propellor spin
This commit is contained in:
parent
0bc737c1ba
commit
34c7a14060
|
@ -59,7 +59,7 @@ addNamedConf conf d = d { _namedconf = new }
|
|||
where
|
||||
m = _namedconf d
|
||||
domain = confDomain conf
|
||||
new = case (confType conf, confType <$> M.lookup domain m) of
|
||||
new = case (confDnsServerType conf, confDnsServerType <$> M.lookup domain m) of
|
||||
(Secondary, Just Master) -> m
|
||||
_ -> M.insert domain conf m
|
||||
|
||||
|
|
|
@ -40,6 +40,17 @@ import Data.List
|
|||
-- that cannot be configured elsewhere. This often includes NS records,
|
||||
-- TXT records and perhaps CNAMEs pointing at hosts that propellor does
|
||||
-- not control.
|
||||
--
|
||||
-- The primary server is configured to only allow zone transfers to
|
||||
-- secondary dns servers. These are determined in two ways:
|
||||
--
|
||||
-- 1. By looking at the properties of other hosts, to find hosts that
|
||||
-- are configured as the secondary dns server.
|
||||
--
|
||||
-- 2. By looking for NS Records in the passed list of records.
|
||||
--
|
||||
-- In either case, the secondary dns server Host should have an ipv4
|
||||
-- property.
|
||||
primary :: [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty
|
||||
primary hosts domain soa rs = RevertableProperty setup cleanup
|
||||
where
|
||||
|
@ -63,11 +74,17 @@ primary hosts domain soa rs = RevertableProperty setup cleanup
|
|||
satisfy
|
||||
conf = NamedConf
|
||||
{ confDomain = domain
|
||||
, confType = Master
|
||||
, confDnsServerType = Master
|
||||
, confFile = zonefile
|
||||
, confMasters = []
|
||||
, confAllowTransfer = nub $
|
||||
concatMap (\m -> hostAddresses m hosts) $
|
||||
otherServers Secondary hosts domain ++
|
||||
mapMaybe (domainHostName <=< getNS) rootRecords
|
||||
, confLines = []
|
||||
}
|
||||
rootRecords = map snd $
|
||||
filter (\(d, _r) -> d == RootDomain || d == AbsDomain domain) rs
|
||||
needupdate = do
|
||||
v <- readZonePropellorFile zonefile
|
||||
return $ case v of
|
||||
|
@ -86,12 +103,7 @@ primary hosts domain soa rs = RevertableProperty setup cleanup
|
|||
-- Note that if a host is declared to be a primary and a secondary dns
|
||||
-- server for the same domain, the primary server config always wins.
|
||||
secondary :: [Host] -> Domain -> RevertableProperty
|
||||
secondary hosts domain = secondaryFor masters hosts domain
|
||||
where
|
||||
masters = M.keys $ M.filter ismaster $ hostAttrMap hosts
|
||||
ismaster attr = case M.lookup domain (_namedconf attr) of
|
||||
Nothing -> False
|
||||
Just conf -> confType conf == Master && confDomain conf == domain
|
||||
secondary hosts domain = secondaryFor (otherServers Master hosts domain) hosts domain
|
||||
|
||||
-- | This variant is useful if the primary server does not have its DNS
|
||||
-- configured via propellor.
|
||||
|
@ -105,12 +117,22 @@ secondaryFor masters hosts domain = RevertableProperty setup cleanup
|
|||
desc = "dns secondary for " ++ domain
|
||||
conf = NamedConf
|
||||
{ confDomain = domain
|
||||
, confType = Secondary
|
||||
, confDnsServerType = Secondary
|
||||
, confFile = "db." ++ domain
|
||||
, confMasters = concatMap (\m -> hostAddresses m hosts) masters
|
||||
, confLines = ["allow-transfer { }"]
|
||||
, confAllowTransfer = []
|
||||
, confLines = []
|
||||
}
|
||||
|
||||
otherServers :: DnsServerType -> [Host] -> Domain -> [HostName]
|
||||
otherServers wantedtype hosts domain =
|
||||
M.keys $ M.filter wanted $ hostAttrMap hosts
|
||||
where
|
||||
wanted attr = case M.lookup domain (_namedconf attr) of
|
||||
Nothing -> False
|
||||
Just conf -> confDnsServerType conf == wantedtype
|
||||
&& confDomain conf == domain
|
||||
|
||||
-- | Rewrites the whole named.conf.local file to serve the zones
|
||||
-- configured by `primary` and `secondary`, and ensures that bind9 is
|
||||
-- running.
|
||||
|
@ -130,20 +152,26 @@ confStanza :: NamedConf -> [Line]
|
|||
confStanza c =
|
||||
[ "// automatically generated by propellor"
|
||||
, "zone \"" ++ confDomain c ++ "\" {"
|
||||
, cfgline "type" (if confType c == Master then "master" else "slave")
|
||||
, cfgline "type" (if confDnsServerType c == Master then "master" else "slave")
|
||||
, cfgline "file" ("\"" ++ confFile c ++ "\"")
|
||||
] ++
|
||||
(if null (confMasters c) then [] else mastersblock) ++
|
||||
mastersblock ++
|
||||
allowtransferblock ++
|
||||
(map (\l -> "\t" ++ l ++ ";") (confLines c)) ++
|
||||
[ "};"
|
||||
, ""
|
||||
]
|
||||
where
|
||||
cfgline f v = "\t" ++ f ++ " " ++ v ++ ";"
|
||||
mastersblock =
|
||||
[ "\tmasters {" ] ++
|
||||
(map (\ip -> "\t\t" ++ fromIPAddr ip ++ ";") (confMasters c)) ++
|
||||
ipblock name l =
|
||||
[ "\t" ++ name ++ " {" ] ++
|
||||
(map (\ip -> "\t\t" ++ fromIPAddr ip ++ ";") l) ++
|
||||
[ "\t};" ]
|
||||
mastersblock
|
||||
| null (confMasters c) = []
|
||||
| otherwise = ipblock "masters" (confMasters c)
|
||||
-- an empty block prohibits any transfers
|
||||
allowtransferblock = ipblock "allow-transfer" (confAllowTransfer c)
|
||||
|
||||
namedConfFile :: FilePath
|
||||
namedConfFile = "/etc/bind/named.conf.local"
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
module Propellor.Types.Dns where
|
||||
|
||||
import Propellor.Types.OS (HostName)
|
||||
|
||||
import Data.Word
|
||||
|
||||
type Domain = String
|
||||
|
@ -14,14 +16,15 @@ fromIPAddr (IPv6 addr) = addr
|
|||
-- | Represents a bind 9 named.conf file.
|
||||
data NamedConf = NamedConf
|
||||
{ confDomain :: Domain
|
||||
, confType :: Type
|
||||
, confDnsServerType :: DnsServerType
|
||||
, confFile :: FilePath
|
||||
, confMasters :: [IPAddr]
|
||||
, confAllowTransfer :: [IPAddr]
|
||||
, confLines :: [String]
|
||||
}
|
||||
deriving (Show, Eq, Ord)
|
||||
|
||||
data Type = Master | Secondary
|
||||
data DnsServerType = Master | Secondary
|
||||
deriving (Show, Eq, Ord)
|
||||
|
||||
-- | Represents a bind 9 zone file.
|
||||
|
@ -66,6 +69,10 @@ getCNAME :: Record -> Maybe BindDomain
|
|||
getCNAME (CNAME d) = Just d
|
||||
getCNAME _ = Nothing
|
||||
|
||||
getNS :: Record -> Maybe BindDomain
|
||||
getNS (NS d) = Just d
|
||||
getNS _ = Nothing
|
||||
|
||||
-- | Bind serial numbers are unsigned, 32 bit integers.
|
||||
type SerialNumber = Word32
|
||||
|
||||
|
@ -78,3 +85,8 @@ type SerialNumber = Word32
|
|||
-- to add nameservers, MX's, etc to a domain.
|
||||
data BindDomain = RelDomain Domain | AbsDomain Domain | RootDomain
|
||||
deriving (Read, Show, Eq, Ord)
|
||||
|
||||
domainHostName :: BindDomain -> Maybe HostName
|
||||
domainHostName (RelDomain d) = Just d
|
||||
domainHostName (AbsDomain d) = Just d
|
||||
domainHostName RootDomain = Nothing
|
||||
|
|
|
@ -299,6 +299,8 @@ monsters = -- but do want to track their public keys etc.
|
|||
& sshPubKey "ssh-dss AAAAB3NzaC1kc3MAAAEBAI6ZsoW8a+Zl6NqUf9a4xXSMcV1akJHDEKKBzlI2YZo9gb9YoCf5p9oby8THUSgfh4kse7LJeY7Nb64NR6Y/X7I2/QzbE1HGGl5mMwB6LeUcJ74T3TQAlNEZkGt/MOIVLolJHk049hC09zLpkUDtX8K0t1yaCirC9SxDGLTCLEhvU9+vVdVrdQlKZ9wpLUNbdAzvbra+O/IVvExxDZ9WCHrnfNA8ddVZIGEWMqsoNgiuCxiXpi8qL+noghsSQNFTXwo7W2Vp9zj1JkCt3GtSz5IzEpARQaXEAWNEM0n1nJ686YUOhou64iRM8bPC1lp3QXvvZNgj3m+QHhIempx+de8AAAAVAKB5vUDaZOg14gRn7Bp81ja/ik+RAAABACPH/bPbW912x1NxNiikzGR6clLh+bLpIp8Qie3J7DwOr8oC1QOKjNDK+UgQ7mDQEgr4nGjNKSvpDi4c1QCw4sbLqQgx1y2VhT0SmUPHf5NQFldRQyR/jcevSSwOBxszz3aq9AwHiv9OWaO3XY18suXPouiuPTpIcZwc2BLDNHFnDURQeGEtmgqj6gZLIkTY0iw7q9Tj5FOyl4AkvEJC5B4CSzaWgey93Wqn1Imt7KI8+H9lApMKziVL1q+K7xAuNkGmx5YOSNlE6rKAPtsIPHZGxR7dch0GURv2jhh0NQYvBRn3ukCjuIO5gx56HLgilq59/o50zZ4NcT7iASF76TcAAAEAC6YxX7rrs8pp13W4YGiJHwFvIO1yXLGOdqu66JM0plO4J1ItV1AQcazOXLiliny3p2/W+wXZZKd5HIRt52YafCA8YNyMk/sF7JcTR4d4z9CfKaAxh0UpzKiAk+0j/Wu3iPoTOsyt7N0j1+dIyrFodY2sKKuBMT4TQ0yqQpbC+IDQv2i1IlZAPneYGfd5MIGygs2QMfaMQ1jWAKJvEO0vstZ7GB6nDAcg4in3ZiBHtomx3PL5w+zg48S4Ed69BiFXLZ1f6MnjpUOP75pD4MP6toS0rgK9b93xCrEQLgm4oD/7TCHHBo2xR7wwcsN2OddtwWsEM2QgOkt/jdCAoVCqwQ=="
|
||||
, host "github.com"
|
||||
& sshPubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="
|
||||
, host "ns6.gandi.net"
|
||||
& ipv4 "217.70.177.40"
|
||||
, host "turtle.kitenet.net"
|
||||
& ipv4 "67.223.19.96"
|
||||
& ipv6 "2001:4978:f:2d9::2"
|
||||
|
|
|
@ -1,6 +1,10 @@
|
|||
propellor (0.5.1) UNRELEASED; urgency=medium
|
||||
|
||||
* Add missing build deps and deps. Closes: #745459
|
||||
* Primary DNS servers now have allow-transfer automatically populated
|
||||
with the IP addresses of secondary dns servers. So, it's important
|
||||
that all secondary DNS servers have an ipv4 (and/or ipv6) property
|
||||
configured.
|
||||
|
||||
-- Joey Hess <joeyh@debian.org> Tue, 22 Apr 2014 19:07:59 -0400
|
||||
|
||||
|
|
Loading…
Reference in New Issue