cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests 8 Projects Releases Wiki Activity

eip

Browse source
This commit is contained in:
mwiegand 2021-11-07 11:46:00 +01:00
parent d9c01370a1
commit 76f05a43fb
6 changed files with 122 additions and 59 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
bundles/bind/files/named.conf.local
View file

@ -1,21 +1,31 @@
% for view in views: % for view_name, view_conf in views.items():
acl "${view['name']}" { acl "${view_name}" {
${' '.join(f'{e};' for e in view['acl'])} ${' '.join(f'{e};' for e in view_conf['acl'])}
}; };
% endfor % endfor
% for name, token in keys.items(): % for view_name, view_conf in views.items():
% for name, token in view_conf['keys'].items():
key "${name}" { key "${name}" {
algorithm hmac-sha512; algorithm hmac-sha512;
secret "${token}"; secret "${token}";
}; };
% endfor % endfor
% endfor
% for view in views: % for view_name, view_conf in views.items():
view "${view['name']}" { view "${view_name}" {
match-clients { ${view['name']}; }; match-clients {
% for rejected_client in view_conf['rejected_clients']:
! ${rejected_client};
% endfor
% for key in view_conf['keys']:
${key};
% endfor
${view_name};
};
% if view['is_internal']: % if view_conf['is_internal']:
recursion yes; recursion yes;
% else: % else:
recursion no; recursion no;
@ -33,7 +43,7 @@ view "${view['name']}" {
}; };
% for zone, conf in sorted(zones.items()): % for zone, conf in sorted(zones.items()):
<% if view['name'] not in conf.get('views', ['internal', 'external']): continue %> <% if view_name not in conf.get('views', ['internal', 'external']): continue %>
zone "${zone}" { zone "${zone}" {
type ${type}; type ${type};
% if type == 'slave': % if type == 'slave':
@ -42,7 +52,7 @@ view "${view['name']}" {
% if type == 'master' and zone in keys: % if type == 'master' and zone in keys:
allow-update { key "${zone}"; }; allow-update { key "${zone}"; };
% endif % endif
file "/var/lib/bind/${view['name']}/db.${zone}"; file "/var/lib/bind/${view_name}/db.${zone}";
}; };
% endfor % endfor

44
bundles/bind/items.py
View file

@ -68,33 +68,15 @@ files['/etc/bind/named.conf.options'] = {
], ],
} }
views = [
{
'name': 'internal',
'is_internal': True,
'acl': [
'127.0.0.1',
'10.0.0.0/8',
'169.254.0.0/16',
'172.16.0.0/12',
'192.168.0.0/16',
]
},
{
'name': 'external',
'is_internal': False,
'acl': [
'any',
]
},
]
files['/etc/bind/named.conf.local'] = { files['/etc/bind/named.conf.local'] = {
'content_type': 'mako', 'content_type': 'mako',
'context': { 'context': {
'type': node.metadata.get('bind/type'), 'type': node.metadata.get('bind/type'),
'master_ip': master_ip, 'master_ip': master_ip,
'views': views, 'views': dict(sorted(
node.metadata.get('bind/views').items(),
key=lambda e: (e[1].get('default', False), e[0]),
)),
'zones': zones, 'zones': zones,
'hostname': node.metadata.get('bind/hostname'), 'hostname': node.metadata.get('bind/hostname'),
'keys': node.metadata.get('bind/keys'), 'keys': node.metadata.get('bind/keys'),
@ -130,8 +112,8 @@ def record_matches_view(record, records, view):
return False return False
return True return True
for view in views: for view_name, view_conf in node.metadata.get('bind/views').items():
directories[f"/var/lib/bind/{view['name']}"] = { directories[f"/var/lib/bind/{view_name}"] = {
'owner': 'bind', 'owner': 'bind',
'group': 'bind', 'group': 'bind',
'purge': True, 'purge': True,
@ -144,7 +126,7 @@ for view in views:
} }
for zone, conf in zones.items(): for zone, conf in zones.items():
if view['name'] not in conf.get('views', ['internal', 'external']): if view_name not in conf.get('views', ['internal', 'external']):
continue continue
records = conf['records'] records = conf['records']
@ -155,11 +137,11 @@ for view in views:
) )
] ]
files[f"/var/lib/bind/{view['name']}/db.{zone}"] = { files[f"/var/lib/bind/{view_name}/db.{zone}"] = {
'owner': 'bind', 'owner': 'bind',
'group': 'bind', 'group': 'bind',
'needs': [ 'needs': [
f"directory:/var/lib/bind/{view['name']}", f"directory:/var/lib/bind/{view_name}",
], ],
'needed_by': [ 'needed_by': [
'svc_systemd:bind9', 'svc_systemd:bind9',
@ -169,15 +151,15 @@ for view in views:
], ],
} }
if True or node.metadata.get('bind/type') == 'master': #FIXME: slave doesnt get updated if db doesnt get rewritten on each apply if True or node.metadata.get('bind/type') == 'master': #FIXME: slave doesnt get updated if db doesnt get rewritten on each apply
files[f"/var/lib/bind/{view['name']}/db.{zone}"].update({ files[f"/var/lib/bind/{view_name}/db.{zone}"].update({
'source': 'db', 'source': 'db',
'content_type': 'mako', 'content_type': 'mako',
'unless': f"test -f /var/lib/bind/{view['name']}/db.{zone}" if conf.get('dynamic', False) else 'false', 'unless': f"test -f /var/lib/bind/{view_name}/db.{zone}" if conf.get('dynamic', False) else 'false',
'context': { 'context': {
'view': view['name'], 'view': view_name,
'serial': datetime.now().strftime('%Y%m%d%H'), 'serial': datetime.now().strftime('%Y%m%d%H'),
'records': list(filter( 'records': list(filter(
lambda record: record_matches_view(record, records, view['name']), lambda record: record_matches_view(record, records, view_name),
unique_records unique_records
)), )),
'hostname': node.metadata.get('bind/hostname'), 'hostname': node.metadata.get('bind/hostname'),

73
bundles/bind/metadata.py
View file

@ -11,7 +11,34 @@ defaults = {
'bind': { 'bind': {
'zones': {}, 'zones': {},
'slaves': {}, 'slaves': {},
'views': {
'internal': {
'is_internal': True,
'acl': {
'127.0.0.1',
'10.0.0.0/8',
'169.254.0.0/16',
'172.16.0.0/12',
'192.168.0.0/16',
},
'keys': {}, 'keys': {},
'rejected_keys': set(),
},
'external': {
'default': True,
'name': 'external',
'is_internal': False,
'acl': {
'any',
},
'keys': {},
'rejected_keys': set(),
},
},
'keys': {
'internal': {},
'external': {},
},
}, },
'telegraf': { 'telegraf': {
'config': { 'config': {
@ -139,21 +166,59 @@ def slaves(metadata):
@metadata_reactor.provides( @metadata_reactor.provides(
'bind/keys', 'bind/views',
) )
def generate_keys(metadata): def generate_keys(metadata):
return { return {
'bind': { 'bind': {
'views': {
view: {
'keys': { 'keys': {
zone: repo.libs.hmac.hmac_sha512( f'{view}.{zone}': repo.libs.hmac.hmac_sha512(
zone, zone,
str(repo.vault.random_bytes_as_base64_for( str(repo.vault.random_bytes_as_base64_for(
f"{metadata.get('id')} bind key {zone}", f"{metadata.get('id')} bind {view} key {zone}",
length=32, length=32,
)), )),
) )
for zone, conf in metadata.get('bind/zones').items() for zone, conf in metadata.get('bind/zones').items()
if conf.get('dynamic', False) if conf.get('dynamic', False)
}, and view in conf.get('views', metadata.get('bind/views').keys())
}
}
for view in metadata.get('bind/views')
}
},
}
@metadata_reactor.provides(
'bind/views',
)
def collected_rejected_keys_from_other_views(metadata):
return {
'bind': {
'views': {
view: {
'rejected_clients': {
# reject other views keys
*{
key
for other_view, other_conf in metadata.get('bind/views').items()
if other_view != view
and not other_conf.get('default')
for key in other_conf['keys']
},
# reject other views acls
*{
other_view
for other_view, other_conf in metadata.get('bind/views').items()
if other_view != view
and not other_conf.get('default')
},
}
}
for view in metadata.get('bind/views')
}
}, },
} }

8
bundles/letsencrypt/files/hook.sh
View file

@ -4,22 +4,22 @@ set -o pipefail
deploy_challenge() { deploy_challenge() {
echo " echo "
server ${server} server 10.0.10.2
zone ${zone}. zone ${zone}.
update add $1.${zone}. 60 IN TXT \"$3\" update add $1.${zone}. 60 IN TXT \"$3\"
send send
" | tee | nsupdate -y hmac-sha512:${zone}:${acme_key} " | tee | nsupdate -y hmac-sha512:${acme_key_name}:${acme_key}
sleep 10 sleep 10
} }
clean_challenge() { clean_challenge() {
echo " echo "
server ${server} server 10.0.10.2
zone ${zone}. zone ${zone}.
update delete $1.${zone}. TXT update delete $1.${zone}. TXT
send send
" | tee | nsupdate -y hmac-sha512:${zone}:${acme_key} " | tee | nsupdate -y hmac-sha512:${acme_key_name}:${acme_key}
} }
deploy_cert() { deploy_cert() {

3
bundles/letsencrypt/items.py
View file

@ -30,7 +30,8 @@ files = {
'context': { 'context': {
'server': ip_interface(acme_node.metadata.get('network/external/ipv4')).ip, 'server': ip_interface(acme_node.metadata.get('network/external/ipv4')).ip,
'zone': acme_node.metadata.get('bind/acme_zone'), 'zone': acme_node.metadata.get('bind/acme_zone'),
'acme_key': acme_node.metadata.get('bind/keys/' + acme_node.metadata.get('bind/acme_zone')), 'acme_key_name': 'external' + acme_node.metadata.get('bind/acme_zone'),
'acme_key': acme_node.metadata.get('bind/views/external/keys/external.' + acme_node.metadata.get('bind/acme_zone')),
'domains': node.metadata.get('letsencrypt/domains'), 'domains': node.metadata.get('letsencrypt/domains'),
}, },
'mode': '0755', 'mode': '0755',

5
nodes/home.openhab3.py
View file

@ -40,6 +40,11 @@
}, },
}, },
}, },
'letsencrypt': {
'domains': {
'test11.ckn.li': {},
}
},
'java': { 'java': {
'version': 11, 'version': 11,
}, },