bundles/unbound: introduce, add to nodes

2020-12-13 14:59:44 +01:00 · 2020-12-13 14:59:44 +01:00 · 3eeb253e55
commit 3eeb253e55
parent c5e43188ca
7 changed files with 141 additions and 13 deletions
--- a/bundles/unbound/files/unbound.conf
+++ b/bundles/unbound/files/unbound.conf
@ -0,0 +1,44 @@
+server:
+    # provided by pkg_apt:unbound-anchor
+    auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+    verbosity: 0
+
+% if node.has_bundle('netdata'):
+    statistics-interval: 5
+    extended-statistics: yes
+% else:
+    statistics-interval: 300
+% endif
+    statistics-cumulative: no
+
+    num-threads: ${threads}
+
+% if node.has_bundle('iptables'):
+    # Use iptables to manage access to this service
+    interface: 0.0.0.0
+    interface: ::0
+    access-control: 0.0.0.0/0 allow
+    access-control: ::/0 allow
+% else:
+    interface: 127.0.0.1
+    interface: ::1
+    access-control: 127.0.0.1 allow
+    access-control: ::1 allow
+% endif
+
+    cache-max-ttl: ${max_ttl}
+
+    use-syslog: yes
+    log-queries: no
+
+    root-hints: "/etc/unbound/root-hints.txt"
+
+    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
+
+remote-control:
+% if node.has_bundle('netdata'):
+    control-enable: yes
+% else:
+    control-enable: no
+% endif
--- a/bundles/unbound/items.py
+++ b/bundles/unbound/items.py
@ -0,0 +1,44 @@
+files = {
+    '/etc/unbound/unbound.conf': {
+        'content_type': 'mako',
+        'context': node.metadata['unbound'],
+        'triggers': {
+            'svc_systemd:unbound:restart',
+        },
+    },
+}
+
+actions = {
+    'unbound_generate_certificates': {
+        'command': 'unbound-control-setup',
+        'unless': 'test -f /etc/unbound/unbound_server.key',
+        'needs': {
+            'pkg_apt:unbound',
+            'pkg_apt:unbound-anchor',
+        },
+    },
+    'unbound_download_root_hints': {
+        'command': 'wget -O/etc/unbound/root-hints.txt https://www.internic.net/domain/named.root',
+        'unless': 'test -f /etc/unbound/root-hints.txt',
+        'needs': {
+            'pkg_apt:unbound',
+        },
+    },
+}
+
+svc_systemd = {
+    'unbound': {
+        'needs': {
+            'action:unbound_generate_certificates',
+            'action:unbound_download_root_hints',
+            'file:/etc/unbound/unbound.conf',
+            'pkg_apt:unbound',
+            'pkg_apt:unbound-anchor',
+        },
+    },
+}
+
+if node.has_bundle('systemd-networkd'):
+    svc_systemd['unbound']['needed_by'] = {
+        'file:/etc/resolv.conf',
+    }
--- a/bundles/unbound/metadata.py
+++ b/bundles/unbound/metadata.py
@ -0,0 +1,42 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'unbound': {},
+            'unbound-anchor': {},
+        },
+    },
+    'nameservers': {
+        '127.0.0.1',
+    },
+    'unbound': {
+        'max_ttl': 3600,
+    },
+}
+
+
+@metadata_reactor
+def cpu_cores_to_threads(metadata):
+    return {
+        'unbound': {
+            'threads': metadata.get('vm/cpu', 1)*2,
+        },
+    }
+
+
+@metadata_reactor
+def iptables(metadata):
+    interfaces = metadata.get('unbound/restrict-to-interfaces', set())
+    iptables = []
+
+    for iface in sorted(interfaces):
+        iptables.append(f'iptables -A INPUT -i {iface} -p tcp --dport 53 -j ACCEPT')
+        iptables.append(f'iptables -A INPUT -i {iface} -p udp --dport 53 -j ACCEPT')
+
+    return {
+        'iptables': {
+            'bundle_rules': {
+                'unbound': iptables,
+            },
+        },
+    }
+