authorJoey Hess2015-01-04 13:22:23 -0400
committerJoey Hess2015-01-04 13:22:23 -0400
commite67901a77b0bdde7ea4d37083e770c723018dc32 (patch)
tree3799f3731484f8a8a656a53aac208a7a113bee43 /src
parentd6c8ddb955707cd73f66fcb662ea4616c5715d39 (diff)
use separate directory for dnssec files
Diffstat (limited to 'src')
-rw-r--r--src/Propellor/Property/Dns.hs39
-rw-r--r--src/Propellor/Property/DnsSec.hs2
2 files changed, 20 insertions, 21 deletions
diff --git a/src/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs
index 38e98eac..47f39718 100644
--- a/src/Propellor/Property/Dns.hs
+++ b/src/Propellor/Property/Dns.hs
@@ -56,18 +56,20 @@ import Data.List
primary :: [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty
primary hosts domain soa rs = RevertableProperty setup cleanup
where
- setup = setupPrimary hosts domain soa rs
+ setup = setupPrimary zonefile hosts domain soa rs
`onChange` Service.reloaded "bind9"
- cleanup = cleanupPrimary domain
+ cleanup = cleanupPrimary zonefile domain
`onChange` Service.reloaded "bind9"
-setupPrimary :: [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> Property
-setupPrimary hosts domain soa rs = withwarnings (check needupdate baseprop)
+ zonefile = "/etc/bind/propellor/db." ++ domain
+
+setupPrimary :: FilePath -> [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> Property
+setupPrimary zonefile hosts domain soa rs =
+ withwarnings (check needupdate baseprop)
`requires` servingZones
where
(partialzone, zonewarnings) = genZone hosts domain soa
zone = partialzone { zHosts = zHosts partialzone ++ rs }
- zonefile = zoneFile domain
baseprop = Property ("dns primary for " ++ domain)
(makeChange $ writeZoneFile zone zonefile)
(addNamedConf conf)
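Review bot: The new `zonefile` binding at the top of `primary` splices `domain` straight into a filesystem path with no check that it is a bare zone name, so a `Domain` containing `/` or `..` would place the zone file outside /etc/bind/propellor; that value appears to come from the propellor host configuration rather than from a network peer, so this is a hardening point rather than an exposure, but it deserves either a guard or a comment saying the path is trusted config. Since `signedPrimary` builds the same filename under a different directory, a small shared helper keeps the two in step and gives one place for such a check, e.g. `zoneFileIn :: FilePath -> Domain -> FilePath` with `zoneFileIn dir domain = dir ++ "/db." ++ domain` (or `dir </> ("db." ++ domain)` if System.FilePath is imported in this module as it is in DnsSec.hs). `setupPrimary` continues past the end of the hunk and the `conf` it hands to `addNamedConf` is defined outside it, so whether named.conf actually picks up the caller-supplied path cannot be confirmed from here.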
@@ -101,16 +103,11 @@ setupPrimary hosts domain soa rs = withwarnings (check needupdate baseprop)
in z /= oldzone || oldserial < sSerial (zSOA zone)
-cleanupPrimary :: Domain -> Property
-cleanupPrimary domain = check (doesFileExist zonefile) $
+cleanupPrimary :: FilePath -> Domain -> Property
+cleanupPrimary zonefile domain = check (doesFileExist zonefile) $
property ("removed dns primary for " ++ domain)
(makeChange $ removeZoneFile zonefile)
`requires` namedConfWritten
- where
- zonefile = zoneFile domain
-
-zoneFile :: Domain -> FilePath
-zoneFile domain = "/etc/bind/propellor/db." ++ domain
-- | Primary dns server for a domain, secured with DNSSEC.
--
@@ -133,24 +130,26 @@ zoneFile domain = "/etc/bind/propellor/db." ++ domain
signedPrimary :: Recurrance -> [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty
signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
where
- -- TODO put signed zone file in named.conf.
-- TODO enable dnssec options.
-- dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;
- -- TODO write to entirely different files than does primary,
- -- so that primary can be reverted and signedPrimary enabled,
- -- or vice-versa, without conflicts.
- setup = setupPrimary hosts domain soa rs'
- `onChange` toProp (zoneSigned domain (zoneFile domain))
+ setup = setupPrimary zonefile hosts domain soa rs'
+ `onChange` toProp (zoneSigned domain zonefile)
`onChange` Service.reloaded "bind9"
- cleanup = cleanupPrimary domain
- `onChange` toProp (revert (zoneSigned domain (zoneFile domain)))
+ cleanup = cleanupPrimary zonefile domain
+ `onChange` toProp (revert (zoneSigned domain zonefile))
`onChange` Service.reloaded "bind9"
-- Include the public keys into the zone file.
rs' = include PubKSK : include PubZSK : rs
include k = (RootDomain, INCLUDE (keyFn domain k))
+ -- Put DNSSEC zone files in a different directory than is used for
+ -- the regular ones. This allows 'primary' to be reverted and
+ -- 'signedPrimary' enabled, without the reverted property stomping
+ -- on the new one's settings.
+ zonefile = "/etc/bind/propellor/dnssec/db." ++ domain
+
-- | Secondary dns server for a domain.
--
-- The primary server is determined by looking at the properties of other
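Review bot: The removed `TODO put signed zone file in named.conf` line is not matched by any change in this hunk that points named.conf at the signed zone: `setupPrimary zonefile ...` still registers the unsigned `/etc/bind/propellor/dnssec/db.<domain>` through `addNamedConf`, and `zoneSigned domain zonefile` then signs that file into what is presumably a sibling output that nothing visible here references from named.conf. Unless an earlier commit already switched `conf` to the signed output (the `conf` binding is outside this view), a host keeps serving an unsigned zone under a property called `signedPrimary`, so the TODO should stay until the wiring is done. The new comment block also understates the directory move: the `dnssec/` subdirectory must exist before `setupPrimary` writes into it, and because it will also hold the private key halves named by `keyFn`, it should be created with restrictive permissions rather than inherited defaults — worth a line such as `-- This directory also holds the DNSSEC private keys (see keyFn); it must exist and must not be world-readable before setup runs.` if the creation happens elsewhere. Both `setup` and `cleanup` are fully inside the hunk, but the haddock for `signedPrimary` begins above it.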
diff --git a/src/Propellor/Property/DnsSec.hs b/src/Propellor/Property/DnsSec.hs
index ba9c2a1b..f76a28ff 100644
--- a/src/Propellor/Property/DnsSec.hs
+++ b/src/Propellor/Property/DnsSec.hs
@@ -96,7 +96,7 @@ saltSha1 = readProcess "sh"
-- | The file used for a given key.
keyFn :: Domain -> DnsSecKey -> FilePath
-keyFn domain k = "/etc/bind/propellor" </>
+keyFn domain k = "/etc/bind/propellor/dnssec" </>
"K" ++ domain ++ "." ++ show k ++ keyExt k
-- | These are the extensions that dnssec-keygen looks for.
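Review bot: Changing the directory returned by `keyFn` silently changes where existing keys are looked for: a host that already generated `K<domain>.*` files under /etc/bind/propellor will presumably have a fresh pair generated under `dnssec/` by the key-generation property (outside this hunk), which means a new KSK whose DS record the parent zone does not carry, so validation of the zone fails until the DS is republished. A one-time migration step (moving the old `K*` files into the new directory) or at least a warning on `keyFn` would avoid an unplanned rollover, e.g. `-- Keys are looked up by path, so changing this directory is effectively a key rollover: a new KSK needs a new DS record in the parent zone.` The `.private` halves now sit beside the zone files that bind reads, so whatever creates the directory needs to keep those files unreadable by the bind user unless inline signing is intended. `keyFn` is entirely within the hunk.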