Took a while to get here, but Propellor 0.4.0 can deploy DNS servers and I just had it deploy mine. Including generating DNS zone files.
Configuration is dead simple, as far as DNS goes:
& alias "ns1.example.com" & Dns.secondary hosts "joeyh.name" & Dns.primary hosts "example.com" (Dns.mkSOA "ns1.example.com" 100) [ (RootDomain, NS $ AbsDomain "ns1.example.com") , (RootDomain, NS $ AbsDomain "ns2.example.com") ]
The awesome thing is that propellor fills in all the other information in the zone file by looking at the properties of the hosts it knows about.
, host "blue.example.com" & ipv4 "192.168.1.1" & ipv6 "fe80::26fd:52ff:feea:2294" & alias "example.com" & alias "www.example.com" & alias "example.museum" & Docker.docked hosts "webserver" `requres` backedup "/var/www" & alias "ns2.example.com" & Dns.secondary hosts "example.com"
When it sees this host, Propellor adds its IP addresses to the example.com DNS zone file, for both its main hostname ("blue.example.com"), and also its relevant aliases. (The .museum alias would go into a different zone file.)
Multiple hosts can define the same alias, and then you automaticlly get round-robin DNS.
The web server part of of the blue.example.com config can be cut and pasted to another host in order to move its web server to the other host, including updating the DNS. That's really all there is to is, just cut, paste, and commit!
I'm quite happy with how that worked out. And curious if Puppet etc have anything similar.
One tricky part of this was how to ensure that the serial number automtically updates when changes are made. The way this is handled is Propellor starts with a base serial number (100 in the example above), and then it adds to it the number of commits in its git repository. The zone file is only updated when something in it besides the serial number needs to change.
The result is nice small serial numbers that don't risk overflowing the (so 90's) 32 bit limit, and will be consistent even if the configuration had Propellor setting up multiple independent master DNS servers for the same domain.
Another recent feature in Propellor is that it can use Obnam to back up a directory. With the awesome feature that if the backed up directory is empty/missing, Propellor will automcatically restore it from the backup.
Here's how the
backedup property used in the example above
might be implemented:
backedup :: FilePath -> Property backedup dir = Obnam.backup dir daily [ "--repository=sftp://rsync.example.com/~/webserver.obnam" ] Obnam.OnlyClient `requires` Ssh.keyImported SshRsa "root" `requires` Ssh.knownHost hosts "rsync.example.com" "root" `requires` Gpg.keyImported "1B169BE1" "root"
Notice that the
Ssh.knownHost makes root trust the ssh host key
belonging to rsync.example.com. So Propellor needs to be told what that
host key is, like so:
, host "rsync.example.com" & ipv4 "192.168.1.4" & sshPubKey "ssh-rsa blahblahblah"
Which of course ties back into the DNS and gets this hostname set in it. But also, the ssh public key is available for this host and visible to the DNS zone file generator, and that could also be set in the DNS, in a SSHFP record. I haven't gotten around to implementing that, but hope at some point to make Propellor support DNSSEC, and then this will all combine even more nicely.
By the way, Propellor is now up to 3 thousand lines of code (not including Utility library). In 20 days, as a 10% time side project.