diff --git a/bundles/bind/files/named.conf.local b/bundles/bind/files/named.conf.local index d388abd..5a0ddc4 100644 --- a/bundles/bind/files/named.conf.local +++ b/bundles/bind/files/named.conf.local @@ -1,21 +1,31 @@ -% for view in views: -acl "${view['name']}" { - ${' '.join(f'{e};' for e in view['acl'])} +% for view_name, view_conf in views.items(): +acl "${view_name}" { + ${' '.join(f'{e};' for e in view_conf['acl'])} }; % endfor -% for name, token in keys.items(): +% for view_name, view_conf in views.items(): +% for name, token in view_conf['keys'].items(): key "${name}" { algorithm hmac-sha512; secret "${token}"; }; % endfor +% endfor -% for view in views: -view "${view['name']}" { - match-clients { ${view['name']}; }; +% for view_name, view_conf in views.items(): +view "${view_name}" { + match-clients { + % for rejected_client in view_conf['rejected_clients']: + ! ${rejected_client}; + % endfor + % for key in view_conf['keys']: + ${key}; + % endfor + ${view_name}; + }; - % if view['is_internal']: + % if view_conf['is_internal']: recursion yes; % else: recursion no; @@ -33,7 +43,7 @@ view "${view['name']}" { }; % for zone, conf in sorted(zones.items()): - <% if view['name'] not in conf.get('views', ['internal', 'external']): continue %> + <% if view_name not in conf.get('views', ['internal', 'external']): continue %> zone "${zone}" { type ${type}; % if type == 'slave': @@ -42,7 +52,7 @@ view "${view['name']}" { % if type == 'master' and zone in keys: allow-update { key "${zone}"; }; % endif - file "/var/lib/bind/${view['name']}/db.${zone}"; + file "/var/lib/bind/${view_name}/db.${zone}"; }; % endfor diff --git a/bundles/bind/items.py b/bundles/bind/items.py index c20ceba..96ef842 100644 --- a/bundles/bind/items.py +++ b/bundles/bind/items.py @@ -68,33 +68,15 @@ files['/etc/bind/named.conf.options'] = { ], } -views = [ - { - 'name': 'internal', - 'is_internal': True, - 'acl': [ - '127.0.0.1', - '10.0.0.0/8', - '169.254.0.0/16', - '172.16.0.0/12', - '192.168.0.0/16', - ] - }, - { - 'name': 'external', - 'is_internal': False, - 'acl': [ - 'any', - ] - }, -] - files['/etc/bind/named.conf.local'] = { 'content_type': 'mako', 'context': { 'type': node.metadata.get('bind/type'), 'master_ip': master_ip, - 'views': views, + 'views': dict(sorted( + node.metadata.get('bind/views').items(), + key=lambda e: (e[1].get('default', False), e[0]), + )), 'zones': zones, 'hostname': node.metadata.get('bind/hostname'), 'keys': node.metadata.get('bind/keys'), @@ -130,8 +112,8 @@ def record_matches_view(record, records, view): return False return True -for view in views: - directories[f"/var/lib/bind/{view['name']}"] = { +for view_name, view_conf in node.metadata.get('bind/views').items(): + directories[f"/var/lib/bind/{view_name}"] = { 'owner': 'bind', 'group': 'bind', 'purge': True, @@ -144,7 +126,7 @@ for view in views: } for zone, conf in zones.items(): - if view['name'] not in conf.get('views', ['internal', 'external']): + if view_name not in conf.get('views', ['internal', 'external']): continue records = conf['records'] @@ -155,11 +137,11 @@ for view in views: ) ] - files[f"/var/lib/bind/{view['name']}/db.{zone}"] = { + files[f"/var/lib/bind/{view_name}/db.{zone}"] = { 'owner': 'bind', 'group': 'bind', 'needs': [ - f"directory:/var/lib/bind/{view['name']}", + f"directory:/var/lib/bind/{view_name}", ], 'needed_by': [ 'svc_systemd:bind9', @@ -169,15 +151,15 @@ for view in views: ], } if True or node.metadata.get('bind/type') == 'master': #FIXME: slave doesnt get updated if db doesnt get rewritten on each apply - files[f"/var/lib/bind/{view['name']}/db.{zone}"].update({ + files[f"/var/lib/bind/{view_name}/db.{zone}"].update({ 'source': 'db', 'content_type': 'mako', - 'unless': f"test -f /var/lib/bind/{view['name']}/db.{zone}" if conf.get('dynamic', False) else 'false', + 'unless': f"test -f /var/lib/bind/{view_name}/db.{zone}" if conf.get('dynamic', False) else 'false', 'context': { - 'view': view['name'], + 'view': view_name, 'serial': datetime.now().strftime('%Y%m%d%H'), 'records': list(filter( - lambda record: record_matches_view(record, records, view['name']), + lambda record: record_matches_view(record, records, view_name), unique_records )), 'hostname': node.metadata.get('bind/hostname'), diff --git a/bundles/bind/metadata.py b/bundles/bind/metadata.py index fc60108..9923532 100644 --- a/bundles/bind/metadata.py +++ b/bundles/bind/metadata.py @@ -11,7 +11,34 @@ defaults = { 'bind': { 'zones': {}, 'slaves': {}, - 'keys': {}, + 'views': { + 'internal': { + 'is_internal': True, + 'acl': { + '127.0.0.1', + '10.0.0.0/8', + '169.254.0.0/16', + '172.16.0.0/12', + '192.168.0.0/16', + }, + 'keys': {}, + 'rejected_keys': set(), + }, + 'external': { + 'default': True, + 'name': 'external', + 'is_internal': False, + 'acl': { + 'any', + }, + 'keys': {}, + 'rejected_keys': set(), + }, + }, + 'keys': { + 'internal': {}, + 'external': {}, + }, }, 'telegraf': { 'config': { @@ -139,21 +166,59 @@ def slaves(metadata): @metadata_reactor.provides( - 'bind/keys', + 'bind/views', ) def generate_keys(metadata): return { 'bind': { - 'keys': { - zone: repo.libs.hmac.hmac_sha512( - zone, - str(repo.vault.random_bytes_as_base64_for( - f"{metadata.get('id')} bind key {zone}", - length=32, - )), - ) - for zone, conf in metadata.get('bind/zones').items() - if conf.get('dynamic', False) - }, + 'views': { + view: { + 'keys': { + f'{view}.{zone}': repo.libs.hmac.hmac_sha512( + zone, + str(repo.vault.random_bytes_as_base64_for( + f"{metadata.get('id')} bind {view} key {zone}", + length=32, + )), + ) + for zone, conf in metadata.get('bind/zones').items() + if conf.get('dynamic', False) + and view in conf.get('views', metadata.get('bind/views').keys()) + } + } + for view in metadata.get('bind/views') + } + }, + } + +@metadata_reactor.provides( + 'bind/views', +) +def collected_rejected_keys_from_other_views(metadata): + return { + 'bind': { + 'views': { + view: { + 'rejected_clients': { + # reject other views keys + *{ + key + for other_view, other_conf in metadata.get('bind/views').items() + if other_view != view + and not other_conf.get('default') + for key in other_conf['keys'] + }, + # reject other views acls + *{ + other_view + for other_view, other_conf in metadata.get('bind/views').items() + if other_view != view + and not other_conf.get('default') + }, + + } + } + for view in metadata.get('bind/views') + } }, } diff --git a/bundles/letsencrypt/files/hook.sh b/bundles/letsencrypt/files/hook.sh index ebe0846..a3d853d 100644 --- a/bundles/letsencrypt/files/hook.sh +++ b/bundles/letsencrypt/files/hook.sh @@ -4,22 +4,22 @@ set -o pipefail deploy_challenge() { echo " - server ${server} + server 10.0.10.2 zone ${zone}. update add $1.${zone}. 60 IN TXT \"$3\" send - " | tee | nsupdate -y hmac-sha512:${zone}:${acme_key} + " | tee | nsupdate -y hmac-sha512:${acme_key_name}:${acme_key} sleep 10 } clean_challenge() { echo " - server ${server} + server 10.0.10.2 zone ${zone}. update delete $1.${zone}. TXT send - " | tee | nsupdate -y hmac-sha512:${zone}:${acme_key} + " | tee | nsupdate -y hmac-sha512:${acme_key_name}:${acme_key} } deploy_cert() { diff --git a/bundles/letsencrypt/items.py b/bundles/letsencrypt/items.py index 6cde675..3f25917 100644 --- a/bundles/letsencrypt/items.py +++ b/bundles/letsencrypt/items.py @@ -30,7 +30,8 @@ files = { 'context': { 'server': ip_interface(acme_node.metadata.get('network/external/ipv4')).ip, 'zone': acme_node.metadata.get('bind/acme_zone'), - 'acme_key': acme_node.metadata.get('bind/keys/' + acme_node.metadata.get('bind/acme_zone')), + 'acme_key_name': 'external' + acme_node.metadata.get('bind/acme_zone'), + 'acme_key': acme_node.metadata.get('bind/views/external/keys/external.' + acme_node.metadata.get('bind/acme_zone')), 'domains': node.metadata.get('letsencrypt/domains'), }, 'mode': '0755', diff --git a/nodes/home.openhab3.py b/nodes/home.openhab3.py index 46ed10c..3254b93 100644 --- a/nodes/home.openhab3.py +++ b/nodes/home.openhab3.py @@ -40,6 +40,11 @@ }, }, }, + 'letsencrypt': { + 'domains': { + 'test11.ckn.li': {}, + } + }, 'java': { 'version': 11, },