From 331a85e469579c02a3fc338a6fb0bade3916c666 Mon Sep 17 00:00:00 2001
From: Julien Lepiller
Date: Mon, 4 Mar 2019 22:00:22 +0100
Subject: [PATCH] hydra: Add dns services for guix.gnu.org.
* hydra/bayfront.scm (services): Add knot-service.
* hydra/berlin.scm (services): Add knot-service.
* hydra/modules/sysadmin/dns.scm: New file.
---
 hydra/bayfront.scm | 16 +++++++-
 hydra/berlin.scm | 19 ++++++++-
 hydra/modules/sysadmin/dns.scm | 70 ++++++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+), 4 deletions(-)
 create mode 100644 hydra/modules/sysadmin/dns.scm
diff --git a/hydra/bayfront.scm b/hydra/bayfront.scm
index fae5cb5..6ec21f2 100644
--- a/hydra/bayfront.scm
+++ b/hydra/bayfront.scm
@@ -1,7 +1,7 @@
 ;; OS configuration for bayfront, the frontend of the compile farm.
-(use-modules (gnu) (guix) (sysadmin people) (sysadmin services))
-(use-service-modules base networking admin shepherd)
+(use-modules (gnu) (guix) (sysadmin people) (sysadmin services) (sysadmin dns))
+(use-service-modules base dns networking admin shepherd)
 (use-package-modules admin certs linux ssh tls vim package-management web wget)
 (define %sysadmins
@@ -124,6 +124,18 @@ Happy hacking!\n"))
 (service ntp-service-type)
+ ;; DNS
+ (service knot-service-type
+ (knot-configuration
+ (zones (list (knot-zone-configuration
+ (inherit guix.gnu.org-zone)
+ (dnssec-policy "default")
+ (acl '("transfer-allow")))))
+ (acls (list (knot-acl-configuration
+ (id "transfer-allow")
+ (address (list berlin-ip4))
+ (action '(transfer)))))))
+
 (frontend-services %sysadmins
 #:nar-ttl (* 45 24 3600)
 #:motd %motd
diff --git a/hydra/berlin.scm b/hydra/berlin.scm
index 8d63a14..343e104 100644
--- a/hydra/berlin.scm
+++ b/hydra/berlin.scm
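Review bot: The `transfer-allow` ACL added to bayfront's knot-configuration authorizes zone transfers by source address alone (`(address (list berlin-ip4))`, no `key`), and the berlin hunk's `notify-allow` ACL and `bayfront-master` remote have the same shape, so primary and secondary authenticate each other only by IP. The zone content is public, so the exposure is mostly a spoofed NOTIFY or a transfer from an address that later changes hands, but a shared TSIG key — a `knot-key-configuration` in the `keys` field, referenced through the `key` field of the ACL and of berlin's remote — authenticates both directions at little operational cost, with the secret itself kept outside this public repository. Separately, the zone sets `(dnssec-policy "default")` but declares no remote for berlin and no `notify` target, so berlin will only pick up re-signed data on its SOA refresh timer; if `knot-zone-configuration` exposes a `notify` field here, `(notify '("berlin"))` plus a `remotes` entry for `berlin-ip4` closes that gap. Resolvers will not validate the signed zone until a DS record for the key is published in the gnu.org parent, which this commit does not cover. The surrounding `services` list begins and ends outside the hunk.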
@@ -1,8 +1,8 @@
 ;; OS configuration for "berlin", the frontend of the compile farm
 ;; hosted at the MDC.
-(use-modules (gnu) (guix) (sysadmin services) (sysadmin people))
-(use-service-modules base databases monitoring networking admin shepherd)
+(use-modules (gnu) (guix) (sysadmin services) (sysadmin people) (sysadmin dns))
+(use-service-modules base databases dns monitoring networking admin shepherd)
 (use-package-modules admin certs emacs linux monitoring ssh tls vim package-management web wget ci rsync)
@@ -164,6 +164,21 @@ Happy hacking!\n"))
 (tty "ttyS0")
 (baud-rate "115200")))
+ ;; DNS
+ (service knot-service-type
+ (knot-configuration
+ (zones (list (knot-zone-configuration
+ (domain "guix.gnu.org")
+ (master '("bayfront-master"))
+ (acl '("notify-allow")))))
+ (acls (list (knot-acl-configuration
+ (id "notify-allow")
+ (address (list bayfront-ip4))
+ (action '(notify)))))
+ (remotes (list (knot-remote-configuration
+ (id "bayfront-master")
+ (address (list bayfront-ip4)))))))
+
 ;; Monitoring
 (service zabbix-agent-service-type)
 (service zabbix-server-service-type
diff --git a/hydra/modules/sysadmin/dns.scm b/hydra/modules/sysadmin/dns.scm
new file mode 100644
index 0000000..8ce93e6
--- /dev/null
+++ b/hydra/modules/sysadmin/dns.scm
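Review bot: The berlin zone re-spells the apex as a literal `(domain "guix.gnu.org")` while bayfront inherits it from `guix.gnu.org-zone`, so a rename in (sysadmin dns) would leave the secondary silently serving a zone its primary no longer offers; deriving it from the exported record — `(domain (knot-zone-configuration-domain guix.gnu.org-zone))`, assuming define-configuration generates that accessor as it does for the other fields — keeps the two hosts in step. The block also carries no comment explaining its role; something like `;; Secondary for guix.gnu.org (ns2); bayfront is the signing primary.` above `(service knot-service-type` would orient a reader who opens this file first. With no `file` or `zone` given, Knot presumably keeps the transferred copy in its own storage, which is the expected shape for a secondary but worth stating in that comment. The enclosing `services` list begins and ends outside the hunk.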
@@ -0,0 +1,70 @@
+;;; GNU Guix system administration tools.
+;;;
+;;; Copyright © 2019 Julien Lepiller
+;;;
+;;; This program is free software: you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation, either version 3 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; This program is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this program. If not, see .
+
+(define-module (sysadmin dns)
+ #:use-module (gnu services knot)
+ #:export (guix.gnu.org-zone
+ berlin-ip4
+ bayfront-ip4))
+
+;;; Commentary:
+;;;
+;;; DNS configuration.
+;;;
+;;; For any change in the zone (an IP, a new record, ...), increment the
+;;; the serial in the zone configuration. This is very important for
+;;; changes to be taken into account.
+;;;
+;;; Remember some DNS rules: no other kind of record for a CNAME record.
+;;; Always associate a name that resolves to an A or an AAAA record
+;;; immediately (it cannot be a CNAME). Same for MX.
+;;;
+;;; Remember that data is relative to the root of this zone when it
+;;; reference another domain name, unless it ends with a dot.
+;;;
+;;; Ex: "ns1.guix.gnu.org" actually means "ns1.guix.gnu.org.guix.gnu.org"
+;;; whereas "ns1.guix.gnu.org." means what it says.
+;;;
+;;; Code:
+
+;; Define some IP addresses for easier use later
+(define gnu.org-ip4 "209.51.188.148")
+(define gnu.org-ip6 "2001:470:142:3::a")
+(define hydra-ip4 "18.4.89.46")
+(define bayfront-ip4 "185.233.100.56")
+(define berlin-ip4 "141.80.181.40")
+
+(define-zone-entries guix.gnu.org.zone
+;; Name TTL Class Type Data
+ ("@" "" "IN" "A" gnu.org-ip4)
+ ("@" "" "IN" "AAAA" gnu.org-ip6)
+ ("@" "" "IN" "NS" "ns1")
+ ("@" "" "IN" "NS" "ns2")
+ ("ns1" "" "IN" "A" bayfront-ip4)
+ ("ns2" "" "IN" "A" berlin-ip4)
+ ("hydra" "" "IN" "A" hydra-ip4)
+ ("berlin" "" "IN" "A" berlin-ip4)
+ ("bayfront" "" "IN" "A" bayfront-ip4)
+ ("ci" "" "IN" "CNAME" "berlin"))
+
+(define guix.gnu.org-zone
+ (knot-zone-configuration
+ (domain "guix.gnu.org")
+ (zone (zone-file
+ (origin "guix.gnu.org")
+ (entries guix.gnu.org.zone)
+ (serial 1)))))
-- 2.20.1
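Review bot: `(serial 1)` together with the Commentary's instruction to bump it by hand is the fragile part of this file: a secondary ignores any transfer whose serial is not strictly greater than the one it holds, so a forgotten increment leaves ns2 serving stale data with no error raised anywhere. A comment on the `serial` line such as `;; Must strictly increase on every change; ns2 only refreshes when it grows (YYYYMMDDnn is the usual convention).` would surface that at the point of edit, and if bayfront's DNSSEC signing rewrites the SOA serial itself, the interaction with a hand-maintained value deserves a sentence too. Two wording slips in the Commentary: `increment the the serial` doubles "the", and `when it reference another domain name` should read "references". Because `ns1` and `ns2` live inside the zone they serve, the delegation in the gnu.org parent must carry matching NS and glue A records for `ns1.guix.gnu.org` and `ns2.guix.gnu.org`; that is outside this commit, which is fine, but a comment naming where that delegation is maintained would save the next person a lookup.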