cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

wip

Browse source
This commit is contained in:
mwiegand 2021-11-06 06:33:19 +01:00
parent 34e9366c61
commit f87d58bb41
7 changed files with 102 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
bundles/bind/files/db.acme Normal file
View file

@ -0,0 +1,13 @@
$TTL 600
@ IN SOA acme.${hostname}. admin.acme.${hostname}. (
2021070821 ;Serial
3600 ;Refresh
200 ;Retry
1209600 ;Expire
900 ;Negative response caching TTL
)
@ IN A 162.55.188.157
@ IN AAAA 2a01:4f8:1c1c:4121::2
@ IN NS resolver.name.
@ IN NS second.resolver.name.

12
bundles/bind/files/named.conf.local
View file

@ -4,6 +4,11 @@ acl "${view['name']}" {
}; };
% endfor % endfor
key "acme" {
algorithm hmac-sha512;
secret "${acme_key}";
};
% for view in views: % for view in views:
view "${view['name']}" { view "${view['name']}" {
match-clients { ${view['name']}; }; match-clients { ${view['name']}; };
@ -35,6 +40,13 @@ view "${view['name']}" {
}; };
% endfor % endfor
zone "acme.${hostname}" {
type master;
file "/var/lib/bind/${view['name']}/db.acme.${hostname}";
masterfile-format text;
allow-update { key "acme"; };
};
include "/etc/bind/named.conf.default-zones"; include "/etc/bind/named.conf.default-zones";
include "/etc/bind/zones.rfc1918"; include "/etc/bind/zones.rfc1918";
}; };

21
bundles/bind/items.py
View file

@ -93,6 +93,8 @@ files['/etc/bind/named.conf.local'] = {
'master_ip': master_ip, 'master_ip': master_ip,
'views': views, 'views': views,
'zones': sorted(zones), 'zones': sorted(zones),
'hostname': node.metadata.get('bind/hostname'),
'acme_key': node.metadata.get('bind/acme_key'),
}, },
'owner': 'root', 'owner': 'root',
'group': 'bind', 'group': 'bind',
@ -135,6 +137,24 @@ for view in views:
'svc_systemd:bind9:restart', 'svc_systemd:bind9:restart',
], ],
} }
files[f"/var/lib/bind/{view['name']}/db.acme.{node.metadata.get('bind/hostname')}"] = {
'source': 'db.acme',
'content_type': 'mako',
'context': {
'hostname': node.metadata.get('bind/hostname'),
},
'owner': 'root',
'group': 'bind',
'needs': [
'pkg_apt:bind9',
],
'needed_by': [
'svc_systemd:bind9',
],
'triggers': [
'svc_systemd:bind9:restart',
],
}
for zone, records in zones.items(): for zone, records in zones.items():
unique_records = [ unique_records = [
@ -175,5 +195,6 @@ actions['named-checkconf'] = {
'unless': 'named-checkconf -z', 'unless': 'named-checkconf -z',
'needs': [ 'needs': [
'svc_systemd:bind9', 'svc_systemd:bind9',
'svc_systemd:bind9:restart',
] ]
} }

17
bundles/bind/metadata.py
View file

@ -26,6 +26,23 @@ defaults = {
} }
@metadata_reactor.provides(
'bind/acme_key',
)
def acme_key(metadata):
return {
'bind': {
'acme_key': repo.libs.hmac.hmac_sha512(
'acme',
str(repo.vault.random_bytes_as_base64_for(
f"{metadata.get('id')} bind key acme",
length=32,
)),
),
}
}
@metadata_reactor.provides( @metadata_reactor.provides(
'bind/type', 'bind/type',
) )

1
bundles/letsencrypt/README.md Normal file
View file

@ -0,0 +1 @@
https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script

28
bundles/letsencrypt/files/dns-challenge.sh Normal file
View file

@ -0,0 +1,28 @@
#!/usr/bin/env bash
set -e
set -u
set -o pipefail
OPERATION=$1
DOMAIN=$2
TOKEN=$4
TTL=300
case "$1" in
"deploy_challenge")
;;
"clean_challenge")
;;
"deploy_cert")
;;
"unchanged_cert")
;;
"startup_hook")
;;
"exit_hook")
;;
esac
exit 0

10
libs/hmac.py Normal file
View file

@ -0,0 +1,10 @@
import hmac, hashlib, base64
def hmac_sha512(secret, iv):
return base64.b64encode(
hmac.new(
bytes(iv , 'latin-1'),
msg=bytes(secret , 'latin-1'),
digestmod=hashlib.sha512
).digest()
).decode()