20 files changed, 398 insertions, 167 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 7dae7c7..e1cfab0 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,3 +1,23 @@ +2022-10-30 Daniel Baumann <daniel.baumann@open-infrastructure.net> + + * Releasing version 20221030. + + [ Daniel Baumann ] + * Merging the different extra certificate files into one dehydrated hook handling all extra copies. + * Reworking chrony workaround (#1013882) now that we know it's going to be permanent. + * Adding postfix to service-reload dehydrated hook. + * Reworking service-reload dehydrated hook. + * Reworking fix-permission dehydrated hook. + * Improving wording of TSIG lookup hierarchy in dehydrated-nsupdate.1. + * Temporarily passing tsig string to bind in dehydrated-nsupdate to unbreak bind support, bind requires a different keyfile format as knot. + * Updating dig alternative handling similar to nsupdate for consistency. + * Updating dehydrated TODO file. + * Updating license with newer GPL-3 version containing https instead of http links. + * Using variable for service-tools in makefile. + * Providing individual root and intermediate certificate files in dehydrated extra hook. + * Reworking knot-zones-reset script. + * Adding kea tools. + 2022-07-04 Daniel Baumann <daniel.baumann@open-infrastructure.net> * Releasing version 20220704. diff --git a/LICENSE.txt b/LICENSE.txt index 94a9ed0..f288702 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -1,7 +1,7 @@ GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 - Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/> + Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/> Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. 
@@ -645,7 +645,7 @@ the "copyright" line and a pointer to where the full notice is found. GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. + along with this program. If not, see <https://www.gnu.org/licenses/>. Also add information on how to contact you by electronic and paper mail. @@ -664,11 +664,11 @@ might be different; for a GUI interface, you would use an "about box". You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see -<http://www.gnu.org/licenses/>. +<https://www.gnu.org/licenses/>. The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read -<http://www.gnu.org/philosophy/why-not-lgpl.html>. +<https://www.gnu.org/licenses/why-not-lgpl.html>. @@ -19,7 +19,11 @@ SHELL := sh -e +PROJECT = open-infrastructure +SOFTWARE = service-tools + VERSION := $(shell cat VERSION.txt) + TOOLS := $(shell find . -mindepth 1 -maxdepth 1 -type d -and -not -name ".*" -and -not -name debian) all: build @@ -65,7 +69,7 @@ clean: done distclean: - rm -rf service-tools-$(VERSION) + rm -rf $(SOFTWARE)-$(VERSION) @for TOOL in $(TOOLS); \ do \ 
@@ -80,19 +84,19 @@ release: distclean git commit -a -s -S -m 'Releasing version $(VERSION).' || true git tag -s -m 'Tagging version $(VERSION).' v$(VERSION) || true - mkdir service-tools-$(VERSION) - find . -mindepth 1 -maxdepth 1 -and -not -name ".git*" -and -not -name debian -and -not -name service-tools-$(VERSION) -exec cp \-a {} service-tools-$(VERSION) \; + mkdir $(SOFTWARE)-$(VERSION) + find . -mindepth 1 -maxdepth 1 -and -not -name ".git*" -and -not -name debian -and -not -name $(SOFTWARE)-$(VERSION) -exec cp \-a {} $(SOFTWARE)-$(VERSION) \; for FORMAT in xz lzip; \ do \ EXTENSION=$$(echo $${FORMAT} | cut -b-2); \ - tar --$${FORMAT} -cf ../service-tools-$(VERSION).tar.$${EXTENSION} service-tools-$(VERSION); \ - sha512sum ../service-tools-$(VERSION).tar.$${EXTENSION} > ../service-tools-$(VERSION).tar.$${EXTENSION}.sha512; \ - gpg --default-key 0xB62C61A10B93195F --armor -b ../service-tools-$(VERSION).tar.$${EXTENSION}; \ - mv ../service-tools-$(VERSION).tar.$${EXTENSION}.asc ../service-tools-$(VERSION).tar.$${EXTENSION}.sig; \ + tar --$${FORMAT} -cf ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION} $(SOFTWARE)-$(VERSION); \ + sha512sum ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION} > ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}.sha512; \ + gpg --default-key 0xB62C61A10B93195F --armor -b ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}; \ + mv ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}.asc ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}.sig; \ done - rm -rf service-tools-$(VERSION) + rm -rf $(SOFTWARE)-$(VERSION) upload: - scp ../service-tools-$(VERSION).* get.open-infrastructure.net:/srv/get.open-infrastructure.net/software/service-tools/upstream + scp ../$(SOFTWARE)-$(VERSION).* get.open-infrastructure.net:/srv/get.open-infrastructure.net/software/$(SOFTWARE)/upstream diff --git a/VERSION.txt b/VERSION.txt index d929766..1440bc5 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -1 +1 @@ -20220704 +20221030 
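Review bot: The checksum written by `sha512sum ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION} > ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}.sha512` embeds the `../` path in the `.sha512` file, so a downloader who puts the tarball and its checksum side by side cannot verify with `sha512sum -c`; run it from the parent directory instead, `(cd .. && sha512sum $(SOFTWARE)-$(VERSION).tar.$${EXTENSION} > $(SOFTWARE)-$(VERSION).tar.$${EXTENSION}.sha512)`. The `git tag -s ... || true` context line above swallows a failed signature just as readily as an already-existing tag, so a tarball can be built, signed and uploaded for a version whose signed tag was never created; a `git tag -v v$(VERSION)` before the `mkdir` would make the release target stop in that case.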
diff --git a/dehydrated/TODO b/dehydrated/TODO index 1a2504f..efbd047 100644 --- a/dehydrated/TODO +++ b/dehydrated/TODO @@ -4,5 +4,4 @@ TODO * add manpages for individual dehydrated hooks * use /etc/default for dehydrated-cron * use /etc/default for dehydrated-hook - * use settings from _dehydrated.$domain.$tld - * allow specifing multiple certificates in preseeding with e.g. '|' as devider + * use settings from _dehydrated.$domain.$tld for automatic configuration diff --git a/dehydrated/bin/dehydrated-nsupdate b/dehydrated/bin/dehydrated-nsupdate index 05027ab..c6bf6c5 100755 --- a/dehydrated/bin/dehydrated-nsupdate +++ b/dehydrated/bin/dehydrated-nsupdate @@ -45,30 +45,50 @@ esac if command -v kdig > /dev/null 2>&1 then # knot-dnsutils - DIG="kdig +noidn" + DIG_VARIANT="knot" elif command -v dig > /dev/null 2>&1 then # bind-dnsutils - DIG="dig +noidnout" + DIG_VARIANT="bind" else echo "'${HOOK}': need dig from bind-dnsutils or knot-dnsutils" >&2 exit 1 fi +case "${DIG_VARIANT}" in + knot) + DIG="kdig +noidn" + ;; + + bind) + DIG="dig +noidnout" + ;; +esac + # alternatives handling for nsupdate if command -v knsupdate > /dev/null 2>&1 then # knot-dnsutils - NSUPDATE="knsupdate" + NSUPDATE_VARIANT="knot" elif command -v nsupdate > /dev/null 2>&1 then # bind-dnsutils - NSUPDATE="nsupdate" + NSUPDATE_VARIANT="bind" else echo "'${HOOK}': need nsupdate from bind-dnsutils or knot-dnsutils" >&2 exit 1 fi +case "${NSUPDATE_VARIANT}" in + knot) + NSUPDATE="knsupdate" + ;; + + bind) + NSUPDATE="nsupdate" + ;; +esac + # config for FILE in /etc/default/dehydrated-nsupdate /etc/default/dehydrated-nsupdate.d/* do @@ -168,7 +188,15 @@ do if [ -n "${KEY}" ] && [ -n "${TSIG}" ] then - NSUPDATE_OPTIONS="-k ${KEY}" + case "${NSUPDATE_VARIANT}" in + knot) + NSUPDATE_OPTIONS="-k ${KEY}" + ;; + + bind) + NSUPDATE_OPTIONS="-y $(cat "${KEY}")" + ;; + esac fi echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}..." 
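Review bot: The new `bind)` arm, `NSUPDATE_OPTIONS="-y $(cat "${KEY}")"`, puts the whole TSIG secret on nsupdate's command line, where every local user can read it from `ps` or `/proc/*/cmdline` for the duration of the update; the changelog calls this temporary, but the hook should not ship exposing the key that authorises zone changes. bind's nsupdate accepts a `key [hmac:]keyname secret` command on its stdin, so the secret can be fed together with the update commands (the stdin stream is built outside this hunk, so the exact line cannot be shown here), or the key file can be converted once into bind's `key "name" { algorithm ...; secret "..."; };` format and passed with `-k` as for knot. Until either is done, add a comment at the `bind)` arm, `# FIXME: -y exposes the TSIG secret in the process list; use the stdin "key" command instead`, so the interim state is visible to whoever deploys this. The surrounding loop (`do`) starts before the hunk.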
diff --git a/dehydrated/share/hooks/exit_hook.zz-chrony b/dehydrated/share/hooks/deploy_cert.chrony index 13a7e9a..9bccf75 100755 --- a/dehydrated/share/hooks/exit_hook.zz-chrony +++ b/dehydrated/share/hooks/deploy_cert.chrony @@ -21,22 +21,15 @@ set -e -if grep -r -qs -E '^ntsserver(cert|key)' /etc/chrony +if grep -Eqrs '^ *ntsservercert' /etc/chrony then - echo -n " + chrony (workaround):" - # https://bugs.debian.org/1013882 - HOST="$(cat /etc/hostname)" + echo -n " + Copying certificate for chrony..." - cp -L "/var/lib/dehydrated/certs/${HOST}/fullchain.pem" /etc/chrony/cert.pem - cp -L "/var/lib/dehydrated/certs/${HOST}/privkey.pem" /etc/chrony/key.pem + cp -fL "${FULLCHAINFILE}" /etc/chrony/cert.pem + cp -fL "${KEYFILE}" /etc/chrony/key.pem chown _chrony:_chrony /etc/chrony/cert.pem /etc/chrony/key.pem - if service chrony status > /dev/null 2>&1 - then - service chrony restart - fi - echo " done." fi diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra new file mode 100755 index 0000000..efca7b0 --- /dev/null +++ b/dehydrated/share/hooks/deploy_cert.extra 
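Review bot: As a `deploy_cert` hook this now copies `${FULLCHAINFILE}`/`${KEYFILE}` of whichever certificate dehydrated is currently deploying, so on a host that obtains more than one certificate chrony ends up with the last one deployed rather than the host's own, whereas the removed exit hook explicitly picked the certificate named after `/etc/hostname`. Guard the copy with the certificate's domain, e.g. `[ "${DOMAIN}" = "$(cat /etc/hostname)" ] || exit 0` before the `cp` lines (dehydrated hands the domain to deploy_cert first; presumably the hook dispatcher exports it as `${DOMAIN}` alongside `${KEYFILE}`, which should be confirmed). The key's mode is also never set: `cp -fL` onto an existing `/etc/chrony/key.pem` keeps that file's permissions, so a `chmod 0600 /etc/chrony/key.pem` next to the `chown` makes the private key's mode explicit instead of inherited from its first creation.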
@@ -0,0 +1,52 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +echo " + Creating extra certificate files:" + +DIRECTORY="$(dirname "${CERTFILE}")" + +echo -n " + root and intermediate CA:" + +TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)" +grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}' + +mv "${TMPFILE}00" "${DIRECTORY}/ca-intermediate-${TIMESTAMP}.pem" +ln -s "${DIRECTORY}/ca-intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/ca-intermediate.pem" + +mv "${TMPFILE}01" "${DIRECTORY}/ca-root-${TIMESTAMP}.pem" +ln -s "${DIRECTORY}/ca-root-${TIMESTAMP}.pem" "${DIRECTORY}/ca-root.pem" + +echo " done." + +for EXTRA in fullchain-privkey privkey-fullchain +do + echo -n " + creating ${EXTRA1}-${EXTRA2}:" + + EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')" + EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')" + + cat "${EXTRA1}-${TIMESTAMP}.pem" "${EXTRA2}-${TIMESTAMP}.pem" > "${DIRECTORY}/${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" + ln -sf "${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem" + + echo " done." +done 
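Review bot: In the `for EXTRA` loop the `echo -n " + creating ${EXTRA1}-${EXTRA2}:"` runs before `EXTRA1`/`EXTRA2` are assigned, so the first pass prints ` + creating -:` and the second prints the previous pair, and `cat "${EXTRA1}-${TIMESTAMP}.pem" "${EXTRA2}-${TIMESTAMP}.pem"` reads its inputs relative to the working directory while the output goes to `${DIRECTORY}/`, so under `set -e` the hook aborts unless dehydrated happens to run it from inside the certificate directory. The two `ln -s` calls for `ca-intermediate.pem`/`ca-root.pem` lack `-f`, so the second renewal fails on the already-existing links (the loop below already uses `ln -sf`), and taking pieces `00` and `01` assumes `${CHAINFILE}` holds exactly two certificates — a one- or three-certificate chain aborts on the `mv` or leaves stray `ca.XXXXXXXXXX02` pieces behind, so the piece count deserves a check. The concatenated files contain the private key and are created with whatever umask the hook inherits; an explicit `umask 077` at the top keeps them root-only however the hook is invoked (exit_hook.fix-permissions only relaxes them later, and only when group ssl-cert exists).
```shell
set -e

# the concatenated files below contain the private key: do not depend on
# the caller's umask for their mode
umask 077

# … unchanged: banner, DIRECTORY, csplit of ${CHAINFILE} into ${TMPFILE}NN …

mv "${TMPFILE}00" "${DIRECTORY}/ca-intermediate-${TIMESTAMP}.pem"
ln -sf "ca-intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/ca-intermediate.pem"

mv "${TMPFILE}01" "${DIRECTORY}/ca-root-${TIMESTAMP}.pem"
ln -sf "ca-root-${TIMESTAMP}.pem" "${DIRECTORY}/ca-root.pem"

echo " done."

for EXTRA in fullchain-privkey privkey-fullchain
do
	EXTRA1="${EXTRA%-*}"
	EXTRA2="${EXTRA#*-}"

	echo -n " + creating ${EXTRA1}-${EXTRA2}:"

	# inputs live next to the outputs; never rely on the working directory
	cat "${DIRECTORY}/${EXTRA1}-${TIMESTAMP}.pem" "${DIRECTORY}/${EXTRA2}-${TIMESTAMP}.pem" \
		> "${DIRECTORY}/${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem"
	ln -sf "${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem"

	echo " done."
done
```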
diff --git a/dehydrated/share/hooks/deploy_cert.fullchain-privkey b/dehydrated/share/hooks/deploy_cert.fullchain-privkey deleted file mode 100755 index 57d735b..0000000 --- a/dehydrated/share/hooks/deploy_cert.fullchain-privkey +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/sh - -# Open Infrastructure: service-tools - -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> -# -# SPDX-License-Identifier: GPL-3.0+ -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <https://www.gnu.org/licenses/>. - -set -e - -DIRECTORY="$(dirname "${FULLCHAINFILE}")" -FILE="cert.fullchain-privkey-${TIMESTAMP}.pem" - -cat "${FULLCHAINFILE}" "${KEYFILE}" > "${DIRECTORY}/${FILE}" -ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem" diff --git a/dehydrated/share/hooks/deploy_cert.privkey-fullchain b/dehydrated/share/hooks/deploy_cert.privkey-fullchain deleted file mode 100755 index bd2c4a0..0000000 --- a/dehydrated/share/hooks/deploy_cert.privkey-fullchain +++ /dev/null 
@@ -1,28 +0,0 @@ -#!/bin/sh - -# Open Infrastructure: service-tools - -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> -# -# SPDX-License-Identifier: GPL-3.0+ -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <https://www.gnu.org/licenses/>. - -set -e - -DIRECTORY="$(dirname "${FULLCHAINFILE}")" -FILE="cert.privkey-fullchain-${TIMESTAMP}.pem" - -cat "${KEYFILE}" "${FULLCHAINFILE}" > "${DIRECTORY}/${FILE}" -ln -sf "${FILE}" "${DIRECTORY}/cert.privkey-fullchain.pem" diff --git a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey b/dehydrated/share/hooks/deploy_ocsp.extra index b408f03..36d0302 100755 --- a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey +++ b/dehydrated/share/hooks/deploy_ocsp.extra @@ -21,7 +21,17 @@ set -e -FILE="$(readlink "${OCSPFILE}")" +echo " + Creating extra ocsp links..." + DIRECTORY="$(dirname "${OCSPFILE}")" +OCSP="$(readlink "${OCSPFILE}")" + +for EXTRA in fullchain-privkey privkey-fullchain +do + EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')" + EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')" + + ln -sf "${OCSP}" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem.ocsp" +done -ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem.ocsp" +echo " done." diff --git a/dehydrated/share/hooks/deploy_ocsp.privkey-fullchain b/dehydrated/share/hooks/deploy_ocsp.privkey-fullchain deleted file mode 100755 index d0dacf1..0000000 
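Review bot: Splitting `${EXTRA}` into `EXTRA1`/`EXTRA2` with two `awk` calls only to join them again with `-` is a no-op; `ln -sf "${OCSP}" "${DIRECTORY}/cert.${EXTRA}.pem.ocsp"` expresses the same in one line and without the forks. `OCSP="$(readlink "${OCSPFILE}")"` is empty when `${OCSPFILE}` is a plain file rather than a symlink, and `ln -sf "" ...` then fails under `set -e`; if dehydrated's layout can ever deliver a non-symlink here, `OCSP="$(readlink "${OCSPFILE}" || basename "${OCSPFILE}")"` keeps the links pointing at the file itself.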
--- a/dehydrated/share/hooks/deploy_ocsp.privkey-fullchain +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/sh - -# Open Infrastructure: service-tools - -# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> -# -# SPDX-License-Identifier: GPL-3.0+ -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <https://www.gnu.org/licenses/>. - -set -e - -FILE="$(readlink "${OCSPFILE}")" -DIRECTORY="$(dirname "${OCSPFILE}")" - -ln -sf "${FILE}" "${DIRECTORY}/cert.privkey-fullchain.pem.ocsp" diff --git a/dehydrated/share/hooks/exit_hook.fix-permissions b/dehydrated/share/hooks/exit_hook.fix-permissions index 6a1958d..4a467a7 100755 --- a/dehydrated/share/hooks/exit_hook.fix-permissions +++ b/dehydrated/share/hooks/exit_hook.fix-permissions @@ -26,17 +26,15 @@ then exit 0 fi -echo " + Fixing permissions..." - if getent group ssl-cert > /dev/null 2>&1 then - echo -n " + /var/lib/dehydrated/certs:" - - find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \; - find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \; + echo -n " + Fixing file owner and permissions..." # https://bugs.debian.org/854431 chown -R root:ssl-cert /var/lib/dehydrated/certs + find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \; + find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \; + echo " done." fi 
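Review bot: The two `find /var/lib/dehydrated/certs ... -exec chmod ... {} \;` lines fork one chmod per directory and per file; `-exec chmod 0750 {} +` and `-exec chmod 0640 {} +` do the same work in a couple of invocations. Since 0640 together with `root:ssl-cert` deliberately makes the private keys readable by the ssl-cert group, a one-line comment such as `# keys are group-readable on purpose so ssl-cert members can use them (see bug above)` would stop a later reader from "fixing" it to 0600. When the group does not exist the hook now exits silently; an `else` branch with a short `echo` noting that nothing was changed would make that visible in dehydrated's output.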
diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload index 486c62f..cf297ab 100755 --- a/dehydrated/share/hooks/exit_hook.service-reload +++ b/dehydrated/share/hooks/exit_hook.service-reload 
@@ -21,36 +21,91 @@ set -e -SERVICES="apache2 haproxy knot postgresql redis-server" +Run_apache2 () +{ + if grep -Eqrs '^ *SSLCertificateFile' /etc/apache2/sites-enabled + then + service apache2 reload + fi +} -echo " + Reloading services..." +Run_chrony () +{ + if grep -Eqrs '^ *ntsservercert' /etc/chrony/chrony.conf /etc/chrony/conf.d/* + then + service chrony restart + fi +} -for SERVICE in ${SERVICES} -do - if service "${SERVICE}" status > /dev/null 2>&1 +Run_haproxy () +{ + if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#' then - echo -n " + ${SERVICE}:" + service haproxy reload + fi +} - service "${SERVICE}" reload || service "${SERVICE}" restart +Run_knot_resolver () +{ + if grep -Eqrs '^ *net.tls' /etc/knot-resolver/* + then + INSTANCES="$(systemctl | grep -c 'kresd@*.service')" - echo " done." + if [ "${INSTANCES}" -gt 0 ] + then + for INSTANCE in $(seq 1 "${INSTANCES}") + do + service kresd@"${INSTANCE}" restart + done + fi fi -done +} + +Run_postfix () +{ + if grep -Eqrs '^ *smtpd_tls' /etc/postfix/main.cf + then + service postfix restart + fi +} -if grep -r -qs '^net.tls' /etc/knot-resolver/* && service kresd@1 status > /dev/null 2>&1 -then - NUMBER="$(systemctl | grep -c 'kresd@[0-9].service')" +Run_postgresql () +{ + if grep -Eqrs '^ *ssl_cert_file' /etc/postgresql/* + then + service postgresql reload + fi +} + +Run_redis_sentinel () +{ + if grep -Eqrs '^ *tls-cert-file' /etc/redis/sentinel.conf + then + service redis-sentinel restart + fi +} - if [ "${NUMBER}" -gt 0 ] +Run_redis_server () +{ + if grep -Eqrs '^ *tls-cert-file' /etc/redis/redis.conf then - echo -n " + knot-resolver:" + service redis-server restart + fi +} - for NUMBER in $(seq 1 "${NUMBER}") - do - echo -n " #${NUMBER}" - service kresd@"${NUMBER}" restart - done +echo " + Reloading services:" + +SERVICES="apache2 chrony haproxy knot-resolver postfix postgresql redis-sentinel redis-server" + +for SERVICE in ${SERVICES} +do + if service "${SERVICE}" status > /dev/null 2>&1 + 
then + echo -n " + ${SERVICE}:" + + RELOAD="Run_$(echo "${SERVICE}" | sed -e 's|-|_|g')" + ${RELOAD} echo " done." fi -fi +done diff --git a/dehydrated/share/man/dehydrated-nsupdate.1.rst b/dehydrated/share/man/dehydrated-nsupdate.1.rst index 059a269..d4b097b 100644 --- a/dehydrated/share/man/dehydrated-nsupdate.1.rst +++ b/dehydrated/share/man/dehydrated-nsupdate.1.rst @@ -115,7 +115,7 @@ A TSIG file consists of one single line containing the key (nsupdate/knsupdate d Instead of using a global TSIG for all record update, specific TSIGs can be used individually per record, zone, and nameserver. -The lookup hierarchy is the following (earliest match wins): +The lookup hierarchy is the following (first match wins): | | /etc/dehydrated/tsig/${record}.key diff --git a/kea/Makefile b/kea/Makefile new file mode 100644 index 0000000..6b3744b --- /dev/null +++ b/kea/Makefile 
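Review bot: `knot-resolver` in `SERVICES` is only handled when `service knot-resolver status` succeeds, yet the function itself restarts `kresd@N` instances; on systems where only the `kresd@.service` template exists (the removed code probed `kresd@1` for exactly that reason) `Run_knot_resolver` is never reached. Inside it, `systemctl | grep -c 'kresd@*.service'` is a regex that matches `kresd` followed by any single character and `service`, and the resulting count is then assumed to be instances `1..N`; listing the running `kresd@*.service` units and restarting precisely those is simpler and also handles non-contiguous instance numbers. Rewritten below; the other `Run_*` functions and the `RELOAD` dispatch are unchanged.
```shell
Run_knot_resolver ()
{
	if grep -Eqrs '^ *net.tls' /etc/knot-resolver/*
	then
		# restart the instances that actually exist instead of assuming
		# they are numbered 1..N
		for UNIT in $(systemctl list-units --plain --no-legend --state=running 'kresd@*.service' | awk '{ print $1 }')
		do
			service "${UNIT%.service}" restart
		done
	fi
}

# … unchanged: other Run_* functions, SERVICES …

for SERVICE in ${SERVICES}
do
	case "${SERVICE}" in
		knot-resolver)
			# no knot-resolver unit, only kresd@N instances: probe the first one
			PROBE="kresd@1"
			;;

		*)
			PROBE="${SERVICE}"
			;;
	esac

	if service "${PROBE}" status > /dev/null 2>&1
	then
		# … unchanged: echo, RELOAD dispatch …
	fi
done
```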
@@ -0,0 +1,80 @@ +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +SHELL := sh -e + +SCRIPTS = bin/* + +all: build + +test: + @echo -n "Checking for syntax errors with sh... " + @for SCRIPT in $(SCRIPTS); \ + do \ + sh -n $${SCRIPT}; \ + echo -n "."; \ + done + @echo " done." + + @echo -n "Checking for bashisms... " + @if [ -x /usr/bin/checkbashisms ]; \ + then \ + for SCRIPT in $(SCRIPTS); \ + do \ + checkbashisms -f -x $${SCRIPT}; \ + echo -n "."; \ + done; \ + else \ + echo "Note: devscripts not installed, skipping checkbashisms."; \ + fi + @echo " done." + + @echo -n "Checking with shellcheck... " + @if [ -x /usr/bin/shellcheck ]; \ + then \ + for SCRIPT in $(SCRIPTS); \ + do \ + shellcheck -e SC2039 $${SCRIPT}; \ + echo -n "."; \ + done; \ + else \ + echo "Note: shellcheck not installed, skipping shellcheck."; \ + fi + @echo " done." 
+ +build: + +install: build + mkdir -p $(DESTDIR)/usr/bin + cp -r bin/* $(DESTDIR)/usr/bin + +uninstall: + for FILE in bin/*; \ + do \ + rm -f $(DESTDIR)/usr/bin/$$(basename $${FILE}); \ + done + rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/bin || true + + rmdir --ignore-fail-on-non-empty --parents $(DESTDIR) || true + +clean: + +distclean: + +reinstall: uninstall install diff --git a/knot/bin/knot-reset-zones b/kea/bin/kea-leases-reset index 40779cf..92265f4 100755 --- a/knot/bin/knot-reset-zones +++ b/kea/bin/kea-leases-reset @@ -21,38 +21,38 @@ set -e -HOSTS="${*}" - -if [ -z "${HOSTS}" ] -then - echo "Usage: ${0} localhost|[HOST1 HOST2 ...]" >&2 - exit 1 -fi +HOSTS="${*:-localhost}" for HOST in ${HOSTS} do case "${HOST}" in localhost) - echo -n "Resetting in-memory data for all zones..." + echo "Removing all leases..." + + sudo service kea-dhcp6-server stop + sudo service kea-dhcp4-server stop - service knot stop - rm -rf /var/lib/knot/journal/*.mdb - rm -rf /var/lib/knot/timers/*.mdb - service knot start + sudo rm -f /var/lib/kea/*.csv* - echo " done." + sudo service kea-dhcp6-server start + sudo service kea-dhcp4-server start + + echo + echo "done." ;; *) - echo -n "'${HOST}': Resetting in-memory data for all zones..." + echo "'${HOST}': Removing all leases..." ssh "${HOST}" \ - "sudo service knot stop && \ - rm -rf /var/lib/knot/journal/*.mdb && \ - rm -rf /var/lib/knot/timers/*.mdb && \ - sudo service knot start" - - echo " done." + "sudo service kea-dhcp6-server stop; \ + sudo service kea-dhcp4-server stop; \ + sudo rm -f /var/lib/kea/*.csv*; \ + sudo service kea-dhcp6-server start; \ + sudo service kea-dhcp4-server start" + + echo + echo "done." ;; esac done diff --git a/knot/bin/knot-zones-reset b/knot/bin/knot-zones-reset new file mode 100755 index 0000000..6471cf4 --- /dev/null +++ b/knot/bin/knot-zones-reset 
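Review bot: None of `all`, `test`, `build`, `install`, `uninstall`, `clean`, `distclean` or `reinstall` is declared phony, so a stray file named `test` or `build` in `kea/` makes `make test` report "Nothing to be done" and silently skip the checks; add `.PHONY: all test build install uninstall clean distclean reinstall` near the top. `cp -r bin/* $(DESTDIR)/usr/bin` installs the scripts with whatever mode the checkout happens to carry; `install -m 0755 bin/* $(DESTDIR)/usr/bin` pins the mode and documents the intent.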
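Review bot: The remote branch joins its commands with `;`, so a failed `sudo service kea-dhcp6-server stop` still leads to `sudo rm -f /var/lib/kea/*.csv*` being run under a live server and to `start` being attempted, while the localhost branch runs the same sequence under `set -e` and stops at the first failure — the knot script this was adapted from used `&&`. If `;` is deliberate so that a host running only one of the two servers is still handled, say so in a comment and let the localhost branch tolerate the same case (`sudo service kea-dhcp6-server stop || true`); otherwise use `&&` remotely as before. `HOSTS="${*:-localhost}"` also replaces the former usage message, so running the tool with no arguments now wipes the local lease database; for something this destructive the explicit `localhost` argument the removed cron entry passed seems the safer contract.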
@@ -0,0 +1,75 @@ +#!/bin/sh + +# Open Infrastructure: service-tools + +# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net> +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +set -e + +HOSTS="${*:-localhost}" + +for HOST in ${HOSTS} +do + case "${HOST}" in + localhost) + echo "Resetting in-memory data for all zones..." + + sudo service knot stop + + sudo rm -rf /var/lib/knot/journal/*.mdb + sudo rm -rf /var/lib/knot/timers/*.mdb + + if [ -e /var/lib/knot/zones/.git ] + then + sudo chown -R root:root /var/lib/knot/zones/ + + cd /var/lib/knot/zones + sudo git clean -dxf + sudo git checkout -f + + sudo chown -R knot:knot /var/lib/knot/zones/ + fi + + sudo service knot start + + echo + echo "done." + ;; + + *) + echo "'${HOST}': Resetting in-memory data for all zones..." + + ssh "${HOST}" \ + "sudo service knot stop && \ + sudo rm -rf /var/lib/knot/journal/*.mdb && \ + sudo rm -rf /var/lib/knot/timers/*.mdb && \ + if [ -e /var/lib/knot/zones/.git ]; \ + then \ + sudo chown -R root:root /var/lib/knot/zones/; \ + cd /var/lib/knot/zones; \ + sudo git clean -dxf; \ + sudo git checkout -f; \ + sudo chown -R knot:knot /var/lib/knot/zones/; \ + fi; \ + sudo service knot start" + + echo + echo "done." + ;; + esac +done 
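Review bot: Once `sudo service knot stop` has run, any failure in the `rm`/`chown`/`git` steps aborts the localhost branch under `set -e` (and breaks the `&&` chain in the remote branch) before `sudo service knot start`, leaving the nameserver down and, if the failure is inside the `if`, the zones owned by root so knot cannot read them even after a manual start. The git steps should not be allowed to abort the script: record their failure, always restore ownership and start knot, and only then exit non-zero; the remote command string needs the same `; sudo chown -R knot:knot ...; sudo service knot start` tail. `git -C /var/lib/knot/zones` also avoids the bare `cd`, which otherwise persists into later loop iterations. Rewritten localhost branch below.
```shell
	localhost)
		echo "Resetting in-memory data for all zones..."

		FAILED=""

		sudo service knot stop

		sudo rm -rf /var/lib/knot/journal/*.mdb
		sudo rm -rf /var/lib/knot/timers/*.mdb

		if [ -e /var/lib/knot/zones/.git ]
		then
			sudo chown -R root:root /var/lib/knot/zones/

			# knot is stopped and the zones are root-owned: do not abort here,
			# hand the files back and start knot first
			sudo git -C /var/lib/knot/zones clean -dxf && \
				sudo git -C /var/lib/knot/zones checkout -f || FAILED="true"

			sudo chown -R knot:knot /var/lib/knot/zones/
		fi

		sudo service knot start

		if [ -n "${FAILED}" ]
		then
			echo "'${HOST}': resetting the zone checkout failed" >&2
			exit 1
		fi

		echo
		echo "done."
		;;
```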
diff --git a/knot/share/cron/knot-reset-zones b/knot/share/cron/knot-reset-zones deleted file mode 100755 index 9762da4..0000000 --- a/knot/share/cron/knot-reset-zones +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/cron.d/knot-reset-zone - -0 0 * * * root /usr/bin/knot-reset-zones localhost > /dev/null 2>&1 diff --git a/knot/share/cron/knot-zones-reset b/knot/share/cron/knot-zones-reset new file mode 100755 index 0000000..13dfd44 --- /dev/null +++ b/knot/share/cron/knot-zones-reset @@ -0,0 +1,3 @@ +# /etc/cron.d/knot-zones-reset + +0 0 * * * root /usr/bin/knot-zones-reset > /dev/null 2>&1 |