authorJoey Hess2015-01-03 19:09:02 -0400
committerJoey Hess2015-01-03 19:10:17 -0400
commit4dd6596919e8e7c14436fb0cabd113664680faf7 (patch)
tree522f2230bbb4802d7ceafd3d5b4552ce52851382 /src
parent05004730c7ad30223989faddb7ff520f6af1cf53 (diff)
add DnsSec module
Diffstat (limited to 'src')
-rw-r--r--src/Propellor/Property/DnsSec.hs48
1 files changed, 48 insertions, 0 deletions
diff --git a/src/Propellor/Property/DnsSec.hs b/src/Propellor/Property/DnsSec.hs
new file mode 100644
index 00000000..55a447a1
--- /dev/null
+++ b/src/Propellor/Property/DnsSec.hs
@@ -0,0 +1,48 @@
+module Propellor.Property.DnsSec where
+
+import Propellor
+import Propellor.Property.File
+
+-- | Puts the DNSSEC key files in place from PrivData.
+--
+-- signedPrimary uses this, so this property does not normally need to be
+-- used directly.
+keysInstalled :: Domain -> RevertableProperty
+keysInstalled domain = RevertableProperty setup cleanup
+ where
+ setup = propertyList "DNSSEC keys installed" $
+ map installkey keys
+
+ cleanup = propertyList "DNSSEC keys removed" $
+ map (notPresent . keyFn domain) keys
+
+ installkey k = (if isPublic k then hasPrivContentExposedFrom else hasPrivContentFrom)
+ (keysrc k) (keyFn domain k) (Context domain)
+
+ keys = [ PubZSK, PrivZSK, PubKSK, PrivKSK ]
+
+ keysrc k = PrivDataSource (DnsSec k) $ unwords
+ [ "The file with extension"
+ , keyExt k
+ , " created by running:"
+ , if isZoneSigningKey k
+ then "dnssec-keygen -a RSASHA256 -b 2048 -n ZONE " ++ domain
+ else "dnssec-keygen -f KSK -a RSASHA256 -b 4096 -n ZONE " ++ domain
+ ]
+
+-- | The file used for a given key.
+keyFn :: Domain -> DnsSecKey -> FilePath
+keyFn domain k = "/etc/bind/propellor" </>
+ "K" ++ domain ++ "." ++ show k ++ keyExt k
+
+-- | These are the extensions that dnssec-keygen looks for.
+keyExt :: DnsSecKey -> String
+keyExt k
+ | isPublic k = ".key"
+ | otherwise = ".private"
+
+isPublic :: DnsSecKey -> Bool
+isPublic k = k `elem` [PubZSK, PubKSK]
+
+isZoneSigningKey :: DnsSecKey -> Bool
+isZoneSigningKey k = k `elem` [PubZSK, PrivZSK]
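Review bot: keyFn at lines 56-57 only works because `</>` and `++` happen to share fixity (both infixr 5), so the whole `"K" ++ domain ++ "." ++ show k ++ keyExt k` is joined before `</>` is applied; that reads as a precedence accident, and `"/etc/bind/propellor" </> ("K" ++ domain ++ "." ++ show k ++ keyExt k)` states the intent explicitly. In keysrc, `" created by running:"` at line 48 carries a leading space that `unwords` already supplies, so the PrivData prompt renders with a double space; `"created by running:"` fixes it. isPublic and isZoneSigningKey classify keys with `elem` against a literal list rather than matching constructors, so if DnsSecKey (defined outside this file) ever gains a constructor it would silently fall through as a private KSK with no -Wincomplete-patterns warning; a `case` over the four constructors would turn that into a compile-time error. Presumably the hasPrivContentFrom branch writes the file with restricted permissions while the Exposed variant does not, so that fallthrough at least errs toward the restricted mode, which is worth a one-line comment on installkey if it is intended.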