From 0806fd023dce4a10cce211f85b809425fa874943 Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Sat, 7 Feb 2026 22:35:00 +0100
Subject: [PATCH] Add serial generation. Add deploy action

---
 .gitea/workflows/build-test-deploy.yaml | 157 ++++++++++++++++++++++++
 .gitea/workflows/build-test.yaml | 78 ------------
 README.md | 2 -
 pvv-domain.nix | 2 +-
 zones/nucc.org.nix | 2 +-
 zones/pvv.no.nix | 2 +-
 zones/reverse-ipv4-parent.nix | 2 +-
 zones/reverse-ipv4.nix | 2 +-
 zones/reverse-ipv6.nix | 2 +-
 9 files changed, 163 insertions(+), 86 deletions(-)
 create mode 100644 .gitea/workflows/build-test-deploy.yaml
 delete mode 100644 .gitea/workflows/build-test.yaml

diff --git a/.gitea/workflows/build-test-deploy.yaml b/.gitea/workflows/build-test-deploy.yaml
new file mode 100644
index 0000000..44a8ff7
--- /dev/null
+++ b/.gitea/workflows/build-test-deploy.yaml
@@ -0,0 +1,157 @@
+name: Build and test
+run-name: Build ${{ gitea.repository }} @ ${{ gitea.sha }} by ${{ gitea.actor }}
+
+on:
+ push:
+ branches:
+ - '**'
+ pull_request:
+ branches:
+ - '**'
+
+jobs:
+ build:
+ runs-on: debian-latest
+ steps:
+ - name: Debug output
+ run: |
+ echo "PVV-DNS build triggered by a ${{ gitea.event_name }} event"
+ echo "Building ${{ gitea.repository }} on ref ${{ gitea.ref }}"
+
+ - name: Install sudo
+ run: apt-get install --update --assume-yes sudo
+
+ - name: Install nix
+ uses: https://github.com/cachix/install-nix-action@v31
+ with:
+ extra_nix_config: |
+ experimental-features = nix-command flakes
+
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Build zonefiles
+ run: nix build .#zoneFiles
+
+ - name: Build nsd-config
+ run: nix build .#nsdConfig
+
+ - name: Build default
+ run: nix build --out-link /tmp/result .#
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: build-output
+ path: /tmp/result
+ if-no-files-found: error
+
+ test:
+ runs-on: debian-latest
+ needs: build
+ steps:
+ - name: Download artifact
+ uses: actions/download-artifact@v3
+ with:
+ name: build-output
+ path: /tmp/result
+
+ - name: Install nsd
+ run: apt-get install --update --assume-yes nsd
+
+ - name: Check configuration file
+ run: |
+ echo "Checking nsd configuration file"
+ nsd-checkconf /tmp/result/etc/nsd/nsd.conf && echo "/tmp/result/etc/nsd/nsd.conf is ok"
+
+ - name: Check zonefiles
+ run: |
+ declare -a domains=(
+ "128-255.210.241.129.in-addr.arpa"
+ "210.241.129.in-addr.arpa"
+ "9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa"
+ "nucc.org"
+ "pvv.no"
+ "pvv.ntnu.no"
+ "pvv.org"
+ )
+ for domain in "${domains[@]}"
+ do
+ echo "Checking domain '$domain'"
+ nsd-checkzone "$domain" "/tmp/result/zones/${domain}.zone"
+ done
+
+ deploy:
+ runs-on: debian-latest
+ needs: [build, test]
+ if: github.ref == 'refs/heads/main'
+ steps:
+ - name: Download artifact
+ uses: actions/download-artifact@v3
+ with:
+ name: build-output
+ path: /tmp/result
+
+ - name: Install required tools
+ run: apt-get install --update --assume-yes dnsutils rsync
+
+ - name: Replace placeholder serial
+ run: |
+ SERIAL_OLD="$(dig +short SOA pvv.ntnu.no | cut -d" " -f3)"
+ if [[ -z "$SERIAL_OLD" || ! "$SERIAL_OLD" =~ ^[0-9]+$ || $SERIAL_OLD -lt 1970010101 || $SERIAL_OLD -gt 3000000000 ]]; then
+ echo "Error: SERIAL_OLD='$SERIAL_OLD' does not look reasonable"
+ exit 1
+ fi
+ DATE="$(date "+%Y%m%d")"
+
+ if [[ "$SERIAL_OLD" == "$DATE*" ]]
+ then
+ SERIAL_NEW="$((SERIAL+1))"
+ else
+ SERIAL_NEW="${DATE}01"
+ fi
+
+ SERIAL_PLACEHOLDER=1970010101
+
+ echo "Replacing existing zone serial $SERIAL_OLD with new serial $SERIAL_NEW"
+ find /tmp/result/zones -type f -name "*.zone" -exec sed -i "s/$SERIAL_PLACEHOLDER/$SERIAL_NEW/" {} \;
+
+
+ - name: Prepare SSH for deployment
+ run: |
+ mkdir -p ~/.ssh
+ chmod 700 ~/.ssh
+
+ echo "${{ SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
+ echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/deploy_key
+ chmod 600 ~/.ssh/deploy_key
+
+ cat < ~/.ssh/config
+ Host targethost
+ User ${{ SSH_USER }}
+ Hostname ${{ SSH_HOST }}
+ IdentityFile ~/.ssh/deploy_key
+ ForwardAgent no
+ ForwardX11 no
+ PasswordAuthentication no
+ StrictHostKeyChecking yes
+ EOF
+
+ echo "Configured SSH to ${SSH_USER}@${SSH_HOST}"
+
+ - name: Deploy files to host
+ run: |
+ echo "Deploying zonefiles"
+ rsync -avz --delete /tmp/result/zones/ targethost:/var/nsd/zones
+
+ echo "Deploying nsd config"
+ rsync -avz /tmp/result/etc/nsd/nsd.conf targethost:/var/nsd/etc/nsd/nsd.conf
+
+ echo "Reloading config file"
+ ssh targethost "doas /usr/sbin/nsd-control reconfig"
+
+ echo "Reloading zone files"
+ ssh targethost "doas /usr/sbin/nsd-control reload"
+
+ - name: Verifying operation
+ run: dig "@$SSH_HOST" SOA pvv.ntnu.no
diff --git a/.gitea/workflows/build-test.yaml b/.gitea/workflows/build-test.yaml
deleted file mode 100644
index 509639c..0000000
--- a/.gitea/workflows/build-test.yaml
+++ /dev/null
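Review bot: The SSH config in the "Prepare SSH for deployment" step is never written: `cat < ~/.ssh/config` redirects stdin from a file that does not exist yet, so the step aborts (or, if the shell is not run with `-e`, the `Host targethost` … `EOF` lines execute as commands) and the `StrictHostKeyChecking yes` / `PasswordAuthentication no` hardening never applies — it has to be `cat > ~/.ssh/config <<EOF`. In the same step `${{ secrets.SSH_PRIVATE_KEY }}` is expanded into the script text itself, and `${{ SSH_KNOWN_HOSTS }}`, `${{ SSH_USER }}` and `${{ SSH_HOST }}` name no context (`vars.`/`secrets.`), which also leaves the `$SSH_HOST` shell variable used by the final `dig` empty; pass all of them through `env:` instead. In the serial step, `[[ "$SERIAL_OLD" == "$DATE*" ]]` quotes the `*` so it never matches and `$((SERIAL+1))` reads an undefined `SERIAL`, so a second deploy on the same day re-emits `${DATE}01` — an unchanged serial that secondaries will not transfer — and because `dig` exits 0 on SERVFAIL the verify step should compare the served serial with `$SERIAL_NEW` rather than just run a query. The rewrite below fixes those points, stores the key under `umask 077`, and hands the serial to the verify step via `$GITHUB_ENV` (presumably honoured by the Gitea runner, as `github.ref` is already relied on in the `if:`). Since this workflow now runs on every push and pull request and the deploy job holds a key with write access to `/var/nsd`, pinning `actions/checkout@v6` and `install-nix-action@v31` to commit SHAs would be prudent as well.

```yaml
      # … unchanged: download artifact, install tools …
      - name: Replace placeholder serial
        run: |
          # … unchanged: SERIAL_OLD lookup and sanity check …
          DATE="$(date "+%Y%m%d")"
          # glob must be outside the quotes; increment the value we actually read
          if [[ "$SERIAL_OLD" == "$DATE"* ]]; then
            SERIAL_NEW="$((SERIAL_OLD + 1))"
          else
            SERIAL_NEW="${DATE}01"
          fi
          # expose the serial to the verify step (assumes the runner honours GITHUB_ENV — confirm)
          echo "SERIAL_NEW=$SERIAL_NEW" >> "$GITHUB_ENV"
          # … unchanged: sed over /tmp/result/zones …

      - name: Prepare SSH for deployment
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_KNOWN_HOSTS: ${{ vars.SSH_KNOWN_HOSTS }}
          SSH_USER: ${{ vars.SSH_USER }}
          SSH_HOST: ${{ vars.SSH_HOST }}
        run: |
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          # values come from the environment, never from the rendered script text
          printf '%s\n' "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
          (umask 077; printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key)
          cat > ~/.ssh/config <<EOF
          Host targethost
            User $SSH_USER
            Hostname $SSH_HOST
            IdentityFile ~/.ssh/deploy_key
            ForwardAgent no
            ForwardX11 no
            PasswordAuthentication no
            StrictHostKeyChecking yes
          EOF

      # … unchanged: rsync and nsd-control steps …
      - name: Verify the new serial is being served
        env:
          SSH_HOST: ${{ vars.SSH_HOST }}
        run: |
          # dig exits 0 even on SERVFAIL, so compare the served serial explicitly
          SERVED="$(dig +short "@$SSH_HOST" SOA pvv.ntnu.no | cut -d" " -f3)"
          [[ "$SERVED" == "$SERIAL_NEW" ]] || { echo "Expected serial $SERIAL_NEW, got '$SERVED'"; exit 1; }
```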
@@ -1,78 +0,0 @@
-name: Build and test
-run-name: Build and test ${{ gitea.repository }} @ ${{ gitea.sha }} by ${{ gitea.actor }}
-on:
- push:
- branches:
- - main
-
-jobs:
- build:
- runs-on: debian-latest
- steps:
- - name: Debug output
- run: |
- echo "PVV-DNS build triggered by a ${{ gitea.event_name }} event"
- echo "Building ${{ gitea.repository }} on ref ${{ gitea.ref }}"
-
- - name: Install sudo
- run: apt-get install --update --assume-yes sudo
-
- - name: Install nix
- uses: https://github.com/cachix/install-nix-action@v31
- with:
- extra_nix_config: |
- experimental-features = nix-command flakes
-
- - name: Checkout repository
- uses: actions/checkout@v6
-
- - name: Build zonefiles
- run: nix build .#zoneFiles
-
- - name: Build nsd-config
- run: nix build .#nsdConfig
-
- - name: Build default
- run: nix build --out-link /tmp/result .#
-
- - name: Upload artifact
- uses: actions/upload-artifact@v3
- with:
- name: build-output
- path: /tmp/result
- if-no-files-found: error
-
- test:
- runs-on: debian-latest
- needs: build
- steps:
- - name: Download artifact
- uses: actions/download-artifact@v3
- with:
- name: build-output
- path: /tmp/result
-
- - name: Install nsd
- run: apt-get install --update --assume-yes nsd
-
- - name: Check configuration file
- run: |
- echo "Checking nsd configuration file"
- nsd-checkconf /tmp/result/etc/nsd/nsd.conf && echo "/tmp/result/etc/nsd/nsd.conf is ok"
-
- - name: Check zonefiles
- run: |
- declare -a domains=(
- "128-255.210.241.129.in-addr.arpa"
- "210.241.129.in-addr.arpa"
- "9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa"
- "nucc.org"
- "pvv.no"
- "pvv.ntnu.no"
- "pvv.org"
- )
- for domain in "${domains[@]}"
- do
- echo "Checking domain '$domain'"
- nsd-checkzone "$domain" "/tmp/result/zones/${domain}.zone"
- done
diff --git a/README.md b/README.md
index 3dbb377..b234122 100644
--- a/README.md
+++ b/README.md
@@ -93,7 +93,6 @@ result (**TLDR: Files in /var/nsd, run `nsd-control reload`**) - If applicable, make changes to `./hosts.nix` or the appropriate file in `./zones/` - - ... and update the corresponding serial number(s) - Build this project (anywhere, on any host with nix) - `nix build .#` - Install the contents of `./result` into `/var/nsd`
@@ -112,7 +111,6 @@ result ## Future plans -- Automate serial generation - Build and verify with CI/CD - Automatically push updated configurations to the DNS server - Also generate DNS server configuration files
diff --git a/pvv-domain.nix b/pvv-domain.nix
index 22cf560..1a67f1b 100644
--- a/pvv-domain.nix
+++ b/pvv-domain.nix
@@ -15,7 +15,7 @@ in
 SOA = {
 nameServer = "dvask.pvv.ntnu.no.";
 adminEmail = "drift@pvv.ntnu.no";
- serial = 2026012301; # TODO: Automate
+ serial = 1970010101; # Placeholder, replaced in deploy step
 };
 
 NS = [
diff --git a/zones/nucc.org.nix b/zones/nucc.org.nix
index 4821753..2b7cd9c 100644
--- a/zones/nucc.org.nix
+++ b/zones/nucc.org.nix
@@ -7,7 +7,7 @@ with dns.lib.combinators;
 SOA = {
 nameServer = "dvask.pvv.ntnu.no";
 adminEmail = "drift@pvv.ntnu.no";
- serial = 2026012301; # TODO: Automate
+ serial = 1970010101; # Placeholder, replaced in deploy step
 };
 
 NS = [
diff --git a/zones/pvv.no.nix b/zones/pvv.no.nix
index 53d1b06..9a6f840 100644
--- a/zones/pvv.no.nix
+++ b/zones/pvv.no.nix
@@ -7,7 +7,7 @@ with dns.lib.combinators;
 SOA = {
 nameServer = "dvask.pvv.ntnu.no";
 adminEmail = "drift@pvv.ntnu.no";
- serial = 2026012301; # TODO: Automate
+ serial = 1970010101; # Placeholder, replaced in deploy step
 };
 NS = [
 "dvask.pvv.ntnu.no"
diff --git a/zones/reverse-ipv4-parent.nix b/zones/reverse-ipv4-parent.nix
index 8f347e0..5c57cd7 100644
--- a/zones/reverse-ipv4-parent.nix
+++ b/zones/reverse-ipv4-parent.nix
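Review bot: With `serial = 1970010101` now committed as the placeholder in pvv-domain.nix, anything that installs the built zones without going through the deploy job — the manual "Install the contents of `./result` into `/var/nsd`" path the README still documents — would publish a serial far below the currently live 2026012301, and secondaries would silently stop transferring the zone. The comment should make that constraint explicit rather than only say who rewrites it: `serial = 1970010101; # Placeholder: MUST be rewritten before publishing (the deploy workflow substitutes a date-based serial); never install ./result by hand`. It would also be worth sourcing the placeholder from one shared constant so the workflow's `SERIAL_PLACEHOLDER` and the six `.nix` files cannot drift apart. The enclosing SOA attribute set and the file continue outside the hunk.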
@@ -7,7 +7,7 @@ with dns.lib.combinators;
 SOA = {
 nameServer = "dvask.pvv.ntnu.no";
 adminEmail = "drift@pvv.ntnu.no";
- serial = 2026012301; # TODO: Automate
+ serial = 1970010101; # Placeholder, replaced in deploy step
 };
 NS = [
 "dvask.pvv.ntnu.no"
diff --git a/zones/reverse-ipv4.nix b/zones/reverse-ipv4.nix
index 0b34d37..65148a9 100644
--- a/zones/reverse-ipv4.nix
+++ b/zones/reverse-ipv4.nix
@@ -31,7 +31,7 @@ in
 SOA = {
 nameServer = "dvask.pvv.ntnu.no";
 adminEmail = "drift@pvv.ntnu.no";
- serial = 2026012301; # TODO: Automate
+ serial = 1970010101; # Placeholder, replaced in deploy step
 };
 NS = [
 "dvask.pvv.ntnu.no"
diff --git a/zones/reverse-ipv6.nix b/zones/reverse-ipv6.nix
index 33506b5..193d206 100644
--- a/zones/reverse-ipv6.nix
+++ b/zones/reverse-ipv6.nix
@@ -68,7 +68,7 @@ in
 SOA = {
 nameServer = "dvask.pvv.ntnu.no";
 adminEmail = "drift@pvv.ntnu.no";
- serial = 2026012301; # TODO: Automate
+ serial = 1970010101; # Placeholder, replaced in deploy step
 };
 NS = [
 "dvask.pvv.ntnu.no"