bind: doc, refactor, fix

2021-10-18 04:04:40 +02:00 · 2021-10-18 04:04:40 +02:00 · 06948797be
parent 29aa88ebca
commit 06948797be
1 changed files with 45 additions and 23 deletions
--- a/hosts/containers/bind/default.nix
+++ b/hosts/containers/bind/default.nix
@ -3,6 +3,7 @@ let
  systemctl = "${pkgs.systemd}/bin/systemctl";
  deployCommand = "${systemctl} start deploy-c3d2-dns";
  reloadCommand = "${systemctl} reload bind";
+  restartCommand = "${systemctl} restart bind";
 in
 {
  c3d2 = {
@ -19,13 +20,17 @@ in
  networking.defaultGateway = "172.20.73.1";

  networking.firewall.allowedTCPPorts = [
+    # DNS
    53
+    # HTTP(s)
    80 443
  ];
  networking.firewall.allowedUDPPorts = [
+    # DNS
    53
  ];

+  # DNS server
  services.bind = {
    enable = true;
    extraConfig = ''
@ -37,6 +42,14 @@ in
      };
    '';
  };
+  systemd.services.bind = {
+    serviceConfig = {
+      Restart = "always";
+      RestartSec = "1s";
+    };
+  };
+
+  # BIND statistics in Grafana
  services.collectd.plugins.bind = ''
    URL "http://127.0.0.1:8053/";
    ParseTime       false
@ -48,20 +61,6 @@ in
    MemoryStats     true
  '';

-  # Web server
-  services.nginx = {
-    enable = true;
-    virtualHosts = {
-      # hooks, logs
-      "bind.serv.zentralwerk.org" = {
-        default = true;
-        enableACME = true;
-        forceSSL = true;
-        locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
-      };
-    };
-  };
-
  # Build user
  users.groups.c3d2-dns = {};
  users.users.c3d2-dns = {
@ -108,15 +107,25 @@ in
          -H "Content-Type: application/json" \
          -d "{ \"context\": \"c3d2-dns\", \"description\": \"reloading...\", \"state\": \"pending\"}"

+        # Fix legacy paths (TODO)
        for f in *.conf ; do
          sed -e 's#/home/git/#${config.users.users.c3d2-dns.home}/#g' -i $f
        done
-        /run/wrappers/bin/sudo systemctl reload bind
+        # Allow creation of .jnl files by BIND for DynDNS
+        chmod a+w zones
+        # Take action
+        if systemctl is-active -q bind; then
+          /run/wrappers/bin/sudo ${reloadCommand}
+          MSG=reload
+        else
+          /run/wrappers/bin/sudo ${restartCommand}
+          MSG=restart
+        fi

        if [ $? = 0 ]; then
-          STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"deployed\", \"state\": \"success\"}"
+          STATUS="{ \"context\": \"c3d2-dns\", \"description\": \""$MSG"ed\", \"state\": \"success\"}"
        else
-          STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"build failure\", \"state\": \"failure\"}"
+          STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"$MSG failure\", \"state\": \"failure\"}"
        fi
        curl -X POST \
          "https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV?token=${giteaToken}" \
@ -137,12 +146,7 @@ in
    };
  };

-  systemd.timers.deploy-c3d2-dns = {
-    partOf = [ "deploy-c3d2-dns.service" ];
-    wantedBy = [ "timers.target" ];
-    timerConfig.OnCalendar = "hourly";
-  };
-
+  # Privileged commands triggered by webhook/deploy-c3d2-dns
  security.sudo.extraRules = [ {
    users = [ "c3d2-dns" ];
    commands = [ {
@ -151,9 +155,27 @@ in
    } {
      command = reloadCommand;
      options = [ "NOPASSWD" ];
+    } {
+      command = restartCommand;
+      options = [ "NOPASSWD" ];
    } ];
  } ];

+  # Web server just for the webhook
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      # hooks, logs
+      "bind.serv.zentralwerk.org" = {
+        default = true;
+        enableACME = true;
+        forceSSL = true;
+        locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
+      };
+    };
+  };
+
+  # Webhook service
  systemd.services.webhook =
    let
      hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [ {