propellor spin

2015-01-04 14:05:42 -04:00 · 2015-01-04 14:05:42 -04:00 · f36443755e
parent 8c1006c654
commit f36443755e
4 changed files with 13 additions and 11 deletions
--- a/src/Propellor/Info.hs
+++ b/src/Propellor/Info.hs
@ -64,7 +64,6 @@ addDNS r = pureInfoProperty (rdesc r) $ mempty { _dns = S.singleton r }
 	rdesc (NS d) = unwords ["NS", ddesc d]
 	rdesc (TXT s) = unwords ["TXT", s]
 	rdesc (SRV x y z d) = unwords ["SRV", show x, show y, show z, ddesc d]
-	rdesc (INCLUDE f) = unwords ["$INCLUDE", f]

 	ddesc (AbsDomain domain) = domain
 	ddesc (RelDomain domain) = domain
--- a/src/Propellor/Property/Dns.hs
+++ b/src/Propellor/Property/Dns.hs
@ -133,7 +133,7 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
 	-- TODO enable dnssec options.
 	-- 	dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;
 	setup = combineProperties ("dns primary for " ++ domain ++ " (signed)")
-		[ setupPrimary zonefile signedZoneFile hosts domain soa rs'
+		[ setupPrimary zonefile signedZoneFile hosts domain soa rs
 		, toProp (zoneSigned domain zonefile)
 		]
 		`onChange` Service.reloaded "bind9"
@ -142,10 +142,6 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
 		`onChange` toProp (revert (zoneSigned domain zonefile))
 		`onChange` Service.reloaded "bind9"
 	
-	-- Include the public keys into the zone file.
-	rs' = include PubKSK : include PubZSK : rs
-	include k = (RootDomain, INCLUDE (keyFn domain k))
-
 	-- Put DNSSEC zone files in a different directory than is used for
 	-- the regular ones. This allows 'primary' to be reverted and
 	-- 'signedPrimary' enabled, without the reverted property stomping
@ -271,7 +267,6 @@ rField (MX _ _) = "MX"
 rField (NS _) = "NS"
 rField (TXT _) = "TXT"
 rField (SRV _ _ _ _) = "SRV"
-rField (INCLUDE _) = "$INCLUDE"

 rValue :: Record -> String
 rValue (Address (IPv4 addr)) = addr
@ -285,7 +280,6 @@ rValue (SRV priority weight port target) = unwords
 	, show port
 	, dValue target
 	]
-rValue (INCLUDE f) = f
 rValue (TXT s) = [q] ++ filter (/= q) s ++ [q]
  where
 	q = '"'
--- a/src/Propellor/Property/DnsSec.hs
+++ b/src/Propellor/Property/DnsSec.hs
@ -41,6 +41,7 @@ zoneSigned :: Domain -> FilePath -> RevertableProperty
 zoneSigned domain zonefile = RevertableProperty setup cleanup
  where
 	setup = check needupdate (forceZoneSigned domain zonefile)
+		`requires` includePubKeys domain zonefile
 		`requires` toProp (keysInstalled domain)
 	
 	cleanup = combineProperties ("removed signed zone for " ++ domain)
@ -65,6 +66,12 @@ zoneSigned domain zonefile = RevertableProperty setup cleanup
 		t2 <- getModificationTime f
 		return (t2 >= t1)

+includePubKeys :: Domain -> FilePath -> Property
+includePubKeys domain zonefile = File.containsLines zonefile $
+	map mkinclude [PubKSK, PubZSK]
+  where
+	mkinclude k = "$INCLUDE " ++ keyFn domain k
+
 forceZoneSigned :: Domain -> FilePath -> Property
 forceZoneSigned domain zonefile = property ("zone signed for " ++ domain) $ liftIO $ do
 	salt <- take 16 <$> saltSha1
@ -95,8 +102,11 @@ saltSha1 = readProcess "sh"

 -- | The file used for a given key.
 keyFn :: Domain -> DnsSecKey -> FilePath
-keyFn domain k =  "/etc/bind/propellor/dnssec" </>
-	"K" ++ domain ++ "." ++ show k ++ keyExt k
+keyFn domain k =  "/etc/bind/propellor/dnssec" </> concat
+	[ "K" ++ domain ++ "."
+	, if isZoneSigningKey k then "ZSK" else "KSK"
+	, keyExt k
+	]

 -- | These are the extensions that dnssec-keygen looks for.
 keyExt :: DnsSecKey -> String
--- a/src/Propellor/Types/Dns.hs
+++ b/src/Propellor/Types/Dns.hs
@ -62,7 +62,6 @@ data Record
 	| NS BindDomain
 	| TXT String
 	| SRV Word16 Word16 Word16 BindDomain
-	| INCLUDE FilePath
 	deriving (Read, Show, Eq, Ord)

 getIPAddr :: Record -> Maybe IPAddr