
Add files to /etc (systemd, default, setup user, etc.)

author Alberto Bertogli (debian)
2016-11-26 13:09:54 UTC
committer Alberto Bertogli (debian)
2016-11-26 14:06:50 UTC
parent fe06c636954e8a8959b250d99b005866a7b1f91a

Add files to /etc (systemd, default, setup user, etc.)

.gitignore +1 -0
debian/.gitignore +4 -3
debian/README.certs +13 -0
debian/default/dnss +6 -0
debian/install +3 -0
debian/postinst +40 -0
debian/rules +5 -0
debian/systemd/dnss-grpc-server.service +25 -0
debian/systemd/dnss-to-grpc.service +37 -0
debian/systemd/dnss-to-grpc.socket +11 -0
debian/systemd/dnss-to-https.service +32 -0
debian/systemd/dnss-to-https.socket +11 -0

diff --git a/.gitignore b/.gitignore
index 845ca06..41420fb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .pc
+obj-*/
diff --git a/debian/.gitignore b/debian/.gitignore
index 31b9805..8aba2ae 100644
--- a/debian/.gitignore
+++ b/debian/.gitignore
@@ -1,6 +1,7 @@
 # Artifacts from package building, that we don't want to track as a part of
 # the repository.
-files
+*.debhelper.log
 debhelper-build-stamp
-*.debhelper
-
+dnss.substvars
+dnss/
+files
diff --git a/debian/README.certs b/debian/README.certs
new file mode 100644
index 0000000..4e2b5c8
--- /dev/null
+++ b/debian/README.certs
@@ -0,0 +1,13 @@
+
+When running in "DNS to GRPC" mode, the file grpc-upstream-cert.pem should
+contain the certificate of the upstream GRPC server, so it can be validated.
+
+When running in "GRPC to DNS" mode, the files grpc-server-cert.pem and
+grpc-server-key.pem should contain the certificate and its corresponding key
+(respectively) for the GRPC server to use.
+
+When running in "DNS to HTTPS" mode (the default), there's no need to put
+anything here, as the systems' database is used.
+
+These settings can be changed by editing the systemd/init scripts.
+
diff --git a/debian/default/dnss b/debian/default/dnss
new file mode 100644
index 0000000..b9cf3ba
--- /dev/null
+++ b/debian/default/dnss
@@ -0,0 +1,6 @@
+
+# When using dnss-to-grpc mode, the address of the upstream GRPC server.
+# Note e expect a certificate for the IP address in
+# /etc/ssl/dnss/grpc-upstream-cert.pem
+# Example: GRPC_UPSTREAM_ADDRESS="1.2.3.4:9953"
+GRPC_UPSTREAM_ADDRESS=
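Review bot: The comment on the third line of this file has a typo: `# Note e expect a certificate for the IP address in` should read `# Note we expect a certificate for the IP address in`. It would also help the operator to state here that the variable is only read by dnss-to-grpc.service (via EnvironmentFile=) and is intentionally empty for the default DNS-over-HTTPS mode, e.g. `# Only used by dnss-to-grpc.service; leave empty when running in DNS-to-HTTPS mode.`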
diff --git a/debian/install b/debian/install
new file mode 100644
index 0000000..bede141
--- /dev/null
+++ b/debian/install
@@ -0,0 +1,3 @@
+debian/README.certs	etc/ssl/dnss/
+debian/default/dnss	etc/default/
+debian/systemd/*	lib/systemd/system/
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 0000000..b22e3d0
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+  configure)
+    # Add dnss user
+    if ! getent passwd dnss > /dev/null; then
+        adduser --quiet --system --home /var/lib/dnss --no-create-home \
+            --group --gecos "dnss daemon" dnss || true
+    fi
+  ;;
+
+  abort-upgrade|abort-remove|abort-deconfigure)
+    :
+  ;;
+
+  *)
+    echo "postinst called with unknown argument \`$1'" >&2
+    exit 1
+  ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
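Review bot: The `|| true` after `--group --gecos "dnss daemon" dnss` masks a failed user creation, so under `set -e` the package still configures successfully while the units that set `User=dnss` cannot start for lack of the account. The call is already guarded by the getent check, so dropping the `|| true` lets a genuine adduser failure abort configuration with a visible error instead of surfacing later as a service start failure. Separately, the home directory is given as /var/lib/dnss with --no-create-home while the comments in the unit files suggest `/nonexistent`; pick one so the two agree.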
diff --git a/debian/rules b/debian/rules
index fabee61..39a5ea0 100755
--- a/debian/rules
+++ b/debian/rules
@@ -6,3 +6,8 @@
 # No need to install the source files, this is a binary package.
 override_dh_auto_install:
 	dh_auto_install -- --no-source
+
+# By default, enable the dns-over-https mode, which is the most practical to do
+# out of the box (the others require certificate creation and coordination).
+override_dh_systemd_enable:
+	dh_systemd_enable --name dnss-to-https dnss-to-https.service
diff --git a/debian/systemd/dnss-grpc-server.service b/debian/systemd/dnss-grpc-server.service
new file mode 100644
index 0000000..ee1cee0
--- /dev/null
+++ b/debian/systemd/dnss-grpc-server.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=dnss daemon - GRPC to DNS mode
+
+
+[Service]
+ExecStart=/usr/bin/dnss --enable_grpc_to_dns \
+        --grpc_key=/etc/ssl/dnss/grpc-server-key.pem \
+        --grpc_cert=/etc/ssl/dnss/grpc-server-cert.pem \
+        --monitoring_listen_addr=127.0.0.1:9981 \
+        --logtostderr
+
+Type=simple
+Restart=always
+
+User=ddns
+Group=ddns
+
+# Simple security measures just in case.
+CapabilityBoundingSet=
+ProtectSystem=full
+
+
+[Install]
+WantedBy=multi-user.target
+
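Review bot: `User=ddns` and `Group=ddns` name an account that nothing creates: postinst adds `dnss`, and dnss-to-https.service uses `dnss`, so starting this unit fails at user lookup before the daemon runs. dnss-to-grpc.service carries the same `User=ddns` / `Group=ddns` lines. Change both units to `User=dnss` and `Group=dnss`.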
diff --git a/debian/systemd/dnss-to-grpc.service b/debian/systemd/dnss-to-grpc.service
new file mode 100644
index 0000000..00780d1
--- /dev/null
+++ b/debian/systemd/dnss-to-grpc.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=dnss daemon - DNS to GRPC mode
+
+# Note we get the sockets via systemd, see the matching .socket configuration.
+Requires=dnss-to-grpc.socket
+
+
+[Service]
+EnvironmentFile=-/etc/default/dnss
+
+ExecStart=/usr/bin/dnss \
+        --dns_listen_addr=systemd \
+        --logtostderr \
+        --monitoring_listen_addr=127.0.0.1:9981 \
+        --grpc_upstream=${GRPC_UPSTREAM_ADDRESS} \
+        --grpc_client_cafile=/etc/ssl/dnss/grpc-upstream-cert.pem \
+        --enable_dns_to_grpc
+
+
+Type=simple
+Restart=always
+
+# The user can be created with no permissions using:
+#
+#   sudo useradd -U dnss -M -d /nonexistent -s /bin/false
+User=ddns
+Group=ddns
+
+# Simple security measures just in case.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ProtectSystem=full
+
+
+[Install]
+Also=dnss-to-grpc.socket
+WantedBy=multi-user.target
+
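Review bot: `--grpc_upstream=${GRPC_UPSTREAM_ADDRESS}` expands to a bare `--grpc_upstream=` when /etc/default/dnss leaves the variable empty, which is the shipped default, and with `Restart=always` a daemon that rejects the empty address is restarted in a loop; whether dnss rejects it or attempts to connect to an empty address is not visible from this hunk. A comment above `EnvironmentFile=-/etc/default/dnss` would save the operator a debugging round, e.g. `# GRPC_UPSTREAM_ADDRESS must be set in /etc/default/dnss before enabling this unit.`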
diff --git a/debian/systemd/dnss-to-grpc.socket b/debian/systemd/dnss-to-grpc.socket
new file mode 100644
index 0000000..b73523c
--- /dev/null
+++ b/debian/systemd/dnss-to-grpc.socket
@@ -0,0 +1,11 @@
+# Sockets for dnss.
+#
+# This lets dnss run unprivileged.
+# We typically want one UDP and one TCP socket.
+
+[Socket]
+ListenDatagram=53
+ListenStream=53
+
+[Install]
+WantedBy=sockets.target
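Review bot: `ListenDatagram=53` and `ListenStream=53` with a bare port number bind the wildcard address, so the resolver is reachable from every interface on the host; if the intended use is a local stub resolver, `ListenDatagram=127.0.0.1:53` and `ListenStream=127.0.0.1:53` (plus the IPv6 loopback if wanted) keep it off the network, and the wildcard should be a deliberate choice documented in the header comment. The identical lines in dnss-to-https.socket have the same exposure. Both socket units also claim the same port, so only one of the two modes can be active at a time; a line in the header comment saying so would help whoever switches modes by hand as README.certs suggests.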
diff --git a/debian/systemd/dnss-to-https.service b/debian/systemd/dnss-to-https.service
new file mode 100644
index 0000000..8be55c7
--- /dev/null
+++ b/debian/systemd/dnss-to-https.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=dnss daemon - DNS over HTTPS mode
+
+# Note we get the sockets via systemd, see the matching .socket configuration.
+Requires=dnss-to-https.socket
+
+
+[Service]
+ExecStart=/usr/bin/dnss \
+        --dns_listen_addr=systemd \
+        --logtostderr \
+        --monitoring_listen_addr=127.0.0.1:9981 \
+        --enable_dns_to_https
+
+
+Type=simple
+Restart=always
+
+# The user can be created with no permissions using:
+#
+#   sudo useradd -U dnss -M -d /nonexistent -s /bin/false
+User=dnss
+Group=dnss
+
+# Simple security measures just in case.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ProtectSystem=full
+
+
+[Install]
+Also=dnss-to-https.socket
+WantedBy=multi-user.target
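Review bot: `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` is broader than this unit needs: the listening sockets arrive from dnss-to-https.socket (`--dns_listen_addr=systemd`) and the only other listener visible here is 127.0.0.1:9981, so the process never binds a privileged port itself and the set can be emptied as dnss-grpc-server.service already does with `CapabilityBoundingSet=`. Adding `NoNewPrivileges=yes` and `PrivateTmp=yes` next to `ProtectSystem=full` would round out the "simple security measures" at no functional cost that I can see from this hunk. dnss-to-grpc.service carries the same capability line and the same remark applies there.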
diff --git a/debian/systemd/dnss-to-https.socket b/debian/systemd/dnss-to-https.socket
new file mode 100644
index 0000000..b73523c
--- /dev/null
+++ b/debian/systemd/dnss-to-https.socket
@@ -0,0 +1,11 @@
+# Sockets for dnss.
+#
+# This lets dnss run unprivileged.
+# We typically want one UDP and one TCP socket.
+
+[Socket]
+ListenDatagram=53
+ListenStream=53
+
+[Install]
+WantedBy=sockets.target