Commit
dnstap: add new class to add dnstap configuration
b4ldr committed Jan 17, 2025
1 parent 13368fd commit daef4f3
Showing 3 changed files with 417 additions and 0 deletions.
190 changes: 190 additions & 0 deletions REFERENCE.md
Expand Up @@ -7,6 +7,7 @@
### Classes

* [`unbound`](#unbound): Installs and configures Unbound, the caching DNS resolver from NLnet Labs
* [`unbound::dnstap`](#unbound--dnstap)
* [`unbound::remote`](#unbound--remote): Configure remote control of the unbound daemon process

### Defined types
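Review bot: The new `unbound::dnstap` entry in the class list has no description after the link, unlike the `unbound` and `unbound::remote` entries on either side of it. The matching `# @summary` tag in manifests/dnstap.pp is left empty in this commit; fill it in there (for example, that the class manages the dnstap section of the unbound configuration) and regenerate REFERENCE.md so the index line carries it.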
Expand Down Expand Up @@ -1920,6 +1921,195 @@ specifying reduces the number of puppet runs

Default value: `$facts['unbound_version']`

### <a name="unbound--dnstap"></a>`unbound::dnstap`

The unbound::dnstap class.

#### Parameters

The following parameters are available in the `unbound::dnstap` class:

* [`enable`](#-unbound--dnstap--enable)
* [`bidirectional`](#-unbound--dnstap--bidirectional)
* [`socket_path`](#-unbound--dnstap--socket_path)
* [`ip`](#-unbound--dnstap--ip)
* [`tls`](#-unbound--dnstap--tls)
* [`tls_host`](#-unbound--dnstap--tls_host)
* [`tls_cert_bundle`](#-unbound--dnstap--tls_cert_bundle)
* [`tls_cert_key_file`](#-unbound--dnstap--tls_cert_key_file)
* [`tls_cert_cert_file`](#-unbound--dnstap--tls_cert_cert_file)
* [`send_identity`](#-unbound--dnstap--send_identity)
* [`send_version`](#-unbound--dnstap--send_version)
* [`identity`](#-unbound--dnstap--identity)
* [`version`](#-unbound--dnstap--version)
* [`sample_rate`](#-unbound--dnstap--sample_rate)
* [`log_resolver_query_messages`](#-unbound--dnstap--log_resolver_query_messages)
* [`log_resolver_response_messages`](#-unbound--dnstap--log_resolver_response_messages)
* [`log_client_query_messages`](#-unbound--dnstap--log_client_query_messages)
* [`log_client_response_messages`](#-unbound--dnstap--log_client_response_messages)
* [`log_forwarder_query_messages`](#-unbound--dnstap--log_forwarder_query_messages)
* [`log_forwarder_response_messages`](#-unbound--dnstap--log_forwarder_response_messages)

##### <a name="-unbound--dnstap--enable"></a>`enable`

Data type: `Boolean`

Whether to enable dnstap.

Default value: `false`

##### <a name="-unbound--dnstap--bidirectional"></a>`bidirectional`

Data type: `Boolean`

Whether to enable bidirectional dnstap.

Default value: `true`

##### <a name="-unbound--dnstap--socket_path"></a>`socket_path`

Data type: `Optional[Stdlib::Absolutepath]`

The path to the dnstap socket.

Default value: `undef`

##### <a name="-unbound--dnstap--ip"></a>`ip`

Data type: `Optional[Unbound::Address]`

The IP address for dnstap.

Default value: `undef`

##### <a name="-unbound--dnstap--tls"></a>`tls`

Data type: `Boolean`

Whether to enable TLS for dnstap.

Default value: `true`

##### <a name="-unbound--dnstap--tls_host"></a>`tls_host`

Data type: `Optional[Stdlib::Host]`

The TLS host for dnstap.

Default value: `undef`

##### <a name="-unbound--dnstap--tls_cert_bundle"></a>`tls_cert_bundle`

Data type: `Optional[Stdlib::Absolutepath]`

The path to the TLS certificate bundle.

Default value: `undef`

##### <a name="-unbound--dnstap--tls_cert_key_file"></a>`tls_cert_key_file`

Data type: `Optional[Stdlib::Absolutepath]`

The path to the TLS certificate key file.

Default value: `undef`

##### <a name="-unbound--dnstap--tls_cert_cert_file"></a>`tls_cert_cert_file`

Data type: `Optional[Stdlib::Absolutepath]`

The path to the TLS certificate file.

Default value: `undef`

##### <a name="-unbound--dnstap--send_identity"></a>`send_identity`

Data type: `Boolean`

Whether to send the identity in dnstap messages.

Default value: `false`

##### <a name="-unbound--dnstap--send_version"></a>`send_version`

Data type: `Boolean`

Whether to send the version in dnstap messages.

Default value: `false`

##### <a name="-unbound--dnstap--identity"></a>`identity`

Data type: `Optional[String[1]]`

The identity to send in dnstap messages.

Default value: `undef`

##### <a name="-unbound--dnstap--version"></a>`version`

Data type: `Optional[String[1]]`

The version to send in dnstap messages.

Default value: `undef`

##### <a name="-unbound--dnstap--sample_rate"></a>`sample_rate`

Data type: `Integer[0,1000]`

The sample rate for dnstap messages.

Default value: `0`

##### <a name="-unbound--dnstap--log_resolver_query_messages"></a>`log_resolver_query_messages`

Data type: `Boolean`

Whether to log resolver query messages.

Default value: `false`

##### <a name="-unbound--dnstap--log_resolver_response_messages"></a>`log_resolver_response_messages`

Data type: `Boolean`

Whether to log resolver response messages.

Default value: `false`

##### <a name="-unbound--dnstap--log_client_query_messages"></a>`log_client_query_messages`

Data type: `Boolean`

Whether to log client query messages.

Default value: `false`

##### <a name="-unbound--dnstap--log_client_response_messages"></a>`log_client_response_messages`

Data type: `Boolean`

Whether to log client response messages.

Default value: `false`

##### <a name="-unbound--dnstap--log_forwarder_query_messages"></a>`log_forwarder_query_messages`

Data type: `Boolean`

Whether to log forwarder query messages.

Default value: `false`

##### <a name="-unbound--dnstap--log_forwarder_response_messages"></a>`log_forwarder_response_messages`

Data type: `Boolean`

Whether to log forwarder response messages.

Default value: `false`

### <a name="unbound--remote"></a>`unbound::remote`

Configure remote control of the unbound daemon process
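Review bot: The `enable` section documents `Default value: false`, but manifests/dnstap.pp in this same commit declares `Boolean $enable = true`, so the reference and the code disagree on whether declaring the class turns dnstap on. Decide which default is intended, fix the other side, and regenerate this file. The class description "The unbound::dnstap class." is also a placeholder, and the `ip`, `socket_path` and `tls_host` entries would be more useful if they stated that they identify the remote end that receives the dnstap stream and that one of `ip` or `socket_path` is required when `enable` is true.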
104 changes: 104 additions & 0 deletions manifests/dnstap.pp
@@ -0,0 +1,104 @@
# @summary
# @param enable
# Whether to enable dnstap.
# @param bidirectional
# Whether to enable bidirectional dnstap.
# @param socket_path
# The path to the dnstap socket.
# @param ip
# The IP address for dnstap.
# @param tls
# Whether to enable TLS for dnstap.
# @param tls_host
# The TLS host for dnstap.
# @param tls_cert_bundle
# The path to the TLS certificate bundle.
# @param tls_cert_key_file
# The path to the TLS certificate key file.
# @param tls_cert_cert_file
# The path to the TLS certificate file.
# @param send_identity
# Whether to send the identity in dnstap messages.
# @param send_version
# Whether to send the version in dnstap messages.
# @param identity
# The identity to send in dnstap messages.
# @param version
# The version to send in dnstap messages.
# @param sample_rate
# The sample rate for dnstap messages.
# @param log_resolver_query_messages
# Whether to log resolver query messages.
# @param log_resolver_response_messages
# Whether to log resolver response messages.
# @param log_client_query_messages
# Whether to log client query messages.
# @param log_client_response_messages
# Whether to log client response messages.
# @param log_forwarder_query_messages
# Whether to log forwarder query messages.
# @param log_forwarder_response_messages
# Whether to log forwarder response messages.
class unbound::dnstap (
Boolean $enable = true, # version 1.11
Boolean $bidirectional = true, # version 1.11
Optional[Stdlib::Absolutepath] $socket_path = undef, # version 1.11
Optional[Unbound::Address] $ip = undef, # version 1.11
Boolean $tls = true, # version 1.11
Optional[Stdlib::Host] $tls_host = undef, # version 1.11
Optional[Stdlib::Absolutepath] $tls_cert_bundle = undef, # version 1.11
Optional[Stdlib::Absolutepath] $tls_cert_key_file = undef, # version 1.11
Optional[Stdlib::Absolutepath] $tls_cert_cert_file = undef, # version 1.11
Boolean $send_identity = false, # version 1.11
Boolean $send_version = false, # version 1.11
Optional[String[1]] $identity = undef, # version 1.11
Optional[String[1]] $version = undef, # version 1.11
Integer[0,1000] $sample_rate = 0, # version 1.21
Boolean $log_resolver_query_messages = false, # version 1.11
Boolean $log_resolver_response_messages = false, # version 1.11
Boolean $log_client_query_messages = false, # version 1.11
Boolean $log_client_response_messages = false, # version 1.11
Boolean $log_forwarder_query_messages = false, # version 1.11
Boolean $log_forwarder_response_messages = false, # version 1.11

) {
include unbound
if $enable and $socket_path == undef and $ip == undef {
fail('Either ip or socket_path is required when dnstap is enabled')
}
if $enable {
$ip_config = $ip.then |$v| {
@("CONFIG")
${unbound::print_config('dnstap-ip', $v, '1.11')}
${unbound::print_config('dnstap-tls', $tls, '1.11')}
${unbound::print_config('dnstap-tls-host', $tls_host, '1.11')}
${unbound::print_config('dnstap-tls-cert-bundle', $tls_cert_bundle, '1.11')}
${unbound::print_config('dnstap-tls-cert-key-file', $tls_cert_key_file, '1.11')}
${unbound::print_config('dnstap-tls-cert-cert-file', $tls_cert_cert_file, '1.11')}
| CONFIG
}
$config = @("CONFIG")
dnstap:
${unbound::print_config('dnstap-enable', $enable, '1.11')}
${unbound::print_config('dnstap-bidirectional', $bidirectional, '1.11')}
${unbound::print_config('dnstap-socket-path', $socket_path, '1.11')}
${$ip_config}
${unbound::print_config('dnstap-send-identity', $send_identity, '1.11')}
${unbound::print_config('dnstap-send-version', $send_version, '1.11')}
${unbound::print_config('dnstap-identity', $identity, '1.11')}
${unbound::print_config('dnstap-version', $version, '1.11')}
${unbound::print_config('dnstap-sample-rate', $sample_rate, '1.21')}
${unbound::print_config('dnstap-log-resolver-query-messages', $log_resolver_query_messages, '1.11')}
${unbound::print_config('dnstap-log-resolver-response-messages', $log_resolver_response_messages, '1.11')}
${unbound::print_config('dnstap-log-client-query-messages', $log_client_query_messages, '1.11')}
${unbound::print_config('dnstap-log-client-response-messages', $log_client_response_messages, '1.11')}
${unbound::print_config('dnstap-log-forwarder-query-messages', $log_forwarder_query_messages, '1.11')}
${unbound::print_config('dnstap-log-forwarder-response-messages', $log_forwarder_response_messages, '1.11')}
| CONFIG
concat::fragment { 'unbound-dnstap':
order => '20',
target => $unbound::config_file,
content => $config.split("\n").filter |$x| { !$x.empty }.join("\n"),
}
}
}
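Review bot: In the `$ip.then` block, `dnstap-tls` is emitted with `$tls` defaulting to `true` while `$tls_host` and `$tls_cert_bundle` both default to `undef`, and nothing checks that either is set, so the class accepts a TLS connection to `$ip` with no name or CA bundle to check the remote end against. Since this stream carries DNS query and response logs, consider a second `fail()` next to the existing ip/socket_path check when `$ip` and `$tls` are set without `$tls_host`, or document what verification applies in that case. Separately, `Boolean $enable = true` combined with `$socket_path` and `$ip` defaulting to `undef` means a bare `include unbound::dnstap` always hits `fail('Either ip or socket_path is required when dnstap is enabled')`; a default of `false` would avoid that and match REFERENCE.md. The `# @summary` tag at the top is empty and should be filled in.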