bind: init
This commit is contained in:
parent
14428dabcd
commit
79b2b259bc
16
flake.lock
16
flake.lock
|
@ -127,11 +127,11 @@
|
||||||
},
|
},
|
||||||
"secrets": {
|
"secrets": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1633479869,
|
"lastModified": 1634253091,
|
||||||
"narHash": "sha256-HhpstvGfR0TyCCFVOGZVRAay+6dJ6d8EMMTx952xKQ0=",
|
"narHash": "sha256-aEKQ8bzsK/0RwNXcBcch1J9M369C83QpzU7PWuaCW6w=",
|
||||||
"ref": "master",
|
"ref": "master",
|
||||||
"rev": "eecfed3c6287b9a3f5f0c9469a3f6975048b891a",
|
"rev": "4b502a1f949417f0c9c9bba57837041cf6d06e9e",
|
||||||
"revCount": 101,
|
"revCount": 102,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
||||||
},
|
},
|
||||||
|
@ -216,11 +216,11 @@
|
||||||
"zentralwerk-network-key": "zentralwerk-network-key"
|
"zentralwerk-network-key": "zentralwerk-network-key"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1633637325,
|
"lastModified": 1634222813,
|
||||||
"narHash": "sha256-c9jPnvN08QSnSgWYfd4ZcaH90lVdjICdqWJYJO8M4NU=",
|
"narHash": "sha256-bn8G0GFn9+vS676MsqIkxF10qhV8XPCHjHvcmmim/GI=",
|
||||||
"ref": "master",
|
"ref": "master",
|
||||||
"rev": "1010f1c93bbdaabb483f831542445ec4f921ab9e",
|
"rev": "2459cea80e8c7df3d24bfd22337984e8e146ed5f",
|
||||||
"revCount": 1196,
|
"revCount": 1197,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://gitea.c3d2.de/zentralwerk/network.git"
|
"url": "https://gitea.c3d2.de/zentralwerk/network.git"
|
||||||
},
|
},
|
||||||
|
|
13
flake.nix
13
flake.nix
|
@ -431,6 +431,19 @@
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
bind = nixosSystem' {
|
||||||
|
modules = [
|
||||||
|
({ ... }: {
|
||||||
|
nixpkgs.overlays = with secrets.overlays; [
|
||||||
|
# bind
|
||||||
|
];
|
||||||
|
})
|
||||||
|
./lib/lxc-container.nix
|
||||||
|
./hosts/containers/bind
|
||||||
|
];
|
||||||
|
system = "x86_64-linux";
|
||||||
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
nixosModule = import ./lib;
|
nixosModule = import ./lib;
|
||||||
|
|
|
@ -116,6 +116,8 @@ rec {
|
||||||
ip6 = "2a00:8180:2c00:282:1024:5fff:febd:9be7";
|
ip6 = "2a00:8180:2c00:282:1024:5fff:febd:9be7";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
gitea.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8MmjiiRmiyUqRYs5a07m7qKDwxh2NwvS2h7pm2b+zx";
|
||||||
|
|
||||||
dacbert.ip4 = "dacbert.hq.c3d2.de";
|
dacbert.ip4 = "dacbert.hq.c3d2.de";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,174 @@
|
||||||
|
{ hostRegistry, config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
systemctl = "${pkgs.systemd}/bin/systemctl";
|
||||||
|
deployCommand = "${systemctl} start deploy-c3d2-dns";
|
||||||
|
reloadCommand = "${systemctl} reload bind";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
c3d2 = {
|
||||||
|
isInHq = false;
|
||||||
|
hq.statistics.enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.hostName = "bind";
|
||||||
|
networking.useNetworkd = true;
|
||||||
|
networking.interfaces.eth0.ipv4.addresses = [{
|
||||||
|
address = hostRegistry.hosts.${config.networking.hostName}.ip4;
|
||||||
|
prefixLength = 26;
|
||||||
|
}];
|
||||||
|
networking.defaultGateway = "172.20.73.1";
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
53
|
||||||
|
80 443
|
||||||
|
];
|
||||||
|
networking.firewall.allowedUDPPorts = [
|
||||||
|
53
|
||||||
|
];
|
||||||
|
|
||||||
|
services.bind = {
|
||||||
|
enable = true;
|
||||||
|
extraConfig = ''
|
||||||
|
include "${config.users.users.c3d2-dns.home}/c3d2-dns/zones.conf";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# Web server
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
virtualHosts = {
|
||||||
|
# hooks, logs
|
||||||
|
"bind.serv.zentralwerk.org" = {
|
||||||
|
default = true;
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Build user
|
||||||
|
users.groups.c3d2-dns = {};
|
||||||
|
users.users.c3d2-dns = {
|
||||||
|
isSystemUser = true;
|
||||||
|
group = "c3d2-dns";
|
||||||
|
home = "/var/lib/c3d2-dns";
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d ${config.users.users.c3d2-dns.home} 0755 c3d2-dns ${config.users.users.c3d2-dns.group} - -"
|
||||||
|
];
|
||||||
|
|
||||||
|
# Build script
|
||||||
|
systemd.services.deploy-c3d2-dns = let
|
||||||
|
# inherit (pkgs.bind-secrets) giteaToken sshPrivkey;
|
||||||
|
giteaToken = "8bcab04863519d239a0b42d4fd3c02dce144b0c0";
|
||||||
|
|
||||||
|
sshPrivkey = ''
|
||||||
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||||
|
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
||||||
|
QyNTUxOQAAACCbHM7kAahk7NZQ4bMwEVJv3d2RzLJB5Tdsgi6aaUEQYwAAAJDq6piE6uqY
|
||||||
|
hAAAAAtzc2gtZWQyNTUxOQAAACCbHM7kAahk7NZQ4bMwEVJv3d2RzLJB5Tdsgi6aaUEQYw
|
||||||
|
AAAEAs34c89xB1x4ZHPQywNuIIcbDqiuVtYWC9NhFwVQGo2JsczuQBqGTs1lDhszARUm/d
|
||||||
|
3ZHMskHlN2yCLpppQRBjAAAADXN0ZXBoYW5AYmxhemU=
|
||||||
|
-----END OPENSSH PRIVATE KEY-----
|
||||||
|
'';
|
||||||
|
in {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
before = [ "bind.service" ];
|
||||||
|
path = with pkgs; [ git nix curl ];
|
||||||
|
script = ''
|
||||||
|
mkdir -p .ssh
|
||||||
|
cp ${builtins.toFile "id_ed25519" sshPrivkey} .ssh/id_ed25519
|
||||||
|
echo "gitea.c3d2.de ${hostRegistry.hosts.gitea.publicKey}" > .ssh/known_hosts
|
||||||
|
chmod 0600 .ssh/id_ed25519
|
||||||
|
|
||||||
|
# Build at least once
|
||||||
|
touch deploy-pending
|
||||||
|
|
||||||
|
[ -d c3d2-dns ] || git clone --depth=1 gitea@gitea.c3d2.de:c3d2-admins/c3d2-dns.git
|
||||||
|
cd c3d2-dns
|
||||||
|
|
||||||
|
# Loop in case the webhook was called while we were building
|
||||||
|
while [ -e ../deploy-pending ]; do
|
||||||
|
rm ../deploy-pending
|
||||||
|
git checkout .
|
||||||
|
git pull
|
||||||
|
REV=$(git rev-parse HEAD)
|
||||||
|
|
||||||
|
set +e
|
||||||
|
curl -X POST \
|
||||||
|
"https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV?token=${giteaToken}" \
|
||||||
|
-H "accept: application/json" \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
-d "{ \"context\": \"c3d2-dns\", \"description\": \"reloading...\", \"state\": \"pending\"}"
|
||||||
|
|
||||||
|
for f in *.conf ; do
|
||||||
|
sed -e 's#/home/git/#${config.users.users.c3d2-dns.home}/#g' -i $f
|
||||||
|
done
|
||||||
|
/run/wrappers/bin/sudo systemctl reload bind
|
||||||
|
|
||||||
|
if [ $? = 0 ]; then
|
||||||
|
STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"deployed\", \"state\": \"success\"}"
|
||||||
|
else
|
||||||
|
STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"build failure\", \"state\": \"failure\"}"
|
||||||
|
fi
|
||||||
|
curl -X POST \
|
||||||
|
"https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV?token=${giteaToken}" \
|
||||||
|
-H "accept: application/json" \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
-d "$STATUS"
|
||||||
|
|
||||||
|
set -e
|
||||||
|
done
|
||||||
|
'';
|
||||||
|
serviceConfig = {
|
||||||
|
User = "c3d2-dns";
|
||||||
|
Group = config.users.users.c3d2-dns.group;
|
||||||
|
PrivateTmp = true;
|
||||||
|
ProtectSystem = "full";
|
||||||
|
ReadWritePaths = config.users.users.c3d2-dns.home;
|
||||||
|
WorkingDirectory = config.users.users.c3d2-dns.home;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.timers.deploy-c3d2-dns = {
|
||||||
|
partOf = [ "deploy-c3d2-dns.service" ];
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig.OnCalendar = "hourly";
|
||||||
|
};
|
||||||
|
|
||||||
|
security.sudo.extraRules = [ {
|
||||||
|
users = [ "c3d2-dns" ];
|
||||||
|
commands = [ {
|
||||||
|
command = deployCommand;
|
||||||
|
options = [ "NOPASSWD" ];
|
||||||
|
} {
|
||||||
|
command = reloadCommand;
|
||||||
|
options = [ "NOPASSWD" ];
|
||||||
|
} ];
|
||||||
|
} ];
|
||||||
|
|
||||||
|
systemd.services.webhook =
|
||||||
|
let
|
||||||
|
hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [ {
|
||||||
|
id = "deploy-c3d2-dns";
|
||||||
|
execute-command = pkgs.writeShellScript "deploy-c3d2-dns" ''
|
||||||
|
# Request (re-)deployment
|
||||||
|
touch ${config.users.users.c3d2-dns.home}/deploy-pending
|
||||||
|
|
||||||
|
# Start deploy-c3d2-dns.service if not already running
|
||||||
|
exec /run/wrappers/bin/sudo ${deployCommand}
|
||||||
|
'';
|
||||||
|
} ]);
|
||||||
|
in {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
ExecStart = "${pkgs.webhook}/bin/webhook -hooks ${hooksJson} -verbose -ip 127.0.0.1";
|
||||||
|
User = "c3d2-dns";
|
||||||
|
Group = config.users.users.c3d2-dns.group;
|
||||||
|
PrivateTmp = true;
|
||||||
|
ProtectSystem = "full";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
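Review bot: The new `hosts/containers/bind` module hard-codes a Gitea API token (`giteaToken = "…"`) and a complete OpenSSH private key (the `sshPrivkey` literal) in plaintext, while the line meant to supply them, `# inherit (pkgs.bind-secrets) giteaToken sshPrivkey;`, is commented out directly above. Both values are interpolated into the `deploy-c3d2-dns` service script and the key is materialised with `builtins.toFile "id_ed25519" sshPrivkey`, so they end up in the world-readable Nix store on the host (and in any binary cache) on top of being in repository history; the secrets overlay should be restored, `inherit (pkgs.bind-secrets) giteaToken sshPrivkey;`, with the literals deleted, and the token and key already committed treated as disclosed and rotated. A secondary point: the sudo rule allows `${systemctl} reload bind` by full store path, but the script runs `/run/wrappers/bin/sudo systemctl reload bind` with a bare `systemctl`, which sudo only accepts if it resolves to that same store path — presumably it does through the unit's PATH, but if not the reload fails silently under `set +e` and is reported as "build failure". Since `*.conf` from the pulled repository is included verbatim into `services.bind.extraConfig`, consider running `named-checkconf` before the reload so a bad push does not take the resolver down.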
2
secrets
2
secrets
|
@ -1 +1 @@
|
||||||
Subproject commit eecfed3c6287b9a3f5f0c9469a3f6975048b891a
|
Subproject commit 3b337a981efaca600fc268d31a553522a578d7dd
|