summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--CHANGELOG.txt20
-rw-r--r--LICENSE.txt8
-rw-r--r--Makefile22
-rw-r--r--VERSION.txt2
-rw-r--r--dehydrated/TODO3
-rwxr-xr-xdehydrated/bin/dehydrated-nsupdate38
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.chrony (renamed from dehydrated/share/hooks/exit_hook.zz-chrony)15
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.extra52
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.fullchain-privkey28
-rwxr-xr-xdehydrated/share/hooks/deploy_cert.privkey-fullchain28
-rwxr-xr-xdehydrated/share/hooks/deploy_ocsp.extra (renamed from dehydrated/share/hooks/deploy_ocsp.fullchain-privkey)14
-rwxr-xr-xdehydrated/share/hooks/deploy_ocsp.privkey-fullchain27
-rwxr-xr-xdehydrated/share/hooks/exit_hook.fix-permissions10
-rwxr-xr-xdehydrated/share/hooks/exit_hook.service-reload95
-rw-r--r--dehydrated/share/man/dehydrated-nsupdate.1.rst2
-rw-r--r--kea/Makefile80
-rwxr-xr-xkea/bin/kea-leases-reset (renamed from knot/bin/knot-reset-zones)40
-rwxr-xr-xknot/bin/knot-zones-reset75
-rwxr-xr-xknot/share/cron/knot-reset-zones3
-rwxr-xr-xknot/share/cron/knot-zones-reset3
20 files changed, 398 insertions, 167 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 7dae7c7..e1cfab0 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,23 @@
+2022-10-30 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+
+ * Releasing version 20221030.
+
+ [ Daniel Baumann ]
+ * Merging the different extra certificate files into one dehydrated hook handling all extra copies.
+ * Reworking chrony workaround (#1013882) now that we know it's going to be permanent.
+ * Adding postfix to service-reload dehydrated hook.
+ * Reworking service-reload dehydrated hook.
+ * Reworking fix-permission dehydrated hook.
+ * Improving wording of TSIG lookup hierarchy in dehydrated-nsupdate.1.
+ * Temporarily passing tsig string to bind in dehydrated-nsupdate to unbreak bind support, bind requires a different keyfile format as knot.
+ * Updating dig alternative handling similar to nsupdate for consistency.
+ * Updating dehydrated TODO file.
+ * Updating license with newer GPL-3 version containing https instead of http links.
+ * Using variable for service-tools in makefile.
+ * Providing individual root and intermediate certificate files in dehydrated extra hook.
+ * Reworking knot-zones-reset script.
+ * Adding kea tools.
+
2022-07-04 Daniel Baumann <daniel.baumann@open-infrastructure.net>
* Releasing version 20220704.
diff --git a/LICENSE.txt b/LICENSE.txt
index 94a9ed0..f288702 100644
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -1,7 +1,7 @@
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
@@ -645,7 +645,7 @@ the "copyright" line and a pointer to where the full notice is found.
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
@@ -664,11 +664,11 @@ might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
+<https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
diff --git a/Makefile b/Makefile
index 5a5df6c..9ad53ec 100644
--- a/Makefile
+++ b/Makefile
@@ -19,7 +19,11 @@
SHELL := sh -e
+PROJECT = open-infrastructure
+SOFTWARE = service-tools
+
VERSION := $(shell cat VERSION.txt)
+
TOOLS := $(shell find . -mindepth 1 -maxdepth 1 -type d -and -not -name ".*" -and -not -name debian)
all: build
@@ -65,7 +69,7 @@ clean:
done
distclean:
- rm -rf service-tools-$(VERSION)
+ rm -rf $(SOFTWARE)-$(VERSION)
@for TOOL in $(TOOLS); \
do \
@@ -80,19 +84,19 @@ release: distclean
git commit -a -s -S -m 'Releasing version $(VERSION).' || true
git tag -s -m 'Tagging version $(VERSION).' v$(VERSION) || true
- mkdir service-tools-$(VERSION)
- find . -mindepth 1 -maxdepth 1 -and -not -name ".git*" -and -not -name debian -and -not -name service-tools-$(VERSION) -exec cp \-a {} service-tools-$(VERSION) \;
+ mkdir $(SOFTWARE)-$(VERSION)
+ find . -mindepth 1 -maxdepth 1 -and -not -name ".git*" -and -not -name debian -and -not -name $(SOFTWARE)-$(VERSION) -exec cp \-a {} $(SOFTWARE)-$(VERSION) \;
for FORMAT in xz lzip; \
do \
EXTENSION=$$(echo $${FORMAT} | cut -b-2); \
- tar --$${FORMAT} -cf ../service-tools-$(VERSION).tar.$${EXTENSION} service-tools-$(VERSION); \
- sha512sum ../service-tools-$(VERSION).tar.$${EXTENSION} > ../service-tools-$(VERSION).tar.$${EXTENSION}.sha512; \
- gpg --default-key 0xB62C61A10B93195F --armor -b ../service-tools-$(VERSION).tar.$${EXTENSION}; \
- mv ../service-tools-$(VERSION).tar.$${EXTENSION}.asc ../service-tools-$(VERSION).tar.$${EXTENSION}.sig; \
+ tar --$${FORMAT} -cf ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION} $(SOFTWARE)-$(VERSION); \
+ sha512sum ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION} > ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}.sha512; \
+ gpg --default-key 0xB62C61A10B93195F --armor -b ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}; \
+ mv ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}.asc ../$(SOFTWARE)-$(VERSION).tar.$${EXTENSION}.sig; \
done
- rm -rf service-tools-$(VERSION)
+ rm -rf $(SOFTWARE)-$(VERSION)
upload:
- scp ../service-tools-$(VERSION).* get.open-infrastructure.net:/srv/get.open-infrastructure.net/software/service-tools/upstream
+ scp ../$(SOFTWARE)-$(VERSION).* get.open-infrastructure.net:/srv/get.open-infrastructure.net/software/$(SOFTWARE)/upstream
diff --git a/VERSION.txt b/VERSION.txt
index d929766..1440bc5 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-20220704
+20221030
diff --git a/dehydrated/TODO b/dehydrated/TODO
index 1a2504f..efbd047 100644
--- a/dehydrated/TODO
+++ b/dehydrated/TODO
@@ -4,5 +4,4 @@ TODO
* add manpages for individual dehydrated hooks
* use /etc/default for dehydrated-cron
* use /etc/default for dehydrated-hook
- * use settings from _dehydrated.$domain.$tld
- * allow specifing multiple certificates in preseeding with e.g. '|' as devider
+ * use settings from _dehydrated.$domain.$tld for automatic configuration
diff --git a/dehydrated/bin/dehydrated-nsupdate b/dehydrated/bin/dehydrated-nsupdate
index 05027ab..c6bf6c5 100755
--- a/dehydrated/bin/dehydrated-nsupdate
+++ b/dehydrated/bin/dehydrated-nsupdate
@@ -45,30 +45,50 @@ esac
if command -v kdig > /dev/null 2>&1
then
# knot-dnsutils
- DIG="kdig +noidn"
+ DIG_VARIANT="knot"
elif command -v dig > /dev/null 2>&1
then
# bind-dnsutils
- DIG="dig +noidnout"
+ DIG_VARIANT="bind"
else
echo "'${HOOK}': need dig from bind-dnsutils or knot-dnsutils" >&2
exit 1
fi
+case "${DIG_VARIANT}" in
+ knot)
+ DIG="kdig +noidn"
+ ;;
+
+ bind)
+ DIG="dig +noidnout"
+ ;;
+esac
+
# alternatives handling for nsupdate
if command -v knsupdate > /dev/null 2>&1
then
# knot-dnsutils
- NSUPDATE="knsupdate"
+ NSUPDATE_VARIANT="knot"
elif command -v nsupdate > /dev/null 2>&1
then
# bind-dnsutils
- NSUPDATE="nsupdate"
+ NSUPDATE_VARIANT="bind"
else
echo "'${HOOK}': need nsupdate from bind-dnsutils or knot-dnsutils" >&2
exit 1
fi
+case "${NSUPDATE_VARIANT}" in
+ knot)
+ NSUPDATE="knsupdate"
+ ;;
+
+ bind)
+ NSUPDATE="nsupdate"
+ ;;
+esac
+
# config
for FILE in /etc/default/dehydrated-nsupdate /etc/default/dehydrated-nsupdate.d/*
do
@@ -168,7 +188,15 @@ do
if [ -n "${KEY}" ] && [ -n "${TSIG}" ]
then
- NSUPDATE_OPTIONS="-k ${KEY}"
+ case "${NSUPDATE_VARIANT}" in
+ knot)
+ NSUPDATE_OPTIONS="-k ${KEY}"
+ ;;
+
+ bind)
+ NSUPDATE_OPTIONS="-y $(cat "${KEY}")"
+ ;;
+ esac
fi
echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}..."
diff --git a/dehydrated/share/hooks/exit_hook.zz-chrony b/dehydrated/share/hooks/deploy_cert.chrony
index 13a7e9a..9bccf75 100755
--- a/dehydrated/share/hooks/exit_hook.zz-chrony
+++ b/dehydrated/share/hooks/deploy_cert.chrony
@@ -21,22 +21,15 @@
set -e
-if grep -r -qs -E '^ntsserver(cert|key)' /etc/chrony
+if grep -Eqrs '^ *ntsservercert' /etc/chrony
then
- echo -n " + chrony (workaround):"
-
# https://bugs.debian.org/1013882
- HOST="$(cat /etc/hostname)"
+ echo -n " + Copying certificate for chrony..."
- cp -L "/var/lib/dehydrated/certs/${HOST}/fullchain.pem" /etc/chrony/cert.pem
- cp -L "/var/lib/dehydrated/certs/${HOST}/privkey.pem" /etc/chrony/key.pem
+ cp -fL "${FULLCHAINFILE}" /etc/chrony/cert.pem
+ cp -fL "${KEYFILE}" /etc/chrony/key.pem
chown _chrony:_chrony /etc/chrony/cert.pem /etc/chrony/key.pem
- if service chrony status > /dev/null 2>&1
- then
- service chrony restart
- fi
-
echo " done."
fi
diff --git a/dehydrated/share/hooks/deploy_cert.extra b/dehydrated/share/hooks/deploy_cert.extra
new file mode 100755
index 0000000..efca7b0
--- /dev/null
+++ b/dehydrated/share/hooks/deploy_cert.extra
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+echo " + Creating extra certificate files:"
+
+DIRECTORY="$(dirname "${CERTFILE}")"
+
+echo -n " + root and intermediate CA:"
+
+TMPFILE="$(mktemp -p "${DIRECTORY}" -u ca.XXXXXXXXXX)"
+grep -Ev '^$' "${CHAINFILE}" | csplit -f "${TMPFILE}" -s -z - '/-----BEGIN CERTIFICATE-----/' '{*}'
+
+mv "${TMPFILE}00" "${DIRECTORY}/ca-intermediate-${TIMESTAMP}.pem"
+ln -s "${DIRECTORY}/ca-intermediate-${TIMESTAMP}.pem" "${DIRECTORY}/ca-intermediate.pem"
+
+mv "${TMPFILE}01" "${DIRECTORY}/ca-root-${TIMESTAMP}.pem"
+ln -s "${DIRECTORY}/ca-root-${TIMESTAMP}.pem" "${DIRECTORY}/ca-root.pem"
+
+echo " done."
+
+for EXTRA in fullchain-privkey privkey-fullchain
+do
+ echo -n " + creating ${EXTRA1}-${EXTRA2}:"
+
+ EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')"
+ EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')"
+
+ cat "${EXTRA1}-${TIMESTAMP}.pem" "${EXTRA2}-${TIMESTAMP}.pem" > "${DIRECTORY}/${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem"
+ ln -sf "${EXTRA1}-${EXTRA2}-${TIMESTAMP}.pem" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem"
+
+ echo " done."
+done
diff --git a/dehydrated/share/hooks/deploy_cert.fullchain-privkey b/dehydrated/share/hooks/deploy_cert.fullchain-privkey
deleted file mode 100755
index 57d735b..0000000
--- a/dehydrated/share/hooks/deploy_cert.fullchain-privkey
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-
-# Open Infrastructure: service-tools
-
-# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
-#
-# SPDX-License-Identifier: GPL-3.0+
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <https://www.gnu.org/licenses/>.
-
-set -e
-
-DIRECTORY="$(dirname "${FULLCHAINFILE}")"
-FILE="cert.fullchain-privkey-${TIMESTAMP}.pem"
-
-cat "${FULLCHAINFILE}" "${KEYFILE}" > "${DIRECTORY}/${FILE}"
-ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem"
diff --git a/dehydrated/share/hooks/deploy_cert.privkey-fullchain b/dehydrated/share/hooks/deploy_cert.privkey-fullchain
deleted file mode 100755
index bd2c4a0..0000000
--- a/dehydrated/share/hooks/deploy_cert.privkey-fullchain
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-
-# Open Infrastructure: service-tools
-
-# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
-#
-# SPDX-License-Identifier: GPL-3.0+
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <https://www.gnu.org/licenses/>.
-
-set -e
-
-DIRECTORY="$(dirname "${FULLCHAINFILE}")"
-FILE="cert.privkey-fullchain-${TIMESTAMP}.pem"
-
-cat "${KEYFILE}" "${FULLCHAINFILE}" > "${DIRECTORY}/${FILE}"
-ln -sf "${FILE}" "${DIRECTORY}/cert.privkey-fullchain.pem"
diff --git a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey b/dehydrated/share/hooks/deploy_ocsp.extra
index b408f03..36d0302 100755
--- a/dehydrated/share/hooks/deploy_ocsp.fullchain-privkey
+++ b/dehydrated/share/hooks/deploy_ocsp.extra
@@ -21,7 +21,17 @@
set -e
-FILE="$(readlink "${OCSPFILE}")"
+echo " + Creating extra ocsp links..."
+
DIRECTORY="$(dirname "${OCSPFILE}")"
+OCSP="$(readlink "${OCSPFILE}")"
+
+for EXTRA in fullchain-privkey privkey-fullchain
+do
+ EXTRA1="$(echo ${EXTRA} | awk -F- '{ print $1 }')"
+ EXTRA2="$(echo ${EXTRA} | awk -F- '{ print $2 }')"
+
+ ln -sf "${OCSP}" "${DIRECTORY}/cert.${EXTRA1}-${EXTRA2}.pem.ocsp"
+done
-ln -sf "${FILE}" "${DIRECTORY}/cert.fullchain-privkey.pem.ocsp"
+echo " done."
diff --git a/dehydrated/share/hooks/deploy_ocsp.privkey-fullchain b/dehydrated/share/hooks/deploy_ocsp.privkey-fullchain
deleted file mode 100755
index d0dacf1..0000000
--- a/dehydrated/share/hooks/deploy_ocsp.privkey-fullchain
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-
-# Open Infrastructure: service-tools
-
-# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
-#
-# SPDX-License-Identifier: GPL-3.0+
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <https://www.gnu.org/licenses/>.
-
-set -e
-
-FILE="$(readlink "${OCSPFILE}")"
-DIRECTORY="$(dirname "${OCSPFILE}")"
-
-ln -sf "${FILE}" "${DIRECTORY}/cert.privkey-fullchain.pem.ocsp"
diff --git a/dehydrated/share/hooks/exit_hook.fix-permissions b/dehydrated/share/hooks/exit_hook.fix-permissions
index 6a1958d..4a467a7 100755
--- a/dehydrated/share/hooks/exit_hook.fix-permissions
+++ b/dehydrated/share/hooks/exit_hook.fix-permissions
@@ -26,17 +26,15 @@ then
exit 0
fi
-echo " + Fixing permissions..."
-
if getent group ssl-cert > /dev/null 2>&1
then
- echo -n " + /var/lib/dehydrated/certs:"
-
- find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \;
- find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \;
+ echo -n " + Fixing file owner and permissions..."
# https://bugs.debian.org/854431
chown -R root:ssl-cert /var/lib/dehydrated/certs
+ find /var/lib/dehydrated/certs -type d -exec chmod 0750 {} \;
+ find /var/lib/dehydrated/certs -type f -exec chmod 0640 {} \;
+
echo " done."
fi
diff --git a/dehydrated/share/hooks/exit_hook.service-reload b/dehydrated/share/hooks/exit_hook.service-reload
index 486c62f..cf297ab 100755
--- a/dehydrated/share/hooks/exit_hook.service-reload
+++ b/dehydrated/share/hooks/exit_hook.service-reload
@@ -21,36 +21,91 @@
set -e
-SERVICES="apache2 haproxy knot postgresql redis-server"
+Run_apache2 ()
+{
+ if grep -Eqrs '^ *SSLCertificateFile' /etc/apache2/sites-enabled
+ then
+ service apache2 reload
+ fi
+}
-echo " + Reloading services..."
+Run_chrony ()
+{
+ if grep -Eqrs '^ *ntsservercert' /etc/chrony/chrony.conf /etc/chrony/conf.d/*
+ then
+ service chrony restart
+ fi
+}
-for SERVICE in ${SERVICES}
-do
- if service "${SERVICE}" status > /dev/null 2>&1
+Run_haproxy ()
+{
+ if grep 'ssl crt' /etc/haproxy/haproxy.cfg | grep -qsv '^#'
then
- echo -n " + ${SERVICE}:"
+ service haproxy reload
+ fi
+}
- service "${SERVICE}" reload || service "${SERVICE}" restart
+Run_knot_resolver ()
+{
+ if grep -Eqrs '^ *net.tls' /etc/knot-resolver/*
+ then
+ INSTANCES="$(systemctl | grep -c 'kresd@*.service')"
- echo " done."
+ if [ "${INSTANCES}" -gt 0 ]
+ then
+ for INSTANCE in $(seq 1 "${INSTANCES}")
+ do
+ service kresd@"${INSTANCE}" restart
+ done
+ fi
fi
-done
+}
+
+Run_postfix ()
+{
+ if grep -Eqrs '^ *smtpd_tls' /etc/postfix/main.cf
+ then
+ service postfix restart
+ fi
+}
-if grep -r -qs '^net.tls' /etc/knot-resolver/* && service kresd@1 status > /dev/null 2>&1
-then
- NUMBER="$(systemctl | grep -c 'kresd@[0-9].service')"
+Run_postgresql ()
+{
+ if grep -Eqrs '^ *ssl_cert_file' /etc/postgresql/*
+ then
+ service postgresql reload
+ fi
+}
+
+Run_redis_sentinel ()
+{
+ if grep -Eqrs '^ *tls-cert-file' /etc/redis/sentinel.conf
+ then
+ service redis-sentinel restart
+ fi
+}
- if [ "${NUMBER}" -gt 0 ]
+Run_redis_server ()
+{
+ if grep -Eqrs '^ *tls-cert-file' /etc/redis/redis.conf
then
- echo -n " + knot-resolver:"
+ service redis-server restart
+ fi
+}
- for NUMBER in $(seq 1 "${NUMBER}")
- do
- echo -n " #${NUMBER}"
- service kresd@"${NUMBER}" restart
- done
+echo " + Reloading services:"
+
+SERVICES="apache2 chrony haproxy knot-resolver postfix postgresql redis-sentinel redis-server"
+
+for SERVICE in ${SERVICES}
+do
+ if service "${SERVICE}" status > /dev/null 2>&1
+ then
+ echo -n " + ${SERVICE}:"
+
+ RELOAD="Run_$(echo "${SERVICE}" | sed -e 's|-|_|g')"
+ ${RELOAD}
echo " done."
fi
-fi
+done
diff --git a/dehydrated/share/man/dehydrated-nsupdate.1.rst b/dehydrated/share/man/dehydrated-nsupdate.1.rst
index 059a269..d4b097b 100644
--- a/dehydrated/share/man/dehydrated-nsupdate.1.rst
+++ b/dehydrated/share/man/dehydrated-nsupdate.1.rst
@@ -115,7 +115,7 @@ A TSIG file consists of one single line containing the key (nsupdate/knsupdate d
Instead of using a global TSIG for all record update, specific TSIGs can be used individually per record, zone, and nameserver.
-The lookup hierarchy is the following (earliest match wins):
+The lookup hierarchy is the following (first match wins):
|
| /etc/dehydrated/tsig/${record}.key
diff --git a/kea/Makefile b/kea/Makefile
new file mode 100644
index 0000000..6b3744b
--- /dev/null
+++ b/kea/Makefile
@@ -0,0 +1,80 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+SHELL := sh -e
+
+SCRIPTS = bin/*
+
+all: build
+
+test:
+ @echo -n "Checking for syntax errors with sh... "
+ @for SCRIPT in $(SCRIPTS); \
+ do \
+ sh -n $${SCRIPT}; \
+ echo -n "."; \
+ done
+ @echo " done."
+
+ @echo -n "Checking for bashisms... "
+ @if [ -x /usr/bin/checkbashisms ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ checkbashisms -f -x $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: devscripts not installed, skipping checkbashisms."; \
+ fi
+ @echo " done."
+
+ @echo -n "Checking with shellcheck... "
+ @if [ -x /usr/bin/shellcheck ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ shellcheck -e SC2039 $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: shellcheck not installed, skipping shellcheck."; \
+ fi
+ @echo " done."
+
+build:
+
+install: build
+ mkdir -p $(DESTDIR)/usr/bin
+ cp -r bin/* $(DESTDIR)/usr/bin
+
+uninstall:
+ for FILE in bin/*; \
+ do \
+ rm -f $(DESTDIR)/usr/bin/$$(basename $${FILE}); \
+ done
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/bin || true
+
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR) || true
+
+clean:
+
+distclean:
+
+reinstall: uninstall install
diff --git a/knot/bin/knot-reset-zones b/kea/bin/kea-leases-reset
index 40779cf..92265f4 100755
--- a/knot/bin/knot-reset-zones
+++ b/kea/bin/kea-leases-reset
@@ -21,38 +21,38 @@
set -e
-HOSTS="${*}"
-
-if [ -z "${HOSTS}" ]
-then
- echo "Usage: ${0} localhost|[HOST1 HOST2 ...]" >&2
- exit 1
-fi
+HOSTS="${*:-localhost}"
for HOST in ${HOSTS}
do
case "${HOST}" in
localhost)
- echo -n "Resetting in-memory data for all zones..."
+ echo "Removing all leases..."
+
+ sudo service kea-dhcp6-server stop
+ sudo service kea-dhcp4-server stop
- service knot stop
- rm -rf /var/lib/knot/journal/*.mdb
- rm -rf /var/lib/knot/timers/*.mdb
- service knot start
+ sudo rm -f /var/lib/kea/*.csv*
- echo " done."
+ sudo service kea-dhcp6-server start
+ sudo service kea-dhcp4-server start
+
+ echo
+ echo "done."
;;
*)
- echo -n "'${HOST}': Resetting in-memory data for all zones..."
+ echo "'${HOST}': Removing all leases..."
ssh "${HOST}" \
- "sudo service knot stop && \
- rm -rf /var/lib/knot/journal/*.mdb && \
- rm -rf /var/lib/knot/timers/*.mdb && \
- sudo service knot start"
-
- echo " done."
+ "sudo service kea-dhcp6-server stop; \
+ sudo service kea-dhcp4-server stop; \
+ sudo rm -f /var/lib/kea/*.csv*; \
+ sudo service kea-dhcp6-server start; \
+ sudo service kea-dhcp4-server start"
+
+ echo
+ echo "done."
;;
esac
done
diff --git a/knot/bin/knot-zones-reset b/knot/bin/knot-zones-reset
new file mode 100755
index 0000000..6471cf4
--- /dev/null
+++ b/knot/bin/knot-zones-reset
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+HOSTS="${*:-localhost}"
+
+for HOST in ${HOSTS}
+do
+ case "${HOST}" in
+ localhost)
+ echo "Resetting in-memory data for all zones..."
+
+ sudo service knot stop
+
+ sudo rm -rf /var/lib/knot/journal/*.mdb
+ sudo rm -rf /var/lib/knot/timers/*.mdb
+
+ if [ -e /var/lib/knot/zones/.git ]
+ then
+ sudo chown -R root:root /var/lib/knot/zones/
+
+ cd /var/lib/knot/zones
+ sudo git clean -dxf
+ sudo git checkout -f
+
+ sudo chown -R knot:knot /var/lib/knot/zones/
+ fi
+
+ sudo service knot start
+
+ echo
+ echo "done."
+ ;;
+
+ *)
+ echo "'${HOST}': Resetting in-memory data for all zones..."
+
+ ssh "${HOST}" \
+ "sudo service knot stop && \
+ sudo rm -rf /var/lib/knot/journal/*.mdb && \
+ sudo rm -rf /var/lib/knot/timers/*.mdb && \
+ if [ -e /var/lib/knot/zones/.git ]; \
+ then \
+ sudo chown -R root:root /var/lib/knot/zones/; \
+ cd /var/lib/knot/zones; \
+ sudo git clean -dxf; \
+ sudo git checkout -f; \
+ sudo chown -R knot:knot /var/lib/knot/zones/; \
+ fi; \
+ sudo service knot start"
+
+ echo
+ echo "done."
+ ;;
+ esac
+done
diff --git a/knot/share/cron/knot-reset-zones b/knot/share/cron/knot-reset-zones
deleted file mode 100755
index 9762da4..0000000
--- a/knot/share/cron/knot-reset-zones
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/cron.d/knot-reset-zone
-
-0 0 * * * root /usr/bin/knot-reset-zones localhost > /dev/null 2>&1
diff --git a/knot/share/cron/knot-zones-reset b/knot/share/cron/knot-zones-reset
new file mode 100755
index 0000000..13dfd44
--- /dev/null
+++ b/knot/share/cron/knot-zones-reset
@@ -0,0 +1,3 @@
+# /etc/cron.d/knot-zones-reset
+
+0 0 * * * root /usr/bin/knot-zones-reset > /dev/null 2>&1