From 990a7a560c98dcbaa9c9e8deb0968819b646a664 Mon Sep 17 00:00:00 2001
From: David Timber
Date: Mon, 16 May 2022 15:53:36 +0800
Subject: Changes ...

- Deprecate palhm-dnssec-check.sh
- Merge check-dnssec and boot-report config into the sample config
- Add crontab sample
- Reduce Python requirement to 3.5
- Remove use of capture_output
- boot-report: remove systemd-analyze as the command is not available during boot time
- Change config schema
- "object-groups" and "objects" are now optional
- Change "boot-report" include behaviour
---
src/conf/crontab | 6 ++++++
src/conf/palhm-boot-report.service | 4 +---
src/conf/py-debug/palhm.jsonc | 2 +-
src/conf/py-sample/boot-report.jsonc | 7 -------
src/conf/py-sample/conf.d/core.json | 12 ++++++++++++
src/conf/py-sample/sample.jsonc | 37 ++++++++++++++++++++++++++++++++++++
6 files changed, 57 insertions(+), 11 deletions(-)
create mode 100644 src/conf/crontab
delete mode 100644 src/conf/py-sample/boot-report.jsonc
(limited to 'src/conf')
diff --git a/src/conf/crontab b/src/conf/crontab
new file mode 100644
index 0000000..35f52ce
--- /dev/null
+++ b/src/conf/crontab
@@ -0,0 +1,6 @@
+# PALHM will produce stderr on exception. Mail the output to root
+MAILTO="root"
+# Run default task every Sunday at midnight
+0 0 * * sun root /var/lib/PALHM/src/palhm.py -q run
+# Check dnssec validity every hour
+# 0 * * * * root systemd-run -qP -p Nice=15 -p ProtectSystem=strict -p ReadOnlyPaths=/ -p PrivateDevices=true --wait /var/lib/PALHM/src/palhm.py -q run check-dnssec
diff --git a/src/conf/palhm-boot-report.service b/src/conf/palhm-boot-report.service
index 288aabd..37a4e61 100644
--- a/src/conf/palhm-boot-report.service
+++ b/src/conf/palhm-boot-report.service
@@ -6,9 +6,7 @@ After=postfix.service sendmail.service exim.service
 Type=oneshot
 ExecStart=/var/lib/PALHM/src/palhm.py -q boot-report
 Nice=10
-ProtectSystem=strict
-ReadOnlyPaths=/
-PrivateDevices=true
+User=palhm

 [Install]
 WantedBy=multi-user.target
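Review bot: Both scheduled entries carry a user field (`root` after the five time fields), so this file is in the /etc/cron.d system-crontab format, not the per-user format; installed with `crontab -e` the word `root` would be executed as the command and the real command dropped. A header comment such as `# Install under /etc/cron.d (system crontab format: the 6th field is the user)` makes the intended use explicit. The weekly `run` entry also executes as root without any of the `systemd-run` sandboxing properties the commented hourly `check-dnssec` entry applies, while the unit file in this same patch moves boot-report to `User=palhm`; if the backup genuinely needs root, a comment saying so justifies the asymmetry, otherwise the same `systemd-run -p ProtectSystem=strict ... --wait` wrapper could front the `run` entry too.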
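Review bot: Removing `ProtectSystem=strict` and `PrivateDevices=true` is not explained by the commit message, which only mentions the systemd-analyze removal; `User=palhm` lowers privilege but does not replace a read-only filesystem or device isolation, and those directives compose with `User=`. If the reason is that the MUA's sendmail client must write into a mail spool (a guess — the unit is ordered after postfix/sendmail/exim), the narrower change is to keep `ProtectSystem=strict` and add a `ReadWritePaths=` entry for that directory; `ReadOnlyPaths=/` was redundant with `ProtectSystem=strict` and can go. Nothing in the `src/conf` part of this diff creates the `palhm` account, so a sysusers.d fragment or an install note is presumably needed elsewhere.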
diff --git a/src/conf/py-debug/palhm.jsonc b/src/conf/py-debug/palhm.jsonc
index fb68baf..c40e201 120000
--- a/src/conf/py-debug/palhm.jsonc
+++ b/src/conf/py-debug/palhm.jsonc
@@ -1 +1 @@
-aws.jsonc
\ No newline at end of file
+../py-sample/sample.jsonc
\ No newline at end of file
diff --git a/src/conf/py-sample/boot-report.jsonc b/src/conf/py-sample/boot-report.jsonc
deleted file mode 100644
index dd9d606..0000000
--- a/src/conf/py-sample/boot-report.jsonc
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "boot-report": {
- // "mua": "stdout",
- "mua": "mailx",
- "mail-to": [ "root" ]
- }
-}
diff --git a/src/conf/py-sample/conf.d/core.json b/src/conf/py-sample/conf.d/core.json
index 46d3feb..7145eae 100644
--- a/src/conf/py-sample/conf.d/core.json
+++ b/src/conf/py-sample/conf.d/core.json
@@ -36,6 +36,18 @@
 {
 "id": "os-release",
 "argv": [ "/bin/cat", "/etc/os-release" ]
+ },
+ {
+ "id": "dig-dnssec",
+ "argv": [ "/bin/dig", "+short", "+dnssec", "+notcp" ]
+ },
+ {
+ "id": "grep-any",
+ "argv": [ "/bin/grep", "." ]
+ },
+ {
+ "id": "null-stdout-sink",
+ "argv": [ "/bin/cp", "/dev/stdin", "/dev/null" ]
 }
 ]
 }
diff --git a/src/conf/py-sample/sample.jsonc b/src/conf/py-sample/sample.jsonc
index f1c4501..0da72a6 100644
--- a/src/conf/py-sample/sample.jsonc
+++ b/src/conf/py-sample/sample.jsonc
@@ -3,6 +3,16 @@
 // "modules": [ "aws" ],
 "nb-workers": 0,
 // "vl": 4,
+ "boot-report": {
+ // "mua": "stdout",
+ "mua": "mailx",
+ "mail-to": [ "root" ]
+ // "subject": "Custom Boot Report Subject from {hostname}",
+ // "header": "Custom header content with {hostname} substitution."
+ // "uptime-since": true,
+ // "uptime": true,
+ // "bootid": true
+ },
 "tasks": [
 {
 "id": "backup",
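Review bot: The new `dig-dnssec` entry hard-codes `/bin/dig`, but `dig` is installed by bind-utils/dnsutils under `/usr/bin` and only resolves at `/bin/dig` on merged-/usr systems, unlike the `/bin/cat` and `/bin/grep` neighbours which exist either way; `"argv": [ "/usr/bin/dig", "+short", "+dnssec", "+notcp" ]` is the portable form. `+notcp` only matters because the sample task queries type `ANY`, for which dig defaults to TCP; if that task moves to a concrete record type the flag can be dropped. `null-stdout-sink` is defined here but referenced by no hunk in this patch, so either a sample task using it or its removal would keep core.json minimal. The exec array these entries extend starts above the hunk.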
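Review bot: The commented-out options are inconsistent about trailing commas: `// "subject": "…",` and `// "uptime-since": true,` end with one while `// "header": "…"` does not, and the live `"mail-to": [ "root" ]` line before them has none, so uncommenting `header` together with any later option, or any option at all without also editing `mail-to`, leaves the block unparsable. The one-line fix for the first case is `// "header": "Custom header content with {hostname} substitution.",`; for the second, placing the commented options above `"mua"` so that every commented line ends with a comma and the live lines come last lets a user enable any subset by removing `//` alone. The `{hostname}` placeholders in `subject` and `header` imply format-string substitution, so a comment listing which names are substituted would help.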
@@ -114,6 +124,33 @@
 }
 ]
 },
+ {
+ "id": "check-dnssec",
+ "type": "backup",
+ "backend": "null",
+ "objects": [
+ {
+ "path": "example.com", // Placeholder
+ "pipeline": [
+ /*
+ * Check if dig can query the record with the DNSSEC
+ * validation flag. Empty stdout with zero return code
+ * means SERVFAIL.
+ */
+ {
+ "type": "exec-append",
+ "exec-id": "dig-dnssec",
+ "argv": [ "ANY", "example.com" ]
+ },
+ /*
+ * Trap for empty dig output grep will return non-zero if
+ * dig have not produced any output
+ */
+ { "type": "exec", "exec-id": "grep-any" }
+ ]
+ }
+ ]
+ },
 {
 "id": "default",
 "type": "routine",
--
cgit v1.2.3-70-g09d2
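Review bot: The check queries type `ANY` (`"argv": [ "ANY", "example.com" ]`), which RFC 8482 lets servers answer with a minimal synthesized record and which some resolvers refuse, so the `+short` output may be non-empty on a broken zone or empty on a healthy one; querying the apex `SOA` instead (`"argv": [ "SOA", "example.com" ]`) exercises a record every zone must have, and then `+notcp` in the `dig-dnssec` exec is no longer needed. The comment above the exec-append step also overstates what dig verifies: `+dnssec` only sets the DO bit and asks for RRSIGs, validation is done by the configured recursive resolver, so the task detects a bogus zone only when the system resolver validates — worth a line such as `// Requires a validating recursive resolver; dig itself does not validate signatures`. Empty stdout is also what NXDOMAIN or a name without that record type produces, so a failure here means "no validated answer" rather than specifically SERVFAIL. The `tasks` array this object belongs to starts outside the hunk.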