From 9ce47a0aa7d98ec976351b737f2a4b54ba8ce274 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Sun, 7 Nov 2021 17:19:30 +0100
Subject: [PATCH] wip

---
 bundles/bind-acme/metadata.py | 12 +++-------
 bundles/bind/files/named.conf.local | 4 +++-
 bundles/bind/items.py | 1 -
 bundles/bind/metadata.py | 37 ++++++++++++++++-------------
 bundles/letsencrypt/items.py | 2 +-
 5 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/bundles/bind-acme/metadata.py b/bundles/bind-acme/metadata.py
index ab605df..99cf9b0 100644
--- a/bundles/bind-acme/metadata.py
+++ b/bundles/bind-acme/metadata.py
@@ -25,7 +25,6 @@ def acme_records(metadata):
 @metadata_reactor.provides(
 'bind/acls/acme',
 'bind/keys/acme',
- 'bind/views/internal/acl',
 'bind/views/external/zones',
 )
 def acme_zone(metadata):
@@ -43,16 +42,11 @@ def acme_zone(metadata):
 '!{ !{' + ' '.join(f'{ip};' for ip in sorted(allowed_ips)) + '}; any;}',
 },
 },
- 'keys': {
- 'acme': {},
- },
 'views': {
- 'internal': {
- 'acl': {
- '! key acme',
- },
- },
 'external': {
+ 'keys': {
+ 'acme': {},
+ },
 'zones': {
 metadata.get('bind/acme_zone'): {
 'allow_update': {
diff --git a/bundles/bind/files/named.conf.local b/bundles/bind/files/named.conf.local
index 9f93faa..835c462 100644
--- a/bundles/bind/files/named.conf.local
+++ b/bundles/bind/files/named.conf.local
@@ -6,12 +6,14 @@ acl "${acl_name}" {
 };
 % endfor

-% for key_name, key_conf in sorted(keys.items()):
+% for view_name, view_conf in views.items():
+% for key_name, key_conf in sorted(view_conf['keys'].items()):
 key "${key_name}" {
 algorithm hmac-sha512;
 secret "${key_conf['token']}";
 };
 % endfor
+% endfor

 % for view_name, view_conf in views.items():
 view "${view_name}" {
diff --git a/bundles/bind/items.py b/bundles/bind/items.py
index fc274fd..0118129 100644
--- a/bundles/bind/items.py
+++ b/bundles/bind/items.py
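Review bot: The `@metadata_reactor.provides(...)` list of `acme_zone` still declares `'bind/keys/acme'` (an unchanged context line in this hunk) while the reactor's second hunk now returns the key under `bind/views/external/keys/acme`, so the declaration no longer describes what the reactor produces. Replace that line with `'bind/views/external/keys',` so BundleWrap can order `acme_zone` against `generate_keys` in bundles/bind/metadata.py, which reads `bind/views` to derive the tokens; if the runtime checks returned paths against the declaration, the present mismatch would presumably fail or leave the `acme` key without a token. The body of `acme_zone` continues outside both hunks.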
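Review bot: The nested loop at `% for view_name, view_conf in views.items():` emits every view's keys as top-level `key "${key_name}"` statements, and BIND's `key` namespace is global, so a key name that appears in two views now renders duplicate `key` blocks, and the per-view `! key {key}` entries generated in bundles/bind/metadata.py would reject that view's own key. Either state the constraint in the template (`## key statements are global in named.conf: a key name reused in two views is a configuration error`) or enforce uniqueness in the metadata layer before rendering. The template also indexes `view_conf['keys']` directly, whereas `generate_acl_entries_for_keys` uses `.get('keys', [])`; a view defined without a `keys` entry would fail at render time here, so one convention should be picked. Iterating `views.items()` unsorted is deterministic only because items.py hands over a `dict(sorted(...))`.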
@@ -81,7 +81,6 @@ files['/etc/bind/named.conf.local'] = {
 for view_name, view_conf in master_node.metadata.get('bind/views').items()
 },
 },
- 'keys': master_node.metadata.get('bind/keys'),
 'views': dict(sorted(
 master_node.metadata.get('bind/views').items(),
 key=lambda e: (e[1].get('default', False), e[0]),
diff --git a/bundles/bind/metadata.py b/bundles/bind/metadata.py
index f6826b9..4292607 100644
--- a/bundles/bind/metadata.py
+++ b/bundles/bind/metadata.py
@@ -23,6 +23,7 @@ defaults = {
 'views': {
 'internal': {
 'is_internal': True,
+ 'keys': {},
 'acl': {
 'our-nets',
 },
@@ -31,6 +32,7 @@ defaults = {
 'external': {
 'default': True,
 'is_internal': False,
+ 'keys': {},
 'acl': {
 'any',
 },
@@ -38,7 +40,6 @@ defaults = {
 },
 },
 'zones': {},
- 'keys': {},
 },
 'telegraf': {
 'config': {
@@ -175,24 +176,29 @@ def slaves(metadata):


 @metadata_reactor.provides(
- 'bind/keys',
+ 'bind/views',
 )
 def generate_keys(metadata):
 return {
 'bind': {
- 'keys': {
- key: {
- 'token':repo.libs.hmac.hmac_sha512(
- key,
- str(repo.vault.random_bytes_as_base64_for(
- f"{metadata.get('id')} bind key {key}",
- length=32,
- )),
- )
+ 'views': {
+ view_name: {
+ 'keys': {
+ key: {
+ 'token':repo.libs.hmac.hmac_sha512(
+ key,
+ str(repo.vault.random_bytes_as_base64_for(
+ f"{metadata.get('id')} bind key {key}",
+ length=32,
+ )),
+ )
+ }
+ for key in view_conf['keys']
+ }
 }
+ for view_name, view_conf in metadata.get('bind/views').items()
 }
- for key in metadata.get('bind/keys')
- },
+ }
 }


@@ -213,11 +219,10 @@ def generate_acl_entries_for_keys(metadata):
 },
 # reject keys from other views
 *{
- f'! key {other_view_name}.{zone_name}'
+ f'! key {key}'
 for other_view_name, other_view_conf in metadata.get('bind/views').items()
 if other_view_name != view_name
- for zone_name, zone_conf in other_view_conf['zones'].items()
- if zone_conf.get('key', False)
+ for key in other_view_conf.get('keys', [])
 }
 }
 }
diff --git a/bundles/letsencrypt/items.py b/bundles/letsencrypt/items.py
index 1e53a74..c92fd68 100644
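Review bot: The vault identifier `f"{metadata.get('id')} bind key {key}"` in `generate_keys` is keyed by node id and key name only, not by view, so a key name reused in two views receives the identical TSIG secret, while the `generate_acl_entries_for_keys` hunk below emits `! key {key}` for other views' names, which for a reused name would reject the view's own key; the view separation then collapses silently. Because `key` statements are global in named.conf anyway, fail fast here instead of relying on convention: before the `return`, `names = [k for v in metadata.get('bind/views').values() for k in v.get('keys', {})]` and `if len(names) != len(set(names)): raise ValueError(f"duplicate bind key names across views: {names}")`. The two hunks also disagree on whether a view may omit `keys` (`view_conf['keys']` here versus `other_view_conf.get('keys', [])` below), and the defaults hunks above add `'keys': {}` only for the two built-in views, so a view added in node metadata without it would raise in this reactor. `generate_acl_entries_for_keys` starts before its hunk.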
--- a/bundles/letsencrypt/items.py
+++ b/bundles/letsencrypt/items.py
@@ -31,7 +31,7 @@ files = {
 'server': ip_interface(acme_node.metadata.get('network/internal/ipv4')).ip,
 'zone': acme_node.metadata.get('bind/acme_zone'),
 'acme_key_name': 'acme',
- 'acme_key': acme_node.metadata.get('bind/keys/acme/token'),
+ 'acme_key': acme_node.metadata.get('bind/views/external/keys/acme/token'),
 'domains': node.metadata.get('letsencrypt/domains'),
 },
 'mode': '0755',
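Review bot: The TSIG secret pulled in as `'acme_key': acme_node.metadata.get('bind/views/external/keys/acme/token')` is rendered into a file whose mode, going by the trailing context line, is `'mode': '0755'`, i.e. readable by every local account; the path change keeps that as it was, but this is the place to tighten it. Use `'mode': '0750'` (or `'0700'` if only the owner runs it) so the shared update secret is not world-readable, or move the key into a separate `0600` file the script reads. The lookup also hard-codes the `external` view, so the letsencrypt bundle now depends on where bind-acme chooses to place the key; a short comment naming that coupling would help the next person who renames a view. The `files = {` entry's path and owner are outside the hunk, so which user executes the file could not be checked here.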