diff --git a/bundles/bind/files/db b/bundles/bind/files/db
index 46d1bb2..fee1f9f 100644
--- a/bundles/bind/files/db
+++ b/bundles/bind/files/db
@@ -5,21 +5,19 @@ def column_width(column, table):
 $TTL 600
 @ IN SOA ns.sublimity.de. admin.sublimity.de. (
     2020080302 ;Serial
-    1200 ;Refresh
-    600 ;Retry
+    600 ;Refresh
+    300 ;Retry
     1209600 ;Expire
-    600 ;Negative response caching TTL
+    300 ;Negative response caching TTL
 )
 
 % for record in sorted(records, key=lambda r: (r['name'], r['type'], r['value'])):
-    % for part in (record['value'][i:i+255] for i in range(0, len(record['value']), 255)):
-${record['name'].ljust(column_width('name', records))} \
+${(record['name'] or '@').ljust(column_width('name', records))} \
 IN \
 ${record['type'].ljust(column_width('type', records))} \
-        % if record['type'] == 'TXT':
-"${part}"
-        % else:
-${part}
-        % endif
-    % endfor
+    % if record['type'] == 'TXT':
+(${' '.join('"'+record['value'][i:i+255]+'"' for i in range(0, len(record['value']), 255))})
+    % else:
+${record['value']}
+    % endif
 % endfor
diff --git a/bundles/bind/files/named.conf b/bundles/bind/files/named.conf
new file mode 100644
index 0000000..f2b4b65
--- /dev/null
+++ b/bundles/bind/files/named.conf
@@ -0,0 +1,3 @@
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
diff --git a/bundles/bind/files/named.conf.local b/bundles/bind/files/named.conf.local
index b81b6d8..25fec94 100644
--- a/bundles/bind/files/named.conf.local
+++ b/bundles/bind/files/named.conf.local
@@ -5,4 +5,4 @@ zone "${zone}" {
 };
 % endfor
 
-// include "/etc/bind/zones.rfc1918";
+include "/etc/bind/zones.rfc1918";
diff --git a/bundles/bind/files/named.conf.options b/bundles/bind/files/named.conf.options
new file mode 100644
index 0000000..a59bbf2
--- /dev/null
+++ b/bundles/bind/files/named.conf.options
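Review bot: The new TXT line `(${' '.join('"'+record['value'][i:i+255]+'"' ...)})` splits the value into 255-octet strings but never escapes `"` or `\` inside it, so a TXT value containing either character renders an unparsable zone file that named refuses to load. Escape each chunk after splitting (escaping first would count escape bytes against the 255 limit and could cut an escape sequence in half): `(${' '.join('"' + record['value'][i:i+255].replace('\\', '\\\\').replace('"', '\\"') + '"' for i in range(0, len(record['value']), 255))})`. The SOA serial `2020080302` a few lines above is an unchanged context value, so the new refresh/retry/negative-TTL timers, like any record change this template renders, will not reach secondaries unless the serial is bumped somewhere outside this hunk.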
@@ -0,0 +1,7 @@
+options {
+    directory "/var/cache/bind";
+    dnssec-validation auto;
+    listen-on-v6 { any; };
+    max-cache-size 20%;
+    querylog yes;
+};
diff --git a/bundles/bind/items.py b/bundles/bind/items.py
index bea90d7..eca0d68 100644
--- a/bundles/bind/items.py
+++ b/bundles/bind/items.py
@@ -18,6 +18,26 @@ files['/etc/default/bind9'] = {
     ],
 }
+files['/etc/bind/named.conf'] = {
+    'owner': 'root',
+    'group': 'bind',
+    'needed_by': [
+        'svc_systemd:bind9',
+    ],
+    'triggers': [
+        'svc_systemd:bind9:restart',
+    ],
+}
+files['/etc/bind/named.conf.options'] = {
+    'owner': 'root',
+    'group': 'bind',
+    'needed_by': [
+        'svc_systemd:bind9',
+    ],
+    'triggers': [
+        'svc_systemd:bind9:restart',
+    ],
+}
 
 files['/etc/bind/named.conf.local'] = {
     'content_type': 'mako',
     'context': {
diff --git a/bundles/bind/metadata.py b/bundles/bind/metadata.py
index e0d5b7c..e537b9e 100644
--- a/bundles/bind/metadata.py
+++ b/bundles/bind/metadata.py
@@ -46,9 +46,8 @@ def collect_records(metadata):
                 ),
                 key=len,
             )
-
             if matching_zones:
-                zone = matching_zones[0]
+                zone = matching_zones[-1]
             else:
                 continue
 
@@ -77,7 +76,7 @@ def ns_records(metadata):
             'bind': {
                 'zones': {
                     zone: [
-                        {'name': '', 'type': 'NS', 'value': f"{metadata.get('bind/domain')}."},
+                        {'name': '@', 'type': 'NS', 'value': f"{metadata.get('bind/domain')}."},
                     ] for zone in metadata.get('bind/zones').keys()
                 },
             },
diff --git a/bundles/mailserver/metadata.py b/bundles/mailserver/metadata.py
index 1204186..99c539b 100644
--- a/bundles/mailserver/metadata.py
+++ b/bundles/mailserver/metadata.py
@@ -45,7 +45,7 @@ def dns(metadata):
 
     for domain in metadata.get('mailserver/domains'):
         dns[domain] = {
-            'MX': [f'5 {domain}'],
+            'MX': [f'5 {domain}.'],
             'TXT': ['v=spf1 a mx -all'],
         }
 
diff --git a/bundles/users/metadata.py b/bundles/users/metadata.py
index bc392eb..6eb5df7 100644
--- a/bundles/users/metadata.py
+++ b/bundles/users/metadata.py
@@ -1,6 +1,5 @@
 from base64 import b64decode
 
-
 defaults = {
     'users': {
         'root': {
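Review bot: The new options block states no `recursion`, `allow-recursion` or `allow-transfer` policy, so a host that serves public zones and listens on every IPv6 address (`listen-on-v6 { any; };`) inherits BIND's defaults; depending on the BIND version, `allow-transfer` defaults to `any`, which hands the full contents of every zone to anyone who asks. For an authoritative-only server make the policy explicit, e.g. `recursion no;` and `allow-transfer { none; };` (or the secondaries' addresses). `querylog yes;` logs every query together with the client address on a public-facing server; that grows quickly and is personal data, so if it is only needed for debugging it is better left off here and toggled at runtime with `rndc querylog`.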
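Review bot: The two added item dicts for `/etc/bind/named.conf` and `/etc/bind/named.conf.options` are byte-for-byte identical apart from the path, so any later change (adding a `mode`, switching the trigger to a reload) has to be made twice; a short loop keeps one definition. Neither entry sets `mode`, which is fine for these files if the bundlewrap default is what you want, but stating it keeps them consistent with whatever the other file items in this file do.
```python
for path in ('/etc/bind/named.conf', '/etc/bind/named.conf.options'):
    files[path] = {
        'owner': 'root',
        'group': 'bind',
        'needed_by': [
            'svc_systemd:bind9',
        ],
        'triggers': [
            'svc_systemd:bind9:restart',
        ],
    }
# … unchanged: files['/etc/bind/named.conf.local'] item …
```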
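Review bot: `zone = matching_zones[-1]` is correct only because of the `sorted(..., key=len)` just above it, and nothing in the code says that the last element is wanted because it is the longest, most specific zone; add `# sorted by length, so the last match is the most specific zone` above the assignment. collect_records starts and ends outside this hunk and the filter that builds matching_zones is not visible, so whether a name can still match a zone that is merely a string suffix (no label boundary) cannot be judged from here.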
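Review bot: Two spellings of the zone apex now coexist: this hunk emits `'name': '@'` while bundles/bind/files/db in the same commit still maps an empty name with `record['name'] or '@'`, and the template's sort key `(r['name'], r['type'], r['value'])` orders `''` and `'@'` differently, so apex records from the two sources are not sorted together. Normalize in one place — either keep `''` here and let the template translate, or map `''` to `'@'` once where records are collected — and drop the other spelling. ns_records starts outside this hunk.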
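Review bot: `'MX': [f'5 {domain}.']` makes the target absolute, but the target is still the mail domain itself rather than the host running the mailserver; for islamicstate.eu, which this commit adds to `mailserver/domains` with `'A': ['1.2.3.4']` in nodes/htz.mails.py, mail would be delivered to 1.2.3.4, not to this node. If every listed domain is meant to resolve to the mailserver, a comment saying so would settle the question; otherwise point the MX at the mailserver hostname, presumably something like `'MX': [f"5 {metadata.get('mailserver/hostname')}."]` if that key exists in this bundle's metadata. dns starts outside this hunk.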
@@ -18,7 +17,7 @@ def user(metadata):
 
     for name, config in metadata.get('users').items():
         users[name] = {
-            'authorized_keys': []
+            'authorized_keys': [],
         }
 
         if not 'full_name' in config:
@@ -31,7 +30,7 @@ def user(metadata):
             users[name]['shell'] = '/bin/bash'
 
         if not 'privkey' in users[name] and not 'pubkey' in users[name]:
-            privkey, pubkey = repo.libs.ssh.generate_ad25519_key_pair(
+            privkey, pubkey = repo.libs.ssh.generate_ed25519_key_pair(
                 b64decode(str(repo.vault.random_bytes_as_base64_for(f"{name}@{metadata.get('id')}", length=32)))
             )
             users[name]['keytype'] = 'ed25519'
diff --git a/data/dkim/islamicstate.eu.privkey.enc b/data/dkim/islamicstate.eu.privkey.enc
new file mode 100644
index 0000000..4de106a
--- /dev/null
+++ b/data/dkim/islamicstate.eu.privkey.enc
@@ -0,0 +1 @@ +encrypt$gAAAAABg1uKdl_1A48p7K8tAxh-3QrP8XEplOoQ0VPf4ioO5MN7EF-cJr6QaYEE8zGyJ1luIcqIs8gOICYnMBM6_PsHLkTRq4cvdoEy3989F26fLrc8n2VaXe1eXhe6f87slT4ZR64NJL9UKhaZpkWKXTzDxJd621-wb8MUXJdTg_aJFDh0YK2Qh2waayiQeGa4IY6IOp68un0DIw_XrawxJgZZn9lae1oWdkg_hZeeuZS09kGBVYdwkJDC_mmebwJzYPxek96bn5vdxm2-YTVoeB8PyGA5q8gRJSKyuxtqBQAJJhXJtBdQX--mh0lA3PzCmhA_qwIEhqmJjiE6InnFkFADibofpJsT2MLuS-1PyeD54lhuMZlY9J6HU2fDWdlCVF9K-vy04mjBpWdUU_CUdURkRdOwVrdzt5P2CgilXSaM2nmK_uEWMLsh0SoOJoqyKZaCJ_5TO7ztM_4_vLyNN379F3wVw2iLF_R-cBtZbgERTkvfUw5ppUGYDSyq125cwXJtGTBWK35SU7_5PEID_JjijYcGEe7o4uOj3zqqK3V2JVVBplc45cJi_BIbb77alC1IDKI6MR608qNmutlcKNyRD1JvhwmAP4BDr-gnA4R5NtMRS0s-ZVqxfE8d2yrZJx3EgNxJ3wujlE9QaNxory_utU6i3fnPWNgyXO7UwtVhF_CFEmcB43nDs7Hw5Uzo4Sq-wvgM_Lepj7kLrznqL1PUWucy5ETa9wWZoEf9_1w6T3kJ5Df1nft8N9JI66WUcOiCk4tc5x1qcn1EGVxM_4Pw37kbAUL3tQW-DuUxa1lnKzmLGwgpyV72a1Ivzr46yuIgVOGF5sCFa5yUTS5Uvny8qZ0jBOf9hVJE0ewdrYh9bap8xSo4qC4EZC8YXhZg5_0-WsS7myccSScYEzCUlTdafOrHoO1f4_NBUivUBlO5cRBGoy6O7m-C5MeXaPkglijYhX5iBg_nYKFOgIldF2v0JC1VCsnXCiiC3r6vpNAYl06vAXPJoESx8B9qHdQvU8iJ9ZVTQxMYXTVMRzni6ZA8xunfeHd60vouS67E1yjEMQ56eTqaDDeTYTbMRV6AgZYE-JJQPQkJCqjB3j_bIEpyFEKRnCKUU3eu5-hnLIsia2XMlXgmCwVJm3is_LKQ5ETeehUYLfInccH-nUI7t6qe1v8qQ0JsLERO9Qcfr19_W8ESR5z0ludb2FgjcTUFQiZVXcXGMyinUZsQY6RIOOZ1r-89XjsW5PSmdbM7edxuL_8pWhCMGvZMgU3XHehqYfeWXSVchJbGXSPpCPNfhEmzINWk8BwWyl9YQjWt35_nK0smOzTnPLrfhBVU8uw05KXe6rd0FSdUrj2VCW0y4ii4TMsyFYC_ZTw7x-VkVqdphWzaT28N_wqQZlxFrHWMN02iocbivxEr1UE_VeI6DQQ9ueDPxJoiH6IkTa9Ct_sTKoMD19O_TGg7DrLWZ97tohJQtc4oolFYJ57COu53sR3xbIHfJMYzjRyrZpVPlTkhKH9qMVXxy8e1WNyjOc8-S9Diuv7AFegAYXcye9_b-4facFkEVc4HZws6fht0iQHfUMnk4qmGCxSEuZxo1c0htkWG0eZ5VTq01PHt9EOBkj4A6zM6PPqrqL_NyeF4nvH5_hLmFeSQBfN4iTIlVL9ANexUXQ8u2o2gbmkpsoNP375uClDEWYuElHTiemuIw-cp9KfPyafrOyv3zAZHQ6Eh-Z71-FN-mIqAHpe2DjhG688VNkQnnyXYS4SjXCmN0qdvFzBSzYG-kxV02VTEVoa7jynYWpUqSjkURZZspTVLHA3Iw7m2kdENVBbK0vHkFmhIm0MfXIyJ4pnE1kdeDzB9QycUHK1WSuqiqotsg698BscQ94Z0fUQNt1WJdQZrV0IMS9EXgM29IBjaVWc7yJhqIMLDVio2_7QrfRdqzBoteRSE8Pfq2gLAHL6n0W3IAqV0H5CL1VrKni
a83U1y7Gq_yrQh9_E2YoE3YNOI2zNwbUtA5WRNNxNbyjFgupfnx8XvINljNaaRrK8XkPnhaJw1yfTP__LbnL1UruKdHfRMeJYj_W9Kp3TatbllGTq5zN88O22cJWMYKGIBioIB8eZMyLPc8bgA-MGwVscrvFtxspOHASCJ5b1VVtASczIncFldiju9lS_3fNi6UgCDSGw236DLsXZzR_pjjlQkubTwffJscwKmo5hqzx9fYhxiipkL-VGINyF1qClc5ydIWpMzhMPsS-sbvSKau8M9fBlKmlxYDp_uVdy4n-NmYJho1uMUyTnREd5qF0_v8an4oMNldUGy7k0cnbDD7_av7BICX_MIizcgzoAckHSG6RHK-wyx4xqmAb4I=
\ No newline at end of file
diff --git a/data/dkim/islamicstate.eu.pubkey b/data/dkim/islamicstate.eu.pubkey
new file mode 100644
index 0000000..4be1464
--- /dev/null
+++ b/data/dkim/islamicstate.eu.pubkey
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHb5hZmUHCe1Rc0OKbnqD20YkhUI2/PaQCEMORZHfOWUSSlLmZcye9kYBTcXNPE4uDW7dCqo2Ng+rXzl3AOcjx12JrFPNi2HN3sHj+bbcsr05ZLYIHvAeWJuV39/A1Xf8yyZ9fzlpAK+fBqKIo+UEnv1ViEBDrdL5LIC90cBmayBcHyvtLBJqoutIOqwNkyXyw7ATPRwTzfevS1iObEmhpkdY2eWfbFQg1TDjcrGALOc0u4BDH9cyit2smAsh4HNpaPhZLJ6X1O0IpfMArv2xyyMkkJI6iRzgOf1Rk68nMKuV8HhvEdI934o9bRcqT9u0LUCWdKhG/OSAcSkUFCBZ9
\ No newline at end of file
diff --git a/data/dkim/mail3.sublimity.de.privkey.enc b/data/dkim/mail3.sublimity.de.privkey.enc
new file mode 100644
index 0000000..ada3ca8
--- /dev/null
+++ b/data/dkim/mail3.sublimity.de.privkey.enc
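Review bot: Both new public-key files, data/dkim/islamicstate.eu.pubkey here and data/dkim/mail3.sublimity.de.pubkey further down, are in OpenSSH `ssh-rsa` wire format, whereas the `p=` value of a DKIM TXT record is the base64 of the DER-encoded SubjectPublicKeyInfo (the `MIIB…` string that `openssl rsa -pubout` produces); the SSH encoding is a different structure and a record built from it verbatim will not verify. How these files are consumed is not visible in this diff, so if the DNS side already converts them this is moot; otherwise store the SPKI form, which `ssh-keygen -e -m PKCS8 -f <pubkey-file>` can produce from the existing file.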
@@ -0,0 +1 @@ +encrypt$gAAAAABg1uyiaIUW_xg6bDDltvSBvSx2D2A4ZPdJTNAkgkKNCwT6ByS-QAUEHd8_DPUGL4KX2bJWoZCCDbQOhGOt7-uZvEYyMRweoMHLuSdNe65ryuQWa4EoLnnB1ek-hzdoRDIya5oaF7J3p0xse5Wy_PvS-tQRNrJ5m7f40KUGOYu6XEAMOAE07F9cG6iDbFp3WFH8SdfBsjVH_LzMb4F5HPCkPh7RshcJ0CMs_RAmxE9T07jzi0zfYWbG_R_DuPaSOXNNbD1euGaVkQfaZKWpHQQSM45YISsdW64CLVSGZlsLZOeUoGbq0PFE6Y-WUZ3g7PKBtlCvBYzqhRBqNyY4dTD_PmcykETUEtp_QoQNJBhmy9HgyHPyl0fwJwdo9YqRtqIYXgXsQ1zs2okvupBKSV_vh-28fHRknOEZfxM04ALCZWTdGpswY3RQrVbMToz58ZwhH1dwtFoFccYrKgZpzLQtkmg3AwuabPn6VtO1pSxAFPXspGc3o1lwkapTETn0j42IfVaanYghIOa2PV8szMEnKJcZ5Rf99i8lQk3F9t8PgRXbXBKPrzKFbrzu4W335V7LeZxLUZEW39-FWz6WUMJ8IfpXLGKNuKsU67dO4pempf5RSA1USCF4el3qmvdfMm1hxgWc88kBfr1_MFFPtJqBQCPO6MjXZJ4dV4CudT-vf1GVZQhczoK7fyUN-OSzJ0EtsDKbvxS4lVySrBI1PMPVI7Ah1eRJ2KJHsNe2uKcVZvKqpCYZJdi5g9vqr2eofCAgyNBa9tNWR4tMuoQ3vht7OSR1S4LW_Zky1x3jo65oXiU-9wQE0VpQccjHX5N0jYVUhexk9Q1xO3oj0qMMw4JcL77H4_CmdUgKCPoWO3VHSlSh4JD4iSTLKyWl6frx2aPMHbiDOK9TMiLY9cEOCIkawCSJ4IeFMd0QTRG_Ly-ngeIuKINZYcH5IuwpIZKwBIQ8vweJdX5pO58rwVOOnDWCvYdTwzqC7NsRNSXwW3567gE8orH8EUZ3HWGr4HcJeTuJ4ewM-MH2aPWLNjCzhd-jgWtanHVGHsC4qdwpOZAjr_zbMUvegxA1ZWqeSUkvdscJgBivJKOZIC-fNi8t6vVBu1aUMr-Cb_HV3LV94GdPZz765tr-bJ4JpJswnoWFnF4njP0EnoCN2WmoLpC6ivjhgaulaWlF1MrqpnjhgkkbUPHJVL8dCDThmNihJeAGcUCNKD-5pQrsHEmZsLWphcK6XzfYxXIWBZe_7WlZ49T62lhpoelxNXhgDEncr6Z4Z0Gqx4sjRBBz-UcCh4uR3hMC-bZUyTdzCZhhxbqt0w5DCq0tAK1XHszkZlkc5ceckbSZSlc_mE4aPhv1w3sUs4duSHBqxfbrr9fAfay2k1Etc0nDiH3n19txDKAUyZUpb_0NoXbczG0x51MjdR5w5rSoU4jcQ6FHlMHVYse5Qg-EYEnH5o1MP2RrWB4-q9i6wEeDzdKgbVWgO1MBr3uK82NsFiZD6oPa_Yb_Sw-Y5-UzJ_tjG4DysXimcGney8CuXsHVBuYsJKPjrEGnKpbmWuopZ83f7FPzFEjZVWOPPRE2Nef9tNz2p5bF0rt5iv_vOS8UUMdEY7n4fWYpcGQPOZ1DhMXAvIz_yQx3mZYWGnaU3zDwIm_ryeVElYpV06Yk6dRCq6p4mTMFM7LrK_kv47BguMRx2mRfr_WtfSr1mxBSV8-0OaXVpDMeutzoBnYL3-RrfVklri36l0wtC2kft6taOHYH0e883APweTIz-_1VUVYIB9zdM6QvMx6-U9Jd1rC7Fdg24F-2SAAeUKclM7SNK7OiMD4opk7EUncnwSdDYlFFMqTNmliVuUPW_4YWsNHpHUajyuKfanCiVltw5Bx4xWwyHFYc5rIK4c5nkT3Hc7-SQas1Rxxfrny148QFxF-4ZdPQdF9r81Qfk7VcotCgBTfplupSqYVGNMboPwNLOwsOG7D7f
CVx8915L7tVuYWLLi6HT5iC2ML393QYAm_YfypFCS7BzvTCw_sr0K03zgnk63y8XKJltPBRZuouB94WgkfSCMoB3R_66Dtnl8icLJDV0QpHwtFSLcjUYKPlyaN0a3SffHr1ExJtzsw9Bvqrp85S1ii1Uj-TVu4SU8rtTKme5GQ6-WS9jt2Dw_3Me7c6Ms5L3B-t9G2ZhI-O5Q2lzkXNdN2KN70wT-GjOXPuolwFkcDGDYM6QueB_nAQErsTtuMeiyQVO7j97dkNVMhUn-ZRUBUNs_nP7CPMw8uki903gPLmC3kJFKZ73u0wzv0SkWMSj4A_0b6o1J-2ixD97pIWPwnbOIEU_8u0fY3GMXsjK8t-usdzkTgD427zh23t3Uk=
\ No newline at end of file
diff --git a/data/dkim/mail3.sublimity.de.pubkey b/data/dkim/mail3.sublimity.de.pubkey
new file mode 100644
index 0000000..705f49c
--- /dev/null
+++ b/data/dkim/mail3.sublimity.de.pubkey
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbsx9bRuzwTsAiFeuYq00Xtxlqqu+aNLBDGFIVSAVETojhqmNlBBaZ0R3mxT/YVkGPYQC5IOF4lZRtCjcRs3QKSJCHxEs3dHba84wP1wg0y1X9WK8pkXiZo9BgbUbxkJz6EWg5FUM/LYWly2lTg4VY/YvoMEKUEicr2fAJuDYiUnK6WXcYIfgHe3Jfjw2IE/oNuk8p1XoazCPcLLw7xT6TleVE/t3pZT0AYFOepm1HQ9xTDS475E4Rn11OkGC7Wd+Roqguer/zAT0353iKIQNj1H3pxHiKY84TFs36p7m3CbeEFDDfdi3bbBFy3Rm9774/mVXyLVE5ZGoKfU8rS0TT
\ No newline at end of file
diff --git a/libs/ssh.py b/libs/ssh.py
index 2f59072..1bbcbf6 100644
--- a/libs/ssh.py
+++ b/libs/ssh.py
@@ -3,7 +3,7 @@ from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
 from cryptography.hazmat.primitives import serialization
 
 
-def generate_ad25519_key_pair(secret):
+def generate_ed25519_key_pair(secret):
     privkey_bytes = Ed25519PrivateKey.from_private_bytes(secret)
 
     nondeterministic_privatekey = privkey_bytes.private_bytes(
diff --git a/nodes/htz.mails.py b/nodes/htz.mails.py
index cf8285a..28943d1 100644
--- a/nodes/htz.mails.py
+++ b/nodes/htz.mails.py
@@ -15,6 +15,7 @@
         'zfs',
     ],
     'metadata': {
+        'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae',
         'bind': {
             'domain': 'ns.sublimity.de',
             'zones': {
@@ -28,9 +29,17 @@
                 'wingl.de': [],
                 'woodpipe.de': [],
                 'ckn.li': [],
+                'islamicstate.eu': [],
+            },
+        },
+        'dns': {
+            'islamicstate.eu': {
+                'A': ['1.2.3.4'],
+            },
+            'test.islamicstate.eu': {
+                'AAAA': ['::1337'],
             },
         },
-        'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae',
         'network': {
             'interface': 'eth0',
             'ipv4': '162.55.188.157/32',
@@ -58,7 +67,8 @@
             'hostname': 'mail2.sublimity.de',
             'admin_email': 'postmaster@sublimity.de',
             'domains': [
-                'mail2.sublimity.de',
+                'mail3.sublimity.de',
+                'islamicstate.eu',
                 # 'sublimity.de',
                 # 'freibrief.net',
                 # 'nadenau.net',
@@ -78,9 +88,6 @@
             'version': '1.4.11',
             'installer': True,
         },
-        'users': {
-            'test': {},
-        },
         'vm': {
             'cpu': 2,
         },
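Review bot: The new `'A': ['1.2.3.4']` for islamicstate.eu and `'AAAA': ['::1337']` for test.islamicstate.eu look like placeholder addresses: this node's own address is `'ipv4': '162.55.188.157/32'` a few lines below, and because the same commit adds islamicstate.eu to the mailserver domains and makes the MX target the domain itself, mail for that domain would be directed at 1.2.3.4 once the zone is published. If the values are intentional, a comment such as `# external host, not this node` next to them would pre-empt the question; otherwise use the real addresses or leave the records out until they are known.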
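Review bot: `'domains'` now lists `'mail3.sublimity.de'` while the unchanged `'hostname': 'mail2.sublimity.de'` two lines above still names the old host, and the DKIM key files added in this commit are named for mail3; one of the two is likely stale. If the host was renamed, change the context line to `'hostname': 'mail3.sublimity.de',` as well; if it was not, the domain entry and the key file names should say mail2 so that the HELO name, the domain list and the DKIM selector data agree.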