bind: doc, refactor, fix
This commit is contained in:
parent
29aa88ebca
commit
06948797be
|
@ -3,6 +3,7 @@ let
|
||||||
systemctl = "${pkgs.systemd}/bin/systemctl";
|
systemctl = "${pkgs.systemd}/bin/systemctl";
|
||||||
deployCommand = "${systemctl} start deploy-c3d2-dns";
|
deployCommand = "${systemctl} start deploy-c3d2-dns";
|
||||||
reloadCommand = "${systemctl} reload bind";
|
reloadCommand = "${systemctl} reload bind";
|
||||||
|
restartCommand = "${systemctl} restart bind";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
c3d2 = {
|
c3d2 = {
|
||||||
|
@ -19,13 +20,17 @@ in
|
||||||
networking.defaultGateway = "172.20.73.1";
|
networking.defaultGateway = "172.20.73.1";
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
# DNS
|
||||||
53
|
53
|
||||||
|
# HTTP(s)
|
||||||
80 443
|
80 443
|
||||||
];
|
];
|
||||||
networking.firewall.allowedUDPPorts = [
|
networking.firewall.allowedUDPPorts = [
|
||||||
|
# DNS
|
||||||
53
|
53
|
||||||
];
|
];
|
||||||
|
|
||||||
|
# DNS server
|
||||||
services.bind = {
|
services.bind = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
@ -37,6 +42,14 @@ in
|
||||||
};
|
};
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
systemd.services.bind = {
|
||||||
|
serviceConfig = {
|
||||||
|
Restart = "always";
|
||||||
|
RestartSec = "1s";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# BIND statistics in Grafana
|
||||||
services.collectd.plugins.bind = ''
|
services.collectd.plugins.bind = ''
|
||||||
URL "http://127.0.0.1:8053/";
|
URL "http://127.0.0.1:8053/";
|
||||||
ParseTime false
|
ParseTime false
|
||||||
|
@ -48,20 +61,6 @@ in
|
||||||
MemoryStats true
|
MemoryStats true
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# Web server
|
|
||||||
services.nginx = {
|
|
||||||
enable = true;
|
|
||||||
virtualHosts = {
|
|
||||||
# hooks, logs
|
|
||||||
"bind.serv.zentralwerk.org" = {
|
|
||||||
default = true;
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# Build user
|
# Build user
|
||||||
users.groups.c3d2-dns = {};
|
users.groups.c3d2-dns = {};
|
||||||
users.users.c3d2-dns = {
|
users.users.c3d2-dns = {
|
||||||
|
@ -108,15 +107,25 @@ in
|
||||||
-H "Content-Type: application/json" \
|
-H "Content-Type: application/json" \
|
||||||
-d "{ \"context\": \"c3d2-dns\", \"description\": \"reloading...\", \"state\": \"pending\"}"
|
-d "{ \"context\": \"c3d2-dns\", \"description\": \"reloading...\", \"state\": \"pending\"}"
|
||||||
|
|
||||||
|
# Fix legacy paths (TODO)
|
||||||
for f in *.conf ; do
|
for f in *.conf ; do
|
||||||
sed -e 's#/home/git/#${config.users.users.c3d2-dns.home}/#g' -i $f
|
sed -e 's#/home/git/#${config.users.users.c3d2-dns.home}/#g' -i $f
|
||||||
done
|
done
|
||||||
/run/wrappers/bin/sudo systemctl reload bind
|
# Allow creation of .jnl files by BIND for DynDNS
|
||||||
|
chmod a+w zones
|
||||||
|
# Take action
|
||||||
|
if systemctl is-active -q bind; then
|
||||||
|
/run/wrappers/bin/sudo ${reloadCommand}
|
||||||
|
MSG=reload
|
||||||
|
else
|
||||||
|
/run/wrappers/bin/sudo ${restartCommand}
|
||||||
|
MSG=restart
|
||||||
|
fi
|
||||||
|
|
||||||
if [ $? = 0 ]; then
|
if [ $? = 0 ]; then
|
||||||
STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"deployed\", \"state\": \"success\"}"
|
STATUS="{ \"context\": \"c3d2-dns\", \"description\": \""$MSG"ed\", \"state\": \"success\"}"
|
||||||
else
|
else
|
||||||
STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"build failure\", \"state\": \"failure\"}"
|
STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"$MSG failure\", \"state\": \"failure\"}"
|
||||||
fi
|
fi
|
||||||
curl -X POST \
|
curl -X POST \
|
||||||
"https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV?token=${giteaToken}" \
|
"https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV?token=${giteaToken}" \
|
||||||
|
@ -137,12 +146,7 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.timers.deploy-c3d2-dns = {
|
# Privileged commands triggered by webhook/deploy-c3d2-dns
|
||||||
partOf = [ "deploy-c3d2-dns.service" ];
|
|
||||||
wantedBy = [ "timers.target" ];
|
|
||||||
timerConfig.OnCalendar = "hourly";
|
|
||||||
};
|
|
||||||
|
|
||||||
security.sudo.extraRules = [ {
|
security.sudo.extraRules = [ {
|
||||||
users = [ "c3d2-dns" ];
|
users = [ "c3d2-dns" ];
|
||||||
commands = [ {
|
commands = [ {
|
||||||
|
@ -151,9 +155,27 @@ in
|
||||||
} {
|
} {
|
||||||
command = reloadCommand;
|
command = reloadCommand;
|
||||||
options = [ "NOPASSWD" ];
|
options = [ "NOPASSWD" ];
|
||||||
|
} {
|
||||||
|
command = restartCommand;
|
||||||
|
options = [ "NOPASSWD" ];
|
||||||
} ];
|
} ];
|
||||||
} ];
|
} ];
|
||||||
|
|
||||||
|
# Web server just for the webhook
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
virtualHosts = {
|
||||||
|
# hooks, logs
|
||||||
|
"bind.serv.zentralwerk.org" = {
|
||||||
|
default = true;
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Webhook service
|
||||||
systemd.services.webhook =
|
systemd.services.webhook =
|
||||||
let
|
let
|
||||||
hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [ {
|
hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [ {
|
||||||
|
|
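Review bot: In the `@ -108,15 +107,25 @@` hunk, the existing `if [ $? = 0 ]; then` test no longer observes the exit status of the privileged reload/restart, because the last command executed in each branch of the new `if systemctl is-active -q bind; then … fi` block is the `MSG=reload` / `MSG=restart` assignment, which always exits 0; a failed `systemctl reload`/`restart` would therefore be posted to Gitea as a success (unless `set -e` is active earlier in this script, whose start lies outside the hunk). Moving the assignments above the calls — `MSG=reload` before `/run/wrappers/bin/sudo ${reloadCommand}` and `MSG=restart` before `/run/wrappers/bin/sudo ${restartCommand}` — makes `$?` after `fi` the status of the systemctl invocation again. The added `chmod a+w zones` makes the zone directory writable by every local account rather than only by BIND, so any local user could alter zone data or journals; granting write access to the group the BIND service runs as (`named` in the NixOS module, to be confirmed against this config) via `chgrp named zones && chmod g+w zones`, or an ACL entry for that user, gives the same DynDNS `.jnl` capability without a world-writable directory. A one-line comment explaining why the `$MSG` branches and the directory permission are needed would also help the next maintainer, since the deploy script is assembled from Nix interpolations (`${reloadCommand}`, `${restartCommand}`) and bash variables side by side.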