wip
This commit is contained in:
parent
c252ae4734
commit
3859db1146
7 changed files with 58 additions and 29 deletions
|
@ -27,8 +27,9 @@ def acme_zone(metadata):
|
|||
'bind': {
|
||||
'zones': {
|
||||
metadata.get('bind/acme_hostname'): {
|
||||
'keys': ['acme'],
|
||||
'dynamic': True,
|
||||
'records': set(),
|
||||
'views': ['external'],
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
|
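Review bot: The zone's TSIG key is named `acme` here (`'keys': ['acme']`), but the dehydrated hook in this same commit signs with `hmac-sha512:acme.sublimity.de:` and reads `bind/keys/acme.sublimity.de`, so unless the `'keys': ['acme']` line is itself about to change, nsupdate will be refused (BIND answers NOTAUTH/BADKEY for a key name it does not know). Since `generate_keys` now derives the secret from the key name rather than the zone, either rename this entry to `'keys': ['acme.sublimity.de']` or point the hook back at `bind/keys/acme`; deriving both from `metadata.get('bind/acme_hostname')` would keep them from drifting again. `acme_zone` begins before this hunk.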
@ -33,15 +33,14 @@ view "${view['name']}" {
|
|||
};
|
||||
|
||||
% for zone, conf in sorted(zones.items()):
|
||||
<% if view['name'] not in conf.get('views', ['internal', 'external']): continue %>
|
||||
zone "${zone}" {
|
||||
type ${type};
|
||||
% if type == 'slave':
|
||||
masters { ${master_ip}; };
|
||||
% endif
|
||||
% if type == 'master':
|
||||
% for key in conf.get('keys', []):
|
||||
allow-update { key "${key}"; };
|
||||
% endfor
|
||||
% if type == 'master' and zone in keys:
|
||||
allow-update { key "${zone}"; };
|
||||
% endif
|
||||
file "/var/lib/bind/${view['name']}/db.${zone}";
|
||||
};
|
||||
|
|
|
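Review bot: `% for key in conf.get('keys', []):` emits one `allow-update { key "${key}"; };` statement per key, but named accepts a single `allow-update` clause per zone, so any zone listing two keys produces a config that named-checkconf rejects as redefined; collect the keys inside one statement instead, and guard it so an empty list emits nothing. For the ACME zone, which only ever needs TXT records touched, `update-policy { grant acme.sublimity.de. zonesub TXT; };` (one `grant` per key, name matching the TSIG key) would be the least-privilege form rather than granting whole-zone updates. The enclosing `view` block opens before this hunk.
```mako
% if type == 'master' and conf.get('keys'):
allow-update {
% for key in conf['keys']:
    key "${key}";
% endfor
};
% endif
```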
@ -144,6 +144,9 @@ for view in views:
|
|||
}
|
||||
|
||||
for zone, conf in zones.items():
|
||||
if view['name'] not in conf.get('views', ['internal', 'external']):
|
||||
continue
|
||||
|
||||
records = conf['records']
|
||||
unique_records = [
|
||||
dict(record_tuple)
|
||||
|
@ -155,19 +158,7 @@ for view in views:
|
|||
files[f"/var/lib/bind/{view['name']}/db.{zone}"] = {
|
||||
'owner': 'bind',
|
||||
'group': 'bind',
|
||||
'source': 'db',
|
||||
'content_type': 'mako',
|
||||
'unless': f"test -f /var/lib/bind/{view['name']}/db.{zone}" if 'keys' in conf else 'false',
|
||||
'context': {
|
||||
'view': view['name'],
|
||||
'serial': datetime.now().strftime('%Y%m%d%H'),
|
||||
'records': list(filter(
|
||||
lambda record: record_matches_view(record, records, view['name']),
|
||||
unique_records
|
||||
)),
|
||||
'hostname': node.metadata.get('bind/hostname'),
|
||||
'type': node.metadata.get('bind/type'),
|
||||
},
|
||||
'content_type': 'any',
|
||||
'needs': [
|
||||
f"directory:/var/lib/bind/{view['name']}",
|
||||
],
|
||||
|
@ -178,6 +169,23 @@ for view in views:
|
|||
'svc_systemd:bind9:restart',
|
||||
],
|
||||
}
|
||||
if node.metadata.get('bind/type') == 'master':
|
||||
files[f"/var/lib/bind/{view['name']}/db.{zone}"].update({
|
||||
'source': 'db',
|
||||
'content_type': 'mako',
|
||||
'unless': f"test -f /var/lib/bind/{view['name']}/db.{zone}" if conf.get('dynamic', False) else 'false',
|
||||
'context': {
|
||||
'view': view['name'],
|
||||
'serial': datetime.now().strftime('%Y%m%d%H'),
|
||||
'records': list(filter(
|
||||
lambda record: record_matches_view(record, records, view['name']),
|
||||
unique_records
|
||||
)),
|
||||
'hostname': node.metadata.get('bind/hostname'),
|
||||
'type': node.metadata.get('bind/type'),
|
||||
'keys': node.metadata.get('bind/keys'),
|
||||
},
|
||||
})
|
||||
|
||||
svc_systemd['bind9'] = {}
|
||||
|
||||
|
|
|
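Review bot: `'keys': node.metadata.get('bind/keys')` in the new master-only `.update()` hands the full name→secret map produced by `generate_keys` to the zone-file template, so whatever the `db` template does with it, the TSIG secrets are now in scope of a file under `/var/lib/bind/<view>/` that is owner/group `bind` with no `mode` set in the visible lines (bundlewrap's default is world-readable as far as I recall); if the template only needs key names, pass `list(node.metadata.get('bind/keys', {}))` and keep the secrets out of the zone directory. Also note that the `test -f …` `unless` for `dynamic` zones means the file is templated once and never re-rendered, which is what a dynamic zone needs once nsupdate owns it, but it also means a later change to that zone's `records` silently does nothing — worth a one-line comment next to `'unless'`. The surrounding `for view in views:` loop starts before this hunk.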
@ -145,15 +145,15 @@ def generate_keys(metadata):
|
|||
return {
|
||||
'bind': {
|
||||
'keys': {
|
||||
key: repo.libs.hmac.hmac_sha512(
|
||||
'acme',
|
||||
zone: repo.libs.hmac.hmac_sha512(
|
||||
zone,
|
||||
str(repo.vault.random_bytes_as_base64_for(
|
||||
f"{metadata.get('id')} bind key {key}",
|
||||
f"{metadata.get('id')} bind key {zone}",
|
||||
length=32,
|
||||
)),
|
||||
)
|
||||
for zone, conf in metadata.get('bind/zones').items()
|
||||
for key in set(conf.get('keys', []))
|
||||
if conf.get('dynamic', False)
|
||||
},
|
||||
},
|
||||
}
|
||||
|
|
|
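Review bot: The first argument to `repo.libs.hmac.hmac_sha512(` is now the literal `'acme'`, while the vault selector on the following lines is keyed by `{key}` and the old code passed `zone` in the same position; unless that argument is something other than the HMAC message, every generated key shares one message and differs only by the vault bytes, which reads like a leftover from a hard-coded test — `key,` is presumably what was meant. Also, if `if conf.get('dynamic', False)` is still in effect, a zone that lists `keys` but is not `dynamic` gets `allow-update { key "…" }` from this commit's template change but no secret here, and named will not load a config that references an undefined key; either generate a secret for every listed key or drop the `dynamic` filter. `generate_keys` begins before this hunk.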
@ -7,18 +7,37 @@ deploy_challenge() {
|
|||
SERVER=${server}
|
||||
DOMAIN=$1
|
||||
CHALLENGE=$3
|
||||
KEY=hmac-sha512:acme:${acme_key}
|
||||
KEY=hmac-sha512:acme.sublimity.de:${acme_key}
|
||||
cmd="
|
||||
server 162.55.188.157
|
||||
zone acme.sublimity.de.
|
||||
update delete $DOMAIN.$ACME_ZONE. TXT
|
||||
update add $DOMAIN.$ACME_ZONE. 60 IN TXT \"$CHALLENGE\"
|
||||
send
|
||||
"
|
||||
echo "$cmd"
|
||||
echo "$cmd" | nsupdate -y $KEY
|
||||
|
||||
sleep 10
|
||||
sleep 20
|
||||
}
|
||||
|
||||
clean_challenge() {
|
||||
set -e
|
||||
set -u
|
||||
set -o pipefail
|
||||
|
||||
ACME_ZONE=${zone}
|
||||
SERVER=${server}
|
||||
DOMAIN=$1
|
||||
CHALLENGE=$3
|
||||
KEY=hmac-sha512:acme.sublimity.de:${acme_key}
|
||||
cmd="
|
||||
server 162.55.188.157
|
||||
zone acme.sublimity.de.
|
||||
update delete $DOMAIN.$ACME_ZONE. TXT
|
||||
send
|
||||
"
|
||||
echo "$cmd"
|
||||
echo "$cmd" | nsupdate -y $KEY
|
||||
}
|
||||
|
||||
deploy_cert() {<%text>
|
||||
|
@ -55,6 +74,6 @@ exit_hook() {<%text>
|
|||
|
||||
<%text>
|
||||
HANDLER="$1"; shift
|
||||
if [[ "${HANDLER}" =~ ^(deploy_cert|exit_hook|deploy_challenge)$ ]]; then
|
||||
if [[ "${HANDLER}" =~ ^(deploy_cert|exit_hook|deploy_challenge|clean_challenge)$ ]]; then
|
||||
"$HANDLER" "$@"
|
||||
fi</%text>
|
||||
|
|
|
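Review bot: `echo "$cmd" | nsupdate -y $KEY` in the new `clean_challenge` (and in `deploy_challenge` above it) passes the TSIG secret as a command-line argument, so it is readable in `/proc/*/cmdline` by every local user while nsupdate runs; since the update script already goes through stdin, put the secret there with nsupdate's `key` command and drop `-y`, which also means the `echo "$cmd"` debug line has to go or it will print the secret into dehydrated's output. Separately, `server 162.55.188.157` and `zone acme.sublimity.de.` hard-code exactly what `SERVER=${server}` and `ACME_ZONE=${zone}` already carry a few lines earlier, so the two variables are set and ignored — use `server $SERVER` and `zone $ACME_ZONE.`. `deploy_challenge` starts before this hunk.
```shell
clean_challenge() {
    # … unchanged: set -e/-u/-o pipefail, ACME_ZONE/SERVER/DOMAIN/CHALLENGE …
    cmd="
    key hmac-sha512:acme.sublimity.de ${acme_key}
    server $SERVER
    zone $ACME_ZONE.
    update delete $DOMAIN.$ACME_ZONE. TXT
    send
    "
    echo "$cmd" | nsupdate
}
```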
@ -24,7 +24,7 @@ files = {
|
|||
'context': {
|
||||
'server': node.metadata.get('network/external/ipv4').split('/')[0],
|
||||
'zone': node.metadata.get('bind/acme_hostname'),
|
||||
'acme_key': node.metadata.get('bind/keys/acme'),
|
||||
'acme_key': node.metadata.get('bind/keys/acme.sublimity.de'),
|
||||
},
|
||||
'mode': '0755',
|
||||
},
|
||||
|
@ -37,7 +37,7 @@ files = {
|
|||
}
|
||||
|
||||
actions['letsencrypt_update_certificates'] = {
|
||||
'command': 'dehydrated --cron --accept-terms --challenge http-01',
|
||||
'command': 'true || dehydrated --cron --accept-terms --challenge http-01',
|
||||
'triggered': True,
|
||||
'skip': delegated,
|
||||
'needs': {
|
||||
|
@ -56,6 +56,6 @@ for domain in node.metadata.get('letsencrypt/domains').keys():
|
|||
'svc_systemd:nginx',
|
||||
},
|
||||
'triggers': {
|
||||
'action:letsencrypt_update_certificates',
|
||||
'action:letsencrypt_update_certificates',
|
||||
},
|
||||
}
|
||||
|
|
|
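Review bot: The hook rendered from this context embeds the TSIG secret (`'acme_key': node.metadata.get('bind/keys/acme.sublimity.de')`) and is installed with `'mode': '0755'`, so every local account can read the key that is allowed to rewrite the ACME zone; set `'mode': '0700'` (owned by whatever user runs dehydrated — root, if it is the cron job) or move the secret into a separate 0600 key file passed to nsupdate with `-k`. Two hunks further down, `'command': 'true || dehydrated --cron --accept-terms --challenge http-01'` turns the renewal action into a no-op, which looks like a WIP toggle that must not land — certificates would silently stop renewing. The `files` dict and the `for domain in …` loop both extend beyond the visible hunks.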
@ -65,6 +65,8 @@
|
|||
'domains': {
|
||||
'ckn.li': set(),
|
||||
'test1.ckn.li': set(),
|
||||
'test2.ckn.li': set(),
|
||||
'test3.ckn.li': set(),
|
||||
'sublimity.de': set(),
|
||||
'freibrief.net': set(),
|
||||
},
|
||||
|
|