174 lines
4.8 KiB
Groff
.\" Some useful macros.
.de cmd
.Nd "\\$*"
.br
..
.de path
.Nm "\\$*"
..
.de cmdname
.Nm "\\$*"
..
.de TITLE
.Sh "\\$*"
..
.de SUBTITLE
.Nm "\\$*"
.br
..
.
.\" Old manpage style:
.\" .TH deployment 7 "24th november 2024" "netlib.re" "deployment manual"
.
.\" Recent mdoc style:
.Dd November 24, 2024
.Dt "netlib.re deployment" 8
.Os Linux "(Ubuntu and Alpine)"
.
.TITLE NETLIB.RE DEPLOYMENT
This manual page documents the deployment and maintenance of the netlib.re service.
The following subjects are covered:

.Nm "tooling"
.Nd "both custom and the already packaged ones"
.br
.Nm "config"
.Nd "how to deploy from scratch"
.br
.Nm "testing"
.Nd "how to do some testing"
.br
.Nm "limitations"
.Nd "what could go wrong and what's to anticipate"

The deployment was done on two machines:
.br
.Nm BAGUETTE
(primary)
.Nd 89.234.141.125, ns0.karchnu.fr
.br
.Nm GANDI
(secondary)
.Nd 92.243.18.19, ns1.karchnu.fr
.TITLE TOOLING
.Nm authd
(custom)
.Nd the authentication daemon
.br
.Nm dnsmanagerd
(custom)
.Nd the DNS manager daemon
.br
.Nm mailer
(custom)
.Nd a simple executable to send templated emails
.br
.Nm watchdog scripts
(custom)
.Nd to sync directories between the primary and secondary NS
.br
.Nm smtp server
(such as OpenSMTPd)
.Nd to send registration and password recovery emails
.br
.Nm inotifywait
.Nd wait for changes on the file system (used for domain sync)
.br
.Nm "dig, ss and netstat"
.Nd to test the name servers and to debug network-related issues
.TITLE DEPLOYMENT
.SUBTITLE install powerdns
.cmd ubuntu $ apt install pdns-server pdns-backend-bind
.cmd alpine $ apk add pdns pdns-backend-bind

.SUBTITLE stop (and disable) systemd-resolved
This service prevents PowerDNS from starting since it listens on the same port (53).
.br
.cmd ubuntu $ systemctl stop systemd-resolved
.cmd ubuntu $ systemctl disable systemd-resolved
alpine: nothing to do, there is no systemd-resolved by default on this system.

.SUBTITLE run powerdns
.cmd ubuntu $ systemctl restart pdns
.cmd alpine $ service pdns restart
NOTE: the PowerDNS documentation on Alpine is basically just a lot of SQL files in /usr/share/doc/pdns/.

.SUBTITLE install inotify-tools
.cmd ubuntu $ apt install inotify-tools
.cmd alpine $ apk add inotify-tools

.SUBTITLE install an smtp server
.cmd alpine $ apk add opensmtpd
The actual SMTP configuration (plus SPF, DKIM, etc.) still has to be taken care of.
An example OpenSMTPd configuration is in this repository (infrastructure-doc).
.TITLE TESTING TOOLS
.SUBTITLE testing port 53
.cmd ubuntu $ ss -pln | grep :53
.cmd alpine $ netstat -ta

.SUBTITLE install dig
.cmd ubuntu $ apt install dnsutils
alpine: check whether dig is already installed.

.SUBTITLE testing the deployment and zone updates
.cmd $ dig @ns0.karchnu.fr <domain>
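The dig command above queries one server; after a zone update you also want to confirm that the secondary received the file pushed by the watchdog. The following script is an added example (not part of this repository) that compares the SOA serial served by ns0.karchnu.fr and ns1.karchnu.fr; the DIG, PRIMARY_NS and SECONDARY_NS variables are assumptions introduced so the binary and the servers can be overridden.

```sh
#!/bin/sh
# Added example: verify that the primary and the secondary serve the same SOA
# serial for a zone hosted on netlib.re. Not part of the original documentation.
set -eu

DIG="${DIG:-dig}"
PRIMARY_NS="${PRIMARY_NS:-ns0.karchnu.fr}"
SECONDARY_NS="${SECONDARY_NS:-ns1.karchnu.fr}"

# Print the SOA serial of ZONE as answered by SERVER (authoritative, no recursion).
# dig +short prints: mname rname serial refresh retry expire minimum
zone_serial() {
    zone="$1"; server="$2"
    "$DIG" +short +norecurse SOA "$zone" "@$server" | awk 'NR == 1 { print $3 }'
}

# Return 0 when both name servers agree on the serial, 1 otherwise.
check_zone_sync() {
    zone="$1"
    s0=$(zone_serial "$zone" "$PRIMARY_NS")
    s1=$(zone_serial "$zone" "$SECONDARY_NS")
    if [ -z "$s0" ] || [ -z "$s1" ]; then
        echo "$zone: no SOA answer (primary='$s0' secondary='$s1')" >&2
        return 1
    fi
    if [ "$s0" != "$s1" ]; then
        echo "$zone: serial mismatch primary=$s0 secondary=$s1" >&2
        return 1
    fi
    echo "$zone: in sync (serial $s0)"
}

# Check every zone given on the command line; non-zero if any is out of sync.
main() {
    rc=0
    for z in "$@"; do
        check_zone_sync "$z" || rc=1
    done
    return "$rc"
}

# Usage: ./check-zone-sync.sh example.netlib.re [other.netlib.re ...]
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```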
.TITLE CONFIGURATION and ZONE UPDATES
Well, there isn't much configuration since both PowerDNS instances just run "as is" with the bind backend, which is filled on-the-fly.

.SUBTITLE watchdogs in a few words
A watchdog is (in this context) a command watching a directory.
These commands should run either on the primary or on the secondary name server.
They are distributed with
.cmdname dnsmanagerd
in the
.path deployment
directory.

.SUBTITLE primary-watchdog.sh (on primary)
Reads files in
.path /var/powerdns
and runs a command (pdns_control bind-reload-now) to update the zone, then sends the new (or updated) file to the secondary name server.
In case the domain wasn't already served, the domain is added (pdns_control bind-add-zone).
.SUBTITLE secondary-watchdog.sh (on secondary)
Same as primary-watchdog.sh but without remote operations.
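A minimal sketch of what primary-watchdog.sh and secondary-watchdog.sh do, as an added example and not the project's own scripts: it watches the zone directory with inotifywait and calls pdns_control bind-add-zone or bind-reload-now depending on whether the zone is already served. Assumptions: zone files are named after the zone they hold, pdns_control list-zones is used to find out what is already served, and the command that pushes a file to the secondary is taken from the SEND_TO_SECONDARY variable, left empty on the secondary (the only difference between the two scripts).

```sh
#!/bin/sh
# Sketch of primary-watchdog.sh / secondary-watchdog.sh (added example, not the
# project's scripts). Watches ZONE_DIR and feeds new or changed zone files to the
# local PowerDNS bind backend; on the primary it also pushes the file to ns1.
set -eu

ZONE_DIR="${ZONE_DIR:-/var/powerdns}"
PDNS_CONTROL="${PDNS_CONTROL:-pdns_control}"
# Assumption: how the file reaches the secondary is site-specific (scp, rsync...);
# on the secondary this stays empty and no remote operation is attempted.
SEND_TO_SECONDARY="${SEND_TO_SECONDARY:-}"

# Assumption: a zone file is named after the zone it contains (example.netlib.re).
zone_of() {
    basename "$1"
}

# True if PowerDNS already serves the zone (assumption: list-zones prints one
# zone name per line, so an exact-line match is enough).
zone_is_served() {
    "$PDNS_CONTROL" list-zones | grep -qx -- "$1"
}

# Add or reload one zone file, then hand it to the secondary if configured.
handle_zone_file() {
    file="$1"
    zone=$(zone_of "$file")
    case "$zone" in
        .*|*~|*.tmp) return 0 ;;   # ignore editor and temporary files
    esac
    if zone_is_served "$zone"; then
        "$PDNS_CONTROL" bind-reload-now "$zone"
    else
        "$PDNS_CONTROL" bind-add-zone "$zone" "$file"
    fi
    if [ -n "$SEND_TO_SECONDARY" ]; then
        "$SEND_TO_SECONDARY" "$file"
    fi
}

# Block on inotifywait and process every file written or moved into ZONE_DIR.
watch_loop() {
    inotifywait -m -e close_write -e moved_to --format '%w%f' "$ZONE_DIR" |
    while IFS= read -r path; do
        handle_zone_file "$path"
    done
}

# Usage: ./watchdog.sh --watch
case "${1:-}" in
    --watch) watch_loop ;;
esac
```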

.SUBTITLE primary-dnsmanagerd-to-powerdns.sh (on primary)
TODO: explanations, why doesn't dnsmanagerd use
.path /var/powerdns
directly?
.\" Since there is a migration to handle,
.\" .cmdname dnsmanagerd
.\" writes bind9 files in a temporary directory before they are sent to /var/powerdns.
.\" This makes it possible to first load the old zones (they are still served as before) and then to update them on-the-fly once users make changes on the new website.

.SUBTITLE mailer (on primary)
This command has to be configured with some templates in
.path $USER/email-templates
(available in this repository).

.SUBTITLE network configuration
GANDI doesn't have any running firewall currently.
BAGUETTE is a virtual machine running with a local IP address, behind a physical machine doing NAT.
TODO: expand the documentation

.SUBTITLE netlib.re zone should contain the right NS records
netlib.re should contain ns0.karchnu.fr and ns1.karchnu.fr as NS records.

For an unknown reason, netlib.re must have a record "netlib.re. IN A <IP>".
Otherwise, the NS records don't show up (but others are fine… don't ask me).

.SUBTITLE powerdns loglevel
Just put 'loglevel=3' in the PowerDNS configuration file to avoid repeated insignificant warnings about zones being reloaded for some reason.

TODO: expand the documentation
.TITLE LIMITATIONS
TODO: expand the documentation