* DNS delegation
@ 2019-03-04 21:32 Julien Lepiller
  2019-03-13 15:00 ` Ludovic Courtès
  0 siblings, 1 reply; 7+ messages in thread
From: Julien Lepiller @ 2019-03-04 21:32 UTC (permalink / raw)
  To: guix-devel


Hi,

We've already discussed this multiple times: we'd like to have a DNS
delegation for guix.gnu.org, so that we can manage the zone ourselves
without having to rely too much on the FSF sysadmins.

Here is a patch (untested) that aims at doing that. I've configured
bayfront and berlin to be DNS authoritative servers. bayfront is the
master (it is the one that needs to be updated when a change happens in
the zone), and berlin is set as slave (it will automatically follow
changes in bayfront). I've enabled dnssec on bayfront, since it's the
one that's going to sign the zone, and transfer signatures to its slave.

Currently the zone (in modules/sysadmin/dns.scm) is incomplete. What
needs to be there?


From 331a85e469579c02a3fc338a6fb0bade3916c666 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Mon, 4 Mar 2019 22:00:22 +0100
Subject: [PATCH] hydra: Add dns services for guix.gnu.org.

* hydra/bayfront.scm (services): Add knot-service.
* hydra/berlin.scm (services): Add knot-service.
* hydra/modules/sysadmin/dns.scm: New file.
---
 hydra/bayfront.scm             | 16 +++++++-
 hydra/berlin.scm               | 19 ++++++++-
 hydra/modules/sysadmin/dns.scm | 70 ++++++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+), 4 deletions(-)
 create mode 100644 hydra/modules/sysadmin/dns.scm

diff --git a/hydra/bayfront.scm b/hydra/bayfront.scm
index fae5cb5..6ec21f2 100644
--- a/hydra/bayfront.scm
+++ b/hydra/bayfront.scm
@@ -1,7 +1,7 @@
 ;; OS configuration for bayfront, the frontend of the compile farm.
 
-(use-modules (gnu) (guix) (sysadmin people) (sysadmin services))
-(use-service-modules base networking admin shepherd)
+(use-modules (gnu) (guix) (sysadmin people) (sysadmin services) (sysadmin dns))
+(use-service-modules base dns networking admin shepherd)
 (use-package-modules admin certs linux ssh tls vim package-management web wget)
 
 (define %sysadmins
@@ -124,6 +124,18 @@ Happy hacking!\n"))
 
                    (service ntp-service-type)
 
+                   ;; DNS
+                   (service knot-service-type
+                            (knot-configuration
+                              (zones (list (knot-zone-configuration
+                                             (inherit guix.gnu.org-zone)
+                                             (dnssec-policy "default")
+                                             (acl '("transfer-allow")))))
+                              (acls (list (knot-acl-configuration
+                                            (id "transfer-allow")
+                                            (address (list berlin-ip4))
+                                            (action '(transfer)))))))
+
                    (frontend-services %sysadmins
                                       #:nar-ttl (* 45 24 3600)
                                       #:motd %motd
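Review bot: The master zone on bayfront never notifies berlin, although the berlin hunk (lines 106-109) prepares a "notify-allow" ACL for exactly that: bayfront's knot-configuration defines no `remotes` and the zone has no `notify` field, so berlin would only pick up changes on its SOA refresh timer rather than "automatically follow changes" as the cover letter says. Adding a remote for berlin and `(notify '("berlin-slave"))` on the zone closes that gap; the `notify` field of knot-zone-configuration and `remotes` of knot-configuration are documented in (gnu services knot), but the spelling should be checked against the installed version. The surrounding `services` list starts and ends outside this hunk.
```scheme
                            (knot-configuration
                              (zones (list (knot-zone-configuration
                                             (inherit guix.gnu.org-zone)
                                             (dnssec-policy "default")
                                             ;; Push zone changes to the slave instead of
                                             ;; waiting for its SOA refresh interval.
                                             (notify '("berlin-slave"))
                                             (acl '("transfer-allow")))))
                              (remotes (list (knot-remote-configuration
                                               (id "berlin-slave")
                                               (address (list berlin-ip4)))))
                              ;; … unchanged: acls …
```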
diff --git a/hydra/berlin.scm b/hydra/berlin.scm
index 8d63a14..343e104 100644
--- a/hydra/berlin.scm
+++ b/hydra/berlin.scm
@@ -1,8 +1,8 @@
 ;; OS configuration for "berlin", the frontend of the compile farm
 ;; hosted at the MDC.
 
-(use-modules (gnu) (guix) (sysadmin services) (sysadmin people))
-(use-service-modules base databases monitoring networking admin shepherd)
+(use-modules (gnu) (guix) (sysadmin services) (sysadmin people) (sysadmin dns))
+(use-service-modules base databases dns monitoring networking admin shepherd)
 (use-package-modules admin certs emacs linux monitoring
                      ssh tls vim package-management
                      web wget ci rsync)
@@ -164,6 +164,21 @@ Happy hacking!\n"))
                               (tty "ttyS0")
                               (baud-rate "115200")))
 
+             ;; DNS
+             (service knot-service-type
+                      (knot-configuration
+                        (zones (list (knot-zone-configuration
+                                       (domain "guix.gnu.org")
+                                       (master '("bayfront-master"))
+                                       (acl '("notify-allow")))))
+                        (acls (list (knot-acl-configuration
+                                      (id "notify-allow")
+                                      (address (list bayfront-ip4))
+                                      (action '(notify)))))
+                        (remotes (list (knot-remote-configuration
+                                         (id "bayfront-master")
+                                         (address (list bayfront-ip4)))))))
+
              ;; Monitoring
              (service zabbix-agent-service-type)
              (service zabbix-server-service-type
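Review bot: Both the "notify-allow" ACL here (lines 106-109) and the "transfer-allow" ACL on bayfront (lines 72-75) authorize peers by source address alone, with no TSIG key on the ACLs or on the "bayfront-master" remote; since knot supports keyed ACLs, a shared TSIG key on both sides would make transfers and notifies authenticated rather than merely address-filtered, which also matters once the zone is DNSSEC-signed on the master. The sketch below uses `knot-key-configuration` and the `key` fields of the ACL and remote records from (gnu services knot); the algorithm value spelling should be verified against the installed service module, and the secret must not be written into this file if it is kept in a public repository — load it from a file outside the checkout instead. The enclosing `services` list starts and ends outside this hunk.
```scheme
                      (knot-configuration
                        (keys (list (knot-key-configuration
                                      (id "bayfront-berlin-key")
                                      (algorithm 'hmac-sha256)
                                      ;; Constructed placeholder; read the real secret from a
                                      ;; file that is not part of the repository.
                                      (secret "<TSIG-SECRET-PLACEHOLDER>"))))
                        ;; … unchanged: zones …
                        (acls (list (knot-acl-configuration
                                      (id "notify-allow")
                                      (address (list bayfront-ip4))
                                      (key "bayfront-berlin-key")
                                      (action '(notify)))))
                        (remotes (list (knot-remote-configuration
                                         (id "bayfront-master")
                                         (address (list bayfront-ip4))
                                         (key "bayfront-berlin-key"))))))
```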
diff --git a/hydra/modules/sysadmin/dns.scm b/hydra/modules/sysadmin/dns.scm
new file mode 100644
index 0000000..8ce93e6
--- /dev/null
+++ b/hydra/modules/sysadmin/dns.scm
@@ -0,0 +1,70 @@
+;;; GNU Guix system administration tools.
+;;;
+;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
+;;;
+;;; This program is free software: you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation, either version 3 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; This program is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (sysadmin dns)
+  #:use-module (gnu services knot)
+  #:export (guix.gnu.org-zone
+            berlin-ip4
+            bayfront-ip4))
+
+;;; Commentary:
+;;;
+;;; DNS configuration.
+;;;
+;;; For any change in the zone (an IP, a new record, ...), increment the
+;;; the serial in the zone configuration. This is very important for
+;;; changes to be taken into account.
+;;;
+;;; Remember some DNS rules: no other kind of record for a CNAME record.
+;;; Always associate a name that resolves to an A or an AAAA record
+;;; immediately (it cannot be a CNAME).  Same for MX.
+;;;
+;;; Remember that data is relative to the root of this zone when it
+;;; reference another domain name, unless it ends with a dot.
+;;;
+;;; Ex: "ns1.guix.gnu.org" actually means "ns1.guix.gnu.org.guix.gnu.org"
+;;; whereas "ns1.guix.gnu.org." means what it says.
+;;;
+;;; Code:
+
+;; Define some IP addresses for easier use later
+(define gnu.org-ip4 "209.51.188.148")
+(define gnu.org-ip6 "2001:470:142:3::a")
+(define hydra-ip4 "18.4.89.46")
+(define bayfront-ip4 "185.233.100.56")
+(define berlin-ip4 "141.80.181.40")
+
+(define-zone-entries guix.gnu.org.zone
+;; Name       TTL Class Type Data
+  ("@"        ""  "IN"  "A"      gnu.org-ip4)
+  ("@"        ""  "IN"  "AAAA"   gnu.org-ip6)
+  ("@"        ""  "IN"  "NS"     "ns1")
+  ("@"        ""  "IN"  "NS"     "ns2")
+  ("ns1"      ""  "IN"  "A"      bayfront-ip4)
+  ("ns2"      ""  "IN"  "A"      berlin-ip4)
+  ("hydra"    ""  "IN"  "A"      hydra-ip4)
+  ("berlin"   ""  "IN"  "A"      berlin-ip4)
+  ("bayfront" ""  "IN"  "A"      bayfront-ip4)
+  ("ci"       ""  "IN"  "CNAME"  "berlin"))
+
+(define guix.gnu.org-zone
+  (knot-zone-configuration
+    (domain "guix.gnu.org")
+    (zone (zone-file
+            (origin "guix.gnu.org")
+            (entries guix.gnu.org.zone)
+            (serial 1)))))
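Review bot: The `zone-file` record at lines 189-192 sets `origin`, `entries` and `serial` but not `ns`, which names the primary server in the generated SOA record; if I recall the (gnu services knot) default correctly it is "ns", a name that has no record in this zone, while the actual servers are "ns1" and "ns2" — adding `(ns "ns1")` keeps the SOA MNAME consistent with the NS records and with bayfront being the master. Two smaller points: the commentary at line 151 doubles a word (`;;; the serial in the zone configuration.` should follow "increment the"), and the names `guix.gnu.org.zone` (line 173) and `guix.gnu.org-zone` (line 186) differ only in one punctuation character, so a reader will mix them up; something like `guix.gnu.org-entries` for the entry list would make the distinction visible. The file also documents no mailbox for the SOA RNAME (`mail` is left at its default), which is worth a one-line comment once the delegation is live.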
-- 
2.20.1


