Merge branch 'unbound-ng' into 'master'

__unbound: create more generalized type.

See merge request ungleich-public/cdist-contrib!36

type/__unbound/gencode-remote

@@ -1,16 +1,21 @@
 #!/bin/sh
 
+if ! [ -f "${__object:?}/parameter/control-use-certs" ];
+then
+	exit 0;
+fi
+
 UNBOUND_CERTS_DIR=/etc/unbound
 
-if [ -f "$__object/parameter/enable-rc" ]; then
+if [ -f "${__object:?}/parameter/enable-rc" ]; then
 	echo "unbound-control-setup -d $UNBOUND_CERTS_DIR"
 	echo "chown unbound:unbound $UNBOUND_CERTS_DIR/*.pem $UNBOUND_CERTS_DIR/*.key"
 fi
 
 cat << EOF
 if pgrep unbound; then
-	service unbound reload
+	service ${__object_id:?} reload
 else
-	service unbound start
+	service ${__object_id:?} start
 fi
 EOF

type/__unbound/man.rst

@@ -1,84 +1,126 @@
 cdist-type__unbound(7)
-===============================
+=======================
 
 NAME
 ----
-cdist-type__ungleich_unbound - unbound server deployment for ungleich
+cdist-type__unbound - configure an instance of unbound, a DNS validating resolver.
 
 
 DESCRIPTION
 -----------
-This unbound (dns resolver and cache) deployment provides DNS64 and fetch
-answers from specified upstrean DNS server. This is a singleton type.
+This type writes the configuration and OpenRC init scripts to run an instance
+of unbound. The most commonly used options for unbound are configurable through
+flags.
+
+Note that this type is currently only implemented (and tested) on Alpine Linux.
+Please contribute other implementations if you can.
 
-REQUIRED PARAMETERS
--------------------
-forward_addr
-  DNS servers used to lookup names, can be provided multiple times. It can be
-  either an IPv4 or IPv6 address but no domain name.
 
 OPTIONAL PARAMETERS
 -------------------
+verbosity
+  Control the `unbound.conf(5)` verbosity parameter.
+
+port
+  Control the `unbound.conf(5)` port parameter.
+
+control-port
+  Control the `unbound.conf(5)` control-port parameter.
+
+dns64-prefix
+  Control the `unbound.conf(5)` dns64-prefix parameter.
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
 interface
-  Interface to listen on, can be provided multiple times. Defaults to
-  '127.0.0.1' and '::1'.
+  Control the `unbound.conf(5)` interface parameter. Can be
+  given multiple times, will generate multiple `interface:
+  xxx` clauses.
 
 access-control
-  Controls which clients are allowed queries to the unbound service (everything
-  but localhost is refused by default), can be provided multiple times. The
-  format is described in unbound.conf(5).
-
-rc-interface
-  Address or path to socket used for remote control (see `--enable_control`. Defaults to `127.0.0.1`).
+  Control the `unbound.conf(5)` access-control parameter. Can be given
+  multiple times, will generate multiple `access-control` clauses. The format
+  is an IP block followed by an access-control keyword.
+
+control-interface
+  Control the `unbound.conf(5)` control-interface parameter. Can be given
+  mutltiple times, will generate multiple `control-interface` clauses. Note
+  that without the `enable-rc` boolean flags, remote control will not be
+  enabled. Note that if at least one control interfaces is not a local socket,
+  then you should enable the `control-use-certs` boolean flag to generate and
+  configure TLS certificates for use between `unbound(8)` and
+  `unbound-control(8)`
+
+forward-zone
+  Define a forward zone. Each zone is comprised of a name, which defines for
+  what domains this zone applies, and at least one DNS server to which the
+  queries should be forwarded. The format is a comma-separated list of values
+  where the first element is the name of the zone, and the following elements
+  are the IP addresses of the DNS servers; e.g. `example.com,1.2.3.4,4.3.2.1`
 
 local-data
-  Configure local data, which is served in reply to queries for it. Can be
-  specified multiple times.
-
-dns64-prefix
-  Enable DNS64 with specified prefix.
+  Control the `unbound.conf(5)` local-data parameter. Note that no local-zone
+  is defined, so the unbound default is to treat this data as a transparent
+  local zone.
 
 BOOLEAN PARAMETERS
 ------------------
-disable-ip4
-  Do not answer or issue queries over IPv4. Cannot be used alongside the
-  `--disable-ip6` flag.
+ip-transparent
+  Control the `unbound.conf(5)` ip-transparent parameter.
 
-disable-ip6
-  Do not answer or issue queries over IPv6. Cannot be used alongside the
-  `--disable-ip4` flag.
+dns64
+  Enables the addition of the DNS64 module.
 
 enable-rc
-  Enable remote control (see `unbound-control(8)`).
+  Enable remote control.
+
+control-use-certs
+  Enable the generation using `unbound-control-setup(8)` of TLS certificates
+  for the interaction between `unbound(8)` and `unbound-control(8)`, as well as
+  their inclusion in the configuration file.
+
+disable-ip4
+  Disable answering queries over IPv4.
+
+disable-ip6
+  Disable answering queries over IPv6.
 
 EXAMPLES
 --------
 
 .. code-block:: sh
 
-    __ungleich_unbound \
-      --interface '::0' \
-      --dns64-prefix '2a0a:e5c0:2:10::/96' \
-      --forward-addr '2a0a:e5c0:2:1::5' \
-      --forward-addr '2a0a:e5c0:2:1::6' \
-      --access-control '::0/0 deny' \
-      --access-control '2a0a:e5c0::/29 allow' \
-      --access-control '2a09:2940::/29 allow' \
-      --ip6
+        # Setup two resolvers, one with dns64, the other without.
+        __unbound unbound \
+                --dns64 \
+                --ip-transparent \
+                --interface "$address" \
+                --access-control "$address/64 allow" \
+                --enable-rc \
+                --control-interface "/var/run/unbound_control.sock"
+
+        __unbound unbound6only \
+                --ip-transparent \
+                --interface "$addresstwo" \
+                --access-control "$addresstwo/64 allow" \
+                --forward-zone "example.com,1.1.1.1,2.2.2.2"
+
 
 SEE ALSO
 --------
-- `unbound.conf(5) <https://nlnetlabs.nl/documentation/unbound/unbound.conf/>`_
+`unbound(8)`
+`unbound.conf(5)`
+`unbound-control(8)`
 
 
 AUTHORS
 -------
-Timothée Floure <timothee.floure@ungleich.ch>
+Joachim Desroches <joachim.desroches@epfl.ch>
 
 
 COPYING
 -------
-Copyright \(C) 2020 Timothée Floure. You can redistribute it
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.

type/__unbound/manifest

@@ -1,6 +1,6 @@
-#!/bin/sh -e
+#!/bin/sh -xe
 #
-# 2020 Timothée Floure (timothee.floure@ungleich.ch)
+# 2020 Joachim Desroches (joachim.desroches@epfl.ch)
 #
 # This file is part of cdist.
 #
@@ -19,87 +19,117 @@
 #
 
 
-os=$(cat "$__global/explorer/os")
+os=$(cat "${__global:?}/explorer/os")
 
 case "$os" in
-   alpine)
-      __package unbound --state present
-   ;;
-   *)
-      printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
-      printf "Please contribute an implementation for it if you can.\n" >&2
-      exit 1
-   ;;
+alpine)
+	__package unbound
+	openssl_package=openssl
+	;;
+*)
+	printf "%s is currently not supported by __unbound\n" "$os" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+	;;
 esac
 
-# Required parameters:
-FORWARD_ADDRS=$(cat "$__object/parameter/forward-addr")
-export FORWARD_ADDRS
-
 # Optional parameters:
-if [ -f "$__object/parameter/dns64-prefix" ]; then
-	DNS64_PREFIX=$(cat "$__object/parameter/dns64-prefix")
-	export DNS64_PREFIX
+if [ -f "${__object:?}/parameter/verbosity" ];
+then
+	VERBOSITY=$(cat "${__object:?}/parameter/verbosity")
+	export VERBOSITY
 fi
 
-if [ -f "$__object/parameter/interface" ]; then
-   INTERFACES=$(cat "$__object/parameter/interface")
-   export INTERFACES
+if [ -f "${__object:?}/parameter/port" ];
+then
+	PORT=$(cat "${__object:?}/parameter/port")
+	export PORT
 fi
 
-if [ -f "$__object/parameter/access-control" ]; then
-   ACCESS_CONTROLS=$(cat "$__object/parameter/access-control")
-   export ACCESS_CONTROLS
+if [ -f "${__object:?}/parameter/control-port" ];
+then
+	CONTROL_PORT=$(cat "${__object:?}/parameter/control-port")
+	export CONTROL_PORT
 fi
 
-if [ -f "$__object/parameter/rc-interface" ]; then
-   RC_INTERFACE=$(cat "$__object/parameter/rc-interface")
-   export RC_INTERFACE
+if [ -f "${__object:?}/parameter/dns64-prefix" ];
+then
+	PREFIX64=$(cat "${__object:?}/parameter/dns64-prefix")
+	export PREFIX64
 fi
 
-if [ -f "$__object/parameter/local-data" ]; then
-   LOCAL_DATA=$(cat "$__object/parameter/local-data")
-   export LOCAL_DATA
+# Boolean parameters:
+if [ -f "${__object:?}/parameter/ip-transparent" ];
+then
+	IP_TRANSPARENT=yes
+	export IP_TRANSPARENT
 fi
 
-# Boolean parameters:
-if [ -f "$__object/parameter/disable-ip4" ] && \
-   [ -f "$__object/parameter/disable-ip6" ]; then
-    echo "--disable-ip4 and --disable-ip6 cannot be used at the same time." >&2
-    exit 1
+if [ -f "${__object:?}/parameter/dns64" ];
+then
+	DNS64=yes
+	export DNS64
 fi
 
-if [ -f "$__object/parameter/disable-ip4" ]; then
-    export DO_IP4='no'
-else
-    export DO_IP4='yes'
+if [ -f "${__object:?}/parameter/enable-rc" ];
+then
+	ENABLE_RC=yes
+	export ENABLE_RC
 fi
 
-if [ -f "$__object/parameter/disable-ip6" ]; then
-    export DO_IP6='no'
-else
-    export DO_IP6='yes'
+if [ -f "${__object:?}/parameter/disable-ip4" ];
+then
+	DISABLE_IPV4=yes
+	export DISABLE_IPV4
 fi
 
-if [ -f "$__object/parameter/enable-rc" ]; then
-    export RC_ENABLE='yes'
-else
-    export RC_ENABLE='no'
+if [ -f "${__object:?}/parameter/disable-ip6" ];
+then
+	DISABLE_IPV6=yes
+	export DISABLE_IPV6
 fi
 
-# Certs for remote control:
+if [ -f "${__object:?}/parameter/control-use-certs" ];
+then
+	__package "$openssl_package"
+	export CONTROL_USE_CERTS=yes
+fi
+
+# Certs for remote control, generated if --generate-certs is given.
 export RC_SERVER_KEY_FILE='/etc/unbound/unbound_server.key'
 export RC_SERVER_CERT_FILE='/etc/unbound/unbound_server.pem'
 export RC_CONTROL_KEY_FILE='/etc/unbound/unbound_control.key'
 export RC_CONTROL_CERT_FILE='/etc/unbound/unbound_control.pem'
 
+export require='__package/unbound'
+# If object_id is different from 'unbound', we consider that we are launching a
+# different instance of unbound and create the appropriate init service.
+if [ "${__object_id:?}" != "unbound" ];
+then
+	__link "/etc/init.d/${__object_id:?}" \
+		--type symbolic --source /etc/init.d/unbound
+
+	# The unbound init service checks the proper configuration file but does not
+	# specify to load it, so we add a daemon configuration file.
+	__file "/etc/conf.d/${__object_id:?}" \
+		--owner root --mode 0600 --source - <<- EOF
+		# Generated by cdist.
+		command_args="-c /etc/unbound/\$RC_SVCNAME.conf"
+		EOF
+
+	require="__link/etc/init.d/${__object_id:?}" \
+		__start_on_boot "${__object_id:?}"
+else
+		__start_on_boot unbound
+fi
+unset require
+
 # Generate and deploy configuration files.
-source_file="$__object/files/unbound.conf"
-target_file="/etc/unbound/unbound.conf"
+source_file="${__object:?}/files/unbound.conf"
+target_file="/etc/unbound/${__object_id:?}.conf"
 
 mkdir -p "$__object/files"
-"$__type/files/unbound.conf.sh" > "$source_file"
+"${__type:?}/files/unbound.conf.sh" > "$source_file"
 require="__package/unbound" __file "$target_file" \
     --source "$source_file" \
-    --owner root \
-    --mode 644
+    --owner root --mode 644

type/__unbound/parameter/boolean

@@ -1,3 +1,6 @@
-disable-ip6
-disable-ip4
+ip-transparent
+dns64
 enable-rc
+control-use-certs
+disable-ip4
+disable-ip6

type/__unbound/parameter/optional

@@ -1,2 +1,4 @@
-rc-interface
+verbosity
+port
+control-port
 dns64-prefix

type/__unbound/parameter/optional_multiple

@@ -1,3 +1,5 @@
+interface
 access-control
+control-interface
+forward-zone
 local-data
-interface