add knot-secondary container
This commit is contained in:
parent
30ffd732c3
commit
bebfe9d6fb
15 changed files with 161 additions and 13 deletions
10
.gitignore
vendored
10
.gitignore
vendored
|
@ -1,5 +1,4 @@
|
|||
/*.tar.gz
|
||||
/data/servnest.db
|
||||
/logs/certbot/letsencrypt.log*
|
||||
/data/certbot/live/*/*.pem
|
||||
/data/certbot/archive/*/*.pem
|
||||
|
@ -19,13 +18,22 @@
|
|||
/logs/nginx/servnest-access.log
|
||||
/logs/nginx/error.log
|
||||
/logs/apache/error.log
|
||||
/logs/knot/knot.log
|
||||
/logs/knot-secondary/knot.log
|
||||
/data/certbot/accounts/acme-staging-v02.api.letsencrypt.org/directory/*/*.json
|
||||
/sock/knot/knot.pid
|
||||
/sock/knot-secondary/knot.pid
|
||||
/data/knot/*/*.mdb
|
||||
/data/knot/keys/quic_key.pem
|
||||
/data/knot/keys/keys/*.pem
|
||||
/data/knot/servnest.test.invalid.zone
|
||||
/data/knot-secondary/*.zone
|
||||
/data/knot-secondary/*/*.mdb
|
||||
/data/knot-secondary/keys/quic_key.pem
|
||||
/tmp/tor/*
|
||||
/tmp/cronie/cron.reboot
|
||||
/tmp/php/exec.txt
|
||||
/tmp/php/index.html
|
||||
/tmp/php/sess_*
|
||||
/tmp/php/cookie-*
|
||||
/tmp/*/*.pid
|
||||
|
|
|
@ -11,12 +11,7 @@ no_hosts=true
|
|||
```
|
||||
|
||||
```shell
|
||||
knotc --confdb data/knot/confdb conf-import conf/knot.conf
|
||||
cp data/reg/servnest.test.zone.default data/reg/servnest.test.zone
|
||||
cp data/reg/test.servnest.test.zone.default data/reg/test.servnest.test.zone
|
||||
chmod u=rwX,g=rX,o=rX -R conf core
|
||||
chmod u=rwX,g=rwX,o=rwX logs/sftpgo logs/php sock/php logs/apache logs/nginx sock/tor-client sock/nginx-onion sock/knot data/knot data/knot/confdb data/knot/confdb/*.mdb tmp/nginx tmp/certbot tmp/acme tmp/apache tmp/nginx-run tmp/php data/reg data/reg/*.zone core/db core/db/servnest.db
|
||||
chmod u=rwX,g=rX,o= sock/tor-control
|
||||
./reset.sh
|
||||
wget https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/x86_64/alpine-minirootfs-3.21.0-x86_64.tar.gz
|
||||
wget https://github.com/drakkan/sftpgo/archive/refs/tags/v2.6.4.tar.gz -O sftpgo-v2.6.4.tar.gz
|
||||
sha256sum -c sha256sums
|
||||
|
@ -32,6 +27,8 @@ podman-compose build # build services images
|
|||
### Run
|
||||
|
||||
```shell
|
||||
podman-compose up knot knot-secondary # generate QUIC keys
|
||||
./setup-xoq.sh # setup mutual XFR over QUIC
|
||||
podman-compose up # start containers
|
||||
podman-compose exec php php /srv/servnest/core/jobs/check.php # test main features
|
||||
```
|
||||
|
|
34
compose.yaml
34
compose.yaml
|
@ -39,13 +39,35 @@ services:
|
|||
build:
|
||||
dockerfile: knot.Containerfile
|
||||
ports:
|
||||
- "[::1]:42053:42053/udp"
|
||||
- "[::1]:42053:42053/tcp"
|
||||
- "[::1]:42053:53/udp"
|
||||
- "[::1]:42053:53/tcp"
|
||||
- "[::1]:42853:853/udp"
|
||||
volumes:
|
||||
- ./data/reg/:/srv/servnest/reg/:rw
|
||||
- ./data/ns/:/srv/servnest/ns/:rw
|
||||
- ./data/knot/:/var/lib/knot/:rw
|
||||
- ./logs/knot/:/var/log/knot/:rw
|
||||
- ./sock/knot/:/run/knot/:rw
|
||||
networks:
|
||||
snet:
|
||||
ipv4_address: 10.5.0.51
|
||||
knot-secondary:
|
||||
extends:
|
||||
file: base.yaml
|
||||
service: base
|
||||
build:
|
||||
dockerfile: knot.Containerfile
|
||||
ports:
|
||||
- "[::1]:42054:53/udp"
|
||||
- "[::1]:42054:53/tcp"
|
||||
- "[::1]:42854:853/udp"
|
||||
volumes:
|
||||
- ./data/knot-secondary/:/var/lib/knot/:rw
|
||||
- ./logs/knot-secondary/:/var/log/knot/:rw
|
||||
- ./sock/knot-secondary/:/run/knot/:rw
|
||||
networks:
|
||||
snet:
|
||||
ipv4_address: 10.5.0.52
|
||||
apache:
|
||||
extends:
|
||||
file: base.yaml
|
||||
|
@ -90,6 +112,7 @@ services:
|
|||
- ./sock/tor-client/:/run/tor-client/:rw
|
||||
- ./sock/tor-control/:/run/tor-control/:rw
|
||||
- ./sock/knot/:/run/knot/:rw
|
||||
- ./sock/knot-secondary/:/run/knot-secondary/:rw
|
||||
- ./logs/php/:/var/log/php83/:rw
|
||||
- ./logs/certbot/:/var/log/letsencrypt/:rw
|
||||
- ./tmp/acme/:/srv/servnest/acme/:rw
|
||||
|
@ -134,3 +157,10 @@ services:
|
|||
- ./tmp/nginx/:/var/lib/nginx/tmp/:rw
|
||||
- ./tmp/nginx-run/:/run/nginx/:rw
|
||||
- ./tmp/acme/:/srv/servnest/acme/:ro
|
||||
networks:
|
||||
snet:
|
||||
driver: bridge
|
||||
ipam:
|
||||
config:
|
||||
- subnet: 10.5.0.0/16
|
||||
gateway: 10.5.0.1
|
||||
|
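Review bot: The `./sock/knot-secondary/:/run/knot-secondary/:rw` mount added in the second hunk (presumably on the php service, next to the existing `sock/knot` mount) hands the web tier read-write access to the secondary's control socket directory; if php only drives the primary and the secondary receives zones by transfer, that mount is extra privilege and could be dropped. In the first hunk `ipv4_address: 10.5.0.52` for knot-secondary (and 10.5.0.51 for knot) is the same value that conf/knot.conf and conf/knot-secondary.conf hard-code as the peer `address`, so a comment such as `# referenced as remote "secondary" in conf/knot.conf` next to it would make the coupling visible. The hunk also prints both `"[::1]:42053:42053/udp"` and `"[::1]:42053:53/udp"` (and the tcp pair); since the markers are lost on this page I take the `42053:42053` lines to be the removed side, matching the listen change in conf/knot.conf, because on the new side both would claim host port 42053 — worth confirming.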
|
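--- a/conf/knot-secondary.conf
+++ b/conf/knot-secondary.conf
@@ -0,0 +1,33 @@
+server:
+version: ""
+nsid: ""
+rundir: "/run/knot"
+listen: [ "::@53", "0.0.0.0@53", "/run/knot/dns.sock" ]
+listen-quic: [ "::@853", "0.0.0.0@853" ]
+automatic-acl: "on"
+
+log:
+- target: stderr
+any: warning
+- target: "/var/log/knot/knot.log"
+any: debug
+
+database:
+storage: "/var/lib/knot"
+
+remote:
+- id: "primary"
+address: [ "10.5.0.51@853" ]
+quic: on
+cert-key: "0000000000000000000000000000000000000000000=" # will be replaced by setup-xoq.sh
+
+template:
+- id: "servnest"
+storage: "/var/lib/knot"
+master: "primary"
+
+zone:
+- domain: "servnest.test.invalid."
+master: "primary"
+catalog-role: interpret
+catalog-template: "servnest"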
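Review bot: The `cert-key` on the `primary` remote is a dummy pin whose only purpose is to be overwritten by setup-xoq.sh, and the file does not say what happens when that step is skipped; please extend the comment, e.g. `# placeholder pin: no real key matches it, so XFR over QUIC fails closed until setup-xoq.sh installs the primary's key`. That fail-closed property depends on the placeholder being present rather than absent — if the option were simply missing, the remote would presumably be an unpinned QUIC peer (check the Knot docs for `cert-key` on the packaged version). `address: [ "10.5.0.51@853" ]` duplicates the primary's static `ipv4_address` from compose.yaml and should carry a cross-reference comment so the two stay in step. Binding `::@53`, `0.0.0.0@53` and `::@853` inside the container is fine while compose publishes only to `[::1]`, but nothing in the file records that assumption.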
|
@ -2,12 +2,15 @@ server:
|
|||
version: ""
|
||||
nsid: ""
|
||||
rundir: "/run/knot"
|
||||
# user: "knot:knot"
|
||||
listen: [ "::1@42053", "127.0.0.1@42053", "/run/knot/dns.sock" ]
|
||||
listen: [ "::@53", "0.0.0.0@53", "/run/knot/dns.sock" ]
|
||||
listen-quic: [ "::@853", "0.0.0.0@853" ]
|
||||
automatic-acl: "on"
|
||||
|
||||
log:
|
||||
- target: stderr
|
||||
any: warning
|
||||
- target: "/var/log/knot/knot.log"
|
||||
any: debug
|
||||
|
||||
database:
|
||||
storage: "/var/lib/knot"
|
||||
|
@ -21,10 +24,16 @@ policy:
|
|||
delete-delay: 60d
|
||||
dnskey-management: "incremental"
|
||||
|
||||
remote:
|
||||
- id: "secondary"
|
||||
address: [ "10.5.0.52@853" ]
|
||||
quic: on
|
||||
cert-key: "1111111111111111111111111111111111111111111=" # will be replaced by setup-xoq.sh
|
||||
|
||||
template:
|
||||
- id: "servnest"
|
||||
storage: "/srv/servnest/ns"
|
||||
file: "%s.zone"
|
||||
notify: "secondary"
|
||||
zonefile-load: "whole"
|
||||
journal-content: "all"
|
||||
dnssec-signing: "on"
|
||||
|
@ -34,6 +43,7 @@ template:
|
|||
|
||||
zone:
|
||||
- domain: "servnest.test.invalid."
|
||||
notify: "secondary"
|
||||
zonefile-load: "whole"
|
||||
journal-content: "all"
|
||||
catalog-role: "generate"
|
||||
|
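Review bot: knotd now binds every interface in the container (`::@53`, `0.0.0.0@53`, and `::@853` for QUIC) in place of the loopback-only `::1@42053`/`127.0.0.1@42053`, and nothing in the file records that host exposure is limited solely by the `[::1]:…` port mapping in compose.yaml; a comment such as `# all-interface bind; host exposure is limited by the compose port mapping` would stop a later compose edit from silently widening it. `address: [ "10.5.0.52@853" ]` on the new `secondary` remote duplicates the static `ipv4_address` given to knot-secondary in compose.yaml and deserves the same cross-reference. This hunk carries no file header on the page; from the `server:`/`policy:`/`template:` context I take it to be conf/knot.conf.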
|
0
data/knot-secondary/.gitkeep
Normal file
0
data/knot-secondary/.gitkeep
Normal file
0
data/knot-secondary/journal/.gitkeep
Normal file
0
data/knot-secondary/journal/.gitkeep
Normal file
0
data/knot-secondary/keys/keys/.gitkeep
Normal file
0
data/knot-secondary/keys/keys/.gitkeep
Normal file
0
data/knot/journal/.gitkeep
Normal file
0
data/knot/journal/.gitkeep
Normal file
0
data/knot/keys/keys/.gitkeep
Normal file
0
data/knot/keys/keys/.gitkeep
Normal file
|
@ -1,4 +1,4 @@
|
|||
FROM servnest-alpine
|
||||
RUN apk add knot
|
||||
RUN apk add knot knot-utils
|
||||
USER knot
|
||||
CMD ["knotd", "--confdb", "/var/lib/knot/confdb/"]
|
||||
|
|
0
logs/knot/.gitkeep
Normal file
0
logs/knot/.gitkeep
Normal file
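--- a/permissions.sh
+++ b/permissions.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+chmod u=rwX,g=rX,o=rX -R conf core
+chmod u=rwX,g=rwX,o=rwX \
+logs/sftpgo \
+logs/php \
+sock/php \
+logs/apache \
+logs/nginx \
+logs/knot \
+logs/knot-secondary \
+sock/tor-client \
+sock/nginx-onion \
+sock/knot \
+sock/knot-secondary \
+data/ht/fs \
+data/knot \
+data/knot-secondary \
+data/knot/journal \
+data/knot-secondary/journal \
+data/knot/confdb \
+data/knot-secondary/confdb \
+data/knot/confdb/*.mdb \
+data/knot-secondary/confdb/*.mdb \
+data/knot/keys \
+data/knot-secondary/keys \
+data/knot/keys/keys \
+data/knot-secondary/keys/keys \
+tmp/nginx \
+tmp/certbot \
+tmp/acme \
+tmp/apache \
+tmp/nsd \
+tmp/nsd-run \
+tmp/nsd-run/nsd \
+tmp/nginx-run \
+tmp/php \
+data/reg \
+data/reg/*.zone \
+core/db \
+core/db/servnest.db
+chmod u=rwX,g=rX,o= sock/tor-control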
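Review bot: `data/knot/confdb/*.mdb`, `data/knot-secondary/confdb/*.mdb` and `data/reg/*.zone` are passed to chmod as globs with no `nullglob`, so on a checkout where reset.sh has not yet created them the literal pattern reaches chmod, which complains and exits non-zero while nothing in the script checks for it; add `set -euo pipefail` and `shopt -s nullglob` after the shebang (or document that reset.sh must run first). `tmp/nsd`, `tmp/nsd-run` and `tmp/nsd-run/nsd` appear nowhere else in this commit and look like leftovers from an earlier NSD-based setup — worth confirming they still exist, since a missing path also makes chmod fail. The `o=rwX` mode on the socket and data directories (`sock/knot`, `sock/knot-secondary`, `core/db/servnest.db`) is a development convenience carried over from the README's chmod line; a header comment saying so would keep it from being copied into a deployment. The script also assumes it runs from the repository root, which `cd "$(dirname "$0")" || exit 1` would make explicit.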
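--- a/reset.sh
+++ b/reset.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+rm -f data/knot/*/*.mdb
+rm -f data/knot/keys/keys/*.pem
+rm -f data/knot/keys/quic_key.pem
+rm -f data/reg/servnest.test.zone
+rm -f data/reg/test.servnest.test.zone
+rm -f data/knot-secondary/*/*.mdb
+rm -f data/knot-secondary/keys/keys/*.pem
+rm -f data/knot-secondary/keys/quic_key.pem
+
+knotc --confdb data/knot/confdb conf-import conf/knot.conf
+knotc --confdb data/knot-secondary/confdb conf-import conf/knot-secondary.conf
+cp data/reg/servnest.test.zone.default data/reg/servnest.test.zone
+cp data/reg/test.servnest.test.zone.default data/reg/test.servnest.test.zone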
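Review bot: The secondary's zone files are not cleaned up — the `.gitignore` hunk in this commit adds `/data/knot-secondary/*.zone`, presumably written by the secondary's zone file sync, but reset.sh only removes `*.mdb` and the key PEMs under data/knot-secondary, so a reset leaves zone data that the next start may pick up; add `rm -f data/knot-secondary/*.zone` next to the other removals. There is also no `set -e` and the script relies on the current directory being the repository root, so a failing `knotc conf-import` or a `cp` of a missing `.default` file is silently followed by the remaining steps; `set -euo pipefail` and `cd "$(dirname "$0")" || exit 1` at the top would make both failures loud.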
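--- a/setup-xoq.sh
+++ b/setup-xoq.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+ENGINE="docker"
+
+$ENGINE-compose exec knot-secondary knotc conf-begin
+$ENGINE-compose exec knot-secondary knotc conf-unset remote[primary].cert-key
+$ENGINE-compose exec knot-secondary knotc conf-set remote[primary].cert-key $($ENGINE-compose exec knot cat /var/log/knot/knot.log | grep "certificate public key" | cut -d " " -f 7 | tail -1)
+$ENGINE-compose exec knot-secondary knotc conf-commit
+
+$ENGINE-compose exec knot knotc conf-begin
+$ENGINE-compose exec knot knotc conf-unset remote[secondary].cert-key
+$ENGINE-compose exec knot knotc conf-set remote[secondary].cert-key $($ENGINE-compose exec knot-secondary cat /var/log/knot/knot.log | grep "certificate public key" | cut -d " " -f 7 | tail -1)
+$ENGINE-compose exec knot knotc conf-commit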
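Review bot: When the `grep "certificate public key" | cut -d " " -f 7 | tail -1` pipeline yields nothing (log not written yet, log format change, or a failed compose exec), the `conf-set remote[primary].cert-key` runs with no value and presumably fails, but `conf-unset` has already dropped the pin inside the open transaction and the unconditional `conf-commit` still lands it — leaving a QUIC remote with no `cert-key` at all, weaker than the placeholder the conf files ship with (the same sequence repeats for `remote[secondary].cert-key`). The script has no `set -e` and the substitution is unquoted, so none of this is caught. Capture the key first, refuse to open the transaction when it is empty, and stop on any error; `ENGINE` is also hard-coded to `docker` while the README in this commit drives the stack with `podman-compose`, so it should be overridable from the environment. If the packaged knotd supports it, `knotc status cert-key` on the peer would be a more robust source for the pin than parsing the debug log.
```bash
#!/usr/bin/env bash
set -euo pipefail

ENGINE="${ENGINE:-docker}"

# Print the public key pin that the peer's knotd logged at startup (empty if none found).
peer_cert_key() {
  "$ENGINE-compose" exec "$1" cat /var/log/knot/knot.log \
    | grep "certificate public key" | cut -d " " -f 7 | tail -1
}

# Replace the placeholder pin of remote $2 on node $1 with $3, in a single transaction.
pin_remote() {
  local node=$1 remote=$2 key=$3
  if [[ -z "$key" ]]; then
    printf 'setup-xoq: no certificate public key found for remote %s\n' "$remote" >&2
    exit 1
  fi
  "$ENGINE-compose" exec "$node" knotc conf-begin
  "$ENGINE-compose" exec "$node" knotc conf-unset "remote[$remote].cert-key"
  "$ENGINE-compose" exec "$node" knotc conf-set "remote[$remote].cert-key" "$key"
  "$ENGINE-compose" exec "$node" knotc conf-commit
}

pin_remote knot-secondary primary "$(peer_cert_key knot)"
pin_remote knot secondary "$(peer_cert_key knot-secondary)"
```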