-named common/sysconfig-named-ibbvps.vs.mythic-beasts.com manifests/nodes.pp manifests/templates.pp
diffstat 4 files changed, 128 insertions(+), 28 deletions(-) [+]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/common/named.conf-ibbvps.vs.mythic-beasts.com	Sat Dec 21 14:30:50 2019 -0500
@@ -0,0 +1,63 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+	listen-on port 53 { 127.0.0.1; };
+	listen-on-v6 port 53 { ::1; };
+	directory 	"/var/named";
+	dump-file 	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	allow-query     { localhost; };
+
+	/* 
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	*/
+	recursion yes;
+	max-cache-size 10m;
+
+	forwarders {
+		2a00:1098:0:80:1000:3b:0:1
+		2a00:1098:0:82:1000:3b:0:1
+	};
+
+	dnssec-enable yes;
+	dnssec-validation yes;
+
+	/* Path to ISC DLV key */
+	bindkeys-file "/etc/named.iscdlv.key";
+
+	managed-keys-directory "/var/named/dynamic";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+};
+
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+
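Review bot: The two addresses inside the `forwarders { … }` block (the `2a00:1098:0:80:…` and `2a00:1098:0:82:…` lines) have no terminating `;`, which BIND requires after every entry in an address list, so `named` will refuse to load this file; the lines should read `2a00:1098:0:80:1000:3b:0:1;` and `2a00:1098:0:82:1000:3b:0:1;`, and running `named-checkconf` on the file before it is deployed would catch this class of error. Separately, these forwarders are IPv6-only while the generic `common/sysconfig-named` added in this changeset starts `named` with `-4`, so this host needs a sysconfig override without `-4` — the `sysconfig-named-ibbvps.vs.mythic-beasts.com` entry in the files line is presumably that, but it is not shown in this diff. With `dnssec-validation yes` the forwarders must also return DNSSEC data (signatures and the DO bit) or every validated lookup will fail, so it is worth confirming that the upstream resolvers support it. The `bindkeys-file "/etc/named.iscdlv.key"` line refers to ISC's DLV registry, which has been decommissioned; it is inert but is dead configuration that the Red Hat template it was copied from may no longer carry on CentOS 8.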
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/common/sysconfig-named	Sat Dec 21 14:30:50 2019 -0500
@@ -0,0 +1,1 @@
+OPTIONS="-4"
--- a/manifests/nodes.pp	Sat Dec 21 14:19:47 2019 -0500
+++ b/manifests/nodes.pp	Sat Dec 21 14:30:50 2019 -0500
@@ -33,3 +33,11 @@
 		firewall_cmd => 'iptables',
 	}
 }
+node 'ibbvps.vs.mythic-beasts.com' {
+	class { 'ibboardvpsnode':
+		primary_ip => '2a00:1098:82:52::1',
+		mailserver => 'mail.ibboard.co.uk',
+		imapserver => 'imap.ibboard.co.uk',
+		firewall_cmd => 'iptables',
+	}
+}
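Review bot: This node passes an IPv6 literal as `primary_ip` and, through the new `$secondary_ip = $primary_ip` default on `ibboardvpsnode`, receives the same IPv6 literal as `secondary_ip`; the class body is outside this changeset, so confirm that nothing in it feeds either value into an IPv4-only context such as an `iptables` rule (selected here by `firewall_cmd => 'iptables'`) or the `-4`-only `named`, where an IPv6 address fails at apply time. If the class does have family-specific handling, a short comment on each parameter stating which address family it expects would make the "IPv4/6" intent of this commit explicit for the next node that is added.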
--- a/manifests/templates.pp	Sat Dec 21 14:19:47 2019 -0500
+++ b/manifests/templates.pp	Sat Dec 21 14:30:50 2019 -0500
@@ -166,7 +166,10 @@
 
 	file { '/etc/named.conf':
 		ensure => present,
-		source => 'puppet:///common/named.conf',
+		source => [
+                        "puppet:///common/named.conf-${::hostname}",
+                        "puppet:///common/named.conf",
+                ],
 		group => 'named',
 		require => Package['bind'],
 		notify => Service['named'],
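Review bot: `${::hostname}` is Facter's short host name (the label before the first dot), while the override added in this changeset is named after the FQDN, `common/named.conf-ibbvps.vs.mythic-beasts.com`, so on that host Puppet looks for `named.conf-ibbvps`, finds nothing, and silently falls back to the generic `puppet:///common/named.conf` — the host-specific DNS configuration is never applied. Use `"puppet:///common/named.conf-${::fqdn}"`, which matches the node name in `manifests/nodes.pp`, or rename the file to the short name; the `/etc/sysconfig/named` hunk below (`sysconfig-named-${::hostname}`) has the same mismatch. Because a source array quietly takes the first URL that exists, a wrong override name is not reported as an error, so a comment such as `# per-host override first; keyed on FQDN to match the node definitions` on the array would save the next reader from the same trap. The new array lines are also space-indented while the rest of the file, including the sysconfig hunk, uses tabs.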
@@ -180,7 +183,10 @@
 
 	file { '/etc/sysconfig/named':
 		ensure => present,
-		content => 'OPTIONS="-4"',
+		source => [
+			"puppet:///common/sysconfig-named-${::hostname}",
+			"puppet:///common/sysconfig-named",
+		],
 		require => Package['bind'],
 	}
 
@@ -205,16 +211,19 @@
 		ensure => present,
 		source => 'puppet:///common/RPM-GPG-KEY-EPEL-6'
 	}
-	yumrepo { 'ibboard':
-		baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/',
-		descr => 'Extra packages from IBBoard',
-		enabled => 1,
-		gpgcheck => 1,
-		gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard',
-	}
-	file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard':
-		ensure => present,
-		source => 'puppet:///common/RPM-GPG-KEY-ibboard'
+	if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 and versioncmp($operatingsystemrelease, '8') < 0 {
+		# We only have extra packages for CentOS 7
+		yumrepo { 'ibboard':
+			baseurl => 'https://download.opensuse.org/repositories/home:/IBBoard:/server/CentOS_$releasever/',
+			descr => 'Extra packages from IBBoard',
+			enabled => 1,
+			gpgcheck => 1,
+			gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard',
+		}
+		file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-ibboard':
+			ensure => present,
+			source => 'puppet:///common/RPM-GPG-KEY-ibboard'
+		}
 	}
 	yumrepo { 'webtatic':
 		ensure => absent,
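Review bot: When the CentOS 7 condition is false, the `ibboard` yumrepo and its GPG key are simply left unmanaged, so a host that already has them — or one later upgraded to 8 — keeps a repo definition that points at a CentOS 7 package tree and may pull mismatched packages; the file already handles this correctly for `webtatic` just below with `ensure => absent`, and the same belongs here: `} else { yumrepo { 'ibboard': ensure => absent } }`. The comment `# We only have extra packages for CentOS 7` would then also explain the removal, e.g. `# Extra packages are only built for CentOS 7; disable the repo everywhere else`.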
@@ -416,21 +425,40 @@
 
 	# Use Remi's PHP 7.3 for now - 7.4 is still VERY new
 	$php_suffix = ''
-	yumrepo { 'remirepo-safe':
-		mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/mirror',
-		descr => "Extra CentOS packages from Remi",
-		enabled => 1,
-		failovermethod => 'priority',
-		gpgcheck => 1,
-		gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi',
-	}
-	yumrepo { 'remirepo-php':
-		mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php73/mirror',
-		descr => "PHP7.3 for CentOS from Remi",
-		enabled => 1,
-		failovermethod => 'priority',
-		gpgcheck => 1,
-		gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi',
+	if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 {
+		yumrepo { 'remirepo-safe':
+			mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/$basearch/mirror',
+			descr => "Extra CentOS packages from Remi",
+			enabled => 1,
+			failovermethod => 'priority',
+			gpgcheck => 1,
+			gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi',
+		}
+		yumrepo { 'remirepo-php':
+			mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php73/$basearch/mirror',
+			descr => "PHP7.3 for CentOS from Remi",
+			enabled => 1,
+			failovermethod => 'priority',
+			gpgcheck => 1,
+			gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi',
+		}
+	} else {
+		yumrepo { 'remirepo-safe':
+			mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/safe/mirror',
+			descr => "Extra CentOS packages from Remi",
+			enabled => 1,
+			failovermethod => 'priority',
+			gpgcheck => 1,
+			gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi',
+		}
+		yumrepo { 'remirepo-php':
+			mirrorlist => 'http://cdn.remirepo.net/enterprise/$releasever/php73/mirror',
+			descr => "PHP7.3 for CentOS from Remi",
+			enabled => 1,
+			failovermethod => 'priority',
+			gpgcheck => 1,
+			gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi',
+		}
 	}
 	file { '/etc/pki/rpm-gpg/RPM-GPG-KEY-remi':
 		ensure => present,
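Review bot: The two branches of the new `if`/`else` duplicate both Remi repo definitions in full when the only difference is the `$basearch/` path segment in `mirrorlist`, which is the kind of duplication where a later change (a key rotation, a PHP version bump) gets applied to one branch and not the other; selecting the path suffix once and declaring each repo a single time keeps them in step. Both mirrorlists are also fetched over plain `http://` — `gpgcheck => 1` protects package integrity, but a tampered mirrorlist can steer the host to a stale mirror and withhold security updates, so switch to `https://` if the CDN serves the same paths over TLS. A short comment stating why CentOS 8 needs the per-architecture path would also help, since it is not obvious from the URLs alone.
```puppet
	# Remi publishes per-architecture mirrorlists for CentOS 8; older releases use a flat path
	$remi_mirror_leaf = ($operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0) ? {
		true    => '$basearch/mirror',
		default => 'mirror',
	}
	yumrepo { 'remirepo-safe':
		mirrorlist => "http://cdn.remirepo.net/enterprise/\$releasever/safe/${remi_mirror_leaf}",
		descr => "Extra CentOS packages from Remi",
		enabled => 1,
		failovermethod => 'priority',
		gpgcheck => 1,
		gpgkey => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi',
	}
	# … unchanged: remirepo-php, identical apart from the 'php73' path segment …
```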
@@ -477,7 +505,7 @@
 
 class ibboardvpsnode (
 	$primary_ip,
-	$secondary_ip,
+	$secondary_ip = $primary_ip,
 	$mailserver,
 	$imapserver,
 	$firewall_cmd = 'iptables',