add DnsSec module

This commit is contained in:
Joey Hess 2015-01-03 19:09:02 -04:00
parent 05004730c7
commit 4dd6596919
2 changed files with 49 additions and 0 deletions


@ -77,6 +77,7 @@ Library
Propellor.Property.Cron Propellor.Property.Cron
Propellor.Property.Debootstrap Propellor.Property.Debootstrap
Propellor.Property.Dns Propellor.Property.Dns
Propellor.Property.DnsSec
Propellor.Property.Docker Propellor.Property.Docker
Propellor.Property.File Propellor.Property.File
Propellor.Property.Firewall Propellor.Property.Firewall


@ -0,0 +1,48 @@
module Propellor.Property.DnsSec where
import Propellor
import Propellor.Property.File
-- | Puts the DNSSEC key files in place from PrivData.
--
-- signedPrimary uses this, so this property does not normally need to be
-- used directly.
keysInstalled :: Domain -> RevertableProperty
keysInstalled domain = RevertableProperty setup cleanup
where
setup = propertyList "DNSSEC keys installed" $
map installkey keys
cleanup = propertyList "DNSSEC keys removed" $
map (notPresent . keyFn domain) keys
installkey k = (if isPublic k then hasPrivContentExposedFrom else hasPrivContentFrom)
(keysrc k) (keyFn domain k) (Context domain)
keys = [ PubZSK, PrivZSK, PubKSK, PrivKSK ]
keysrc k = PrivDataSource (DnsSec k) $ unwords
[ "The file with extension"
, keyExt k
, " created by running:"
, if isZoneSigningKey k
then "dnssec-keygen -a RSASHA256 -b 2048 -n ZONE " ++ domain
else "dnssec-keygen -f KSK -a RSASHA256 -b 4096 -n ZONE " ++ domain
]
-- | The file used for a given key.
keyFn :: Domain -> DnsSecKey -> FilePath
keyFn domain k = "/etc/bind/propellor" </>
"K" ++ domain ++ "." ++ show k ++ keyExt k
-- | These are the extensions that dnssec-keygen looks for.
keyExt :: DnsSecKey -> String
keyExt k
| isPublic k = ".key"
| otherwise = ".private"
isPublic :: DnsSecKey -> Bool
isPublic k = k `elem` [PubZSK, PubKSK]
isZoneSigningKey :: DnsSecKey -> Bool
isZoneSigningKey k = k `elem` [PubZSK, PrivZSK]
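Review bot: `isPublic` and `isZoneSigningKey` classify a key by `elem` over a hard-coded constructor list, so any `DnsSecKey` constructor added later is silently treated as a private KSK instead of tripping `-Wincomplete-patterns`; matching the constructors directly (the four listed in `keys`) makes the classification exhaustiveness-checked, and that matters because the result decides whether a file is installed exposed or not. Neither function has a Haddock line, and `keyFn` should say that the on-disk name is built from `show k`, which ties the filename to the type's Show instance. In `keysrc`, `" created by running:"` carries a leading space that `unwords` doubles; drop it. Nothing in this module creates `/etc/bind/propellor` or restricts its mode, so setup presumably relies on `hasPrivContentFrom` to create the parent directory — worth confirming on a fresh host.
```haskell
-- | Public halves of the key pairs; these may be installed exposed,
-- everything else is a private key and must not be.
isPublic :: DnsSecKey -> Bool
isPublic PubZSK  = True
isPublic PubKSK  = True
isPublic PrivZSK = False
isPublic PrivKSK = False

-- | Zone-signing keys, as opposed to key-signing keys.
isZoneSigningKey :: DnsSecKey -> Bool
isZoneSigningKey PubZSK  = True
isZoneSigningKey PrivZSK = True
isZoneSigningKey PubKSK  = False
isZoneSigningKey PrivKSK = False
```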