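defaults = {
    # Packages this bundle asks apt to install.
    'apt': {
        'packages': {
            'unbound': {},
            'unbound-anchor': {},
        },
    },
    'cron': {
        # Weekly refresh of the DNS root hints. Minute, hour and weekday are
        # taken from node.magic_number, presumably so that nodes do not all
        # fetch at the same moment.
        #
        # wget -O truncates its target as soon as it opens it, so a failed or
        # interrupted download written straight to root-hints.txt would leave
        # the resolver with an empty or partial hints file. The download
        # therefore goes to a temporary file and replaces the live file only
        # when wget succeeded and the result is non-empty; mv within the same
        # directory is an atomic rename.
        #
        # NOTE(review): the integrity of the file rests on the HTTPS
        # connection alone, and nothing in this entry reloads unbound after a
        # refresh - confirm both are acceptable.
        'unbound_refresh_root-hints': (
            '{} {} * * {} root '
            'wget -q -O/etc/unbound/root-hints.txt.new https://www.internic.net/domain/named.root '
            '&& test -s /etc/unbound/root-hints.txt.new '
            '&& mv /etc/unbound/root-hints.txt.new /etc/unbound/root-hints.txt'
        ).format(
            node.magic_number%60,
            node.magic_number%24,
            node.magic_number%7,
        ),
    },
    # A set with a single entry; presumably makes the node resolve through
    # its own local unbound instance - verify against the consuming bundle.
    'nameservers': {
        '127.0.0.1',
    },
    'unbound': {
        # presumably seconds; confirm against the unbound config template
        'max_ttl': 3600,
        'cache_size': '512M',
    },
}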
@metadata_reactor.provides(
    'unbound/threads',
    'unbound/cache_slabs',
)
def cpu_cores_to_config_values(metadata):
    """Derive unbound's thread and cache-slab counts from the CPU count.

    Reads 'vm/cpu' from the metadata (1 when unset) and returns
    'unbound/threads' as twice that number and 'unbound/cache_slabs' as a
    power of two.
    """
    cores = metadata.get('vm/cpu', 1)

    # (cores - 1).bit_length() is the exponent of the smallest power of two
    # that is >= cores (for cores >= 1): 1 -> 1, 2 -> 2, 3 -> 4, 4 -> 4.
    slab_exponent = (cores - 1).bit_length()

    unbound_settings = {
        'threads': cores * 2,
        'cache_slabs': 2 ** slab_exponent,
    }
    return {'unbound': unbound_settings}
@metadata_reactor.provides(
    'iptables/bundle_rules/unbound',
)
def iptables(metadata):
    """Build the ACCEPT rules for port 53 from 'unbound/restrict-to'.

    Every identifier listed in 'unbound/restrict-to' is resolved through
    repo.libs.tools.resolve_identifier; each resulting IPv4 and IPv6 address
    gets one TCP and one UDP ACCEPT rule on the INPUT chain. The rules are
    returned sorted under 'iptables/bundle_rules/unbound'.

    NOTE(review): with an empty 'unbound/restrict-to' no rule is emitted at
    all. Whether port 53 is then reachable depends on the default policy of
    the iptables bundle and on the interfaces unbound listens on, neither of
    which is visible here - confirm the intended default.
    """
    allowed_sources = metadata.get('unbound/restrict-to', set())
    accept_rules = set()

    # A falsy value (unset or empty) yields no rules.
    ordered_sources = sorted(allowed_sources) if allowed_sources else []

    for source in ordered_sources:
        addresses = repo.libs.tools.resolve_identifier(repo, source)

        for v4 in addresses['ipv4']:
            accept_rules.update((
                f'iptables -A INPUT -p tcp -s {v4} --dport 53 -j ACCEPT',
                f'iptables -A INPUT -p udp -s {v4} --dport 53 -j ACCEPT',
            ))

        for v6 in addresses['ipv6']:
            accept_rules.update((
                f'ip6tables -A INPUT -p tcp -s {v6} --dport 53 -j ACCEPT',
                f'ip6tables -A INPUT -p udp -s {v6} --dport 53 -j ACCEPT',
            ))

    # The set removes duplicates when identifiers resolve to the same
    # address; sorting keeps the generated metadata stable between runs.
    bundle_rules = {'unbound': sorted(accept_rules)}
    return {'iptables': {'bundle_rules': bundle_rules}}