bind: init

This commit is contained in:
Astro 2021-10-15 02:07:50 +02:00
parent 14428dabcd
commit 79b2b259bc
5 changed files with 198 additions and 9 deletions


@ -127,11 +127,11 @@
},
"secrets": {
"locked": {
"lastModified": 1633479869,
"narHash": "sha256-HhpstvGfR0TyCCFVOGZVRAay+6dJ6d8EMMTx952xKQ0=",
"lastModified": 1634253091,
"narHash": "sha256-aEKQ8bzsK/0RwNXcBcch1J9M369C83QpzU7PWuaCW6w=",
"ref": "master",
"rev": "eecfed3c6287b9a3f5f0c9469a3f6975048b891a",
"revCount": 101,
"rev": "4b502a1f949417f0c9c9bba57837041cf6d06e9e",
"revCount": 102,
"type": "git",
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
},
@ -216,11 +216,11 @@
"zentralwerk-network-key": "zentralwerk-network-key"
},
"locked": {
"lastModified": 1633637325,
"narHash": "sha256-c9jPnvN08QSnSgWYfd4ZcaH90lVdjICdqWJYJO8M4NU=",
"lastModified": 1634222813,
"narHash": "sha256-bn8G0GFn9+vS676MsqIkxF10qhV8XPCHjHvcmmim/GI=",
"ref": "master",
"rev": "1010f1c93bbdaabb483f831542445ec4f921ab9e",
"revCount": 1196,
"rev": "2459cea80e8c7df3d24bfd22337984e8e146ed5f",
"revCount": 1197,
"type": "git",
"url": "https://gitea.c3d2.de/zentralwerk/network.git"
},


@ -431,6 +431,19 @@
system = "x86_64-linux";
};
bind = nixosSystem' {
modules = [
({ ... }: {
nixpkgs.overlays = with secrets.overlays; [
# bind
];
})
./lib/lxc-container.nix
./hosts/containers/bind
];
system = "x86_64-linux";
};
};
nixosModule = import ./lib;
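Review bot: The overlay list added for the `bind` system is effectively empty — its only entry, `# bind`, is commented out — so `with secrets.overlays;` applies nothing, and the host module in hosts/containers/bind falls back to literal credentials (its own `# inherit (pkgs.bind-secrets) …` line is likewise commented out). If `secrets.overlays.bind` already exists, enable it with `nixpkgs.overlays = with secrets.overlays; [ bind ];`; if it does not yet, a comment such as `# TODO: enable once secrets.overlays.bind exists — until then the overlay provides no credentials` would make the gap visible instead of silent. Bear in mind that anything an overlay exposes as a Nix string still ends up in the world-readable Nix store, so the overlay should hand the host out-of-store file paths rather than key material. The attribute set enclosing the `bind = nixosSystem' { … }` entry starts before this hunk.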


@ -116,6 +116,8 @@ rec {
ip6 = "2a00:8180:2c00:282:1024:5fff:febd:9be7";
};
gitea.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8MmjiiRmiyUqRYs5a07m7qKDwxh2NwvS2h7pm2b+zx";
dacbert.ip4 = "dacbert.hq.c3d2.de";
};


@ -0,0 +1,174 @@
{ hostRegistry, config, pkgs, ... }:
let
systemctl = "${pkgs.systemd}/bin/systemctl";
deployCommand = "${systemctl} start deploy-c3d2-dns";
reloadCommand = "${systemctl} reload bind";
in
{
c3d2 = {
isInHq = false;
hq.statistics.enable = true;
};
networking.hostName = "bind";
networking.useNetworkd = true;
networking.interfaces.eth0.ipv4.addresses = [{
address = hostRegistry.hosts.${config.networking.hostName}.ip4;
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1";
networking.firewall.allowedTCPPorts = [
53
80 443
];
networking.firewall.allowedUDPPorts = [
53
];
services.bind = {
enable = true;
extraConfig = ''
include "${config.users.users.c3d2-dns.home}/c3d2-dns/zones.conf";
'';
};
# Web server
services.nginx = {
enable = true;
virtualHosts = {
# hooks, logs
"bind.serv.zentralwerk.org" = {
default = true;
enableACME = true;
forceSSL = true;
locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
};
};
};
# Build user
users.groups.c3d2-dns = {};
users.users.c3d2-dns = {
isSystemUser = true;
group = "c3d2-dns";
home = "/var/lib/c3d2-dns";
};
systemd.tmpfiles.rules = [
"d ${config.users.users.c3d2-dns.home} 0755 c3d2-dns ${config.users.users.c3d2-dns.group} - -"
];
# Build script
systemd.services.deploy-c3d2-dns = let
# inherit (pkgs.bind-secrets) giteaToken sshPrivkey;
giteaToken = "8bcab04863519d239a0b42d4fd3c02dce144b0c0";
sshPrivkey = ''
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCbHM7kAahk7NZQ4bMwEVJv3d2RzLJB5Tdsgi6aaUEQYwAAAJDq6piE6uqY
hAAAAAtzc2gtZWQyNTUxOQAAACCbHM7kAahk7NZQ4bMwEVJv3d2RzLJB5Tdsgi6aaUEQYw
AAAEAs34c89xB1x4ZHPQywNuIIcbDqiuVtYWC9NhFwVQGo2JsczuQBqGTs1lDhszARUm/d
3ZHMskHlN2yCLpppQRBjAAAADXN0ZXBoYW5AYmxhemU=
-----END OPENSSH PRIVATE KEY-----
'';
in {
wantedBy = [ "multi-user.target" ];
before = [ "bind.service" ];
path = with pkgs; [ git nix curl ];
script = ''
mkdir -p .ssh
cp ${builtins.toFile "id_ed25519" sshPrivkey} .ssh/id_ed25519
echo "gitea.c3d2.de ${hostRegistry.hosts.gitea.publicKey}" > .ssh/known_hosts
chmod 0600 .ssh/id_ed25519
# Build at least once
touch deploy-pending
[ -d c3d2-dns ] || git clone --depth=1 gitea@gitea.c3d2.de:c3d2-admins/c3d2-dns.git
cd c3d2-dns
# Loop in case the webhook was called while we were building
while [ -e ../deploy-pending ]; do
rm ../deploy-pending
git checkout .
git pull
REV=$(git rev-parse HEAD)
set +e
curl -X POST \
"https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV?token=${giteaToken}" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "{ \"context\": \"c3d2-dns\", \"description\": \"reloading...\", \"state\": \"pending\"}"
for f in *.conf ; do
sed -e 's#/home/git/#${config.users.users.c3d2-dns.home}/#g' -i $f
done
/run/wrappers/bin/sudo systemctl reload bind
if [ $? = 0 ]; then
STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"deployed\", \"state\": \"success\"}"
else
STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"build failure\", \"state\": \"failure\"}"
fi
curl -X POST \
"https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV?token=${giteaToken}" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "$STATUS"
set -e
done
'';
serviceConfig = {
User = "c3d2-dns";
Group = config.users.users.c3d2-dns.group;
PrivateTmp = true;
ProtectSystem = "full";
ReadWritePaths = config.users.users.c3d2-dns.home;
WorkingDirectory = config.users.users.c3d2-dns.home;
};
};
systemd.timers.deploy-c3d2-dns = {
partOf = [ "deploy-c3d2-dns.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "hourly";
};
security.sudo.extraRules = [ {
users = [ "c3d2-dns" ];
commands = [ {
command = deployCommand;
options = [ "NOPASSWD" ];
} {
command = reloadCommand;
options = [ "NOPASSWD" ];
} ];
} ];
systemd.services.webhook =
let
hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [ {
id = "deploy-c3d2-dns";
execute-command = pkgs.writeShellScript "deploy-c3d2-dns" ''
# Request (re-)deployment
touch ${config.users.users.c3d2-dns.home}/deploy-pending
# Start deploy-c3d2-dns.service if not already running
exec /run/wrappers/bin/sudo ${deployCommand}
'';
} ]);
in {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.webhook}/bin/webhook -hooks ${hooksJson} -verbose -ip 127.0.0.1";
User = "c3d2-dns";
Group = config.users.users.c3d2-dns.group;
PrivateTmp = true;
ProtectSystem = "full";
};
};
}
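Review bot: A Gitea API token and an unencrypted ed25519 private key are committed as literals (`giteaToken = "8bca…"`, `sshPrivkey = ''-----BEGIN OPENSSH PRIVATE KEY-----…''`), and `builtins.toFile "id_ed25519" sshPrivkey` together with the `${giteaToken}` interpolation into `script` copy both into /nix/store, which is world-readable on every machine that evaluates or receives this closure — the later `chmod 0600` only protects the working copy, not the store source, and the token in the URL query string is additionally visible in process listings. Both credentials should be rotated now that they are in git history, and the service should read them from files provisioned out-of-band into the c3d2-dns home (owner c3d2-dns, mode 0600); the commented-out `inherit (pkgs.bind-secrets) …` would not fix this if that overlay yields plain Nix strings, since those land in the store as well. Sending the token as `-H "Authorization: token $GITEA_TOKEN"` keeps it out of the URL in both curl calls. Separately, the `deploy-c3d2-dns` hook in `hooks.json` has no `trigger-rule`, so any client that reaches `/hooks/` on the public vhost can trigger a pull and `bind` reload; a shared-secret `trigger-rule` matched against the Gitea webhook payload would restrict that to the intended caller.

```nix
systemd.services.deploy-c3d2-dns = let
  # Secrets are provisioned out-of-band into the service home (owner c3d2-dns,
  # mode 0600). Never put them in a Nix string or overlay: that copies them
  # into the world-readable /nix/store.
  home = config.users.users.c3d2-dns.home;
  giteaTokenFile = "${home}/gitea-token";
  sshPrivkeyFile = "${home}/.ssh/id_ed25519";
in {
  # … unchanged: wantedBy, before, path …
  script = ''
    for f in ${giteaTokenFile} ${sshPrivkeyFile}; do
      [ -r "$f" ] || { echo "missing credential file $f" >&2; exit 1; }
    done
    GITEA_TOKEN=$(cat ${giteaTokenFile})
    mkdir -p .ssh
    echo "gitea.c3d2.de ${hostRegistry.hosts.gitea.publicKey}" > .ssh/known_hosts
    # … unchanged: deploy-pending / clone / pull loop …
    curl -X POST \
      "https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV" \
      -H "Authorization: token $GITEA_TOKEN" \
      -H "accept: application/json" \
      -H "Content-Type: application/json" \
      -d "$STATUS"
    # … unchanged: remainder of loop (same header change on the "pending" curl) …
  '';
```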

@ -1 +1 @@
Subproject commit eecfed3c6287b9a3f5f0c9469a3f6975048b891a
Subproject commit 3b337a981efaca600fc268d31a553522a578d7dd