PVV-DNS/.gitea/workflows/build-test-deploy.yaml
Felix Albrigtsen 208d6ace18
workflows: replace nbsp
2026-02-10 11:03:04 +01:00


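# Gitea Actions workflow for PVV-DNS: build the zonefiles and nsd configuration
# with nix, validate them with nsd's own checkers, and push them to the DNS host
# (main branch only).
name: Build and test
run-name: Build ${{ gitea.repository }} @ ${{ gitea.sha }} by ${{ gitea.actor }}

on:
  push:
    branches:
      - '**'
  pull_request:
    branches:
      - '**'

jobs:
  build:
    runs-on: debian-latest
    steps:
      - name: Debug output
        # Workflow expressions are handed to the shell through `env` and read as
        # variables. Splicing `${{ ... }}` directly into the script text would
        # let shell metacharacters in e.g. a branch name run as commands, since
        # the push trigger accepts every branch.
        env:
          EVENT_NAME: ${{ gitea.event_name }}
          REPOSITORY: ${{ gitea.repository }}
          REF: ${{ gitea.ref }}
        run: |
          echo "PVV-DNS build triggered by a $EVENT_NAME event"
          echo "Building $REPOSITORY on ref $REF"
      - name: Install sudo
        run: apt-get install --update --assume-yes sudo
      - name: Install nix
        uses: https://github.com/cachix/install-nix-action@v31
        with:
          extra_nix_config: |
            experimental-features = nix-command flakes
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Build zonefiles
        run: nix build .#zoneFiles
      - name: Build nsd-config
        run: nix build .#nsdConfig
      - name: Build default
        # The default package is what the test and deploy jobs consume; it is
        # linked at a fixed path outside the workspace so the artifact path is
        # stable across jobs.
        run: nix build --out-link /tmp/result .#
      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
          name: build-output
          path: /tmp/result
          if-no-files-found: error

  test:
    runs-on: debian-latest
    needs: build
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
          name: build-output
          path: /tmp/result
      - name: Install nsd
        run: apt-get install --update --assume-yes nsd
      - name: Check configuration file
        run: |
          set -euo pipefail
          echo "Checking nsd configuration file"
          nsd-checkconf /tmp/result/etc/nsd/nsd.conf && echo "/tmp/result/etc/nsd/nsd.conf is ok"
      - name: Check zonefiles
        # Every zone listed here must exist in the build output as
        # /tmp/result/zones/<domain>.zone; `set -e` makes the first failing
        # check abort the step instead of continuing with the next zone.
        run: |
          set -euo pipefail
          declare -a domains=(
            "128-255.210.241.129.in-addr.arpa"
            "210.241.129.in-addr.arpa"
            "9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa"
            "nuccc.org"
            "pvv.no"
            "pvv.ntnu.no"
            "pvv.org"
          )
          for domain in "${domains[@]}"
          do
            echo "Checking domain '$domain'"
            nsd-checkzone "$domain" "/tmp/result/zones/${domain}.zone"
          done

  deploy:
    runs-on: debian-latest
    needs: [build, test]
    # Only the main branch is deployed. Gitea accepts the `github` context as an
    # alias of `gitea`, so this condition works even though the rest of the
    # file uses `gitea.*`.
    if: github.ref == 'refs/heads/main'
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
          name: build-output
          path: /tmp/result
      - name: Install required tools
        run: apt-get install --update --assume-yes dnsutils rsync
      - name: Replace placeholder serial
        # The new SOA serial is derived from what the live server publishes:
        # YYYYMMDD01 for the first change of the day, otherwise the live serial
        # plus one. The built zonefiles are expected to carry the placeholder
        # serial 1970010101, which is rewritten in place here; the chosen
        # serial is kept in /tmp/serial_new for the verification step.
        env:
          DNS_HOST: ${{ vars.DNS_HOST }}
        run: |
          set -euo pipefail
          SERIAL_OLD="$(dig +short "@$DNS_HOST" SOA pvv.ntnu.no | cut -d" " -f3)"
          # Refuse to continue on an empty, non-numeric or implausible serial:
          # a bad value here would be baked into every deployed zone.
          if [[ -z "$SERIAL_OLD" || ! "$SERIAL_OLD" =~ ^[0-9]+$ || $SERIAL_OLD -lt 1970010101 || $SERIAL_OLD -gt 3000000000 ]]; then
            echo "Error: SERIAL_OLD='$SERIAL_OLD' does not look reasonable"
            exit 1
          fi
          DATE="$(date "+%Y%m%d")"
          if [[ "$SERIAL_OLD" -lt "${DATE}01" ]]
          then
            SERIAL_NEW="${DATE}01"
          else
            SERIAL_NEW="$((SERIAL_OLD+1))"
          fi
          echo "$SERIAL_NEW" > /tmp/serial_new
          SERIAL_PLACEHOLDER=1970010101
          echo "Replacing existing zone serial $SERIAL_OLD with new serial $SERIAL_NEW"
          find /tmp/result/zones -type f -name "*.zone" -exec sed -i "s/$SERIAL_PLACEHOLDER/$SERIAL_NEW/" {} \;
      - name: Prepare SSH for deployment
        # Host key, user and host come from repository variables, the private
        # key from a secret; all are passed via `env` rather than interpolated
        # into the script. StrictHostKeyChecking relies on SSH_KNOWN_HOSTS
        # holding the target's host key.
        env:
          SSH_KNOWN_HOSTS: ${{ vars.SSH_KNOWN_HOSTS }}
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_USER: ${{ vars.SSH_USER }}
          SSH_HOST: ${{ vars.SSH_HOST }}
        run: |
          set -euo pipefail
          # umask 077 creates every file below as 0600 from the start, so the
          # private key is never readable by other users before the chmod.
          umask 077
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          printf '%s\n' "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
          printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          cat <<EOF > ~/.ssh/config
          Host targethost
            User $SSH_USER
            Hostname $SSH_HOST
            IdentityFile ~/.ssh/deploy_key
            ForwardAgent no
            ForwardX11 no
            PasswordAuthentication no
            StrictHostKeyChecking yes
          EOF
          echo "Configured SSH to $SSH_USER@$SSH_HOST"
      - name: Deploy files to host
        # Zones are mirrored with --delete so zones removed from the repo also
        # disappear on the host; nsd is then told to re-read config and zones.
        run: |
          set -euo pipefail
          echo "Deploying zonefiles"
          rsync --verbose --recursive --delete /tmp/result/zones/ targethost:/var/nsd/zones
          echo "Deploying nsd config"
          rsync --verbose /tmp/result/etc/nsd/nsd.conf targethost:/var/nsd/etc/nsd.conf
          echo "Reloading config file"
          ssh targethost "doas /usr/sbin/nsd-control reconfig"
          echo "Reloading zone files"
          ssh targethost "doas /usr/sbin/nsd-control reload"
      - name: Verifying operation
        # The deployment counts as successful only if the live server now
        # answers with the serial chosen in "Replace placeholder serial".
        env:
          DNS_HOST: ${{ vars.DNS_HOST }}
        run: |
          set -euo pipefail
          SERIAL_ACTIVE="$(dig +short "@$DNS_HOST" SOA pvv.ntnu.no | cut -d" " -f3)"
          if [[ "$(cat /tmp/serial_new)" == "$SERIAL_ACTIVE" ]]
          then
            echo "Update successful, server reports new active serial number '$SERIAL_ACTIVE'"
          else
            echo "Update failed, server reports serial '$SERIAL_ACTIVE' instead of new serial '$(cat /tmp/serial_new)'"
            exit 1
          fi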