Skip to content

Commit

Permalink
Merge pull request voxpupuli#356 from b4ldr/dnstap
Browse files Browse the repository at this point in the history
Dnstap: Add new class to manage dnstap configueration
  • Loading branch information
bastelfreak authored Jan 17, 2025
2 parents 56b192c + 69948ca commit 6d9ba2b
Show file tree
Hide file tree
Showing 5 changed files with 497 additions and 0 deletions.
226 changes: 226 additions & 0 deletions REFERENCE.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
### Classes

* [`unbound`](#unbound): Installs and configures Unbound, the caching DNS resolver from NLnet Labs
* [`unbound::dnstap`](#unbound--dnstap)
* [`unbound::remote`](#unbound--remote): Configure remote control of the unbound daemon process

### Defined types
Expand All @@ -16,6 +17,10 @@
* [`unbound::record`](#unbound--record): Create an unbound static DNS record override
* [`unbound::stub`](#unbound--stub): Create an unbound stub zone for caching upstream name resolvers

### Functions

* [`unbound::print_config`](#unbound--print_config): Print a configuration value if it is defined and the version is supported

### Data types

* [`Unbound::Access_control`](#Unbound--Access_control): custom type for access control lists
Expand Down Expand Up @@ -1916,6 +1921,195 @@ specifying reduces the number of puppet runs

Default value: `$facts['unbound_version']`

### <a name="unbound--dnstap"></a>`unbound::dnstap`

The unbound::dnstap class.

#### Parameters

The following parameters are available in the `unbound::dnstap` class:

* [`enable`](#-unbound--dnstap--enable)
* [`bidirectional`](#-unbound--dnstap--bidirectional)
* [`socket_path`](#-unbound--dnstap--socket_path)
* [`ip`](#-unbound--dnstap--ip)
* [`tls`](#-unbound--dnstap--tls)
* [`tls_host`](#-unbound--dnstap--tls_host)
* [`tls_cert_bundle`](#-unbound--dnstap--tls_cert_bundle)
* [`tls_cert_key_file`](#-unbound--dnstap--tls_cert_key_file)
* [`tls_cert_cert_file`](#-unbound--dnstap--tls_cert_cert_file)
* [`send_identity`](#-unbound--dnstap--send_identity)
* [`send_version`](#-unbound--dnstap--send_version)
* [`identity`](#-unbound--dnstap--identity)
* [`version`](#-unbound--dnstap--version)
* [`sample_rate`](#-unbound--dnstap--sample_rate)
* [`log_resolver_query_messages`](#-unbound--dnstap--log_resolver_query_messages)
* [`log_resolver_response_messages`](#-unbound--dnstap--log_resolver_response_messages)
* [`log_client_query_messages`](#-unbound--dnstap--log_client_query_messages)
* [`log_client_response_messages`](#-unbound--dnstap--log_client_response_messages)
* [`log_forwarder_query_messages`](#-unbound--dnstap--log_forwarder_query_messages)
* [`log_forwarder_response_messages`](#-unbound--dnstap--log_forwarder_response_messages)

##### <a name="-unbound--dnstap--enable"></a>`enable`

Data type: `Boolean`

Whether to enable dnstap.

Default value: `true`

##### <a name="-unbound--dnstap--bidirectional"></a>`bidirectional`

Data type: `Boolean`

Whether to enable bidirectional dnstap.

Default value: `true`

##### <a name="-unbound--dnstap--socket_path"></a>`socket_path`

Data type: `Optional[Stdlib::Absolutepath]`

The path to the dnstap socket.

Default value: `undef`

##### <a name="-unbound--dnstap--ip"></a>`ip`

Data type: `Optional[Unbound::Address]`

The IP address for dnstap.

Default value: `undef`

##### <a name="-unbound--dnstap--tls"></a>`tls`

Data type: `Boolean`

Whether to enable TLS for dnstap.

Default value: `true`

##### <a name="-unbound--dnstap--tls_host"></a>`tls_host`

Data type: `Optional[Stdlib::Host]`

The TLS host for dnstap.

Default value: `undef`

##### <a name="-unbound--dnstap--tls_cert_bundle"></a>`tls_cert_bundle`

Data type: `Optional[Stdlib::Absolutepath]`

The path to the TLS certificate bundle.

Default value: `undef`

##### <a name="-unbound--dnstap--tls_cert_key_file"></a>`tls_cert_key_file`

Data type: `Optional[Stdlib::Absolutepath]`

The path to the TLS certificate key file.

Default value: `undef`

##### <a name="-unbound--dnstap--tls_cert_cert_file"></a>`tls_cert_cert_file`

Data type: `Optional[Stdlib::Absolutepath]`

The path to the TLS certificate file.

Default value: `undef`

##### <a name="-unbound--dnstap--send_identity"></a>`send_identity`

Data type: `Boolean`

Whether to send the identity in dnstap messages.

Default value: `false`

##### <a name="-unbound--dnstap--send_version"></a>`send_version`

Data type: `Boolean`

Whether to send the version in dnstap messages.

Default value: `false`

##### <a name="-unbound--dnstap--identity"></a>`identity`

Data type: `Optional[String[1]]`

The identity to send in dnstap messages.

Default value: `undef`

##### <a name="-unbound--dnstap--version"></a>`version`

Data type: `Optional[String[1]]`

The version to send in dnstap messages.

Default value: `undef`

##### <a name="-unbound--dnstap--sample_rate"></a>`sample_rate`

Data type: `Integer[0,1000]`

The sample rate for dnstap messages.

Default value: `0`

##### <a name="-unbound--dnstap--log_resolver_query_messages"></a>`log_resolver_query_messages`

Data type: `Boolean`

Whether to log resolver query messages.

Default value: `false`

##### <a name="-unbound--dnstap--log_resolver_response_messages"></a>`log_resolver_response_messages`

Data type: `Boolean`

Whether to log resolver response messages.

Default value: `false`

##### <a name="-unbound--dnstap--log_client_query_messages"></a>`log_client_query_messages`

Data type: `Boolean`

Whether to log client query messages.

Default value: `false`

##### <a name="-unbound--dnstap--log_client_response_messages"></a>`log_client_response_messages`

Data type: `Boolean`

Whether to log client response messages.

Default value: `false`

##### <a name="-unbound--dnstap--log_forwarder_query_messages"></a>`log_forwarder_query_messages`

Data type: `Boolean`

Whether to log forwarder query messages.

Default value: `false`

##### <a name="-unbound--dnstap--log_forwarder_response_messages"></a>`log_forwarder_response_messages`

Data type: `Boolean`

Whether to log forwarder response messages.

Default value: `false`

### <a name="unbound--remote"></a>`unbound::remote`

Configure remote control of the unbound daemon process
Expand Down Expand Up @@ -2341,6 +2535,38 @@ Name of the unbound config file

Default value: `undef`

## Functions

### <a name="unbound--print_config"></a>`unbound::print_config`

Type: Puppet Language

Print a configuration value if it is defined and the version is supported

#### `unbound::print_config(String[1] $name, Optional[Variant[Boolean, Integer, String, Array[String, 1]]] $value = undef, Optional[String[1]] $version = undef)`

The unbound::print_config function.

Returns: `String` the config item as a string or an empty string if the version is not supported

##### `name`

Data type: `String[1]`

the config item name

##### `value`

Data type: `Optional[Variant[Boolean, Integer, String, Array[String, 1]]]`

the config item value

##### `version`

Data type: `Optional[String[1]]`

the version when the config item was introduced

## Data types

### <a name="Unbound--Access_control"></a>`Unbound::Access_control`
Expand Down
21 changes: 21 additions & 0 deletions functions/print_config.pp
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# @summary Print a configuration value if it is defined and the version is supported
# @param name the config item name
# @param value the config item value
# @param version the version when the config item was introduced
# @return the config item as a string or an empty string if the version is not supported
function unbound::print_config (
String[1] $name,
Optional[Variant[Boolean, Integer, String, Array[String, 1]]] $value = undef,
Optional[String[1]] $version = undef,
) >> String {
$unbound_version = $facts['unbound_version'].lest || { '0.a' }
if ($value =~ Undef or ($version =~ NotUndef and versioncmp($unbound_version, $version) < 0)) {
return ''
}
$value ? {
String => " ${name}: \"${value}\"",
Integer => " ${name}: ${value}",
Boolean => " ${name}: ${value.bool2str('yes', 'no')}",
Array => $value.map |$v| { " ${name}: \"${v}\"" }.join("\n"),
}
}
104 changes: 104 additions & 0 deletions manifests/dnstap.pp
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
# @summary
# @param enable
# Whether to enable dnstap.
# @param bidirectional
# Whether to enable bidirectional dnstap.
# @param socket_path
# The path to the dnstap socket.
# @param ip
# The IP address for dnstap.
# @param tls
# Whether to enable TLS for dnstap.
# @param tls_host
# The TLS host for dnstap.
# @param tls_cert_bundle
# The path to the TLS certificate bundle.
# @param tls_cert_key_file
# The path to the TLS certificate key file.
# @param tls_cert_cert_file
# The path to the TLS certificate file.
# @param send_identity
# Whether to send the identity in dnstap messages.
# @param send_version
# Whether to send the version in dnstap messages.
# @param identity
# The identity to send in dnstap messages.
# @param version
# The version to send in dnstap messages.
# @param sample_rate
# The sample rate for dnstap messages.
# @param log_resolver_query_messages
# Whether to log resolver query messages.
# @param log_resolver_response_messages
# Whether to log resolver response messages.
# @param log_client_query_messages
# Whether to log client query messages.
# @param log_client_response_messages
# Whether to log client response messages.
# @param log_forwarder_query_messages
# Whether to log forwarder query messages.
# @param log_forwarder_response_messages
# Whether to log forwarder response messages.
class unbound::dnstap (
Boolean $enable = true, # version 1.11
Boolean $bidirectional = true, # version 1.11
Optional[Stdlib::Absolutepath] $socket_path = undef, # version 1.11
Optional[Unbound::Address] $ip = undef, # version 1.11
Boolean $tls = true, # version 1.11
Optional[Stdlib::Host] $tls_host = undef, # version 1.11
Optional[Stdlib::Absolutepath] $tls_cert_bundle = undef, # version 1.11
Optional[Stdlib::Absolutepath] $tls_cert_key_file = undef, # version 1.11
Optional[Stdlib::Absolutepath] $tls_cert_cert_file = undef, # version 1.11
Boolean $send_identity = false, # version 1.11
Boolean $send_version = false, # version 1.11
Optional[String[1]] $identity = undef, # version 1.11
Optional[String[1]] $version = undef, # version 1.11
Integer[0,1000] $sample_rate = 0, # version 1.21
Boolean $log_resolver_query_messages = false, # version 1.11
Boolean $log_resolver_response_messages = false, # version 1.11
Boolean $log_client_query_messages = false, # version 1.11
Boolean $log_client_response_messages = false, # version 1.11
Boolean $log_forwarder_query_messages = false, # version 1.11
Boolean $log_forwarder_response_messages = false, # version 1.11

) {
include unbound
if $enable and $socket_path == undef and $ip == undef {
fail('Either ip or socket_path is required when dnstap is enabled')
}
if $enable {
$ip_config = $ip.then |$v| {
@("CONFIG")
${unbound::print_config('dnstap-ip', $v, '1.11')}
${unbound::print_config('dnstap-tls', $tls, '1.11')}
${unbound::print_config('dnstap-tls-host', $tls_host, '1.11')}
${unbound::print_config('dnstap-tls-cert-bundle', $tls_cert_bundle, '1.11')}
${unbound::print_config('dnstap-tls-cert-key-file', $tls_cert_key_file, '1.11')}
${unbound::print_config('dnstap-tls-cert-cert-file', $tls_cert_cert_file, '1.11')}
| CONFIG
}
$config = @("CONFIG")
dnstap:
${unbound::print_config('dnstap-enable', $enable, '1.11')}
${unbound::print_config('dnstap-bidirectional', $bidirectional, '1.11')}
${unbound::print_config('dnstap-socket-path', $socket_path, '1.11')}
${$ip_config}
${unbound::print_config('dnstap-send-identity', $send_identity, '1.11')}
${unbound::print_config('dnstap-send-version', $send_version, '1.11')}
${unbound::print_config('dnstap-identity', $identity, '1.11')}
${unbound::print_config('dnstap-version', $version, '1.11')}
${unbound::print_config('dnstap-sample-rate', $sample_rate, '1.21')}
${unbound::print_config('dnstap-log-resolver-query-messages', $log_resolver_query_messages, '1.11')}
${unbound::print_config('dnstap-log-resolver-response-messages', $log_resolver_response_messages, '1.11')}
${unbound::print_config('dnstap-log-client-query-messages', $log_client_query_messages, '1.11')}
${unbound::print_config('dnstap-log-client-response-messages', $log_client_response_messages, '1.11')}
${unbound::print_config('dnstap-log-forwarder-query-messages', $log_forwarder_query_messages, '1.11')}
${unbound::print_config('dnstap-log-forwarder-response-messages', $log_forwarder_response_messages, '1.11')}
| CONFIG
concat::fragment { 'unbound-dnstap':
order => '20',
target => $unbound::config_file,
content => $config.split("\n").filter |$x| { !$x.empty }.join("\n"),
}
}
}
Loading

0 comments on commit 6d9ba2b

Please sign in to comment.