cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests8 Projects Releases Wiki Activity

eip

Browse source
This commit is contained in:
mwiegand 2021-11-07 11:46:00 +01:00
parent d9c01370a1
commit 76f05a43fb
6 changed files with 122 additions and 59 deletions

30
bundles/bind/files/named.conf.local
View file

@ -1,21 +1,31 @@
% for view in views:
acl "${view['name']}" {
${' '.join(f'{e};' for e in view['acl'])}
% for view_name, view_conf in views.items():
acl "${view_name}" {
${' '.join(f'{e};' for e in view_conf['acl'])}
};
% endfor
% for name, token in keys.items():
% for view_name, view_conf in views.items():
% for name, token in view_conf['keys'].items():
key "${name}" {
algorithm hmac-sha512;
secret "${token}";
};
% endfor
% endfor
% for view in views:
view "${view['name']}" {
match-clients { ${view['name']}; };
% for view_name, view_conf in views.items():
view "${view_name}" {
match-clients {
% for rejected_client in view_conf['rejected_clients']:
! ${rejected_client};
% endfor
% for key in view_conf['keys']:
${key};
% endfor
${view_name};
};
% if view['is_internal']:
% if view_conf['is_internal']:
recursion yes;
% else:
recursion no;
@ -33,7 +43,7 @@ view "${view['name']}" {
};
% for zone, conf in sorted(zones.items()):
<% if view['name'] not in conf.get('views', ['internal', 'external']): continue %>
<% if view_name not in conf.get('views', ['internal', 'external']): continue %>
zone "${zone}" {
type ${type};
% if type == 'slave':
@ -42,7 +52,7 @@ view "${view['name']}" {
% if type == 'master' and zone in keys:
allow-update { key "${zone}"; };
% endif
file "/var/lib/bind/${view['name']}/db.${zone}";
file "/var/lib/bind/${view_name}/db.${zone}";
};
% endfor

44
bundles/bind/items.py
View file

@ -68,33 +68,15 @@ files['/etc/bind/named.conf.options'] = {
],
}
views = [
{
'name': 'internal',
'is_internal': True,
'acl': [
'127.0.0.1',
'10.0.0.0/8',
'169.254.0.0/16',
'172.16.0.0/12',
'192.168.0.0/16',
]
},
{
'name': 'external',
'is_internal': False,
'acl': [
'any',
]
},
]
files['/etc/bind/named.conf.local'] = {
'content_type': 'mako',
'context': {
'type': node.metadata.get('bind/type'),
'master_ip': master_ip,
'views': views,
'views': dict(sorted(
node.metadata.get('bind/views').items(),
key=lambda e: (e[1].get('default', False), e[0]),
)),
'zones': zones,
'hostname': node.metadata.get('bind/hostname'),
'keys': node.metadata.get('bind/keys'),
@ -130,8 +112,8 @@ def record_matches_view(record, records, view):
return False
return True
for view in views:
directories[f"/var/lib/bind/{view['name']}"] = {
for view_name, view_conf in node.metadata.get('bind/views').items():
directories[f"/var/lib/bind/{view_name}"] = {
'owner': 'bind',
'group': 'bind',
'purge': True,
@ -144,7 +126,7 @@ for view in views:
}
for zone, conf in zones.items():
if view['name'] not in conf.get('views', ['internal', 'external']):
if view_name not in conf.get('views', ['internal', 'external']):
continue
records = conf['records']
@ -155,11 +137,11 @@ for view in views:
)
]
files[f"/var/lib/bind/{view['name']}/db.{zone}"] = {
files[f"/var/lib/bind/{view_name}/db.{zone}"] = {
'owner': 'bind',
'group': 'bind',
'needs': [
f"directory:/var/lib/bind/{view['name']}",
f"directory:/var/lib/bind/{view_name}",
],
'needed_by': [
'svc_systemd:bind9',
@ -169,15 +151,15 @@ for view in views:
],
}
if True or node.metadata.get('bind/type') == 'master': #FIXME: slave doesnt get updated if db doesnt get rewritten on each apply
files[f"/var/lib/bind/{view['name']}/db.{zone}"].update({
files[f"/var/lib/bind/{view_name}/db.{zone}"].update({
'source': 'db',
'content_type': 'mako',
'unless': f"test -f /var/lib/bind/{view['name']}/db.{zone}" if conf.get('dynamic', False) else 'false',
'unless': f"test -f /var/lib/bind/{view_name}/db.{zone}" if conf.get('dynamic', False) else 'false',
'context': {
'view': view['name'],
'view': view_name,
'serial': datetime.now().strftime('%Y%m%d%H'),
'records': list(filter(
lambda record: record_matches_view(record, records, view['name']),
lambda record: record_matches_view(record, records, view_name),
unique_records
)),
'hostname': node.metadata.get('bind/hostname'),

91
bundles/bind/metadata.py
View file

@ -11,7 +11,34 @@ defaults = {
'bind': {
'zones': {},
'slaves': {},
'keys': {},
'views': {
'internal': {
'is_internal': True,
'acl': {
'127.0.0.1',
'10.0.0.0/8',
'169.254.0.0/16',
'172.16.0.0/12',
'192.168.0.0/16',
},
'keys': {},
'rejected_keys': set(),
},
'external': {
'default': True,
'name': 'external',
'is_internal': False,
'acl': {
'any',
},
'keys': {},
'rejected_keys': set(),
},
},
'keys': {
'internal': {},
'external': {},
},
},
'telegraf': {
'config': {
@ -139,21 +166,59 @@ def slaves(metadata):
@metadata_reactor.provides(
'bind/keys',
'bind/views',
)
def generate_keys(metadata):
return {
'bind': {
'keys': {
zone: repo.libs.hmac.hmac_sha512(
zone,
str(repo.vault.random_bytes_as_base64_for(
f"{metadata.get('id')} bind key {zone}",
length=32,
)),
)
for zone, conf in metadata.get('bind/zones').items()
if conf.get('dynamic', False)
},
'views': {
view: {
'keys': {
f'{view}.{zone}': repo.libs.hmac.hmac_sha512(
zone,
str(repo.vault.random_bytes_as_base64_for(
f"{metadata.get('id')} bind {view} key {zone}",
length=32,
)),
)
for zone, conf in metadata.get('bind/zones').items()
if conf.get('dynamic', False)
and view in conf.get('views', metadata.get('bind/views').keys())
}
}
for view in metadata.get('bind/views')
}
},
}
@metadata_reactor.provides(
'bind/views',
)
def collected_rejected_keys_from_other_views(metadata):
return {
'bind': {
'views': {
view: {
'rejected_clients': {
# reject other views keys
*{
key
for other_view, other_conf in metadata.get('bind/views').items()
if other_view != view
and not other_conf.get('default')
for key in other_conf['keys']
},
# reject other views acls
*{
other_view
for other_view, other_conf in metadata.get('bind/views').items()
if other_view != view
and not other_conf.get('default')
},
}
}
for view in metadata.get('bind/views')
}
},
}

8
bundles/letsencrypt/files/hook.sh
View file

@ -4,22 +4,22 @@ set -o pipefail
deploy_challenge() {
echo "
server ${server}
server 10.0.10.2
zone ${zone}.
update add $1.${zone}. 60 IN TXT \"$3\"
send
" | tee | nsupdate -y hmac-sha512:${zone}:${acme_key}
" | tee | nsupdate -y hmac-sha512:${acme_key_name}:${acme_key}
sleep 10
}
clean_challenge() {
echo "
server ${server}
server 10.0.10.2
zone ${zone}.
update delete $1.${zone}. TXT
send
" | tee | nsupdate -y hmac-sha512:${zone}:${acme_key}
" | tee | nsupdate -y hmac-sha512:${acme_key_name}:${acme_key}
}
deploy_cert() {

3
bundles/letsencrypt/items.py
View file

@ -30,7 +30,8 @@ files = {
'context': {
'server': ip_interface(acme_node.metadata.get('network/external/ipv4')).ip,
'zone': acme_node.metadata.get('bind/acme_zone'),
'acme_key': acme_node.metadata.get('bind/keys/' + acme_node.metadata.get('bind/acme_zone')),
'acme_key_name': 'external' + acme_node.metadata.get('bind/acme_zone'),
'acme_key': acme_node.metadata.get('bind/views/external/keys/external.' + acme_node.metadata.get('bind/acme_zone')),
'domains': node.metadata.get('letsencrypt/domains'),
},
'mode': '0755',

5
nodes/home.openhab3.py
View file

@ -40,6 +40,11 @@
},
},
},
'letsencrypt': {
'domains': {
'test11.ckn.li': {},
}
},
'java': {
'version': 11,
},