Blaming LocalAuthority/scripts/sync_local_hosts.sh at 1e9f236aa11ef7798d501bdc71f7a3d4e5e96f4e · bogdan/LocalAuthority

LocalAuthority / scripts / sync_local_hosts.sh

Newer ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Older

Xdev Host Manager Initial host manager registry

282 lines | 9.235kb

Initial host manager registr... Xdev Host Manager authored 2 days ago	1	#!/usr/bin/env bash
	2	#
	3	# sync_local_hosts.sh - Sync local madagascar DNS records to is-vpn-gw and as01.
	4	#
	5
	6	set -euo pipefail
	7
	8	SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
	9	PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
	10	CONFIG_FILE="$PROJECT_DIR/config/local-hosts.tsv"
	11	IS_VPN_GW="is-vpn-gw"
	12	AS01="admin@192.168.2.2"
	13	APPLY=false
	14	VERIFY=false
	15	TARGET="all"
	16	NEGATIVE_NAME="nohost.madagascar.xdev.ro"
	17
	18	usage() {
	19	cat << EOF
	20	Usage: $0 [--apply] [--verify] [--target all\|is-vpn-gw\|as01] [-c file]
	21
	22	Default mode is dry-run. Use --apply to change remote resolvers.
	23
	24	Examples:
	25	$0
	26	$0 --apply --verify
	27	$0 --target as01 --apply
	28	EOF
	29	}
	30
	31	log() {
	32	printf '[INFO] %s\n' "$*"
	33	}
	34
	35	die() {
	36	printf '[ERROR] %s\n' "$*" >&2
	37	exit 1
	38	}
	39
	40	while [[ $# -gt 0 ]]; do
	41	case "$1" in
	42	--apply) APPLY=true; shift ;;
	43	--verify) VERIFY=true; shift ;;
	44	--target) TARGET="${2:-}"; shift 2 ;;
	45	-c\|--config) CONFIG_FILE="${2:-}"; shift 2 ;;
	46	-h\|--help) usage; exit 0 ;;
	47	*) die "Unknown option: $1" ;;
	48	esac
	49	done
	50
	51	case "$TARGET" in
	52	all\|is-vpn-gw\|as01) ;;
	53	*) die "Invalid target: $TARGET" ;;
	54	esac
	55
	56	[[ -f "$CONFIG_FILE" ]] \|\| die "Missing config file: $CONFIG_FILE"
	57
	58	WORK_DIR="$(mktemp -d)"
	59	trap 'rm -rf "$WORK_DIR"' EXIT
	60
	61	HOSTS_ROWS="$WORK_DIR/hosts.rows"
	62	CLOAK_ROWS="$WORK_DIR/cloak.rows"
	63	NAMES_FILE="$WORK_DIR/names.txt"
	64	MIKROTIK_RSC="$WORK_DIR/as01.rsc"
	65	VERIFY_ROWS="$WORK_DIR/verify.rows"
	66
	67	touch "$HOSTS_ROWS" "$CLOAK_ROWS" "$NAMES_FILE" "$MIKROTIK_RSC" "$VERIFY_ROWS"
	68
	69	quote_ros() {
	70	printf '%s' "$1" \| sed 's/\\/\\\\/g; s/"/\\"/g'
	71	}
	72
	73	while IFS= read -r line \|\| [[ -n "$line" ]]; do
	74	[[ -z "${line//[[:space:]]/}" ]] && continue
	75	[[ "$line" =~ ^[[:space:]]*# ]] && continue
	76
	77	read -r hosts_ip dns_ip names <<< "$line"
	78	[[ -n "${hosts_ip:-}" && -n "${dns_ip:-}" && -n "${names:-}" ]] \|\| die "Invalid row: $line"
	79
	80	printf '%s %s\n' "$hosts_ip" "$names" >> "$HOSTS_ROWS"
	81
	82	for name in $names; do
	83	printf '%s\n' "$name" >> "$NAMES_FILE"
	84	printf '%-40s %s\n' "$name" "$dns_ip" >> "$CLOAK_ROWS"
	85	if [[ "$name" == *.xdev.ro ]]; then
	86	printf '%s %s\n' "$name" "$dns_ip" >> "$VERIFY_ROWS"
	87	fi
	88
	89	ros_name="$(quote_ros "$name")"
	90	ros_ip="$(quote_ros "$dns_ip")"
	91	{
	92	printf '/ip dns static remove [find name="%s"]\n' "$ros_name"
	93	printf '/ip dns static add name="%s" type=A address=%s comment="xdev-local managed"\n' "$ros_name" "$ros_ip"
	94	} >> "$MIKROTIK_RSC"
	95	done
	96	done < "$CONFIG_FILE"
	97
	98	sort -u "$NAMES_FILE" -o "$NAMES_FILE"
	99	printf '/ip dns cache flush\n' >> "$MIKROTIK_RSC"
	100	printf ':put "xdev local dns sync complete"\n' >> "$MIKROTIK_RSC"
	101
	102	sync_is_vpn_gw() {
	103	if ! $APPLY; then
	104	log "Dry-run for $IS_VPN_GW: generated /etc/hosts block"
	105	sed -n '1,80p' "$HOSTS_ROWS"
	106	log "Dry-run for $IS_VPN_GW: generated cloaking-rules block"
	107	sed -n '1,120p' "$CLOAK_ROWS"
	108	return
	109	fi
	110
	111	log "Syncing $IS_VPN_GW"
	112	remote_dir="/tmp/xdev-local-dns.$$"
	113	ssh "$IS_VPN_GW" "mkdir -p '$remote_dir'"
	114	scp "$HOSTS_ROWS" "$CLOAK_ROWS" "$NAMES_FILE" "$IS_VPN_GW:$remote_dir/" >/dev/null
	115	ssh "$IS_VPN_GW" "REMOTE_DIR='$remote_dir' bash -s" <<'REMOTE'
	116	set -euo pipefail
	117	stamp="$(date +%Y%m%d_%H%M%S)"
	118	cp /etc/hosts "/etc/hosts.bak.$stamp"
	119	cp /etc/dnscrypt-proxy/cloaking-rules.txt "/etc/dnscrypt-proxy/cloaking-rules.txt.bak.$stamp"
	120
	121	awk '
	122	NR == FNR { names[$1] = 1; next }
	123	/^# BEGIN XDEV LOCAL DNS MANAGED BLOCK/ { in_managed = 1; next }
	124	/^# END XDEV LOCAL DNS MANAGED BLOCK/ { in_managed = 0; next }
	125	in_managed { next }
	126	/^[[:space:]]#/ \|\| /^[[:space:]]$/ { print; next }
	127	{
	128	keep = 1
	129	for (i = 2; i <= NF; i++) {
	130	if ($i in names) keep = 0
	131	}
	132	if (keep) print
	133	}
	134	' "$REMOTE_DIR/names.txt" /etc/hosts > "$REMOTE_DIR/hosts.new"
	135	{
	136	cat "$REMOTE_DIR/hosts.new"
	137	printf "\n# BEGIN XDEV LOCAL DNS MANAGED BLOCK\n"
	138	cat "$REMOTE_DIR/hosts.rows"
	139	printf "# END XDEV LOCAL DNS MANAGED BLOCK\n"
	140	} > /etc/hosts
	141
	142	awk '
	143	NR == FNR { names[$1] = 1; next }
	144	/^# BEGIN XDEV LOCAL DNS MANAGED BLOCK/ { in_managed = 1; next }
	145	/^# END XDEV LOCAL DNS MANAGED BLOCK/ { in_managed = 0; next }
	146	in_managed { next }
	147	/^[[:space:]]#/ \|\| /^[[:space:]]$/ { print; next }
	148	{
	149	if (!($1 in names)) print
	150	}
	151	' "$REMOTE_DIR/names.txt" /etc/dnscrypt-proxy/cloaking-rules.txt > "$REMOTE_DIR/cloak.new"
	152	{
	153	cat "$REMOTE_DIR/cloak.new"
	154	printf "\n# BEGIN XDEV LOCAL DNS MANAGED BLOCK\n"
	155	cat "$REMOTE_DIR/cloak.rows"
	156	printf "# END XDEV LOCAL DNS MANAGED BLOCK\n"
	157	} > /etc/dnscrypt-proxy/cloaking-rules.txt
	158
	159	resolved_backup=""
	160	if ! grep -Eq '^ReadEtcHosts=no$' /etc/systemd/resolved.conf; then
	161	cp /etc/systemd/resolved.conf "/etc/systemd/resolved.conf.bak.$stamp"
	162	resolved_backup=" /etc/systemd/resolved.conf.bak.$stamp"
	163	if grep -Eq '^ReadEtcHosts=' /etc/systemd/resolved.conf; then
	164	sed -i 's/^ReadEtcHosts=.*/ReadEtcHosts=no/' /etc/systemd/resolved.conf
	165	else
	166	printf "\nReadEtcHosts=no\n" >> /etc/systemd/resolved.conf
	167	fi
	168	fi
	169
	170	if grep -Eq '^DNSStubListenerExtra=' /etc/systemd/resolved.conf; then
	171	if [[ -z "$resolved_backup" ]]; then
	172	cp /etc/systemd/resolved.conf "/etc/systemd/resolved.conf.bak.$stamp"
	173	resolved_backup=" /etc/systemd/resolved.conf.bak.$stamp"
	174	fi
	175	sed -i 's/^DNSStubListenerExtra=/#DNSStubListenerExtra=/' /etc/systemd/resolved.conf
	176	fi
	177
	178	dnscrypt_resolved_conf="/etc/systemd/resolved.conf.d/20-dnscrypt.conf"
	179	mkdir -p /etc/systemd/resolved.conf.d
	180	if [[ ! -f "$dnscrypt_resolved_conf" ]] \|\| ! grep -Eq '^DNS=127\.0\.0\.1:5300$' "$dnscrypt_resolved_conf"; then
	181	if [[ -f "$dnscrypt_resolved_conf" ]]; then
	182	cp "$dnscrypt_resolved_conf" "$dnscrypt_resolved_conf.bak.$stamp"
	183	resolved_backup="$resolved_backup $dnscrypt_resolved_conf.bak.$stamp"
	184	fi
	185	cat > "$dnscrypt_resolved_conf" <<'EOF'
	186	[Resolve]
	187	# Send LAN DNS traffic through dnscrypt-proxy so cloaking-rules are authoritative locally.
	188	DNS=127.0.0.1:5300
	189	FallbackDNS=
	190	EOF
	191	fi
	192
	193	dnscrypt_conf="/etc/dnscrypt-proxy/dnscrypt-proxy.toml"
	194	expected_listen="listen_addresses = ['127.0.0.1:5300', '192.168.2.100:53']"
	195	dnscrypt_backup=""
	196	if ! grep -Fqx "$expected_listen" "$dnscrypt_conf"; then
	197	cp "$dnscrypt_conf" "$dnscrypt_conf.bak.$stamp"
	198	dnscrypt_backup=" $dnscrypt_conf.bak.$stamp"
	199	sed -i "s\|^listen_addresses = .*\|$expected_listen\|" "$dnscrypt_conf"
	200	fi
	201
	202	allowed_names_file="/etc/dnscrypt-proxy/allowed-names.txt"
	203	if ! grep -Eq "^allowed_names_file = '/etc/dnscrypt-proxy/allowed-names.txt'$" "$dnscrypt_conf"; then
	204	if [[ -z "$dnscrypt_backup" ]]; then
	205	cp "$dnscrypt_conf" "$dnscrypt_conf.bak.$stamp"
	206	dnscrypt_backup=" $dnscrypt_conf.bak.$stamp"
	207	fi
	208	if grep -Eq '^[#[:space:]]*allowed_names_file =' "$dnscrypt_conf"; then
	209	sed -i "s\|^[#[:space:]]allowed_names_file = .\|allowed_names_file = '/etc/dnscrypt-proxy/allowed-names.txt'\|" "$dnscrypt_conf"
	210	else
	211	sed -i "/^\\[allowed_names\\]/a allowed_names_file = '/etc/dnscrypt-proxy/allowed-names.txt'" "$dnscrypt_conf"
	212	fi
	213	fi
	214
	215	for allowed_name in google.com www.google.com; do
	216	grep -Fxq "$allowed_name" "$allowed_names_file" \|\| printf "%s\n" "$allowed_name" >> "$allowed_names_file"
	217	done
	218
	219	resolvectl flush-caches \|\| true
	220	systemctl restart systemd-resolved
	221
	222	systemctl restart dnscrypt-proxy
	223	rm -rf "$REMOTE_DIR"
	224	printf "backups: /etc/hosts.bak.%s /etc/dnscrypt-proxy/cloaking-rules.txt.bak.%s%s%s\n" "$stamp" "$stamp" "$resolved_backup" "$dnscrypt_backup"
	225	REMOTE
	226	}
	227
	228	sync_as01() {
	229	if ! $APPLY; then
	230	log "Dry-run for as01: generated RouterOS commands"
	231	sed -n '1,160p' "$MIKROTIK_RSC"
	232	return
	233	fi
	234
	235	log "Syncing as01"
	236	ssh "$AS01" "/ip dns static remove [find comment=\"xdev-local managed\"]"$'\n'"$(cat "$MIKROTIK_RSC")"
	237	}
	238
	239	verify_resolver() {
	240	local resolver="$1"
	241	local failures=0
	242
	243	log "Verifying resolver $resolver"
	244	while read -r name expected_ip; do
	245	answers="$(dig @"$resolver" "$name" +short \|\| true)"
	246	if ! grep -Fxq "$expected_ip" <<< "$answers"; then
	247	compact_answers="$(paste -s -d ',' - <<< "$answers")"
	248	printf '[FAIL] %s %s expected %s got %s\n' "$resolver" "$name" "$expected_ip" "${compact_answers:-<empty>}" >&2
	249	failures=$((failures + 1))
	250	fi
	251	done < "$VERIFY_ROWS"
	252
	253	dns_status="$(dig @"$resolver" "$NEGATIVE_NAME" +noall +comments \| awk '/status:/ {print $6}' \| tr -d ',' \|\| true)"
	254	if [[ "$dns_status" != "NXDOMAIN" ]]; then
	255	printf '[FAIL] %s %s expected NXDOMAIN got %s\n' "$resolver" "$NEGATIVE_NAME" "${dns_status:-<empty>}" >&2
	256	failures=$((failures + 1))
	257	fi
	258
	259	[[ "$failures" -eq 0 ]]
	260	}
	261
	262	if $APPLY \|\| ! $VERIFY; then
	263	case "$TARGET" in
	264	all)
	265	sync_is_vpn_gw
	266	sync_as01
	267	;;
	268	is-vpn-gw) sync_is_vpn_gw ;;
	269	as01) sync_as01 ;;
	270	esac
	271	fi
	272
	273	if $VERIFY; then
	274	case "$TARGET" in
	275	all)
	276	verify_resolver 192.168.2.100
	277	verify_resolver 192.168.2.2
	278	;;
	279	is-vpn-gw) verify_resolver 192.168.2.100 ;;
	280	as01) verify_resolver 192.168.2.2 ;;
	281	esac
	282	fi