diff --git a/salt-pillar/bind/dns.sls b/salt-pillar/bind/dns.sls index 142e373..0ebdcd0 100644 --- a/salt-pillar/bind/dns.sls +++ b/salt-pillar/bind/dns.sls @@ -11,7 +11,7 @@ bind: # dns.spaceboyz.net - 172.22.24.4 - 2a01:4f8:a0:33d0::4 - serial: 2017012300 + serial: 2017031210 reverse-zones-inet: - 72.20.172.in-addr.arpa diff --git a/salt-pillar/bind/dyndns/anon1.sls b/salt-pillar/bind/dyndns/anon1.sls new file mode 100644 index 000000000..b6e6a3f --- /dev/null +++ b/salt-pillar/bind/dyndns/anon1.sls @@ -0,0 +1,18 @@ +#!yaml|gpg +dyndns: + anon1: + interface: ipredator + secret: | + -----BEGIN PGP MESSAGE----- + + hQEMA2PKcvDMvlKLAQgAjh9ugkiUCwnXHHJP7mJqmjnS6shfTXMqPYeR1KTwIWvC + xOSxQBvD/WYOg/p6Jai+dB5TAvI0l1G4oaaii3OoKot0flJPzWR5IgBHJBmDEuii + /pinHD4JpNTDPb2OBE/UXZjyJ4XGCwh8yVaOr5LmRPuB/DMfxk6FpPpDps6n5ioT + i9RkvgZTtyk8nyb3Q+Gg051vXKYOHiZbOtu08GRMDqBjkBwWAaVCWc/ts4Gs0SjG + GgxWR6VWhMSWIbuJmFY5Bix6rRuI6cVY48Xg+/aQXxrSMjI3SKjpeJ0Otn7Hi1Fh + vK6mIZtyESsNt3qHd65GPWJ0PPLiOg6M0peC9rfJgdJnAYq2n/f89jfraVTK3gYL + ch7EWeGAJbqf7srcDqjL/kHVSVrLlh3GSpFZsyD3hOeGMWrkQnnVrMBLo2oAoQSp + bVh+AjIkctnwHJSDS6FsijrQJicLVu/tG/Sg9PqELvWzMf+LvRL49Q== + =zrkj + -----END PGP MESSAGE----- + diff --git a/salt-pillar/bind/dyndns/upstream1.sls b/salt-pillar/bind/dyndns/upstream1.sls new file mode 100644 index 000000000..98a0263 --- /dev/null +++ b/salt-pillar/bind/dyndns/upstream1.sls 
@@ -0,0 +1,18 @@
+#!yaml|gpg
+dyndns:
+ upstream1:
+ interface: up1
+ secret: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA2PKcvDMvlKLAQgAlT62OyjlGRcQ8/RivPsFfJfVSoNhGFFbSm+1yfA7Efav
+ d/ELCj86zXTvYoa4S8jEvd6iqsKOukINlCkYHR3p5Qs31bsSh/B+0B09fksp7d4O
+ NCE4VVInZe9HY7DpSFEsu44gbit2MJKhhbtozkyEwn3dGaXHmGEWqS1V20fLFeUA
+ r1ZwqyI6nFHT28thugt36r6/ZblkeZDqH77JuR/AnIsCFtykErZsiTQiiuiiOrvU
+ /m0kTz0jHBVSRuil3+4uibOWf2eDPuLukD2RXszGnaaq066vlRVyTKTchVjBnqDs
+ tNYls0rmr6UOOQid7N0BcCjYKKkoF6AVb3R1eA1yG9JnAeSx1KAmIrzfYLJ/eRkw
+ CPXogzxlMQt1i4fNRVUPWX+V9SHsbw/bp0CgaI1FJsfnVL4+BZejxTpGvybuKR+O
+ ejuUPineVymhVULbK2bbUGhpn0aaaKmV4CmZusueHg2W2lpJS0UozQ==
+ =krxI
+ -----END PGP MESSAGE-----
+
diff --git a/salt-pillar/bind/dyndns/upstream2.sls b/salt-pillar/bind/dyndns/upstream2.sls
new file mode 100644
index 000000000..33ff360
--- /dev/null
+++ b/salt-pillar/bind/dyndns/upstream2.sls
@@ -0,0 +1,18 @@
+#!yaml|gpg
+dyndns:
+ upstream2:
+ interface: up2
+ secret: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA2PKcvDMvlKLAQf/dsFJZ7Ud81pppjYXlOAEe1Zz+VqFaR+8kjzTE1uSxqNF
+ cI3asqGG1ltqY4CNJ0Sw6dzFKgCvBMxY2PlAKi2W/d4VXW+Eq3fuLA9g8AZ3FHxL
+ 8LgBaxoIuue8lI3FpQk3rbkhnELbwTp8A6Y0TCqexDp7NyieaHdsFkkg9lJn268B
+ RsIsg2n3ZlpPw6PgQ1qz0hqTlSIi/FyVTX0JLQ7GIpiPZPPsEtT0A62adkla0x4+
+ fkrqPBC3jD5ICz/mytkmwWilmkZHO+VXF7juAmwLnmp69w1yhsohVK1mecme60Rt
+ w6i6cVhvg/EaQnqhKxusLi3DnroaVTwU9wvw3aBiN9JnATYs/Y9LotYP3/4tiPO1
+ c45aNN6Oz/s7RwjTjiZv0LqnoXVLYPF2a0xok5eIklwp2f/wp7jh/SelJCZHY7H4
+ dx2TiwNW89qYfN4GNmfie+LgJDqs9DEZPBDDwjYBIPDMsh7kZiTo5A==
+ =pVXt
+ -----END PGP MESSAGE-----
+
diff --git a/salt-pillar/top.sls b/salt-pillar/top.sls
index f8c9f66..0597c53 100644
--- a/salt-pillar/top.sls
+++ b/salt-pillar/top.sls
@@ -30,14 +30,21 @@ base: - bind.dns 'upstream1': - upstream.upstream1 + - bind.dyndns.upstream1 + - bind.dns 'upstream2': - upstream.upstream2 + - bind.dyndns.upstream2 'anon*': - bird.ospf - vpn.anon1 - upstream.anon1 - collectd.upstream + - bind.dyndns.anon1 'dns': - bind.dns + - bind.dyndns.upstream1 + - bind.dyndns.upstream2 + - bind.dyndns.anon1 'stats': - collectd.stats-server diff --git a/salt/bind/dyn-domain.zone b/salt/bind/dyn-domain.zone new file mode 100644 index 000000000..d92e2e5 --- /dev/null +++ b/salt/bind/dyn-domain.zone @@ -0,0 +1,13 @@ +$ORIGIN {{ domain }}. +$TTL 10M + +@ IN SOA {{ pillar['bind']['master-ns'] }}. astro.spaceboyz.net. ( + {{ pillar['bind']['serial'] }} ; serial + 1H ; refresh + 1M ; retry + 2H ; expire + 5M ; minimum + ) +{%- for ns in pillar['bind']['public-ns'] %} + IN NS {{ ns }}. +{%- endfor %} diff --git a/salt/bind/init.sls b/salt/bind/init.sls index a047d28..832dc16 100644 --- a/salt/bind/init.sls +++ b/salt/bind/init.sls @@ -37,6 +37,15 @@ bind9: {%- endfor %} +# dyn.zentralwerk.online +{%- set domain = 'dyn.' ~ pillar['bind']['root-domain'] %} +/etc/bind/{{ domain }}.zone: + file.managed: + - source: salt://bind/dyn-domain.zone + - template: 'jinja' + - context: + domain: {{ domain }} + # IPv4 reverse {%- for domain in pillar['bind']['reverse-zones-inet'] %} /etc/bind/{{ domain }}.zone: @@ -56,3 +65,6 @@ bind9: - context: domain: {{ domain }} {%- endfor %} + +rndc reload: + cmd.run: [] diff --git a/salt/bind/named.conf b/salt/bind/named.conf index a65cc31..371fc1b 100644 --- a/salt/bind/named.conf +++ b/salt/bind/named.conf 
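Review bot: The `'anon*'` glob target now ships `bind.dyndns.anon1` to every minion whose id starts with `anon`, but the consumer state (`salt/upstream/dyndns.sls`, later in this diff) looks the secret up under the minion's own id, so only `anon1` can ever use that TSIG key and any other `anon*` minion simply ends up holding a credential it has no business with. Assign the dyndns pillar by exact id instead, e.g. add an `'anon1':` target carrying `- bind.dyndns.anon1` and keep the shared entries under the glob. Giving the `'dns'` target all three dyndns pillars is expected, since named.conf needs every key statement.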
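Review bot: `/etc/bind/{{ domain }}.zone` is the backing file of a zone that named itself rewrites through dynamic updates (the `update-policy` in named.conf), so managing it with `file.managed` means each highstate replaces the zone text and resets the SOA serial to `pillar['bind']['serial']` while named still holds a `.jnl` journal for it; after the first update the file and journal disagree and named refuses the zone on reload. Seed the file only once, e.g. with `- replace: False` on this state, and wrap any deliberate rewrite in `rndc freeze`/`rndc thaw`; the template in `salt/bind/dyn-domain.zone` is affected the same way since its serial comes from pillar. On Debian-style layouts `/etc/bind` is typically not writable by the `bind` user, in which case the journal cannot be created and every client update fails with SERVFAIL — confirm the directory permissions on the dns host, or point the dynamic zone at a directory named may write (`/var/lib/bind` is the conventional one).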
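Review bot: `rndc reload` is declared as a bare `cmd.run: []`, so it runs on every highstate whether or not a zone file or named.conf changed, and without `require`/`onchanges` its ordering relative to the `file.managed` zone states in this file is not guaranteed. Gate it on the things it is meant to pick up, e.g. `- onchanges:` followed by `- file: /etc/bind/{{ domain }}.zone` entries for the zone states, or attach a `watch` with `- reload: True` to the `bind9` state named in the hunk header, which presumably is the service state. Note that reloading right after Salt has rewritten the dynamically updated zone file is exactly the moment the journal/zone mismatch surfaces, so the reload is only safe once that file is no longer overwritten on every run.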
@@ -41,9 +41,32 @@ zone "{{ domain }}" IN { }; {%- endfor %} +# IPv6 reverse zones {%- for domain in pillar['bind']['reverse-zones-inet6'] %} zone "{{ domain }}" IN { type master; file "/etc/bind/{{ domain }}.zone"; }; {%- endfor %} + + +# DynDNS +{%- for name, conf in pillar['dyndns'].items() %} +key "{{ name }}" { + algorithm hmac-sha256; + secret "{{ conf['secret'] }}"; +}; +{%- endfor %} + +# DynDNS zone +{%- set domain = 'dyn.' ~ pillar['bind']['root-domain'] %} +zone "{{ domain }}" IN { + type master; + file "/etc/bind/{{ domain }}.zone"; + {{ slaves() }} + update-policy { +{%- for name, conf in pillar['dyndns'].items() %} + grant {{ name }} name {{ name }}.{{ domain }} ANY; +{%- endfor %} + }; +}; diff --git a/salt/bind/root-domain.zone b/salt/bind/root-domain.zone index 23ee450..12f7a5c 100644 --- a/salt/bind/root-domain.zone +++ b/salt/bind/root-domain.zone @@ -17,3 +17,7 @@ $TTL 10M {{ net }} IN NS {{ ns }}. {%- endfor %} {%- endfor %} + +{%- for ns in pillar['bind']['public-ns'] %} +dyn IN NS {{ ns }}. +{%- endfor %} diff --git a/salt/top.sls b/salt/top.sls index 4df59e1..db915e1 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -34,6 +34,7 @@ base: - unbound - upstream.dhcp - upstream.shaping + - upstream.dyndns - collectd 'upstream2': - upstream.port-forwarding @@ -45,6 +46,7 @@ base: - upstream.masquerade - upstream.shaping - upstream.nat66 + - upstream.dyndns - collectd 'dns': - no-ssh diff --git a/salt/upstream/dyndns b/salt/upstream/dyndns new file mode 100644 index 000000000..df1699f --- /dev/null +++ b/salt/upstream/dyndns @@ -0,0 +1,12 @@ +#!/bin/sh + +if [ "$IFACE" = "{{ interface }}" ]; then + IP=`ip a| grep inet |grep $IFACE|awk '{print $2}'|sed -e 's#/.*##'` + + nsupdate -k /etc/dyndns.key << EOF +server {{ pillar['hosts-inet']['serv']['dns'] }} +update delete {{ hostname }}. IN A +update add {{ hostname }}. 10 IN A $IP +send +EOF +fi diff --git a/salt/upstream/dyndns.key b/salt/upstream/dyndns.key new file mode 100644 index 000000000..e7a0a00 
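Review bot: `grant {{ name }} name {{ name }}.{{ domain }} ANY;` lets each client key write every record type at its name, while the client script in `salt/upstream/dyndns` only ever manages an A record; narrowing the rule to what is needed, `grant {{ name }} name {{ name }}.{{ domain }} A;` (add `AAAA` only when v6 updates are introduced), limits what a leaked client key can plant in the zone. The TSIG secrets are rendered in clear by `secret "{{ conf['secret'] }}";`, so whichever state manages named.conf (not in this diff) needs a restrictive mode such as 0640 root:bind, or the `key` statements should move to a separately `include`d file with that mode. Whether `{{ slaves() }}` also applies `allow-transfer`/notify settings to the dynamic zone cannot be seen here and is worth confirming.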
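Review bot: The address extraction in `IP=\`ip a| grep inet |grep $IFACE|awk '{print $2}'|sed -e 's#/.*##'\`` is fragile: `grep $IFACE` matches the interface name as a substring of any line (`up1` also matches `up10`), `grep inet` also matches `inet6` lines, and an interface with more than one address yields a multi-line `$IP` that is fed unchecked into the nsupdate heredoc after `update delete` has already been queued, so a malformed value can remove the A record without replacing it. Query the interface directly, keep a single IPv4 address, and leave before nsupdate runs when nothing usable was found; `$IFACE` should also be quoted for `sh`. The rewritten start of the script is below; the nsupdate heredoc is unchanged.
```shell
if [ "$IFACE" = "{{ interface }}" ]; then
    IP=$(ip -4 -o addr show dev "$IFACE" scope global | awk '{print $4}' | cut -d/ -f1 | head -n1)
    case "$IP" in
        *.*.*.*) ;;
        *) echo "dyndns: no IPv4 address found on $IFACE, not updating" >&2; exit 0 ;;
    esac

    # … unchanged: nsupdate -k /etc/dyndns.key heredoc …
fi
```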
--- /dev/null
+++ b/salt/upstream/dyndns.key
@@ -0,0 +1,4 @@
+key "{{ name }}" {
+ algorithm hmac-sha256;
+ secret "{{ secret }}";
+};
diff --git a/salt/upstream/dyndns.sls b/salt/upstream/dyndns.sls
new file mode 100644
index 000000000..423630f
--- /dev/null
+++ b/salt/upstream/dyndns.sls
@@ -0,0 +1,26 @@
+{%- set conf = pillar['dyndns'][salt['grains.get']('id')] %}
+
+/etc/network/if-up.d/dyndns:
+ file.managed:
+ - source: salt://upstream/dyndns
+ - template: 'jinja'
+ - context:
+ interface: {{ conf['interface'] }}
+ hostname: {{ salt['grains.get']('id') }}.dyn.{{ pillar['bind']['root-domain'] }}
+ - mode: 755
+ - require:
+ - pkg: dnsutils
+
+/etc/dyndns.key:
+ file.managed:
+ - source: salt://upstream/dyndns.key
+ - template: 'jinja'
+ - context:
+ name: {{ salt['grains.get']('id') }}
+ secret: "{{ conf['secret'] }}"
+ - mode: 600
+ - require:
+ - pkg: dnsutils
+
+dnsutils:
+ pkg.installed: []
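Review bot: The `/etc/dyndns.key` state sets `- mode: 600` but leaves `file.managed`'s default change reporting on, so on first deployment and on every rotation the rendered file, TSIG secret included, is returned as the state diff and lands in the master job cache, any returner and the operator's terminal; add `- show_changes: False` to that state. `- user: root` and `- group: root` are worth stating explicitly as well, since the key is read by nsupdate from the root-run if-up.d hook and the mode alone does not pin the owner. The `{%- set conf = pillar['dyndns'][salt['grains.get']('id')] %}` lookup raises at render time on any minion that is assigned `upstream.dyndns` without a matching pillar entry, taking the whole state file with it; `salt['pillar.get']('dyndns:' ~ grains['id'])` followed by an explicit check would fail with a clear message instead.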