burble.dn42/dns
1
0
Fork 0
Code Releases Activity

remove certificate generation and add ipv4/ipv6 aliases for nodes
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Simon Marsh 2023-02-16 11:19:58 +00:00
parent c853aa97e0
commit 31c8d3f3ab
Signed by: burble
GPG Key ID: E9B4156C1659C079
13 changed files with 3 additions and 245 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ansible.cfg
View File

@ -1,5 +0,0 @@
[defaults]
inventory=inventory.yml
#strategy_plugins = /opt/mitogen-0.2.9/ansible_mitogen/plugins
#strategy = mitogen_linear

16
certs.json
View File

@ -1,16 +0,0 @@
[
{
"cert_name": "collector-dn42",
"names": [
"collector.dn42",
"*.collector.dn42"
]
},
{
"cert_name": "burble-dn42",
"names": [
"burble.dn42",
"*.burble.dn42"
]
}
]

15
deploy.yml
View File

@ -1,15 +0,0 @@
---
###########################################################################
# Deploy certs
###########################################################################
- hosts: rprox
roles:
- { role: rprox, tags: rprox }
- hosts: docker
roles:
- { role: docker, tags: docker }
###########################################################################
# end of file

2
domains/020-burble.com.js
View File

@ -94,11 +94,13 @@ nodes.forEach(function(n) {
// ipv4 // ipv4
if (n[1] != 'undefined') { if (n[1] != 'undefined') {
D_EXTEND(domain,A(n[0], n[1])); D_EXTEND(domain,A(n[0], n[1]));
D_EXTEND(domain,A('ipv4.' + n[0], n[1]));
} }
// ipv6 // ipv6
if (n[2] != 'undefined') { if (n[2] != 'undefined') {
D_EXTEND(domain,AAAA(n[0], n[2])); D_EXTEND(domain,AAAA(n[0], n[2]));
D_EXTEND(domain,AAAA('ipv6.' + n[0], n[2]));
} }
// DN42 public node // DN42 public node

10
group_vars/all.yml
View File

@ -1,10 +0,0 @@
---
###########################################################################
# common connection vars
ansible_user: sol
ansible_become: yes
ansible_python_interpreter: /usr/bin/python3
###########################################################################
# end of file

23
inventory.yml
View File

@ -1,23 +0,0 @@
###########################################################################
all:
children:
rprox:
hosts:
de-fra1.burble.com:
ca-bhs2.burble.com:
fr-rbx1.burble.com:
us-lax1.burble.com:
docker:
hosts:
fr-rbx1.burble.com:
fr-par1.burble.com:
fr-par2.burble.com:
ca-bhs2.burble.com:
de-fra1.burble.com:
ch-zur1.burble.com:
###########################################################################
# end of file

10
roles/docker/handlers/main.yml
View File

@ -1,10 +0,0 @@
---
########################################################################
- name: update traefik
file:
path: '{{ tpath }}/dynamic_conf/burble-dn42.yml'
state: touch
########################################################################
# end of file

22
roles/docker/tasks/main.yml
View File

@ -1,22 +0,0 @@
---
########################################################################
# upload the certs
- copy:
src: 'certificates/{{ d }}/{{ f }}'
dest: '{{ tpath }}/certs/{{ f }}'
owner: root
group: root
mode: 0400
vars:
d: '{{ item.d }}'
f: '{{ item.d }}.{{ item.s }}'
loop:
- { d: 'burble-dn42', s: 'crt' }
- { d: 'burble-dn42', s: 'key' }
notify: update traefik
########################################################################
# end of file

7
roles/docker/vars/main.yml
View File

@ -1,7 +0,0 @@
---
########################################################################
tpath: '/export/apps/docker/config/traefik'
########################################################################
# end of file

23
roles/rprox/tasks/main.yml
View File

@ -1,23 +0,0 @@
---
########################################################################
# upload the certs
- copy:
src: 'certificates/{{ d }}/{{ f }}'
dest: '{{ npath }}/certs/{{ f }}'
owner: '81001'
group: '81001'
mode: 0400
vars:
d: '{{ item.d }}'
f: '{{ item.d }}.{{ item.s }}'
loop:
- { d: 'burble-dn42', s: 'crt' }
- { d: 'burble-dn42', s: 'key' }
- { d: 'collector-dn42', s: 'crt' }
- { d: 'collector-dn42', s: 'key' }
########################################################################
# end of file

7
roles/rprox/vars/main.yml
View File

@ -1,7 +0,0 @@
---
########################################################################
npath: '/export/apps/nginx'
########################################################################
# end of file

99
scripts/push-rprox.sh
View File

@ -1,99 +0,0 @@
#!/bin/bash
########################################################################
certs=(
'burble-dn42'
'collector-dn42'
)
# hosts to push
hosts=(
'rsync.tier2.fr-rbx1.burble.dn42'
'rsync.tier2.de-fra1.burble.dn42'
'rsync.tier2.ca-bhs2.burble.dn42'
)
dst="apps/nginx/certs"
########################################################################
# where am I ?
SCRIPTPATH="$(cd "$(dirname "$0")" ; pwd -P)"
CERTPATH="$(cd "${SCRIPTPATH}/../certificates/"; pwd -P)"
echo "Certs are here: $CERTPATH"
pushd "$CERTPATH"
# create a temp directory
export TMPDIR="$XDG_RUNTIME_DIR"
tmp=$(mktemp -d)
if [ $? -ne 0 -o -z "$tmp"]
then
echo "Failed to create tmp directory"
exit 1
fi
echo "Created tmp directory: $tmp"
function cleanup {
if [ -d "$tmp" ]
then
echo "Cleaning tmp directory"
rm -rf "$tmp" > /dev/null 2>&1
fi
}
trap cleanup EXIT
export VAULT_ADDR='https://vault.burble.dn42'
########################################################################
# generate one time key for deployment access
echo "Generating temporary rsync key"
sshkey="${tmp}/rsync_key"
ssh-keygen -t ed25519 -a 100 -N '' -f "$sshkey"
vault write \
-field=signed_key \
burble.dn42/ssh/user/sign/rsync \
public_key="@${sshkey}.pub" \
> "${sshkey}-cert.pub"
if [ $? -ne 0 ]
then
echo "Failed to generate temporary rsync key"
exit 1
fi
echo "Key is signed"
# fixup perms
chmod 0600 "${tmp}"/*
########################################################################
# create a list of files to push
declare -a flist
echo "Files to copy:"
for cert in ${certs[@]}
do
crt="${cert}/${cert}.crt"
key="${cert}/${cert}.key"
echo " - $crt"
echo " - $key"
flist+=( "$crt" "$key" )
done
# and push to hosts
for host in ${hosts[@]}
do
echo "Syncing host: $host"
rsync -avogp --delete -e "ssh -i '${sshkey}'" \
--chown 81001:81001 --chmod=D2700,F600 \
"${flist[@]}" \
"root@${host}:${dst}/"
done
popd
########################################################################
# end of file

7
scripts/renew.sh
View File

@ -1,7 +0,0 @@
#!/bin/bash
dnscontrol get-certs \
--acme https://acme-v2.acme.dn42/directory \
--agreeTOS \
--email "dn42@burble.com" \
--renew 30