X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/45dde9418dd342bb1a632d82559201c0b3becf1a..d16f3d1a7f01a40ad821948956a21d26fdcab32b:/cookbooks/geodns/recipes/default.rb?ds=sidebyside diff --git a/cookbooks/geodns/recipes/default.rb b/cookbooks/geodns/recipes/default.rb index f24f1b8de..a50b71141 100644 --- a/cookbooks/geodns/recipes/default.rb +++ b/cookbooks/geodns/recipes/default.rb @@ -17,29 +17,40 @@ # limitations under the License. # +include_recipe "geoipupdate" + +servers = search(:node, "roles:geodns").collect(&:name).sort + +servers << "dummy.example.com" if servers.empty? + package %w[ - geoipupdate gdnsd ] -execute "geoipdate" do - command "geoipupdate" - user "root" - group "root" - not_if { ::File.exist?("/var/lib/GeoIP/GeoLite2-Country.mmdb") } -end - directory "/etc/gdnsd/config.d" do owner "nobody" group "nogroup" - mode 0o755 + mode "755" +end + +%w[nominatim].each do |zone| + %w[map resource weighted].each do |type| + template "/etc/gdnsd/config.d/#{zone}.#{type}" do + action :create_if_missing + source "zone.#{type}.erb" + owner "nobody" + group "nogroup" + mode "644" + variables :zone => zone + end + end end template "/etc/gdnsd/config" do source "config.erb" owner "root" group "root" - mode 0o644 + mode "644" notifies :restart, "service[gdnsd]" end @@ -47,7 +58,8 @@ template "/etc/gdnsd/zones/geo.openstreetmap.org" do source "geo.erb" owner "root" group "root" - mode 0o644 + mode "644" + variables :servers => servers notifies :restart, "service[gdnsd]" end @@ -62,11 +74,8 @@ systemd_service "gdnsd-reload" do user "root" exec_start "/bin/systemctl reload-or-restart gdnsd" standard_output "null" - private_tmp true - private_devices true - protect_system "full" - protect_home true - no_new_privileges true + sandbox true + restrict_address_families "AF_UNIX" end systemd_path "gdnsd-reload" do @@ -81,16 +90,14 @@ end firewall_rule "accept-dns-udp" do action :accept - source "net" - dest "fw" - proto "udp" + context :incoming + protocol :udp dest_ports "domain" end firewall_rule "accept-dns-tcp" do action :accept - source "net" - dest "fw" - proto "tcp:syn" + context :incoming + protocol :tcp dest_ports "domain" end