From cb8eb8dac2b0b5182645501ba9961c99e6074516 Mon Sep 17 00:00:00 2001
From: mwiegand <mwiegand@seibert-media.net>
Date: Sat, 26 Jun 2021 13:36:22 +0200
Subject: [PATCH] wip

---
 bundles/bind/files/db               |  8 +--
 bundles/bind/files/named.conf       |  1 -
 bundles/bind/files/named.conf.local | 17 ++++---
 bundles/bind/items.py               | 75 +++++++++++++++++++++++++----
 4 files changed, 81 insertions(+), 20 deletions(-)

diff --git a/bundles/bind/files/db b/bundles/bind/files/db
index fee1f9f..cc0584d 100644
--- a/bundles/bind/files/db
+++ b/bundles/bind/files/db
@@ -1,6 +1,6 @@
 <%!
 def column_width(column, table):
-    return max(map(lambda row: len(row[column]), table)) if table else 0
+    return max(map(lambda row: len(row[column]), table)) if table else 0    
 %>\
 $TTL 600
 @   IN  SOA        ns.sublimity.de. admin.sublimity.de. (
@@ -15,9 +15,9 @@ $TTL 600
 ${(record['name'] or '@').ljust(column_width('name', records))} \
 IN \
 ${record['type'].ljust(column_width('type', records))} \
-  % if record['type'] == 'TXT':
+    % if record['type'] == 'TXT':
 (${' '.join('"'+record['value'][i:i+255]+'"' for i in range(0, len(record['value']), 255))})
-  % else:
+    % else:
 ${record['value']}
-  % endif
+    % endif
 % endfor
diff --git a/bundles/bind/files/named.conf b/bundles/bind/files/named.conf
index f2b4b65..d301bd7 100644
--- a/bundles/bind/files/named.conf
+++ b/bundles/bind/files/named.conf
@@ -1,3 +1,2 @@
 include "/etc/bind/named.conf.options";
 include "/etc/bind/named.conf.local";
-include "/etc/bind/named.conf.default-zones";
diff --git a/bundles/bind/files/named.conf.local b/bundles/bind/files/named.conf.local
index 25fec94..3b0cfa3 100644
--- a/bundles/bind/files/named.conf.local
+++ b/bundles/bind/files/named.conf.local
@@ -1,8 +1,13 @@
-% for zone in zones:
-zone "${zone}" {
-        type master;
-        file "/var/lib/bind/db.${zone}";
+% for view in views:
+view "${view['name']}" {
+  match-clients {${' '.join(f'{e}; ' for e in view['acl'])}};
+  % for zone in zones:
+  zone "${zone}" {
+    type master;
+    file "/var/lib/bind/${view['name']}/db.${zone}";
+  };
+  % endfor
+  include "/etc/bind/named.conf.default-zones";
+  include "/etc/bind/zones.rfc1918";
 };
 % endfor
-
-include "/etc/bind/zones.rfc1918";
diff --git a/bundles/bind/items.py b/bundles/bind/items.py
index eca0d68..4c2b70f 100644
--- a/bundles/bind/items.py
+++ b/bundles/bind/items.py
@@ -1,4 +1,6 @@
-directories['/var/lib/bind'] = {
+from ipaddress import ip_address
+
+directories[f'/var/lib/bind'] = {
     'purge': True,
     'needed_by': [
         'svc_systemd:bind9',
@@ -38,9 +40,28 @@ files['/etc/bind/named.conf.options'] = {
         'svc_systemd:bind9:restart',
     ],
 }
+
+views = [
+    {
+        'name': 'internal',
+        'is_internal': True,
+        'acl': [
+            '10.0.0.0/16',
+        ]
+    },
+    {
+        'name': 'external', 
+        'is_internal': False,
+        'acl': [
+            'any',
+        ]
+    },
+]
+
 files['/etc/bind/named.conf.local'] = {
     'content_type': 'mako',
     'context': {
+        'views': views,
         'zones': sorted(node.metadata.get('bind/zones')),
     },
     'owner': 'root',
@@ -53,14 +74,27 @@ files['/etc/bind/named.conf.local'] = {
     ],
 }
 
-for zone, records in node.metadata.get('bind/zones').items():
-    files[f'/var/lib/bind/db.{zone}'] = {
-        'group': 'bind',
-        'source': 'db',
-        'content_type': 'mako',
-        'context': {
-            'records': records,
-        },
+def use_record(record, records, view):
+    if record['type'] in ['A', 'AAAA']:
+        if view == 'external':
+            # no internal addresses in external view
+            if ip_address(record['value']).is_private:
+                return False
+        elif view == 'internal':
+            # external addresses in internal view only, if no internal exists
+            if ip_address(record['value']).is_global:
+                for other_record in records:
+                    if (
+                        record['name'] == other_record['name'] and
+                        record['type'] == other_record['type'] and
+                        ip_address(other_record['value']).is_private
+                    ):
+                        return False
+    return True
+    
+for view in views:
+    directories[f"/var/lib/bind/{view['name']}"] = {
+        'purge': True,
         'needed_by': [
             'svc_systemd:bind9',
         ],
@@ -69,6 +103,29 @@ for zone, records in node.metadata.get('bind/zones').items():
         ],
     }
 
+    for zone, records in node.metadata.get('bind/zones').items():
+        files[f"/var/lib/bind/{view['name']}/db.{zone}"] = {
+            'group': 'bind',
+            'source': 'db',
+            'content_type': 'mako',
+            'context': {
+                'view': view['name'],
+                'records': list(filter(
+                    lambda record: use_record(record, records, view['name']),
+                    records
+                )),
+            },
+            'needs': [
+                f"directory:/var/lib/bind/{view['name']}",
+            ],
+            'needed_by': [
+                'svc_systemd:bind9',
+            ],
+            'triggers': [
+                'svc_systemd:bind9:restart',
+            ],
+        }
+
 svc_systemd['bind9'] = {}
 
 actions['named-checkconf'] = {