split-zone, dn42-routes and more

This commit is contained in:
Jörg Thalheim 2015-03-30 22:02:32 +00:00
parent 7f654d8997
commit 17426c3eeb
12 changed files with 247 additions and 44 deletions

View File

@ -1,14 +1,18 @@
{
"zone": {
"soa": "ns1.higgsboson.tk.",
"serial": 124,
"serial": 149,
"refresh": "1H",
"hostmaster": "hostmaster.higgsboson.tk",
"domain": "eve.higgsboson.tk",
"ttl": 300,
"a": "148.251.132.243",
"aaaa": "2a01:4f8:210:31fd::1",
"retry": "4H",
"expire": "3W",
"minimum": "1D",
"v4_subnet": "192.168.66.0/24",
"dn42_v4_subnet": "172.23.75.0/24",
"v6_subnet": "2a01:4f8:210:31fd:1::/80"
},
"network": {
@ -19,17 +23,17 @@
},
"tinc2": {
"ipv4": "188.166.16.37",
"ipv6": "2a03:b0c0:2:d0::2a5:f004",
"ipv6": "2a03:b0c0:0:1010::3d:b003",
"lxc": false
},
"eve": {
"ipv4": "192.168.66.1",
"ipv6": "2a01:4f8:210:31fd::1",
"ipv4": "148.251.132.243",
"lxc": false
},
"eva": {
"ipv4": "192.168.67.1",
"ipv6": "2a03:b0c0:2:d0::2a5:f001",
"ipv4": "188.166.16.37",
"lxc": false
},
"bridge": {
@ -68,23 +72,27 @@
"ns1": {
"ns": true,
"lxc": false,
"rdns6": "ns1.higgsboson.tk",
"ipv4": "192.168.66.6/32",
"ipv4": "148.251.132.243/32",
"ipv6": "2a01:4f8:210:31fd:1::6/128"
},
"ns2": {
"ns": true,
"lxc": false,
"ipv4": "192.168.67.1/32",
"ipv6": "2a03:b0c0:2:d0:1::1/128"
"ipv4": "188.226.214.194/32",
"ipv6": "2a03:b0c0:0:1010::3d:b002/128"
},
"dns": {
"ipv4": "192.168.66.6/32",
"ipv6": "2a01:4f8:210:31fd:1::6/128",
"rdns6": "ns1.higgsboson.tk",
"dn42_ipv4": "172.23.75.6/32",
"dn42_ipv6": "fdc0:4992:6a6d:6::1/64"
},
"dn42": {
"ipv4": "172.23.75.4"
}
"ipv4": "192.168.66.31/32",
"ipv6": "2a01:4f8:210:31fd:1::1f/128",
"dn42_ipv4": "172.23.75.1/32",
"dn42_ipv6": "fdc0:4992:6a6d:1::1/64"
},
"faces": {
"ipv4": "192.168.66.7/32",
@ -132,7 +140,8 @@
"mysql",
"pdo_mysql"
]
}
},
"lxc": false
},
"phppgadmin": {
"ipv4": "192.168.66.13/32",
@ -143,7 +152,8 @@
"pgsql",
"pdo_pgsql"
]
}
},
"lxc": false
},
"adminer": {
"ipv4": "192.168.66.14/32",
@ -339,6 +349,10 @@
]
}
},
"terraria": {
"ipv4": "192.168.66.34/32",
"ipv6": "2a01:4f8:210:31fd:1::22/128"
}
}
}

View File

@ -1,6 +1,20 @@
lxc.autodev = 1
lxc.kmsg = 0
lxc.cap.drop = sys_module mac_admin mac_override sys_time net_admin
lxc.cap.drop = sys_module mac_admin mac_override sys_time net_admin setfcap sys_nice sys_pacct sys_rawio
# Setup the LXC devices in /dev/lxc/
lxc.devttydir = lxc
# Set the halt/stop signals
lxc.haltsignal=SIGRTMIN+4
lxc.stopsignal=SIGRTMIN+14
# Set the pivot directory
lxc.pivotdir = lxc_putold
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.network.type = veth
lxc.network.link = br0
@ -12,30 +26,45 @@ lxc.network.ipv6.gateway = 2a01:4f8:210:31fd:1::1
# cgroups
lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## Allow specific devices
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
### /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
### fuse
lxc.cgroup.devices.allow = c 10:229 rwm
lxc.cgroup.memory.soft_limit_in_bytes = 1500M
lxc.cgroup.memory.limit_in_bytes = 2000M
lxc.cgroup.cpu.shares = 256
lxc.cgroup.blkio.weight = 500
lxc.mount.entry = /data/pacman-cache var/cache/pacman/pkg none bind 0 0
# Setup the default mounts
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.mount.entry = /data/pacman/pkg var/cache/pacman/pkg none bind 0 0
lxc.mount.entry = /data/pacman/sync var/lib/pacman/sync none bind 0 0
lxc.mount.entry = /data/repo srv/repo none bind,ro,create=dir 0 0
lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0
lxc.hook.autodev = /etc/lxc/hooks/dn42-routes
lxc.hook.clone = /etc/lxc/hooks/setup-machine-id
lxc.hook.clone = /etc/lxc/hooks/remove-journal
lxc.hook.clone = /etc/lxc/hooks/cleanup-lxc-config

View File

@ -3,3 +3,4 @@ lxc.network.link = evenet
lxc.network.flags = up
lxc.network.name = eth1
lxc.network.mtu = 1500
lxc.hook.autodev = /etc/lxc/hooks/dn42-routes

51
hooks/build-split-zone Executable file
View File

@ -0,0 +1,51 @@
#!/usr/bin/env ruby
require "resolv"
require_relative "lib/lxc"
class Resolver
def initialize
@stub_resolver = Resolv::DNS.new
@cache = {}
end
def resolve(name, delegated_subdomain, typeclass)
if name == "@"
fqdn = delegated_subdomain
else
fqdn = "#{name}.#{delegated_subdomain}"
end
result = @cache[fqdn + typeclass.to_s] ||= @stub_resolver.getresource(fqdn, typeclass)
if result == :no_record
nil
else
result
end
rescue Resolv::ResolvError => e
puts "warning: #{e}"
@cache[fqdn + typeclass.to_s] = :no_record
return nil
end
def a(name, delegated_subdomain)
result = resolve(name, delegated_subdomain, Resolv::DNS::Resource::IN::A)
return "" unless result
"#{name} A #{result.address.to_s}\n"
end
def aaaa(name, delegated_subdomain)
result = resolve(name, delegated_subdomain, Resolv::DNS::Resource::IN::AAAA)
return "" unless result
"#{name} AAAA #{result.address.to_s}\n"
end
end
template_path = Lxc::CONFIG_ROOT.join("templates/higgsboson.tk.zone.erb")
template = Lxc::Template.new(template_path)
serial = Time.new.to_i
resolver = Resolver.new
zones = [
["zones/higgsboson.tk.zone", :pub],
["zones/internal-eve.higgsboson.tk.zone", :eve],
["zones/internal-eva.higgsboson.tk.zone", :eva],
]
zones.each do |zone, type|
template.write(zone, resolver: resolver, serial: serial, type: type)
end
Lxc::Utils.sh("lxc-attach", "-n", "dns", "--", "rndc", "reload")

View File

@ -1,5 +1,7 @@
#!/bin/bash
/usr/bin/ip route add 172.16.0.0/12 via 172.16.75.1 proto static metric 200
/usr/bin/ip route add 10.0.0.0/8 via 172.16.75.1 proto static metric 200
exit 0
ip rule add from 172.23.75.0/24 table 42
ip route add 192.168.66.0/24 via 172.23.75.4 dev eth1 table 42
ip route add 172.16.0.0/12 via 172.23.75.1
ip route add 10.0.0.0/8 via 172.23.75.1
ip route flush cache

View File

@ -16,13 +16,13 @@ module Lxc
@ipv4_subnet = NetAddr::CIDR.create(zone["v4_subnet"] || "192.168.10.0/24")
@ipv6_subnet = NetAddr::CIDR.create(zone["v6_subnet"] || "fd7d:aed0:18aa::/48")
if subnet = zone["dn42_ipv4_subnet"]
if subnet = zone["dn42_v4_subnet"]
@dn42_ipv4_netmask = NetAddr::CIDR.create(subnet).to_i(:netmask)
else
@dn42_ipv4_netmask = 24
end
if subnet = zone["dn42_ipv6_subnet"]
if subnet = zone["dn42_v6_subnet"]
@dn42_ipv6_netmask = NetAddr::CIDR.create(subnet).to_i(:netmask)
else
@dn42_ipv6_netmask = 48
@ -47,12 +47,12 @@ module Lxc
ipv4: format_address(@ipv4, @ipv4_subnet.to_i(:netmask)),
ipv6: format_address(@ipv6, @ipv6_subnet.to_i(:netmask)))
if @dn42_ipv4
opts[:dn42_ipv4] = format_address(dn42_ipv6, dn42_ipv4_netmask)
opts[:dn42_ipv4] = format_address(@dn42_ipv4, @dn42_ipv4_netmask)
c["dn42_ipv4"] = NetAddr::CIDR.create(@dn42_ipv4).to_s(Short: true)
end
if @dn42_ipv6
opts[:dn42_ipv6] = format_address(dn42_ipv4, dn42_ipv6_netmask)
opts[:dn42_ipv6] = format_address(@dn42_ipv6, @dn42_ipv6_netmask)
c["dn42_ipv6"] = NetAddr::CIDR.create(@dn42_ipv6).to_s(Short: true)
end

View File

@ -8,12 +8,13 @@ module Lxc
end
class Template
def initialize(path)
def initialize(path, context: nil)
@path = path
@erb = ERB.new(File.read(path), nil, "-")
end
def render(params={})
@erb.result(TemplateContext.new(params).get_binding)
context = TemplateContext.new(params)
@erb.result(context.get_binding)
rescue => e
raise StandardError.new("fail to render '#{@path}': #{e}")
end

6
hooks/tun-device Executable file
View File

@ -0,0 +1,6 @@
#!/bin/sh
cd ${LXC_ROOTFS_MOUNT}/dev
mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun

View File

@ -5,3 +5,13 @@ lxc.rootfs = <%= rootfs %>
lxc.network.ipv4 = <%= ipv4 %>
lxc.network.ipv6 = <%= ipv6 %>
lxc.network.veth.pair = lxc_<%= name[0..(16-4)] %>
<% if dn42_ipv4 || dn42_ipv6 -%>
lxc.include = /etc/lxc/evenet.conf
<% if dn42_ipv4 -%>
lxc.network.ipv4 = <%= dn42_ipv4 %>
<% end -%>
<% if dn42_ipv6 -%>
lxc.network.ipv6 = <%= dn42_ipv6 %>
<% end -%>
<% end -%>

View File

@ -0,0 +1,89 @@
$TTL 300
@ 3600 IN SOA ns1 admin.higgsboson.tk. (
<%= serial %> ; serial
7200 ; refresh
3600 ; retry
86400 ; expire
3600) ; minimum
;; NS Records (YOU MUST CHANGE THIS)
NS ns1
NS ns2
;; MX Records
MX 10 mail
;; TXT Records
TXT "v=spf1 mx a:mail.higgsboson.tk aaaa:mail.higgsboson.tk -all"
_adsp._domainkey TXT "dkim=all\;"
default._domainkey TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhqBgbSEMgdWYmBSBsNbI2opjEZSFuZiqnAzv2yxLYyXB0l1uL4tw9npNkC4w5cNehc87qhuuzADsSOJoFUQ+H3oWOnENcGKatQqRKzLxKLBWwUf+TnC21AKGHXD4eABZk3ahfYnlR7li3Wh/JSMsAxWmaikLj3uLHd/WN9eH4rwIDAQAB"
_dmarc TXT "v=DMARC1\; p=none\; adkim=r\; aspf=r\; rua=mailto:admin@higgsboson.tk\; ruf=mailto:admin@higgsboson.tk\; pct=100"
joerg._pka TXT "v=pka1\;fpr=4ABA07382AD57E6B9AA4E88DCA4106B8D7CC79FA\;uri=http://higgsboson.tk/joerg/joerg.asc"
;; SRV Records (Service locator)
_xmpp-client._tcp.muc SRV 0 5 5222 jabber
_xmpp-client._tcp SRV 0 5 5222 jabber
_xmpp-server._tcp.muc SRV 0 5 5269 jabber
_xmpp-server._tcp SRV 0 5 5269 jabber
;; CNAME Records
*.jabber CNAME jabber
anon CNAME jabber
proxy CNAME jabber
pubsub CNAME jabber
imap CNAME mail
smtp CNAME mail
tinc1 CNAME dn42
archfeed CNAME arch-pkg-feed.herokuapp.com.
githubtags CNAME github-tags-feed.herokuapp.com.
reisekosten CNAME reisekosten.herokuapp.com.
;; A Records (IPv4 addresses)
<% if type == :eve -%>
* A 192.168.66.5
<% else -%>
* A 148.251.132.243
<% end -%>
dn42 A 148.251.132.243
<%= resolver.aaaa("dn42", "eve.higgsboson.tk") -%>
;; eve -->
<% eve_services = %w{@ classifier eve jabber login mail ns1 web} -%>
<% if type == :eve -%>
<% eve_services.each do |name| -%>
<%= resolver.a(name, "eve.higgsboson.tk") -%>
<% end -%>
<% else -%>
<% eve_services.each do |name| -%>
<%= name %> A 148.251.132.243
<% end -%>
<% end -%>
;; <-- eve
;; eva -->
<% eva_services = %w{eva ns2 tinc2} -%>
<% if type == :eva -%>
<% eva_services.each do |name| -%>
<%= resolver.a(name, "eva.higgsboson.tk") -%>
<% end -%>
<% else -%>
<% eva_services.each do |name| -%>
<%= name %> A 188.166.16.37
<% end -%>
<% end -%>
;; <-- eva
;; AAAA Records (IPv6 addresses)
* AAAA 2a01:4f8:210:31fd:1::5
<% eve_services.each do |name| -%>
<%= resolver.aaaa(name, "eve.higgsboson.tk") -%>
<% end -%>
<% eva_services.each do |name| -%>
<%= resolver.aaaa(name, "eva.higgsboson.tk") -%>
<% end -%>

View File

@ -1,15 +1,26 @@
<% if data["zone"]["ttl"] -%>
$TTL <%= data["zone"]["ttl"] %>
<% end -%>
@ IN SOA <%= data["zone"]["soa"] %> <%= data["zone"]["hostmaster"] %> (
<%= data["zone"]["serial"] %> ; serial
<%= data["zone"]["refresh"] %> ; refresh
<%= data["zone"]["retry"] %> ; retry
<%= data["zone"]["expire"] %> ; expire
<%= data["zone"]["minimum"] %>) ; minimum
<% data["network"].each do |name, value| -%>
<% if value["ns"] -%>
IN NS <%= name %>
NS <%= name %>
<% end -%>
<% end -%>
<% if data["zone"]["a"] -%>
A <%= data["zone"]["a"] %>
<% end -%>
<% if data["zone"]["aaaa"] -%>
AAAA <%= data["zone"]["aaaa"]%>
<% end -%>
<% data["network"].each do |name, value| %>
<% if value["cname"] -%>
<%= name %> CNAME <%= value["cname"] %>

View File

@ -6,18 +6,7 @@
<%= data["zone"]["minimum"] %>) ; minimum
<% data["network"].each do |name, value| -%>
<% if value["ns"] -%>
IN NS <%= name %>
<% end -%>
<% end -%>
<% data["network"].each do |name, value| -%>
<% if value["ns"] -%>
<% if value["ipv4"] -%>
<%= name %> A <%= NetAddr::CIDR.create(value["ipv4"]).ip(Short: true) %>
<% end -%>
<% if value["ipv6"] -%>
<%= name %> AAAA <%= NetAddr::CIDR.create(value["ipv6"]).ip(Short: true) %>
<% end -%>
IN NS <%= name %>.<%= data["zone"]["domain"] %>.
<% end -%>
<% end -%>