pyinfra: Experimenty
authorMartin Mareš <mj@ucw.cz>
Fri, 21 Nov 2025 21:06:27 +0000 (22:06 +0100)
committerMartin Mareš <mj@ucw.cz>
Fri, 21 Nov 2025 21:06:27 +0000 (22:06 +0100)
pyinfra/configure.py [new file with mode: 0644]
pyinfra/etc/jablonka.conf [new file with mode: 0644]
pyinfra/known_hosts [new file with mode: 0644]
pyinfra/resolvers.py [new file with mode: 0644]

diff --git a/pyinfra/configure.py b/pyinfra/configure.py
new file mode 100644 (file)
index 0000000..1686829
--- /dev/null
@@ -0,0 +1,14 @@
+from pyinfra.context import host
+from pyinfra.operations import files, systemd
+
+upload_config = files.put(
+    src='etc/jablonka.conf',
+    dest=host.data.unbound_dir + '/jablonka.conf',
+    mode='644',
+)
+
+systemd.service(
+    service='unbound',
+    restarted=True,
+    _if=upload_config.did_change,
+)
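Review bot: The restart on line 26-30 fires on any change to jablonka.conf without validating the resulting unbound configuration first, so a typo in the uploaded file takes the resolver down on the next run. A check step between the put and the restart keeps a bad upload from being activated: `from pyinfra.operations import files, server, systemd` and then `server.shell(commands=['unbound-checkconf'], _if=upload_config.did_change)` before the `systemd.service` call. If the check fails, pyinfra stops before the restart and the previously running configuration stays in service; if a full restart is not needed for drop-in changes, `reloaded=True` would also shorten the window in which the resolver answers nothing.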
diff --git a/pyinfra/etc/jablonka.conf b/pyinfra/etc/jablonka.conf
new file mode 100644 (file)
index 0000000..09d33ba
--- /dev/null
@@ -0,0 +1,63 @@
+# Maintained by PyInfra, please don't change manually
+
+server:
+       access-control: 0.0.0.0/0 refuse
+       access-control: 10.32.0.0/16 allow
+       access-control: 10.33.0.0/16 allow
+       access-control: 10.86.0.0/16 allow
+       access-control: 127.0.0.0/8 allow
+       access-control: ::0/0 refuse
+       access-control: ::1 allow
+       access-control: ::ffff:127.0.0.1 allow
+
+       # Ignore chain of trust. Domain is treated as insecure.
+       # domain-insecure: "example.com"
+       domain-insecure: "czf"
+       domain-insecure: "10.in-addr.arpa"
+
+       local-zone: "10.in-addr.arpa" nodefault
+
+       num-threads: 4
+
+       do-ip6: no
+
+       statistics-interval: 300
+       extended-statistics: yes
+
+       verbosity: 1
+       log-time-ascii: yes
+       #log-queries: yes
+       #log-replies: yes
+       #log-servfail: yes
+       #log-local-actions: yes
+
+       # Have the validator log failed validations for your diagnosis.
+       # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+       val-log-level: 1
+
+       # Harden the referral path by performing additional queries for
+       # infrastructure data.  Validates the replies (if possible).
+       # Default off, because the lookups burden the server.  Experimental
+       # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
+       harden-referral-path: yes
+
+
+
+# Nase nameservery jsou tez neverejne sekundarni pro .czf, navic s nekterymi
+# zonami, o kterych oficialni root czf nic nevi. Takze .czf smerujeme na ne
+# a jenom vysledky cacheujeme.
+
+stub-zone:
+       name: "czf"
+       stub-addr: 10.33.0.2
+       stub-addr: 10.33.0.7
+
+stub-zone:
+       name: "10.in-addr.arpa"
+       stub-addr: 10.33.0.2
+       stub-addr: 10.33.0.7
+
+stub-zone:
+       name: "jablonka.cz"
+       stub-addr: 10.33.0.2
+       stub-addr: 10.33.0.7
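Review bot: The stub-zone for "jablonka.cz" on line 95-98 has no matching `domain-insecure` entry, unlike "czf" and "10.in-addr.arpa" on line 50-51, so answers from 10.33.0.2/10.33.0.7 for that zone are still DNSSEC-validated against the chain of trust. That is the right choice if the internal servers serve the same signed zone as the public one; if they serve an unsigned or differently signed internal view, every query for jablonka.cz will SERVFAIL with val-log-level 1 lines in the log. Worth a one-line comment above that stub-zone stating which case applies, e.g. `# jablonka.cz is served signed by the internal secondaries, so validation stays on`, so the asymmetry with the two insecure zones is clearly deliberate. The Czech comment on line 81-83 would also be more useful to other maintainers in English, since the rest of the file is.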
diff --git a/pyinfra/known_hosts b/pyinfra/known_hosts
new file mode 100644 (file)
index 0000000..aeae612
--- /dev/null
@@ -0,0 +1,3 @@
+10.33.160.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMfMxFMPazG1qiiBDZo6fcDEMkUD9OLtDjhN9SZqeEj
+10.33.148.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALadb/dog11xNa9IYKysnfYHwXbRQnk7sUtyTT+KpSH
+10.32.148.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmYoMgFPnqkD10+shdaIOTtm4aXhqzbEEcU1nBdCE2P
diff --git a/pyinfra/resolvers.py b/pyinfra/resolvers.py
new file mode 100644 (file)
index 0000000..8449870
--- /dev/null
@@ -0,0 +1,13 @@
+hosts = (
+    [
+            '10.33.160.2',  # resolver6
+            ('10.32.148.1', {'unbound_dir': '/etc/unbound/conf.d'})  # dusk
+    ],
+    {
+            'ssh_user': 'root',
+            # pyinfra uses paramiko, which is unable to parse my ~/.ssh/authorized_keys
+            # that contains @cert-authority lines.
+            'ssh_known_hosts_file': 'known_hosts',
+            'unbound_dir': '/etc/unbound/unbound.conf.d',
+    }
+)
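Review bot: The comment on line 119-120 names the wrong file: `@cert-authority` markers live in `~/.ssh/known_hosts`, not `~/.ssh/authorized_keys`, which is why paramiko cannot parse it and a separate known_hosts file is needed; suggest `# pyinfra uses paramiko, which cannot parse my ~/.ssh/known_hosts because it contains @cert-authority lines.` The pinned file only helps if unknown keys are actually rejected, so it is worth setting the host-key policy explicitly alongside `ssh_known_hosts_file`, e.g. `'ssh_strict_host_key_checking': 'yes',` rather than relying on pyinfra's default. The relative path `'known_hosts'` presumably resolves against the working directory pyinfra is run from, so a run from another directory would silently fall back to that default policy — a comment stating the expected cwd, or a path anchored to this file's directory, would make that explicit.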