From: Peter Palfrader
Date: Sun, 22 Sep 2019 18:53:33 +0000 (+0200)
Subject: No longer allow nagios to recurse on our binds
X-Git-Url: https://wiki.adam-barratt.org.uk/gitweb/?a=commitdiff_plain;h=8efc3cb29ac84aed50f87cc92ad50a6d21a10f8a;p=mirror%2Fdsa-puppet.git
No longer allow nagios to recurse on our binds
---
diff --git a/data/common.yaml b/data/common.yaml
index e2bb53b60..635f03ecc 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -54,9 +54,6 @@ apt::sources::debian::location: 'https://deb.debian.org/debian/'
 # all of these should be retired in favour of including the class role
 # with the host. weasel, 2019-09
 roles:
- nagiosmaster:
- # XXX - only used by bind ACLs
- - tchaikovsky.debian.org
 security_mirror:
 # XXX used also in ferm me.conf.erb
 mirror-anu.debian.org:
diff --git a/modules/named/templates/named.conf.options.erb b/modules/named/templates/named.conf.options.erb
index 83f1f638c..9f0398394 100644
--- a/modules/named/templates/named.conf.options.erb
+++ b/modules/named/templates/named.conf.options.erb
@@ -3,22 +3,6 @@
 // USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
 //
-acl Nagios {
-<%=
- roles = scope.lookupvar('deprecated::roles')
- str = ''
- roles['nagiosmaster'].each do |node|
- str += scope.lookupvar('deprecated::allnodeinfo')[node]['ipHostNumber'].collect do |ip|
- if ip =~ /:/
- "\t#{ip}/128;\n"
- else
- "\t#{ip}/32;\n"
- end
- end.join("")
- end
- str-%>
-};
-
 options {
 directory "/var/cache/bind";
@@ -32,15 +16,6 @@ options {
 blackhole { 192.168.0.0/16; 10.0.0.0/8; 172.16.0.0/12; };
 <% end -%>
-<%=
- allowed='Nagios; '
-
- str = "\tallow-recursion { " + allowed + " };\n"
- str += "\tallow-query { " + allowed + " };\n"
-
- str
--%>
-
 dnssec-enable yes;
 dnssec-validation yes;
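Review bot: In the last hunk of named.conf.options.erb, the options block is left with no `allow-recursion` or `allow-query` statement at all, so named falls back to its built-in defaults instead of a closed policy. As far as I know those defaults are `allow-query { any; };` and, while recursion is enabled, `allow-recursion { localnets; localhost; };`, which is wider than the old Nagios-only ACL. The rest of the options block lies outside the hunk, so confirm whether `recursion no;` is already set there. If it is not, state the intent explicitly with `recursion no;` or `allow-recursion { none; };`, and add a one-line comment such as `// recursion intentionally disabled; do not rely on BIND defaults`.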