From: Martin Mareš
Date: Fri, 21 Nov 2025 21:06:27 +0000 (+0100)
Subject: pyinfra: Experimenty
X-Git-Url: http://mj.ucw.cz/gitweb/?a=commitdiff_plain;h=83631b36005b4bce56cedb5755f36b7c84cabb8e;p=jablonka.git
pyinfra: Experimenty
---
diff --git a/pyinfra/configure.py b/pyinfra/configure.py
new file mode 100644
index 0000000..1686829
--- /dev/null
+++ b/pyinfra/configure.py
@@ -0,0 +1,14 @@
+from pyinfra.context import host
+from pyinfra.operations import files, systemd
+
+upload_config = files.put(
+    src='etc/jablonka.conf',
+    dest=host.data.unbound_dir + '/jablonka.conf',
+    mode='644',
+)
+
+systemd.service(
+    service='unbound',
+    restarted=True,
+    _if=upload_config.did_change,
+)
diff --git a/pyinfra/etc/jablonka.conf b/pyinfra/etc/jablonka.conf
new file mode 100644
index 0000000..09d33ba
--- /dev/null
+++ b/pyinfra/etc/jablonka.conf
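Review bot: The restart at the end of the hunk fires as soon as the upload changed, without any syntax check of the file that was just written, so a typo in etc/jablonka.conf takes the resolver down instead of being caught before the restart. Inserting `server.shell(commands=['unbound-checkconf'], _if=upload_config.did_change)` between the `files.put` and the `systemd.service` call (importing it via `from pyinfra.operations import files, server, systemd`) makes the deploy stop on a non-parsing configuration while the old one keeps running. A short comment above `systemd.service`, `# restart only when the uploaded config actually changed`, would also make the purpose of the `_if` guard explicit.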
@@ -0,0 +1,63 @@
+# Maintained by PyInfra, please don't change manually
+
+server:
+    access-control: 0.0.0.0/0 refuse
+    access-control: 10.32.0.0/16 allow
+    access-control: 10.33.0.0/16 allow
+    access-control: 10.86.0.0/16 allow
+    access-control: 127.0.0.0/8 allow
+    access-control: ::0/0 refuse
+    access-control: ::1 allow
+    access-control: ::ffff:127.0.0.1 allow
+
+    # Ignore chain of trust. Domain is treated as insecure.
+    # domain-insecure: "example.com"
+    domain-insecure: "czf"
+    domain-insecure: "10.in-addr.arpa"
+
+    local-zone: "10.in-addr.arpa" nodefault
+
+    num-threads: 4
+
+    do-ip6: no
+
+    statistics-interval: 300
+    extended-statistics: yes
+
+    verbosity: 1
+    log-time-ascii: yes
+    #log-queries: yes
+    #log-replies: yes
+    #log-servfail: yes
+    #log-local-actions: yes
+
+    # Have the validator log failed validations for your diagnosis.
+    # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+    val-log-level: 1
+
+    # Harden the referral path by performing additional queries for
+    # infrastructure data. Validates the replies (if possible).
+    # Default off, because the lookups burden the server. Experimental
+    # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
+    harden-referral-path: yes
+
+
+
+# Nase nameservery jsou tez neverejne sekundarni pro .czf, navic s nekterymi
+# zonami, o kterych oficialni root czf nic nevi. Takze .czf smerujeme na ne
+# a jenom vysledky cacheujeme.
+
+stub-zone:
+    name: "czf"
+    stub-addr: 10.33.0.2
+    stub-addr: 10.33.0.7
+
+stub-zone:
+    name: "10.in-addr.arpa"
+    stub-addr: 10.33.0.2
+    stub-addr: 10.33.0.7
+
+stub-zone:
+    name: "jablonka.cz"
+    stub-addr: 10.33.0.2
+    stub-addr: 10.33.0.7
diff --git a/pyinfra/known_hosts b/pyinfra/known_hosts
new file mode 100644
index 0000000..aeae612
--- /dev/null
+++ b/pyinfra/known_hosts
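Review bot: The `domain-insecure` entries for `czf` and `10.in-addr.arpa` keep the stock example comment (`# Ignore chain of trust. Domain is treated as insecure.`) instead of the real reason, which from the stub-zone block further down appears to be that these zones are served privately from 10.33.0.2 and 10.33.0.7 and carry no DNSSEC signatures; a comment such as `# Private zones answered by our own stub servers (see stub-zone below); they are unsigned, so validation is switched off for them.` would record the decision. The third stub zone, `jablonka.cz`, has no matching `domain-insecure` line, so if the public `jablonka.cz` delegation is signed, unsigned answers from the private stub would fail validation — worth confirming which behaviour is intended and documenting it next to that stub-zone. With `do-ip6: no` the `::0/0`, `::1` and `::ffff:127.0.0.1` access-control lines have no effect, which a short comment on the `do-ip6` line could note so nobody later relies on them.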
@@ -0,0 +1,3 @@
+10.33.160.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMfMxFMPazG1qiiBDZo6fcDEMkUD9OLtDjhN9SZqeEj
+10.33.148.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALadb/dog11xNa9IYKysnfYHwXbRQnk7sUtyTT+KpSH
+10.32.148.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmYoMgFPnqkD10+shdaIOTtm4aXhqzbEEcU1nBdCE2P
diff --git a/pyinfra/resolvers.py b/pyinfra/resolvers.py
new file mode 100644
index 0000000..8449870
--- /dev/null
+++ b/pyinfra/resolvers.py
@@ -0,0 +1,13 @@
+hosts = (
+    [
+        '10.33.160.2', # resolver6
+        ('10.32.148.1', {'unbound_dir': '/etc/unbound/conf.d'}) # dusk
+    ],
+    {
+        'ssh_user': 'root',
+        # pyinfra uses paramiko, which is unable to parse my ~/.ssh/authorized_keys
+        # that contains @cert-authority lines.
+        'ssh_known_hosts_file': 'known_hosts',
+        'unbound_dir': '/etc/unbound/unbound.conf.d',
+    }
+)
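Review bot: The comment above `'ssh_known_hosts_file'` names `~/.ssh/authorized_keys`, but `@cert-authority` marker lines belong to `~/.ssh/known_hosts`, which is also the file paramiko reads for host-key verification and the one the repository-local `known_hosts` stands in for; `# pyinfra uses paramiko, which is unable to parse my ~/.ssh/known_hosts` is the accurate wording. The pinned `known_hosts` added in this commit also lists 10.33.148.1, which does not appear in this inventory, so either that entry is stale or a host is reached under a second address — a comment on the relevant inventory line saying which would save the next reader a guess. The `# resolver6` and `# dusk` labels are the only link from address to machine; keeping them is worthwhile, and the `unbound_dir` override on the `dusk` entry could state why that host differs from the group default.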