From cf6ff5f3a33826b9723c7442c880fc446e29f992 Mon Sep 17 00:00:00 2001
From: pettai
Date: Thu, 13 Mar 2025 10:33:53 +0100
Subject: [PATCH] add new acls
---
 .../overlay/etc/hiera/data/local.eyaml | 3 ++
 .../etc/knot/conf.d/0sunet.catalog.conf | 33 ++++++++++++++++---
 2 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/dns-rest-api1.sunet.se/overlay/etc/hiera/data/local.eyaml b/dns-rest-api1.sunet.se/overlay/etc/hiera/data/local.eyaml
index e96d62f..f4576c3 100644
--- a/dns-rest-api1.sunet.se/overlay/etc/hiera/data/local.eyaml
+++ b/dns-rest-api1.sunet.se/overlay/etc/hiera/data/local.eyaml
@@ -2,6 +2,9 @@ knot_rest_token_secret: ENC[PKCS7,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] knot_tsig: knot-ladok: ENC[PKCS7,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] + alt-ladok: ENC[PKCS7,MIIC8gYJKoZIhvcNAQcDoIIC4zCCAt8CAQAxggJ6MIICdgIBADBeMEYxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxFzAVBgNVBAMMDjE5Mi4zNi4xNzEuMjE5AhQNByDxtRKM7mjQvskJVp1wrj/QxjANBgkqhkiG9w0BAQEFAASCAgBJkVAcgcKO8YR0yr2nGVTSQWb7A1eJMqBbPrjTojKepIJN4zdGhLSjETmcMDDBhOVoWSRoE6U9+FRZSwjtRy2yVyPBvoMo7lENncLbT8vISWlyBhWTsXrk8SctgyaDhjD/lNwfzk1VquVuw7ncAEP/iquS+3oTM8BGs62jmVUdKaug5wJWsGDeEkxXhWwmllXCbqblkLZ2oDVW1cbMrgDAda+YT4XsncKjpyiouyvxyPvWM+6e2/9Ijg/TMljhKBT/2NRSglUH5crqpg2LDBbLavjO1gS9nsgPEUkDcUD1sWVJU4J5o+TTuPuVe69G2M4koFNEzmuM37C9jiGKWUKwzX11ayD2xs4QGWKLfG62MdlPycHcMwTHnF+Cbej9iLx5MobXFhGN1VSpUCMRdPswwrWwPodR8h/19NVYoRegiS6E/h4iWDcWlaA1b/MVk/iBy9vWXR/XHDym+8W0TwNHhYT/U4LhmPJ3BvagP86eNwyjO6XyGPxO9QOqG2f2lkB33XqE39UlJacmwV/ex2Fvej4wG3dL0qN51tH6a4KpYU+kpFYckntm9jnvnclTF8D0WjU/sH19W/GjYVoad5fzrllZr/5wGKRJr+g7X5c1GLGV8Lwu2SU36NVlHQiz5XPCoDKHVR5Qfc03FfWVDsdAJ8fJijVMAUwh/xTuhSaoijBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC/AZcyUWdl4sVHFWcs9xfkgDBwgB9SrJWksAkDU+GCplJz1ZsvqYVfIbzYb4omVc0LT0W4p12k4aCI0diQaBgIgAY=] + infra-utv-ladok: ENC[PKCS7,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] + lab-utv-ladok: ENC[PKCS7,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] certbot_acmed_clients: dns-rest-api.sunet.se: allowfrom: [] diff --git a/dns-rest-api1.sunet.se/overlay/etc/knot/conf.d/0sunet.catalog.conf b/dns-rest-api1.sunet.se/overlay/etc/knot/conf.d/0sunet.catalog.conf index 046a9ba..3124498 100644 --- a/dns-rest-api1.sunet.se/overlay/etc/knot/conf.d/0sunet.catalog.conf +++ b/dns-rest-api1.sunet.se/overlay/etc/knot/conf.d/0sunet.catalog.conf 
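Review bot: The three added `knot_tsig` entries (`alt-ladok`, `infra-utv-ladok`, `lab-utv-ladok`) carry no comment tying each secret to the ACL and zone it authorises, and the ciphertext cannot show whether the secrets are distinct, because eyaml PKCS7 encryption of the same plaintext yields a different blob each time. The per-zone ACL split in `0sunet.catalog.conf` only isolates the zones if each value was generated independently of `knot-ladok` and of the others, so that is worth confirming before merge. A comment above the new entries such as `# one independently generated TSIG secret per ladok zone ACL (see knot/conf.d/0sunet.catalog.conf)` would record the intent.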
@@ -6,9 +6,34 @@ acl: key: knot-ladok update-type: [TXT] update-owner: name - update-owner-name: [ _acme-challenge.*.alt.ladok.se., _acme-challenge.*.*.alt.ladok.se., _acme-challenge.*.infra.utv.ladok.se., _acme-challenge.*.lab.utv.ladok.se. ] + update-owner-name: [ _acme-challenge.*.alternativ.ladok.se. ] update-owner-match: pattern + - id: ddns_allow_alt_ladok + action: update + key: alt-ladok + update-type: [TXT] + update-owner: name + update-owner-name: [ _acme-challenge.*.alt.ladok.se., _acme-challenge.*.*.alt.ladok.se. ] + update-owner-match: pattern + + - id: ddns_allow_infra_utv_ladok + action: update + key: infra-utv-ladok + update-type: [TXT] + update-owner: name + update-owner-name: [ _acme-challenge.*.infra.utv.ladok.se. ] + update-owner-match: pattern + + - id: ddns_allow_lab_utv_ladok + action: update + key: lab-utv-ladok + update-type: [TXT] + update-owner: name + update-owner-name: [ _acme-challenge.*.lab.utv.ladok.se. ] + update-owner-match: pattern + + template: - id: 0sunet-catz catalog-role: member @@ -28,13 +53,13 @@ zone: - domain: alt.ladok.se. template: 0sunet-catz - acl: [txt_ddns_allow] + acl: [ddns_allow_alt_ladok] - domain: infra.utv.ladok.se. template: 0sunet-catz - acl: [txt_ddns_allow] + acl: [ddns_allow_infra_utv_ladok] - domain: lab.utv.ladok.se. template: 0sunet-catz - acl: [txt_ddns_allow] + acl: [ddns_allow_lab_utv_ladok]
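Review bot: Each of the three new ACLs (`ddns_allow_alt_ladok`, `ddns_allow_infra_utv_ladok`, `ddns_allow_lab_utv_ladok`) authorises updates on the TSIG key alone, with no `address` restriction, so a copy of the secret is sufficient from any source that can reach the server. If the ACME clients update from stable addresses and this is not already enforced by a packet filter outside this file, adding `address: [ <client-prefix> ]` (placeholder) to each ACL would limit the impact of a leaked key. The first ACL's `id` line is above the hunk; it is presumably `txt_ddns_allow`, which after this change only allows `_acme-challenge.*.alternativ.ladok.se.`. Separately, the hunk appears to end with two added blank lines before `template:`, where one would match the spacing between the other ACL entries.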
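Review bot: After this hunk none of the visible zones references `txt_ddns_allow` any more, while the first hunk keeps that ACL (key `knot-ladok`) for `_acme-challenge.*.alternativ.ladok.se.`. The zone list starts and ends outside the hunk, so an `alternativ.ladok.se.` zone carrying `acl: [txt_ddns_allow]` may exist there; if it does not, the ACL and the `knot-ladok` secret are unused and are better removed than left as a standing credential. A short comment on the `zone:` list, for example `# each ladok zone has its own ACL and TSIG key; do not share ACLs between zones`, would keep later additions from reverting to a shared key.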