bind: doc, refactor, fix
This commit is contained in:
parent
29aa88ebca
commit
06948797be
|
@ -3,6 +3,7 @@ let
|
|||
systemctl = "${pkgs.systemd}/bin/systemctl";
|
||||
deployCommand = "${systemctl} start deploy-c3d2-dns";
|
||||
reloadCommand = "${systemctl} reload bind";
|
||||
restartCommand = "${systemctl} restart bind";
|
||||
in
|
||||
{
|
||||
c3d2 = {
|
||||
|
@ -19,13 +20,17 @@ in
|
|||
networking.defaultGateway = "172.20.73.1";
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
# DNS
|
||||
53
|
||||
# HTTP(s)
|
||||
80 443
|
||||
];
|
||||
networking.firewall.allowedUDPPorts = [
|
||||
# DNS
|
||||
53
|
||||
];
|
||||
|
||||
# DNS server
|
||||
services.bind = {
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
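Review bot: Port 53 is opened for every peer on both TCP and UDP, but the `services.bind.extraConfig` that decides whether this host answers recursive queries begins on the hunk's last line and continues outside it, so I cannot confirm recursion is disabled. An authoritative server reachable from the Internet should carry `recursion no;` (or an `allow-recursion` list limited to the local 172.20.x networks if they need it) — without that it is an open resolver usable for amplification. A comment above the port list stating the intent would make the exposure explicit, e.g. `# 53/tcp+udp: authoritative zones served publicly; recursion is restricted in extraConfig`.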
|
@ -37,6 +42,14 @@ in
|
|||
};
|
||||
'';
|
||||
};
|
||||
systemd.services.bind = {
|
||||
serviceConfig = {
|
||||
Restart = "always";
|
||||
RestartSec = "1s";
|
||||
};
|
||||
};
|
||||
|
||||
# BIND statistics in Grafana
|
||||
services.collectd.plugins.bind = ''
|
||||
URL "http://127.0.0.1:8053/";
|
||||
ParseTime false
|
||||
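Review bot: `Restart = "always"` combined with `RestartSec = "1s"` on the bind unit will, on a persistent failure such as a zone file that no longer parses, hit systemd's start rate limit (five starts within ten seconds by default unless the unit changes it — confirm against the NixOS defaults) and leave named stopped with the unit in a failed state, which is the opposite of what the setting is presumably meant to achieve. Either relax the limit with `unitConfig.StartLimitIntervalSec = 0;` or raise `RestartSec` to something like `"10s"` so a restart loop cannot exhaust the burst, and document the choice: `# restart on crash; RestartSec kept above the start-limit window so a bad config does not wedge the unit`. Note also that `Restart=always` will mask a config error introduced by a deploy until someone looks at the journal, so pairing it with a `named-checkconf` in the deploy script is worth considering.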
|
@ -48,20 +61,6 @@ in
|
|||
MemoryStats true
|
||||
'';
|
||||
|
||||
# Web server
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
# hooks, logs
|
||||
"bind.serv.zentralwerk.org" = {
|
||||
default = true;
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Build user
|
||||
users.groups.c3d2-dns = {};
|
||||
users.users.c3d2-dns = {
|
||||
|
@ -108,15 +107,25 @@ in
|
|||
-H "Content-Type: application/json" \
|
||||
-d "{ \"context\": \"c3d2-dns\", \"description\": \"reloading...\", \"state\": \"pending\"}"
|
||||
|
||||
# Fix legacy paths (TODO)
|
||||
for f in *.conf ; do
|
||||
sed -e 's#/home/git/#${config.users.users.c3d2-dns.home}/#g' -i $f
|
||||
done
|
||||
/run/wrappers/bin/sudo systemctl reload bind
|
||||
# Allow creation of .jnl files by BIND for DynDNS
|
||||
chmod a+w zones
|
||||
# Take action
|
||||
if systemctl is-active -q bind; then
|
||||
/run/wrappers/bin/sudo ${reloadCommand}
|
||||
MSG=reload
|
||||
else
|
||||
/run/wrappers/bin/sudo ${restartCommand}
|
||||
MSG=restart
|
||||
fi
|
||||
|
||||
if [ $? = 0 ]; then
|
||||
STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"deployed\", \"state\": \"success\"}"
|
||||
STATUS="{ \"context\": \"c3d2-dns\", \"description\": \""$MSG"ed\", \"state\": \"success\"}"
|
||||
else
|
||||
STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"build failure\", \"state\": \"failure\"}"
|
||||
STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"$MSG failure\", \"state\": \"failure\"}"
|
||||
fi
|
||||
curl -X POST \
|
||||
"https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV?token=${giteaToken}" \
|
||||
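Review bot: The `if [ $? = 0 ]` following the new `if/else` never sees the exit status of the privileged call: the last command executed in each branch is the assignment `MSG=reload` / `MSG=restart`, which always succeeds, so the Gitea status is reported as `reloaded` even when `systemctl reload bind` failed. Move the assignment above the sudo call in each branch (`MSG=reload` then `/run/wrappers/bin/sudo ${reloadCommand}`, and likewise for restart), or capture the result right after each sudo line with `RC=$?` and test `"$RC"`. Separately, `chmod a+w zones` makes the zone directory writable by every local account on the DNS server — including the nginx and webhook service users — so anyone who can execute code on the box can replace zone data; granting write access only to BIND's group (on NixOS presumably `named`, to be confirmed, which may require adding the build user to that group) via `chgrp named zones && chmod g+w zones` is the least-privilege alternative. The deploy script these lines belong to starts and ends outside the hunk.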
|
@ -137,12 +146,7 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
systemd.timers.deploy-c3d2-dns = {
|
||||
partOf = [ "deploy-c3d2-dns.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "hourly";
|
||||
};
|
||||
|
||||
# Privileged commands triggered by webhook/deploy-c3d2-dns
|
||||
security.sudo.extraRules = [ {
|
||||
users = [ "c3d2-dns" ];
|
||||
commands = [ {
|
||||
|
@ -151,9 +155,27 @@ in
|
|||
} {
|
||||
command = reloadCommand;
|
||||
options = [ "NOPASSWD" ];
|
||||
} {
|
||||
command = restartCommand;
|
||||
options = [ "NOPASSWD" ];
|
||||
} ];
|
||||
} ];
|
||||
|
||||
# Web server just for the webhook
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
# hooks, logs
|
||||
"bind.serv.zentralwerk.org" = {
|
||||
default = true;
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Webhook service
|
||||
systemd.services.webhook =
|
||||
let
|
||||
hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [ {
|
||||
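Review bot: The nginx vhost proxies `/hooks/` from the public Internet (80/443 are opened earlier in this change) to the webhook on port 9000, and that webhook is what ends up invoking the NOPASSWD sudo rules for `systemctl reload bind` / `restart bind` added just above, so the HTTP endpoint is the only barrier between an anonymous request and a privileged service action. The `hooks.json` that would carry a `trigger-rule` with a shared secret or signature check begins on the hunk's last line and continues outside it, so I cannot confirm one is present; if it is, say so above the vhost, e.g. `# /hooks/ is reachable publicly; requests are authenticated by the trigger-rule in hooks.json`. If the caller is always the Gitea instance, an `allow <gitea-ip>; deny all;` inside `locations."/hooks/"` would add a second layer that does not depend on the webhook configuration being correct.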
|
|