This commit is contained in:
mwiegand 2021-11-07 17:19:30 +01:00
parent 35c1db0ec6
commit 9ce47a0aa7
5 changed files with 28 additions and 28 deletions


@ -25,7 +25,6 @@ def acme_records(metadata):
@metadata_reactor.provides(
'bind/acls/acme',
'bind/keys/acme',
'bind/views/internal/acl',
'bind/views/external/zones',
)
def acme_zone(metadata):
@ -43,16 +42,11 @@ def acme_zone(metadata):
'!{ !{' + ' '.join(f'{ip};' for ip in sorted(allowed_ips)) + '}; any;}',
},
},
'keys': {
'acme': {},
},
'views': {
'internal': {
'acl': {
'! key acme',
},
},
'external': {
'keys': {
'acme': {},
},
'zones': {
metadata.get('bind/acme_zone'): {
'allow_update': {
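Review bot: The decorator at the top of the first hunk no longer declares the path the reactor now writes: the return value gains `'views': {'external': {'keys': {'acme': {}}}}`, but the surviving `provides` entries are only `bind/acls/acme`, `bind/views/internal/acl` and `bind/views/external/zones`. If the dropped entry is `'bind/keys/acme'` (the hunk counts show one removal), nothing declares `bind/views/external/keys/acme`, and as far as I recall bundlewrap rejects reactors that return paths outside their declaration. Add `'bind/views/external/keys/acme',` to the decorator alongside the zones path. acme_zone's body continues past the hunk; the `allow_update` dict is still open at its last line.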


@ -6,12 +6,14 @@ acl "${acl_name}" {
};
% endfor
% for key_name, key_conf in sorted(keys.items()):
% for view_name, view_conf in views.items():
% for key_name, key_conf in sorted(view_conf['keys'].items()):
key "${key_name}" {
algorithm hmac-sha512;
secret "${key_conf['token']}";
};
% endfor
% endfor
% for view_name, view_conf in views.items():
view "${view_name}" {
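Review bot: The nested loops now emit one top-level `key "${key_name}"` statement per view, so a key name that occurs in more than one view's `keys` is written twice, and named refuses the configuration because key names are global in named.conf rather than per view. Collect the names once before emitting, e.g. `<% all_keys = {k: c for v in views.values() for k, c in v['keys'].items()} %>` followed by `% for key_name, key_conf in sorted(all_keys.items()):`. Note that such a merge silently keeps the last conf for a clashing name, so a name shared by two views with different tokens should really be rejected where the views are assembled in metadata rather than papered over here. The template's enclosing `view` loop continues past the hunk.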


@ -81,7 +81,6 @@ files['/etc/bind/named.conf.local'] = {
for view_name, view_conf in master_node.metadata.get('bind/views').items()
},
},
'keys': master_node.metadata.get('bind/keys'),
'views': dict(sorted(
master_node.metadata.get('bind/views').items(),
key=lambda e: (e[1].get('default', False), e[0]),


@ -23,6 +23,7 @@ defaults = {
'views': {
'internal': {
'is_internal': True,
'keys': {},
'acl': {
'our-nets',
},
@ -31,6 +32,7 @@ defaults = {
'external': {
'default': True,
'is_internal': False,
'keys': {},
'acl': {
'any',
},
@ -38,7 +40,6 @@ defaults = {
},
},
'zones': {},
'keys': {},
},
'telegraf': {
'config': {
@ -175,24 +176,29 @@ def slaves(metadata):
@metadata_reactor.provides(
'bind/keys',
'bind/views',
)
def generate_keys(metadata):
return {
'bind': {
'keys': {
key: {
'token':repo.libs.hmac.hmac_sha512(
key,
str(repo.vault.random_bytes_as_base64_for(
f"{metadata.get('id')} bind key {key}",
length=32,
)),
)
'views': {
view_name: {
'keys': {
key: {
'token':repo.libs.hmac.hmac_sha512(
key,
str(repo.vault.random_bytes_as_base64_for(
f"{metadata.get('id')} bind key {key}",
length=32,
)),
)
}
for key in view_conf['keys']
}
}
for view_name, view_conf in metadata.get('bind/views').items()
}
for key in metadata.get('bind/keys')
},
}
}
@ -213,11 +219,10 @@ def generate_acl_entries_for_keys(metadata):
},
# reject keys from other views
*{
f'! key {other_view_name}.{zone_name}'
f'! key {key}'
for other_view_name, other_view_conf in metadata.get('bind/views').items()
if other_view_name != view_name
for zone_name, zone_conf in other_view_conf['zones'].items()
if zone_conf.get('key', False)
for key in other_view_conf.get('keys', [])
}
}
}
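Review bot: generate_keys indexes `view_conf['keys']` directly in its comprehension, while generate_acl_entries_for_keys in the last hunk uses `other_view_conf.get('keys', [])`; the defaults hunk seeds `'keys': {}` only for internal and external, so a view added by another reactor without that key raises KeyError in the first and is silently skipped in the second. Use `view_conf.get('keys', {})` in both places (`{}` rather than `[]`, since `keys` is a dict). Separately, the vault seed `f"{metadata.get('id')} bind key {key}"` depends only on the node id and the key name, not the view, so a key name reused in two views derives the same secret, and the `! key {key}` entries built in the last hunk would then make each view reject its own key; if that is unintended, either include `view_name` in the seed (which rotates any secret already derived) or reject duplicate names when the views are assembled. Minor style: `'token':repo.libs...` lacks a space after the colon in both the old and new lines. generate_acl_entries_for_keys starts before its hunk.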


@ -31,7 +31,7 @@ files = {
'server': ip_interface(acme_node.metadata.get('network/internal/ipv4')).ip,
'zone': acme_node.metadata.get('bind/acme_zone'),
'acme_key_name': 'acme',
'acme_key': acme_node.metadata.get('bind/keys/acme/token'),
'acme_key': acme_node.metadata.get('bind/views/external/keys/acme/token'),
'domains': node.metadata.get('letsencrypt/domains'),
},
'mode': '0755',
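Review bot: The TSIG secret now read from `bind/views/external/keys/acme/token` is rendered into a file whose mode is `'0755'` (the context line closing the hunk), i.e. world-readable, so every local account on that node can read the key that is allowed to update the ACME zone. If the file must stay executable, restrict it to its owner with `'mode': '0700'` (or `'0750'` with a dedicated group), or move the token into a separate `0600` file the script reads at run time. Which user executes the script is not visible in this hunk, so set owner and group to match.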