authorJoey Hess2015-01-04 14:05:42 -0400
committerJoey Hess2015-01-04 14:05:42 -0400
commitf36443755e9c151d7d93b172fb2260b007ec483f (patch)
tree0e0427fef1c6f5edacf6366f5de74f09c32e62c1 /src/Propellor
parent8c1006c6542082691fce24c701d0a1ffd6ec0452 (diff)
propellor spin
Diffstat (limited to 'src/Propellor')
-rw-r--r--src/Propellor/Info.hs1
-rw-r--r--src/Propellor/Property/Dns.hs8
-rw-r--r--src/Propellor/Property/DnsSec.hs14
-rw-r--r--src/Propellor/Types/Dns.hs1
4 files changed, 13 insertions, 11 deletions
diff --git a/src/Propellor/Info.hs b/src/Propellor/Info.hs
index 3af3fc15..0437f8ec 100644
--- a/src/Propellor/Info.hs
+++ b/src/Propellor/Info.hs
@@ -64,7 +64,6 @@ addDNS r = pureInfoProperty (rdesc r) $ mempty { _dns = S.singleton r }
rdesc (NS d) = unwords ["NS", ddesc d]
rdesc (TXT s) = unwords ["TXT", s]
rdesc (SRV x y z d) = unwords ["SRV", show x, show y, show z, ddesc d]
- rdesc (INCLUDE f) = unwords ["$INCLUDE", f]
ddesc (AbsDomain domain) = domain
ddesc (RelDomain domain) = domain
diff --git a/src/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs
index 27f81f62..c5a4efa9 100644
--- a/src/Propellor/Property/Dns.hs
+++ b/src/Propellor/Property/Dns.hs
@@ -133,7 +133,7 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
-- TODO enable dnssec options.
-- dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;
setup = combineProperties ("dns primary for " ++ domain ++ " (signed)")
- [ setupPrimary zonefile signedZoneFile hosts domain soa rs'
+ [ setupPrimary zonefile signedZoneFile hosts domain soa rs
, toProp (zoneSigned domain zonefile)
]
`onChange` Service.reloaded "bind9"
@@ -142,10 +142,6 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
`onChange` toProp (revert (zoneSigned domain zonefile))
`onChange` Service.reloaded "bind9"
- -- Include the public keys into the zone file.
- rs' = include PubKSK : include PubZSK : rs
- include k = (RootDomain, INCLUDE (keyFn domain k))
-
-- Put DNSSEC zone files in a different directory than is used for
-- the regular ones. This allows 'primary' to be reverted and
-- 'signedPrimary' enabled, without the reverted property stomping
@@ -271,7 +267,6 @@ rField (MX _ _) = "MX"
rField (NS _) = "NS"
rField (TXT _) = "TXT"
rField (SRV _ _ _ _) = "SRV"
-rField (INCLUDE _) = "$INCLUDE"
rValue :: Record -> String
rValue (Address (IPv4 addr)) = addr
@@ -285,7 +280,6 @@ rValue (SRV priority weight port target) = unwords
, show port
, dValue target
]
-rValue (INCLUDE f) = f
rValue (TXT s) = [q] ++ filter (/= q) s ++ [q]
where
q = '"'
diff --git a/src/Propellor/Property/DnsSec.hs b/src/Propellor/Property/DnsSec.hs
index e4a8cad9..f39fcb25 100644
--- a/src/Propellor/Property/DnsSec.hs
+++ b/src/Propellor/Property/DnsSec.hs
@@ -41,6 +41,7 @@ zoneSigned :: Domain -> FilePath -> RevertableProperty
zoneSigned domain zonefile = RevertableProperty setup cleanup
where
setup = check needupdate (forceZoneSigned domain zonefile)
+ `requires` includePubKeys domain zonefile
`requires` toProp (keysInstalled domain)
cleanup = combineProperties ("removed signed zone for " ++ domain)
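Review bot: The `$INCLUDE` lines that the new `includePubKeys` dependency appends to `zonefile` have no counterpart on the revert path: `cleanup` runs past the end of the hunk, but nothing visible removes them, so if cleanup deletes or stops installing the key files, bind is left with an unsigned zone file that `$INCLUDE`s paths that no longer exist and will refuse to load the zone. A symmetric step in `cleanup`, e.g. one `File.lacksLine zonefile ("$INCLUDE " ++ keyFn domain k)` per key, keeps both directions of the RevertableProperty consistent. The `requires` chain also deserves a one-line comment on `setup` stating the order it imposes (keys installed, then the include lines, then the signing run), since the include step appears to be what makes `needupdate` see the zone file as newer than the signed one. zoneSigned's cleanup continues outside the hunk.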
@@ -65,6 +66,12 @@ zoneSigned domain zonefile = RevertableProperty setup cleanup
t2 <- getModificationTime f
return (t2 >= t1)
+includePubKeys :: Domain -> FilePath -> Property
+includePubKeys domain zonefile = File.containsLines zonefile $
+ map mkinclude [PubKSK, PubZSK]
+ where
+ mkinclude k = "$INCLUDE " ++ keyFn domain k
+
forceZoneSigned :: Domain -> FilePath -> Property
forceZoneSigned domain zonefile = property ("zone signed for " ++ domain) $ liftIO $ do
salt <- take 16 <$> saltSha1
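Review bot: `includePubKeys` appends its `$INCLUDE` lines to the same `zonefile` that `setupPrimary` generates from the record set (see the `signedPrimary` change in Dns.hs), so whenever that generator rewrites the file the include lines are dropped and then re-appended, and if `setupPrimary` compares its generated text against the file's current content, the appended lines will read as drift on every run, triggering a rewrite, a re-sign and a bind9 reload on each spin. I cannot confirm the generator's idempotence check from here, but the removed `rs'` approach kept the includes inside the generated content, which avoided that interaction; please verify before relying on the append approach. Either way `includePubKeys` needs a Haddock, for example `-- | Adds $INCLUDE directives for the public KSK and ZSK to the zone file, so the DNSKEY records are part of the zone that dnssec-signzone signs.` forceZoneSigned's body continues outside the hunk.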
@@ -95,8 +102,11 @@ saltSha1 = readProcess "sh"
-- | The file used for a given key.
keyFn :: Domain -> DnsSecKey -> FilePath
-keyFn domain k = "/etc/bind/propellor/dnssec" </>
- "K" ++ domain ++ "." ++ show k ++ keyExt k
+keyFn domain k = "/etc/bind/propellor/dnssec" </> concat
+ [ "K" ++ domain ++ "."
+ , if isZoneSigningKey k then "ZSK" else "KSK"
+ , keyExt k
+ ]
-- | These are the extensions that dnssec-keygen looks for.
keyExt :: DnsSecKey -> String
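Review bot: Changing the on-disk key file names from `show k` to a shared `KSK`/`ZSK` stem means a host that already installed keys under the old paths will not find them at the new ones; `keysInstalled` (outside this hunk) is what has to cope with that, and neither the commit message nor the code says whether old files are migrated or simply regenerated. The rename itself looks deliberate, since after it only `keyExt` distinguishes the public from the private file, presumably so the signer can locate the `.private` beside the `.key`; the existing Haddock should say so: `-- | The file used for a given key. The public and private halves share the stem (K<domain>.KSK / K<domain>.ZSK); only the extension from 'keyExt' differs, so the signer can find one from the other.` The `"K" ++ domain ++ "."` prefix also embeds the domain in a filesystem path with no check; that is fine if `domain` only ever comes from the propellor config, but it is worth stating in the comment.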
diff --git a/src/Propellor/Types/Dns.hs b/src/Propellor/Types/Dns.hs
index 2fbf51e5..5e9666d8 100644
--- a/src/Propellor/Types/Dns.hs
+++ b/src/Propellor/Types/Dns.hs
@@ -62,7 +62,6 @@ data Record
| NS BindDomain
| TXT String
| SRV Word16 Word16 Word16 BindDomain
- | INCLUDE FilePath
deriving (Read, Show, Eq, Ord)
getIPAddr :: Record -> Maybe IPAddr