From 3859db1146fda3fe37933020279c18bfbd14feb4 Mon Sep 17 00:00:00 2001 From: mwiegand Date: Sat, 6 Nov 2021 12:44:32 +0100 Subject: [PATCH] wip --- bundles/bind-acme/metadata.py | 3 ++- bundles/bind/files/named.conf.local | 7 +++--- bundles/bind/items.py | 34 ++++++++++++++++++----------- bundles/bind/metadata.py | 8 +++---- bundles/letsencrypt/files/hook.sh | 27 +++++++++++++++++++---- bundles/letsencrypt/items.py | 6 ++--- nodes/htz.mails.py | 2 ++ 7 files changed, 58 insertions(+), 29 deletions(-) diff --git a/bundles/bind-acme/metadata.py b/bundles/bind-acme/metadata.py index e8c8b98..1e78cd2 100644 --- a/bundles/bind-acme/metadata.py +++ b/bundles/bind-acme/metadata.py @@ -27,8 +27,9 @@ def acme_zone(metadata): 'bind': { 'zones': { metadata.get('bind/acme_hostname'): { - 'keys': ['acme'], + 'dynamic': True, 'records': set(), + 'views': ['external'], }, }, }, diff --git a/bundles/bind/files/named.conf.local b/bundles/bind/files/named.conf.local index cc020ec..d388abd 100644 --- a/bundles/bind/files/named.conf.local +++ b/bundles/bind/files/named.conf.local @@ -33,15 +33,14 @@ view "${view['name']}" { }; % for zone, conf in sorted(zones.items()): + <% if view['name'] not in conf.get('views', ['internal', 'external']): continue %> zone "${zone}" { type ${type}; % if type == 'slave': masters { ${master_ip}; }; % endif - % if type == 'master': - % for key in conf.get('keys', []): - allow-update { key "${key}"; }; - % endfor + % if type == 'master' and zone in keys: + allow-update { key "${zone}"; }; % endif file "/var/lib/bind/${view['name']}/db.${zone}"; }; diff --git a/bundles/bind/items.py b/bundles/bind/items.py index 025bee1..8a5d2c3 100644 --- a/bundles/bind/items.py +++ b/bundles/bind/items.py @@ -144,6 +144,9 @@ for view in views: } for zone, conf in zones.items(): + if view['name'] not in conf.get('views', ['internal', 'external']): + continue + records = conf['records'] unique_records = [ dict(record_tuple) 
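Review bot: The new `'dynamic': True` flag has consequences that nothing here explains: per bundles/bind/items.py in this commit the zone file is rendered once and then left alone (`unless: test -f …`), and per bundles/bind/metadata.py an update key named after the zone is generated for it. A short comment above the entry would spare the next reader the cross-file hunt, e.g. `# dynamic: named owns the zone file after the first deploy; an update key named after the zone is generated` and `# views: the challenge zone is only served from the external view`. acme_zone starts outside the hunk.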
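Review bot: The new condition `zone in keys` references a `keys` name that no hunk in this commit adds to the named.conf.local template's context; the only context gaining a `keys` entry is the `db.<zone>` file item in bundles/bind/items.py (@@ -178). Unless that item already passed `keys`, this renders with an undefined name and master zones silently lose their `allow-update` clause, which is worth confirming before merging. Separately, `allow-update { key "${zone}"; }` lets the ACME key rewrite any record in the zone, while the hook only ever adds and deletes TXT records; BIND's `update-policy { grant ${zone} zonesub TXT; };` restricts the key to exactly that. The enclosing view block starts outside the hunk.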
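Review bot: The default view list `['internal', 'external']` is now spelled out twice — here and in the `<% if … continue %>` line added to named.conf.local — so the two filters can drift apart and a zone could get a file without a `zone` stanza, or the reverse. Resolving `views` once in metadata (next to generate_keys) and reading `conf['views']` in both places removes the duplication; at minimum hoist the literal into a single `DEFAULT_VIEWS` constant that both sides consume. The enclosing `for view in views:` loop starts outside the hunk.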
@@ -155,19 +158,7 @@ for view in views: files[f"/var/lib/bind/{view['name']}/db.{zone}"] = { 'owner': 'bind', 'group': 'bind', - 'source': 'db', - 'content_type': 'mako', - 'unless': f"test -f /var/lib/bind/{view['name']}/db.{zone}" if 'keys' in conf else 'false', - 'context': { - 'view': view['name'], - 'serial': datetime.now().strftime('%Y%m%d%H'), - 'records': list(filter( - lambda record: record_matches_view(record, records, view['name']), - unique_records - )), - 'hostname': node.metadata.get('bind/hostname'), - 'type': node.metadata.get('bind/type'), - }, + 'content_type': 'any', 'needs': [ f"directory:/var/lib/bind/{view['name']}", ], @@ -178,6 +169,23 @@ for view in views: 'svc_systemd:bind9:restart', ], } + if node.metadata.get('bind/type') == 'master': + files[f"/var/lib/bind/{view['name']}/db.{zone}"].update({ + 'source': 'db', + 'content_type': 'mako', + 'unless': f"test -f /var/lib/bind/{view['name']}/db.{zone}" if conf.get('dynamic', False) else 'false', + 'context': { + 'view': view['name'], + 'serial': datetime.now().strftime('%Y%m%d%H'), + 'records': list(filter( + lambda record: record_matches_view(record, records, view['name']), + unique_records + )), + 'hostname': node.metadata.get('bind/hostname'), + 'type': node.metadata.get('bind/type'), + 'keys': node.metadata.get('bind/keys'), + }, + }) svc_systemd['bind9'] = {} diff --git a/bundles/bind/metadata.py b/bundles/bind/metadata.py index f13d837..fc60108 100644 --- a/bundles/bind/metadata.py +++ b/bundles/bind/metadata.py @@ -145,15 +145,15 @@ def generate_keys(metadata): return { 'bind': { 'keys': { - key: repo.libs.hmac.hmac_sha512( - 'acme', + zone: repo.libs.hmac.hmac_sha512( + zone, str(repo.vault.random_bytes_as_base64_for( - f"{metadata.get('id')} bind key {key}", + f"{metadata.get('id')} bind key {zone}", length=32, )), ) for zone, conf in metadata.get('bind/zones').items() - for key in set(conf.get('keys', [])) + if conf.get('dynamic', False) }, }, } 
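Review bot: `'keys': node.metadata.get('bind/keys')` hands every zone's HMAC secret to the `db.<zone>` template context, although the only template in this commit that reads `keys` is named.conf.local; if the db template does not use it, drop the entry so the secrets stay out of this render path. The `unless` line also deserves a why-comment, since it is the mechanism that stops the deploy from clobbering a zone file that named rewrites through dynamic updates: `# dynamic zones: render once, then named owns the file — never overwrite it`. The path `f"/var/lib/bind/{view['name']}/db.{zone}"` is now built three times in this loop body; bind it to a local once and reuse it. The enclosing `for view in views:` loop starts outside the hunk.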
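Review bot: The key name is now the zone name, and two other files in this commit hard-code that convention (`allow-update { key "${zone}"; }` in named.conf.local, `hmac-sha512:acme.sublimity.de:` in hook.sh) without anything documenting it; generate_keys should state the contract in its docstring, e.g. `One TSIG key per zone flagged dynamic, named exactly like the zone; named.conf.local and letsencrypt/hook.sh rely on that name.` generate_keys starts outside the hunk.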
diff --git a/bundles/letsencrypt/files/hook.sh b/bundles/letsencrypt/files/hook.sh index 1fc93b8..55916a6 100644 --- a/bundles/letsencrypt/files/hook.sh +++ b/bundles/letsencrypt/files/hook.sh @@ -7,18 +7,37 @@ deploy_challenge() { SERVER=${server} DOMAIN=$1 CHALLENGE=$3 - KEY=hmac-sha512:acme:${acme_key} + KEY=hmac-sha512:acme.sublimity.de:${acme_key} cmd=" server 162.55.188.157 zone acme.sublimity.de. - update delete $DOMAIN.$ACME_ZONE. TXT update add $DOMAIN.$ACME_ZONE. 60 IN TXT \"$CHALLENGE\" send " echo "$cmd" echo "$cmd" | nsupdate -y $KEY - sleep 10 + sleep 20 +} + +clean_challenge() { + set -e + set -u + set -o pipefail + + ACME_ZONE=${zone} + SERVER=${server} + DOMAIN=$1 + CHALLENGE=$3 + KEY=hmac-sha512:acme.sublimity.de:${acme_key} + cmd=" + server 162.55.188.157 + zone acme.sublimity.de. + update delete $DOMAIN.$ACME_ZONE. TXT + send + " + echo "$cmd" + echo "$cmd" | nsupdate -y $KEY } deploy_cert() {<%text> @@ -55,6 +74,6 @@ exit_hook() {<%text> <%text> HANDLER="$1"; shift -if [[ "${HANDLER}" =~ ^(deploy_cert|exit_hook|deploy_challenge)$ ]]; then +if [[ "${HANDLER}" =~ ^(deploy_cert|exit_hook|deploy_challenge|clean_challenge)$ ]]; then "$HANDLER" "$@" fi diff --git a/bundles/letsencrypt/items.py b/bundles/letsencrypt/items.py index 6e0b555..dd793c6 100644 --- a/bundles/letsencrypt/items.py +++ b/bundles/letsencrypt/items.py @@ -24,7 +24,7 @@ files = { 'context': { 'server': node.metadata.get('network/external/ipv4').split('/')[0], 'zone': node.metadata.get('bind/acme_hostname'), - 'acme_key': node.metadata.get('bind/keys/acme'), + 'acme_key': node.metadata.get('bind/keys/acme.sublimity.de'), }, 'mode': '0755', }, @@ -37,7 +37,7 @@ files = { } actions['letsencrypt_update_certificates'] = { - 'command': 'dehydrated --cron --accept-terms --challenge http-01', + 'command': 'true || dehydrated --cron --accept-terms --challenge http-01', 'triggered': True, 'skip': delegated, 'needs': { 
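Review bot: Both `nsupdate -y $KEY` calls pass the HMAC secret as a command-line argument, which the nsupdate manual itself discourages because it is visible in `ps` output to every local user for the duration of the update; write the key to a root-only file (a separate file item with mode 0600) and call `nsupdate -k <keyfile-placeholder>` instead. The new clean_challenge copies the whole preamble of deploy_challenge, and both still hard-code `server 162.55.188.157` and `zone acme.sublimity.de.` while `SERVER=${server}` and `ACME_ZONE=${zone}` are assigned and never used — use `server $SERVER` and `zone $ACME_ZONE.` and fold the shared setup into one helper. deploy_challenge starts outside the hunk.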
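Review bot: `node.metadata.get('bind/keys/acme.sublimity.de')` hard-codes the zone name one line below `'zone': node.metadata.get('bind/acme_hostname')`, so a node whose acme_hostname differs gets the right zone but no key; derive the key path from the same metadata, `'acme_key': node.metadata.get(f"bind/keys/{node.metadata.get('bind/acme_hostname')}"),`. hook.sh bakes the same literal into `KEY=hmac-sha512:acme.sublimity.de:` and should build it from the `zone` context value instead. The enclosing files dict starts outside the hunk.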
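Review bot: `'command': 'true || dehydrated --cron …'` short-circuits to `true`, so the renewal action never runs dehydrated on any node applying this bundle while still reporting success; if the intent is to pause renewals during the dns-01 rewrite, the `'skip'` field or a comment stating why is the place, not a silent command change. The `--challenge http-01` flag also no longer matches hook.sh, whose deploy_challenge and clean_challenge implement the dns-01 nsupdate flow. The actions entry continues outside the hunk.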
@@ -56,6 +56,6 @@ for domain in node.metadata.get('letsencrypt/domains').keys():
 'svc_systemd:nginx',
 },
 'triggers': {
- 'action:letsencrypt_update_certificates',
+ 'action:letsencrypt_update_certificates',
 },
 }
diff --git a/nodes/htz.mails.py b/nodes/htz.mails.py
index 10d98c1..aa0a126 100644
--- a/nodes/htz.mails.py
+++ b/nodes/htz.mails.py
@@ -65,6 +65,8 @@
 'domains': {
 'ckn.li': set(),
 'test1.ckn.li': set(),
+ 'test2.ckn.li': set(),
+ 'test3.ckn.li': set(),
 'sublimity.de': set(),
 'freibrief.net': set(),
 },