author | Alberto Bertogli (debian)
<albertito@blitiri.com.ar> 2016-11-29 09:59:13 UTC |
committer | Alberto Bertogli (debian)
<albertito@blitiri.com.ar> 2016-11-29 10:15:17 UTC |
parent | 8282d39edb24ab787dfdc3afaa8f2a2d1f09ef3e |
debian/README.certs | +0 | -13 |
debian/default | +6 | -5 |
debian/install | +0 | -1 |
debian/rules | +1 | -6 |
debian/systemd/dnss-grpc-server.service | +0 | -25 |
debian/systemd/dnss-to-grpc.service | +0 | -31 |
debian/systemd/dnss-to-https.socket | +0 | -11 |
debian/systemd/{dnss-to-https.service => dnss.service} | +4 | -6 |
debian/systemd/{dnss-to-grpc.socket => dnss.socket} | +0 | -0 |
diff --git a/debian/README.certs b/debian/README.certs deleted file mode 100644 index 4e2b5c8..0000000 --- a/debian/README.certs +++ /dev/null @@ -1,13 +0,0 @@ - -When running in "DNS to GRPC" mode, the file grpc-upstream-cert.pem should -contain the certificate of the upstream GRPC server, so it can be validated. - -When running in "GRPC to DNS" mode, the files grpc-server-cert.pem and -grpc-server-key.pem should contain the certificate and its corresponding key -(respectively) for the GRPC server to use. - -When running in "DNS to HTTPS" mode (the default), there's no need to put -anything here, as the systems' database is used. - -These settings can be changed by editing the systemd/init scripts. - diff --git a/debian/default b/debian/default index 6713cf3..2c4e8b2 100644 --- a/debian/default +++ b/debian/default @@ -1,8 +1,9 @@ -# When using dnss-to-grpc mode, the address of the upstream GRPC server. -# Note we expect a certificate for the IP address in -# /etc/ssl/dnss/grpc-upstream-cert.pem -# Example: GRPC_UPSTREAM_ADDRESS="1.2.3.4:9953" -GRPC_UPSTREAM_ADDRESS= +# dnss can be run in 3 different modes, depending on the flags given to it: +# DNS to HTTPS (default), DNS to GRPC, and GRPC to DNS. +# This variable controls the mode, and its parameters. +# The default is DNS to HTTPS mode, which requires no additional +# configuration. For the other modes, see dnss' documentation and help. +MODE_FLAGS="--enable_dns_to_https" # Flag to configure monitoring. # By default, we listen on 127.0.0.1:9981, but this variable allows you to diff --git a/debian/install b/debian/install index c0ea4ab..1d1c9dc 100644 --- a/debian/install +++ b/debian/install @@ -1,2 +1 @@ -debian/README.certs etc/ssl/dnss/ debian/systemd/* lib/systemd/system/ diff --git a/debian/rules b/debian/rules index 39a5ea0..9458751 100755 --- a/debian/rules +++ b/debian/rules 
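Review bot: The new MODE_FLAGS comment in debian/default points to "dnss' documentation and help" but no longer says which certificate flags the GRPC modes need, and this commit also deletes README.certs and the units that passed `--grpc_client_cafile`, `--grpc_cert` and `--grpc_key`. After the change, upstream certificate validation in DNS to GRPC mode depends on the administrator adding those flags by hand; what dnss does when they are omitted is not visible here. I would add a commented example above the assignment, such as `# Example (DNS to GRPC): MODE_FLAGS="--enable_dns_to_grpc --grpc_upstream=1.2.3.4:9953 --grpc_client_cafile=/etc/ssl/dnss/grpc-upstream-cert.pem"`. The file continues past the hunk with the monitoring flag.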
@@ -1,13 +1,8 @@ #!/usr/bin/make -f %: - dh $@ --buildsystem=golang --with=golang + dh $@ --buildsystem=golang --with=golang --with=systemd # No need to install the source files, this is a binary package. override_dh_auto_install: dh_auto_install -- --no-source - -# By default, enable the dns-over-https mode, which is the most practical to do -# out of the box (the others require certificate creation and coordination). -override_dh_systemd_enable: - dh_systemd_enable --name dnss-to-https dnss-to-https.service diff --git a/debian/systemd/dnss-grpc-server.service b/debian/systemd/dnss-grpc-server.service deleted file mode 100644 index 57511b4..0000000 --- a/debian/systemd/dnss-grpc-server.service +++ /dev/null @@ -1,25 +0,0 @@ -[Unit] -Description=dnss daemon - GRPC to DNS mode - - -[Service] -EnvironmentFile=-/etc/default/dnss -ExecStart=/usr/bin/dnss --enable_grpc_to_dns \ - --grpc_key=/etc/ssl/dnss/grpc-server-key.pem \ - --grpc_cert=/etc/ssl/dnss/grpc-server-cert.pem \ - ${MONITORING_FLAG} \ - --logtostderr - -Type=simple -Restart=always - -User=ddns -Group=ddns - -# Simple security measures just in case. -CapabilityBoundingSet= -ProtectSystem=full - - -[Install] -WantedBy=multi-user.target diff --git a/debian/systemd/dnss-to-grpc.service b/debian/systemd/dnss-to-grpc.service deleted file mode 100644 index bed4520..0000000 --- a/debian/systemd/dnss-to-grpc.service +++ /dev/null 
@@ -1,31 +0,0 @@ -[Unit] -Description=dnss daemon - DNS to GRPC mode - -# Note we get the sockets via systemd, see the matching .socket configuration. -Requires=dnss-to-grpc.socket - - -[Service] -EnvironmentFile=-/etc/default/dnss -ExecStart=/usr/bin/dnss \ - --dns_listen_addr=systemd \ - --logtostderr \ - ${MONITORING_FLAG} \ - --grpc_upstream=${GRPC_UPSTREAM_ADDRESS} \ - --grpc_client_cafile=/etc/ssl/dnss/grpc-upstream-cert.pem \ - --enable_dns_to_grpc - -Type=simple -Restart=always - -User=ddns -Group=ddns - -# Simple security measures just in case. -CapabilityBoundingSet=CAP_NET_BIND_SERVICE -ProtectSystem=full - - -[Install] -Also=dnss-to-grpc.socket -WantedBy=multi-user.target diff --git a/debian/systemd/dnss-to-https.socket b/debian/systemd/dnss-to-https.socket deleted file mode 100644 index b73523c..0000000 --- a/debian/systemd/dnss-to-https.socket +++ /dev/null @@ -1,11 +0,0 @@ -# Sockets for dnss. -# -# This lets dnss run unprivileged. -# We typically want one UDP and one TCP socket. - -[Socket] -ListenDatagram=53 -ListenStream=53 - -[Install] -WantedBy=sockets.target diff --git a/debian/systemd/dnss-to-https.service b/debian/systemd/dnss.service similarity index 62% rename from debian/systemd/dnss-to-https.service rename to debian/systemd/dnss.service index f77111b..8ad3214 100644 --- a/debian/systemd/dnss-to-https.service +++ b/debian/systemd/dnss.service @@ -1,8 +1,6 @@ [Unit] -Description=dnss daemon - DNS over HTTPS mode - -# Note we get the sockets via systemd, see the matching .socket configuration. -Requires=dnss-to-https.socket +Description=dnss daemon +Requires=dnss.socket [Service] @@ -11,7 +9,7 @@ ExecStart=/usr/bin/dnss \ --dns_listen_addr=systemd \ --logtostderr \ ${MONITORING_FLAG} \ - --enable_dns_to_https + ${MODE_FLAGS} Type=simple Restart=always @@ -25,5 +23,5 @@ ProtectSystem=full [Install] -Also=dnss-to-https.socket +Also=dnss.socket WantedBy=multi-user.target 
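Review bot: In the second dnss.service hunk, `${MODE_FLAGS}` in ExecStart uses the braced form, which systemd substitutes as exactly one argument without splitting on whitespace. The default value `--enable_dns_to_https` is a single word and works, but a GRPC-mode value carrying several flags (an upstream address plus `--grpc_client_cafile=...`, for instance) would reach dnss as one malformed argument, so the certificate options would never be parsed. Use the unbraced form as a word of its own, `$MODE_FLAGS`, which systemd splits into separate arguments. If the unit still reads /etc/default/dnss with the optional `-` prefix as the removed units did, a missing file now leaves the mode unset where it used to be hardcoded; the [Service] section extends outside the hunk, so that should be confirmed there.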
diff --git a/debian/systemd/dnss-to-grpc.socket b/debian/systemd/dnss.socket similarity index 100% rename from debian/systemd/dnss-to-grpc.socket rename to debian/systemd/dnss.socket