dnstap: add new class to add dnstap configuration

voxpupuli · Jan 17, 2025 · 916a65d · 916a65d
1 parent a759c37
commit 916a65d
Show file tree

Hide file tree

Showing 3 changed files with 419 additions and 0 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -7,6 +7,7 @@
 ### Classes
 
 * [`unbound`](#unbound): Installs and configures Unbound, the caching DNS resolver from NLnet Labs
+* [`unbound::dnstap`](#unbound--dnstap)
 * [`unbound::remote`](#unbound--remote): Configure remote control of the unbound daemon process
 
 ### Defined types
@@ -1920,6 +1921,195 @@ specifying reduces the number of puppet runs
 
 Default value: `$facts['unbound_version']`
 
+### <a name="unbound--dnstap"></a>`unbound::dnstap`
+
+The unbound::dnstap class.
+
+#### Parameters
+
+The following parameters are available in the `unbound::dnstap` class:
+
+* [`enable`](#-unbound--dnstap--enable)
+* [`bidirectional`](#-unbound--dnstap--bidirectional)
+* [`socket_path`](#-unbound--dnstap--socket_path)
+* [`ip`](#-unbound--dnstap--ip)
+* [`tls`](#-unbound--dnstap--tls)
+* [`tls_host`](#-unbound--dnstap--tls_host)
+* [`tls_cert_bundle`](#-unbound--dnstap--tls_cert_bundle)
+* [`tls_cert_key_file`](#-unbound--dnstap--tls_cert_key_file)
+* [`tls_cert_cert_file`](#-unbound--dnstap--tls_cert_cert_file)
+* [`send_identity`](#-unbound--dnstap--send_identity)
+* [`send_version`](#-unbound--dnstap--send_version)
+* [`identity`](#-unbound--dnstap--identity)
+* [`version`](#-unbound--dnstap--version)
+* [`sample_rate`](#-unbound--dnstap--sample_rate)
+* [`log_resolver_query_messages`](#-unbound--dnstap--log_resolver_query_messages)
+* [`log_resolver_response_messages`](#-unbound--dnstap--log_resolver_response_messages)
+* [`log_client_query_messages`](#-unbound--dnstap--log_client_query_messages)
+* [`log_client_response_messages`](#-unbound--dnstap--log_client_response_messages)
+* [`log_forwarder_query_messages`](#-unbound--dnstap--log_forwarder_query_messages)
+* [`log_forwarder_response_messages`](#-unbound--dnstap--log_forwarder_response_messages)
+
+##### <a name="-unbound--dnstap--enable"></a>`enable`
+
+Data type: `Boolean`
+
+Whether to enable dnstap.
+
+Default value: `false`
+
+##### <a name="-unbound--dnstap--bidirectional"></a>`bidirectional`
+
+Data type: `Boolean`
+
+Whether to enable bidirectional dnstap.
+
+Default value: `true`
+
+##### <a name="-unbound--dnstap--socket_path"></a>`socket_path`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+The path to the dnstap socket.
+
+Default value: `undef`
+
+##### <a name="-unbound--dnstap--ip"></a>`ip`
+
+Data type: `Optional[Unbound::Address]`
+
+The IP address for dnstap.
+
+Default value: `undef`
+
+##### <a name="-unbound--dnstap--tls"></a>`tls`
+
+Data type: `Boolean`
+
+Whether to enable TLS for dnstap.
+
+Default value: `true`
+
+##### <a name="-unbound--dnstap--tls_host"></a>`tls_host`
+
+Data type: `Optional[Stdlib::Host]`
+
+The TLS host for dnstap.
+
+Default value: `undef`
+
+##### <a name="-unbound--dnstap--tls_cert_bundle"></a>`tls_cert_bundle`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+The path to the TLS certificate bundle.
+
+Default value: `undef`
+
+##### <a name="-unbound--dnstap--tls_cert_key_file"></a>`tls_cert_key_file`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+The path to the TLS certificate key file.
+
+Default value: `undef`
+
+##### <a name="-unbound--dnstap--tls_cert_cert_file"></a>`tls_cert_cert_file`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+The path to the TLS certificate file.
+
+Default value: `undef`
+
+##### <a name="-unbound--dnstap--send_identity"></a>`send_identity`
+
+Data type: `Boolean`
+
+Whether to send the identity in dnstap messages.
+
+Default value: `false`
+
+##### <a name="-unbound--dnstap--send_version"></a>`send_version`
+
+Data type: `Boolean`
+
+Whether to send the version in dnstap messages.
+
+Default value: `false`
+
+##### <a name="-unbound--dnstap--identity"></a>`identity`
+
+Data type: `Optional[String[1]]`
+
+The identity to send in dnstap messages.
+
+Default value: `undef`
+
+##### <a name="-unbound--dnstap--version"></a>`version`
+
+Data type: `Optional[String[1]]`
+
+The version to send in dnstap messages.
+
+Default value: `undef`
+
+##### <a name="-unbound--dnstap--sample_rate"></a>`sample_rate`
+
+Data type: `Integer[0,1000]`
+
+The sample rate for dnstap messages.
+
+Default value: `0`
+
+##### <a name="-unbound--dnstap--log_resolver_query_messages"></a>`log_resolver_query_messages`
+
+Data type: `Boolean`
+
+Whether to log resolver query messages.
+
+Default value: `false`
+
+##### <a name="-unbound--dnstap--log_resolver_response_messages"></a>`log_resolver_response_messages`
+
+Data type: `Boolean`
+
+Whether to log resolver response messages.
+
+Default value: `false`
+
+##### <a name="-unbound--dnstap--log_client_query_messages"></a>`log_client_query_messages`
+
+Data type: `Boolean`
+
+Whether to log client query messages.
+
+Default value: `false`
+
+##### <a name="-unbound--dnstap--log_client_response_messages"></a>`log_client_response_messages`
+
+Data type: `Boolean`
+
+Whether to log client response messages.
+
+Default value: `false`
+
+##### <a name="-unbound--dnstap--log_forwarder_query_messages"></a>`log_forwarder_query_messages`
+
+Data type: `Boolean`
+
+Whether to log forwarder query messages.
+
+Default value: `false`
+
+##### <a name="-unbound--dnstap--log_forwarder_response_messages"></a>`log_forwarder_response_messages`
+
+Data type: `Boolean`
+
+Whether to log forwarder response messages.
+
+Default value: `false`
+
 ### <a name="unbound--remote"></a>`unbound::remote`
 
 Configure remote control of the unbound daemon process

diff --git a/manifests/dnstap.pp b/manifests/dnstap.pp
@@ -0,0 +1,104 @@
+# @summary
+# @param enable
+#   Whether to enable dnstap.
+# @param bidirectional
+#   Whether to enable bidirectional dnstap.
+# @param socket_path
+#   The path to the dnstap socket.
+# @param ip
+#   The IP address for dnstap.
+# @param tls
+#   Whether to enable TLS for dnstap.
+# @param tls_host
+#   The TLS host for dnstap.
+# @param tls_cert_bundle
+#   The path to the TLS certificate bundle.
+# @param tls_cert_key_file
+#   The path to the TLS certificate key file.
+# @param tls_cert_cert_file
+#   The path to the TLS certificate file.
+# @param send_identity
+#   Whether to send the identity in dnstap messages.
+# @param send_version
+#   Whether to send the version in dnstap messages.
+# @param identity
+#   The identity to send in dnstap messages.
+# @param version
+#   The version to send in dnstap messages.
+# @param sample_rate
+#   The sample rate for dnstap messages.
+# @param log_resolver_query_messages
+#   Whether to log resolver query messages.
+# @param log_resolver_response_messages
+#   Whether to log resolver response messages.
+# @param log_client_query_messages
+#   Whether to log client query messages.
+# @param log_client_response_messages
+#   Whether to log client response messages.
+# @param log_forwarder_query_messages
+#   Whether to log forwarder query messages.
+# @param log_forwarder_response_messages
+#   Whether to log forwarder response messages.
+class unbound::dnstap (
+  Boolean                        $enable                          = false,  # version 1.11
+  Boolean                        $bidirectional                   = true,   # version 1.11
+  Optional[Stdlib::Absolutepath] $socket_path                     = undef,  # version 1.11
+  Optional[Unbound::Address]     $ip                              = undef,  # version 1.11
+  Boolean                        $tls                             = true,   # version 1.11
+  Optional[Stdlib::Host]         $tls_host                        = undef,  # version 1.11
+  Optional[Stdlib::Absolutepath] $tls_cert_bundle                 = undef,  # version 1.11
+  Optional[Stdlib::Absolutepath] $tls_cert_key_file               = undef,  # version 1.11
+  Optional[Stdlib::Absolutepath] $tls_cert_cert_file              = undef,  # version 1.11
+  Boolean                        $send_identity                   = false,  # version 1.11
+  Boolean                        $send_version                    = false,  # version 1.11
+  Optional[String[1]]            $identity                        = undef,  # version 1.11
+  Optional[String[1]]            $version                         = undef,  # version 1.11
+  Integer[0,1000]                $sample_rate                     = 0,      # version 1.21
+  Boolean                        $log_resolver_query_messages     = false,  # version 1.11
+  Boolean                        $log_resolver_response_messages  = false,  # version 1.11
+  Boolean                        $log_client_query_messages       = false,  # version 1.11
+  Boolean                        $log_client_response_messages    = false,  # version 1.11
+  Boolean                        $log_forwarder_query_messages    = false,  # version 1.11
+  Boolean                        $log_forwarder_response_messages = false,  # version 1.11
+
+) {
+  include unbound
+  if $enable and $socket_path == undef and $ip == undef {
+    fail('Either ip or socket_path is required when dnstap is enabled')
+  }
+  if $enable {
+    $ip_config = $ip.then |$v| {
+      @("CONFIG")
+        ${unbound::print_config('dnstap-ip', $v, '1.11')}
+        ${unbound::print_config('dnstap-tls', $tls, '1.11')}
+        ${unbound::print_config('dnstap-tls-host', $tls_host, '1.11')}
+        ${unbound::print_config('dnstap-tls-cert-bundle', $tls_cert_bundle, '1.11')}
+        ${unbound::print_config('dnstap-tls-cert-key-file', $tls_cert_key_file, '1.11')}
+        ${unbound::print_config('dnstap-tls-cert-cert-file', $tls_cert_cert_file, '1.11')}
+        | CONFIG
+    }
+    $config = @("CONFIG")
+      dnstap:
+      ${unbound::print_config('dnstap-enable', $enable, '1.11')}
+      ${unbound::print_config('dnstap-bidirectional', $bidirectional, '1.11')}
+      ${unbound::print_config('dnstap-socket-path', $socket_path, '1.11')}
+      ${$ip_config}
+      ${unbound::print_config('dnstap-send-identity', $send_identity, '1.11')}
+      ${unbound::print_config('dnstap-send-version', $send_version, '1.11')}
+      ${unbound::print_config('dnstap-identity', $identity, '1.11')}
+      ${unbound::print_config('dnstap-version', $version, '1.11')}
+      ${unbound::print_config('dnstap-sample-rate', $sample_rate, '1.21')}
+      ${unbound::print_config('dnstap-log-resolver-query-messages', $log_resolver_query_messages, '1.11')}
+      ${unbound::print_config('dnstap-log-resolver-response-messages', $log_resolver_response_messages, '1.11')}
+      ${unbound::print_config('dnstap-log-client-query-messages', $log_client_query_messages, '1.11')}
+      ${unbound::print_config('dnstap-log-client-response-messages', $log_client_response_messages, '1.11')}
+      ${unbound::print_config('dnstap-log-forwarder-query-messages', $log_forwarder_query_messages, '1.11')}
+      ${unbound::print_config('dnstap-log-forwarder-response-messages', $log_forwarder_response_messages, '1.11')}
+      | CONFIG
+    concat::fragment { 'unbound-dnstap':
+      order   => '20',
+      target  => $unbound::config_file,
+      content => $config.split("\n").filter |$x| { !$x.empty }.join("\n"),
+    }
+  }
+}