servo: trust-dns: implement some dynamic DNS shim

2022-12-12 10:30:08 +00:00
parent acabd34f28
commit f0086dc5bd
2 changed files with 54 additions and 9 deletions
--- a/hosts/servo/services/trust-dns/default.nix
+++ b/hosts/servo/services/trust-dns/default.nix
@@ -4,20 +4,65 @@
  networking.firewall.allowedTCPPorts = [ 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];

+  systemd.services.ddns-trust-dns = {
+    description = "update dynamic DNS entries for self-hosted trust-dns";
+    after = [ "network.target" ];
+    restartTriggers = [ ./uninsane.org.zone ];
+    script = let
+      sed = "${pkgs.gnused}/bin/sed";
+      curl = "${pkgs.curl}/bin/curl -4";
+      sha256sum = "${pkgs.coreutils-full}/bin/sha256sum";
+      cut = "${pkgs.coreutils-full}/bin/cut";
+      zone-state = "/var/lib/trust-dns/uninsane.org.zone";
+      diff = "${pkgs.diffutils}/bin/diff";
+      systemctl = "${pkgs.systemd}/bin/systemctl";
+    in ''
+      mkdir -p /var/lib/trust-dns
+      ip=$(${curl} https://ipinfo.io/ip)
+
+      # TODO: validate that this is really our IP!
+      ${sed} s/%NATIVE%/$ip/ ${./uninsane.org.zone} > ${zone-state}.new
+
+      # see if anything changed
+      touch ${zone-state}
+      old_sha=$(${sha256sum} ${zone-state} | ${cut} -f 1 -d' ' )
+      new_sha=$(${sha256sum} ${zone-state}.new | ${cut} -f 1 -d' ' )
+      cp ${zone-state} ${zone-state}.old
+      mv ${zone-state}.new ${zone-state}
+      # if so, restart trust-dns
+      if [ "$new_sha" != "$old_sha" ]
+      then
+        echo "zone changed: restarting"
+        ${diff} -u ${zone-state}.old ${zone-state} || true
+        ${systemctl} restart trust-dns.service
+      else
+        echo "zone unchanged. ip: $ip"
+      fi
+    '';
+  };
+
+  systemd.timers.ddns-trust-dns = {
+    timerConfig = {
+      OnStartupSec =    "10min";
+      OnUnitActiveSec = "10min";
+    };
+  };
+
  systemd.services.trust-dns = {
    description = "trust-dns DNS server";
    serviceConfig = {
      ExecStart = ''
        ${pkgs.trust-dns}/bin/named \
          --config ${./uninsane.org.toml} \
-          --zonedir ${./.}
+          --zonedir /var/lib/trust-dns
      '';
      Type = "simple";
      Restart = "on-failure";
      RestartSec = "10s";
-      # TODO: hardening
+      # TODO: hardening (like, don't run as root!)
    };
-    after = [ "network.target" ];
+    after = [ "network.target" "ddns-trust-dns.service" ];
+    wants = [ "ddns-trust-dns.timer" ];
    wantedBy = [ "multi-user.target" ];
  };
 }
--- a/hosts/servo/services/trust-dns/uninsane.org.zone
+++ b/hosts/servo/services/trust-dns/uninsane.org.zone
@@ -14,17 +14,17 @@ $TTL 900
                                7d         ; Expire
                                5m)        ; Negative response TTL

-rev             TXT     "2022120801"
+rev             TXT     "2022121206"

-@               A       97.126.41.123
+@               A       %NATIVE%
 ; XXX: RFC's specify that the MX record CANNOT BE A CNAME
 mx              A       185.157.162.178
-; TODO: can we use CNAME for NS records?
-ns1             A       97.126.41.123
-ns2             A       97.126.41.123
+; XXX NS records must also not be CNAME
+ns1             A       %NATIVE%
+ns2             A       %NATIVE%
 ; TODO: we could make native a CNAME of @?
 ; or just make all the `CNAME native`s `CNAME @`s?
-native          A       97.126.41.123
+native          A       %NATIVE%
 ovpns           A       185.157.162.178