From 79b2b259bc823cb5c10d5ac2e74e6e1405e6be31 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 15 Oct 2021 02:07:50 +0200 Subject: [PATCH] bind: init --- flake.lock | 16 +-- flake.nix | 13 +++ host-registry.nix | 2 + hosts/containers/bind/default.nix | 174 ++++++++++++++++++++++++++++++ secrets | 2 +- 5 files changed, 198 insertions(+), 9 deletions(-) create mode 100644 hosts/containers/bind/default.nix diff --git a/flake.lock b/flake.lock index 6de4dd50..4adc85d2 100644 --- a/flake.lock +++ b/flake.lock @@ -127,11 +127,11 @@ }, "secrets": { "locked": { - "lastModified": 1633479869, - "narHash": "sha256-HhpstvGfR0TyCCFVOGZVRAay+6dJ6d8EMMTx952xKQ0=", + "lastModified": 1634253091, + "narHash": "sha256-aEKQ8bzsK/0RwNXcBcch1J9M369C83QpzU7PWuaCW6w=", "ref": "master", - "rev": "eecfed3c6287b9a3f5f0c9469a3f6975048b891a", - "revCount": 101, + "rev": "4b502a1f949417f0c9c9bba57837041cf6d06e9e", + "revCount": 102, "type": "git", "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git" }, @@ -216,11 +216,11 @@ "zentralwerk-network-key": "zentralwerk-network-key" }, "locked": { - "lastModified": 1633637325, - "narHash": "sha256-c9jPnvN08QSnSgWYfd4ZcaH90lVdjICdqWJYJO8M4NU=", + "lastModified": 1634222813, + "narHash": "sha256-bn8G0GFn9+vS676MsqIkxF10qhV8XPCHjHvcmmim/GI=", "ref": "master", - "rev": "1010f1c93bbdaabb483f831542445ec4f921ab9e", - "revCount": 1196, + "rev": "2459cea80e8c7df3d24bfd22337984e8e146ed5f", + "revCount": 1197, "type": "git", "url": "https://gitea.c3d2.de/zentralwerk/network.git" }, diff --git a/flake.nix b/flake.nix index 5a51e629..fde684e8 100644 --- a/flake.nix +++ b/flake.nix @@ -431,6 +431,19 @@ system = "x86_64-linux"; }; + bind = nixosSystem' { + modules = [ + ({ ... }: { + nixpkgs.overlays = with secrets.overlays; [ + # bind + ]; + }) + ./lib/lxc-container.nix + ./hosts/containers/bind + ]; + system = "x86_64-linux"; + }; + }; nixosModule = import ./lib; diff --git a/host-registry.nix b/host-registry.nix index 7b5e1ff3..13aa1f02 100644 
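Review bot: The overlay list for the new `bind` system is empty apart from a `# bind` placeholder, so `pkgs.bind-secrets` — which the new hosts/containers/bind/default.nix references only in a commented-out `inherit` — is never brought into scope, and that appears to be why the Gitea token and SSH private key are inlined there instead. If the secrets flake (bumped in this same commit) exposes an overlay for this host, wire it here, e.g. `nixpkgs.overlays = with secrets.overlays; [ bind ];` assuming that is its name; otherwise drop the placeholder so the intent is not left ambiguous. The enclosing `nixosConfigurations` attribute set starts outside the hunk.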
--- a/host-registry.nix +++ b/host-registry.nix @@ -116,6 +116,8 @@ rec { ip6 = "2a00:8180:2c00:282:1024:5fff:febd:9be7"; }; + gitea.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8MmjiiRmiyUqRYs5a07m7qKDwxh2NwvS2h7pm2b+zx"; + dacbert.ip4 = "dacbert.hq.c3d2.de"; }; diff --git a/hosts/containers/bind/default.nix b/hosts/containers/bind/default.nix new file mode 100644 index 00000000..50b6f969 --- /dev/null +++ b/hosts/containers/bind/default.nix 
@@ -0,0 +1,174 @@
+{ hostRegistry, config, pkgs, ... }:
+let
+ systemctl = "${pkgs.systemd}/bin/systemctl";
+ deployCommand = "${systemctl} start deploy-c3d2-dns";
+ reloadCommand = "${systemctl} reload bind";
+in
+{
+ c3d2 = {
+ isInHq = false;
+ hq.statistics.enable = true;
+ };
+
+ networking.hostName = "bind";
+ networking.useNetworkd = true;
+ networking.interfaces.eth0.ipv4.addresses = [{
+ address = hostRegistry.hosts.${config.networking.hostName}.ip4;
+ prefixLength = 26;
+ }];
+ networking.defaultGateway = "172.20.73.1";
+
+ networking.firewall.allowedTCPPorts = [
+ 53
+ 80 443
+ ];
+ networking.firewall.allowedUDPPorts = [
+ 53
+ ];
+
+ services.bind = {
+ enable = true;
+ extraConfig = ''
+ include "${config.users.users.c3d2-dns.home}/c3d2-dns/zones.conf";
+ '';
+ };
+
+ # Web server
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ # hooks, logs
+ "bind.serv.zentralwerk.org" = {
+ default = true;
+ enableACME = true;
+ forceSSL = true;
+ locations."/hooks/".proxyPass = "http://localhost:9000/hooks/";
+ };
+ };
+ };
+
+ # Build user
+ users.groups.c3d2-dns = {};
+ users.users.c3d2-dns = {
+ isSystemUser = true;
+ group = "c3d2-dns";
+ home = "/var/lib/c3d2-dns";
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${config.users.users.c3d2-dns.home} 0755 c3d2-dns ${config.users.users.c3d2-dns.group} - -"
+ ];
+
+ # Build script
+ systemd.services.deploy-c3d2-dns = let
+ # inherit (pkgs.bind-secrets) giteaToken sshPrivkey;
+ giteaToken = "8bcab04863519d239a0b42d4fd3c02dce144b0c0";
+
+ sshPrivkey = ''
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+ QyNTUxOQAAACCbHM7kAahk7NZQ4bMwEVJv3d2RzLJB5Tdsgi6aaUEQYwAAAJDq6piE6uqY
+ hAAAAAtzc2gtZWQyNTUxOQAAACCbHM7kAahk7NZQ4bMwEVJv3d2RzLJB5Tdsgi6aaUEQYw
+ AAAEAs34c89xB1x4ZHPQywNuIIcbDqiuVtYWC9NhFwVQGo2JsczuQBqGTs1lDhszARUm/d
+ 3ZHMskHlN2yCLpppQRBjAAAADXN0ZXBoYW5AYmxhemU=
+ -----END OPENSSH PRIVATE KEY-----
+ '';
+ in {
+ wantedBy = [ "multi-user.target" ];
+ before = [ "bind.service" ];
+ path = with pkgs; [ git nix curl ];
+ script = ''
+ mkdir -p .ssh
+ cp ${builtins.toFile "id_ed25519" sshPrivkey} .ssh/id_ed25519
+ echo "gitea.c3d2.de ${hostRegistry.hosts.gitea.publicKey}" > .ssh/known_hosts
+ chmod 0600 .ssh/id_ed25519
+
+ # Build at least once
+ touch deploy-pending
+
+ [ -d c3d2-dns ] || git clone --depth=1 gitea@gitea.c3d2.de:c3d2-admins/c3d2-dns.git
+ cd c3d2-dns
+
+ # Loop in case the webhook was called while we were building
+ while [ -e ../deploy-pending ]; do
+ rm ../deploy-pending
+ git checkout .
+ git pull
+ REV=$(git rev-parse HEAD)
+
+ set +e
+ curl -X POST \
+ "https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV?token=${giteaToken}" \
+ -H "accept: application/json" \
+ -H "Content-Type: application/json" \
+ -d "{ \"context\": \"c3d2-dns\", \"description\": \"reloading...\", \"state\": \"pending\"}"
+
+ for f in *.conf ; do
+ sed -e 's#/home/git/#${config.users.users.c3d2-dns.home}/#g' -i $f
+ done
+ /run/wrappers/bin/sudo systemctl reload bind
+
+ if [ $? = 0 ]; then
+ STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"deployed\", \"state\": \"success\"}"
+ else
+ STATUS="{ \"context\": \"c3d2-dns\", \"description\": \"build failure\", \"state\": \"failure\"}"
+ fi
+ curl -X POST \
+ "https://gitea.c3d2.de/api/v1/repos/c3d2-admins/c3d2-dns/statuses/$REV?token=${giteaToken}" \
+ -H "accept: application/json" \
+ -H "Content-Type: application/json" \
+ -d "$STATUS"
+
+ set -e
+ done
+ '';
+ serviceConfig = {
+ User = "c3d2-dns";
+ Group = config.users.users.c3d2-dns.group;
+ PrivateTmp = true;
+ ProtectSystem = "full";
+ ReadWritePaths = config.users.users.c3d2-dns.home;
+ WorkingDirectory = config.users.users.c3d2-dns.home;
+ };
+ };
+
+ systemd.timers.deploy-c3d2-dns = {
+ partOf = [ "deploy-c3d2-dns.service" ];
+ wantedBy = [ "timers.target" ];
+ timerConfig.OnCalendar = "hourly";
+ };
+
+ security.sudo.extraRules = [ {
+ users = [ "c3d2-dns" ];
+ commands = [ {
+ command = deployCommand;
+ options = [ "NOPASSWD" ];
+ } {
+ command = reloadCommand;
+ options = [ "NOPASSWD" ];
+ } ];
+ } ];
+
+ systemd.services.webhook =
+ let
+ hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [ {
+ id = "deploy-c3d2-dns";
+ execute-command = pkgs.writeShellScript "deploy-c3d2-dns" ''
+ # Request (re-)deployment
+ touch ${config.users.users.c3d2-dns.home}/deploy-pending
+
+ # Start deploy-c3d2-dns.service if not already running
+ exec /run/wrappers/bin/sudo ${deployCommand}
+ '';
+ } ]);
+ in {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.webhook}/bin/webhook -hooks ${hooksJson} -verbose -ip 127.0.0.1";
+ User = "c3d2-dns";
+ Group = config.users.users.c3d2-dns.group;
+ PrivateTmp = true;
+ ProtectSystem = "full";
+ };
+ };
+}
diff --git a/secrets b/secrets
index eecfed3c..3b337a98 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit eecfed3c6287b9a3f5f0c9469a3f6975048b891a
+Subproject commit 3b337a981efaca600fc268d31a553522a578d7dd
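Review bot: `sshPrivkey` and `giteaToken` are literal values in this module, and the script passes the key through `builtins.toFile "id_ed25519" sshPrivkey`, so it lands in a world-readable Nix store path on the host (and in any binary cache the closure is pushed to) — the later `chmod 0600` only protects the copy in `.ssh`, and the token is likewise baked into the generated unit script and sent in the `?token=` query string of both curl URLs. Restoring the commented-out `inherit (pkgs.bind-secrets) giteaToken sshPrivkey;` keeps the literals out of this repository, but the store exposure remains for anything rendered via `builtins.toFile` or the unit script, so prefer a file path read at runtime (a secret delivered to `/var/lib/c3d2-dns` by the secrets mechanism, or systemd `LoadCredential=`); since this key material is now in the commit history it should be treated as compromised and rotated regardless. Separately, `/run/wrappers/bin/sudo systemctl reload bind` resolves `systemctl` from `PATH`, while the sudoers rule grants `reloadCommand`, i.e. the `${pkgs.systemd}/bin/systemctl` store path — unless those resolve to the same pathname for sudo's matching, the reload is refused and every run is reported as `build failure`; the webhook script already uses `exec /run/wrappers/bin/sudo ${deployCommand}`, so use `/run/wrappers/bin/sudo ${reloadCommand}` here for the same reason. Finally, the `deploy-c3d2-dns` hook entry has no `trigger-rule`, so any client that reaches `/hooks/` on the public nginx vhost can start a deploy; a `trigger-rule` matching the Gitea webhook secret would limit that to the intended caller.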