[#3] [#4] install wip

Makefile

@@ -2,9 +2,8 @@
 
 # Put overrides in "Makefile.local"
 
-PREFIX ?=	/usr/local
 GH_PROJECT ?=	dithematic
-#MAN =		man/${SCRIPT}.8
+PREFIX ?=	/usr/local
 MANDIR ?=	${PREFIX}/man/man
 BINDIR ?=	${PREFIX}/bin
 BASESYSCONFDIR ?=	/etc
@@ -16,22 +15,19 @@ EXAMPLESDIR ?=	${PREFIX}/share/examples/${GH_PROJECT}
 
 EGRESS =	vio0
 
-MASTER =	yes
 DOMAIN_NAME =	example.com
 
+MASTER =	yes
 MASTER_HOST =	dot
-MASTER_IPv4 =	203.0.113.3
-MASTER_IPv6 =	2001:0db8::3
 
-SLAVE_HOST =	dig
-SLAVE_IPv4 =	203.0.113.4
-SLAVE_IPv6 =	2001:0db8::4
+IPv4 =		203.0.113.3
+IPv6 =		2001:0db8::3
 
 UPGRADE =	yes
 
 DITHEMATIC =	${SCRIPT} ${SYSCONF} ${PFCONF} ${AUTHPFCONF} ${MAILCONF} \
-		${PDNSCONF} ${SSHCONF} ${MTREECONF} ${NSDCONF} ${FREECONF} \
-		${UNBOUNDCONF} ${CRONALLOW} ${CRONTAB} ${DOC}
+		${PDNSCONF} ${SSHCONF} ${MTREECONF} ${NSDCONF} ${UNBOUNDCONF} \
+		${CRONALLOW} ${CRONTAB} ${DOC} ${EXAMPLES}
 
 # Dithematic
 
@@ -76,49 +72,48 @@ SSHCONF =	${BASESYSCONFDIR:S|^/||}/ssh/sshd_banner \
 
 MTREECONF =	${BASESYSCONFDIR:S|^/||}/mtree/special.local
 
-NSDCONF =	${VARBASE:S|^/||}/nsd/etc/nsd.conf \
-		${VARBASE:S|^/||}/nsd/etc/nsd.conf.master.PowerDNS \
-		${VARBASE:S|^/||}/nsd/etc/nsd.conf.master.${DOMAIN_NAME} \
-		${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.PowerDNS \
-		${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.${DOMAIN_NAME} \
-		${VARBASE:S|^/||}/nsd/etc/nsd.conf.zone.${DOMAIN_NAME}
-
-FREECONF =	${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.1984.is \
-		${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.FreeDNS.afraid.org \
-		${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.GratisDNS.com \
-		${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.HE.net \
-		${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.PowerDNS \
-		${VARBASE:S|^/||}/nsd/etc/nsd.conf.slave.Puck.nether.net
+NSDCONF =	${VARBASE:S|^/||}/nsd/etc/nsd.conf
 
 UNBOUNDCONF =	${VARBASE:S|^/||}/unbound/etc/unbound.conf
 
 CRONALLOW =	${VARBASE:S|^/||}/cron/cron.allow
 CRONTAB =	${VARBASE:S|^/||}/cron/tabs/root
 
-DOC =		${DOCDIR:S|^/||}/validate.tsig
-EXAMPLES =	${VARBASE:S|^/||}/nsd/etc/*.example.com \
-		${EXAMPLESDIR:S|^/||}/*example.com.zone
-
-HOSTNAME !!=	hostname
-WRKSRC ?=	${HOSTNAME:S|^|${.CURDIR}/|}
-RELEASE !!=	uname -r
+DOC =		${DOCDIR:S|^/||}/validate.tsig \
+		${DOCDIR:S|^/||}/nsd.conf.master.PowerDNS \
+		${DOCDIR:S|^/||}/nsd.conf.slave.PowerDNS \
+		${DOCDIR:S|^/||}/nsd.conf.slave.1984.is \
+		${DOCDIR:S|^/||}/nsd.conf.slave.FreeDNS.afraid.org \
+		${DOCDIR:S|^/||}/nsd.conf.slave.GratisDNS.com \
+		${DOCDIR:S|^/||}/nsd.conf.slave.HE.net \
+		${DOCDIR:S|^/||}/nsd.conf.slave.Puck.nether.net
+
+EXAMPLES =	${EXAMPLESDIR:S|^/||}/ddns.example.com.zone \
+		${EXAMPLESDIR:S|^/||}/example.com.zone \
+		${EXAMPLESDIR:S|^/||}/nsd.conf.master.example.com \
+		${EXAMPLESDIR:S|^/||}/nsd.conf.slave.example.com \
+		${EXAMPLESDIR:S|^/||}/nsd.conf.zone.example.com
 
 PKG =		powerdns \
 		ldns-utils \
 		drill
 
+HOSTNAME !!=	hostname -s
+WRKSRC ?=	${HOSTNAME:S|^|${.CURDIR}/|}
+RELEASE !!=	uname -r
+
 #-8<-----------	[ cut here ] --------------------------------------------------^
 
 .if exists(Makefile.local)
 . include "Makefile.local"
 .endif
 
-# Specifications (target rules)
-
 .if ${MASTER} == "yes"
 SYSCONF +=	${BASESYSCONFDIR:S|^/||}/weekly.local
 .endif
 
+# Specifications (target rules)
+
 .if defined(UPGRADE) && ${UPGRADE} == "yes"
 upgrade: config .WAIT ${DITHEMATIC}
 	@echo Upgrade
@@ -130,44 +125,42 @@ upgrade: config
 config:
 	mkdir -m750 ${WRKSRC}
 	(umask 077; cp -R ${.CURDIR}/src/* ${WRKSRC})
-	find ${WRKSRC} -type f -exec sed -i \
-		-e 's|vio0|${EGRESS}|g' \
-		-e 's|example.com|${DOMAIN_NAME}|g' \
-		-e 's|dot|${MASTER_HOST}|g' \
-		-e 's|203.0.113.3|${MASTER_IPv4}|g' \
-		-e 's|2001:0db8::3|${MASTER_IPv6}|g' \
-		-e 's|dig|${SLAVE_HOST}|g' \
-		-e 's|203.0.113.4|${SLAVE_IPv4}|g' \
-		-e 's|2001:0db8::4|${SLAVE_IPv6}|g' \
-		{} +
-.if ${MASTER} != "yes"
 	sed -i \
-		-e 's|^master=yes|#master=yes|' \
-		-e 's|^#slave=yes|slave=yes|' \
-		${WRKSRC}/${PDNSCONF:M*pdns.conf}
+		's|vio0|${EGRESS}|' \
+		${WRKSRC}/${PFCONF:M*pf.conf}
 	sed -i \
-		-e 's|${SLAVE_HOST}|${MASTER_HOST}|g' \
-		${WRKSRC}/${SCRIPT:M*tsig-share}
+		's|example.com|${DOMAIN_NAME}|' \
+		${SYSCONF:M*doas.conf:S|^|${WRKSRC}/|} \
+		${PFCONF:M*pf.conf.table.dns:S|^|${WRKSRC}/|} \
+		${AUTHPFCONF:M*authpf.problem:S|^|${WRKSRC}/|} \
+		${MAILCONF:M*smtpd.conf:S|^|${WRKSRC}/|} \
+		${PDNSCONF:M*pdns.conf:S|^|${WRKSRC}/|} \
+		${SSHCONF:M*sshd_config:S|^|${WRKSRC}/|} \
+		${MTREECONF:M*special.local:S|^|${WRKSRC}/|} \
+		${NSDCONF:M*nsd.conf:S|^|${WRKSRC}/|} \
+		${DOC:M*nsd.conf.*.PowerDNS:S|^|${WRKSRC}/|}
 	sed -i \
-		-e 's|${MASTER_IPv4}|${SLAVE_IPv4}|g' \
-		-e 's|${MASTER_IPv6}|${SLAVE_IPv6}|g' \
-		${WRKSRC}/${NSDCONF:M*nsd.conf}
+		's|dot|${MASTER_HOST}|' \
+		${PDNSCONF:M*pdns.conf:S|^|${WRKSRC}/|}
 	sed -i \
-		-e '/slave\.PowerDNS/s|^#||' \
-		-e '/master\.${DOMAIN_NAME}/s|^#||' \
-		-e '/master\.PowerDNS/s|^|#|' \
-		-e '/slave\.${DOMAIN_NAME}/s|^|#|' \
-		${WRKSRC}${VARBASE}/nsd/etc/nsd.conf.zone.example.com \
-		${WRKSRC}${VARBASE}/nsd/etc/nsd.conf.zone.ddns.example.com
-	@echo Super-Slave
-.else
+		-e 's|203.0.113.3|${IPv4}|' \
+		-e 's|2001:0db8::3|${IPv6}|' \
+		${NSDCONF:M*nsd.conf:S|^|${WRKSRC}/|}
+	sed -i \
+		's|dot|${HOSTNAME}|' \
+		${MAILCONF:M*smtpd.conf:S|^|${WRKSRC}/|} \
+		${MTREECONF:M*special.local:S|^|${WRKSRC}/|}
+.if ${MASTER} == "yes"
+	sed -i \
+		's|example.com|${DOMAIN_NAME}|' \
+		${SYSCONF:M*weekly.local:S|^|${WRKSRC}/|}
 	@echo Super-Master
-.endif
-.if ${DOMAIN_NAME} != "example.com"
-. for _NSDCONF in ${NSDCONF:N*nsd.conf:N*.PowerDNS}
-	cp -p ${_NSDCONF:S|${DOMAIN_NAME}|example.com|:S|^|${WRKSRC}/|} \
-		${_NSDCONF:S|^|${WRKSRC}/|}
-. endfor
+.else
+	sed -i \
+		-e 's|^master=yes|#master=yes|' \
+		-e 's|^#slave=yes|slave=yes|' \
+		${PDNSCONF:M*pdns.conf:S|^|${WRKSRC}/|}
+	@echo Super-Slave
 .endif
 	@echo Configured
 
@@ -199,8 +192,6 @@ beforeinstall: upgrade
 realinstall:
 	${INSTALL} -d -m ${DIRMODE} ${DOCDIR}
 	${INSTALL} -d -m ${DIRMODE} ${EXAMPLESDIR}
-	${INSTALL} -S -o ${DOCOWN} -g ${DOCGRP} -m ${DOCMODE} \
-		${EXAMPLES:S|^|${.CURDIR}/src/|} ${EXAMPLESDIR}
 .for _DITHEMATIC in ${DITHEMATIC:N*cron/tabs*}
 	${INSTALL} -S -o ${LOCALEOWN} -g ${LOCALEGRP} -m 440 \
 		${_DITHEMATIC:S|^|${WRKSRC}/|} \
@@ -219,6 +210,9 @@ afterinstall:
 	[[ -r ${VARBASE}/pdns/pdns.sqlite ]] \
 		|| sqlite3 ${VARBASE}/pdns/pdns.sqlite \
 			-init ${PREFIX}/share/doc/pdns/schema.sqlite3.sql ".exit"
+	[[ -r ${VARBASE}/pdns/pdnssec.sqlite ]] \
+		|| sqlite3 ${VARBASE}/pdns/pdnssec.sqlite \
+			-init ${PREFIX}/share/doc/pdns/dnssec-3.x_to_3.4.0_schema.sqlite3.sql ".exit"
 	group info -e tsig || user info -e tsig \
 		|| { user add -u 25353 -g =uid -c "TSIG Wizard" -s /bin/ksh -m tsig; \
 			mkdir -m700 /home/tsig/.key; chown tsig:tsig /home/tsig/.key; }

README.md

@@ -25,16 +25,13 @@ Grab a copy of this repository, and put overrides in "[Makefile](Makefile).local
 
 EGRESS =	vio0
 
-MASTER =	yes
 DOMAIN_NAME =	example.com
 
+MASTER =	yes
 MASTER_HOST =	dot
-MASTER_IPv4 =	203.0.113.3
-MASTER_IPv6 =	2001:0db8::3
 
-SLAVE_HOST =	dig
-SLAVE_IPv4 =	203.0.113.4
-SLAVE_IPv6 =	2001:0db8::4
+IPv4 =		203.0.113.3
+IPv6 =		2001:0db8::3
 
 UPGRADE =	yes
 ```
@@ -51,41 +48,71 @@ Install
 make install
 ```
 
+Edit [`zoneadd`](src/usr/local/bin/zoneadd) to match (or use `env`)
+```console
+# Dithematic IP
+MASTER_IP="${MASTER_IP:-\
+ 203.0.113.3 \
+ 2001:0db8::3 \
+ }"
+SLAVE_IP="${SLAVE_IP:-\
+ 203.0.113.4 \
+ 2001:0db8::4 \
+ }" # empty to disable
+
+# Vendor
+FREE_SLAVE="${FREE_SLAVE:-\
+ 1984.is \
+ FreeDNS.afraid.org \
+ GratisDNS.com \
+ HE.net \
+ Puck.nether.net \
+ }" # empty to disable
+```
+
 *n.b.* rename and place [zone templates](https://github.com/vedetta-com/dithematic/tree/master/src/usr/local/share/examples/dithematic) in `/var/nsd/zones/master` (or start with a blank slate.)
 
 Install DNS zone(s), e.g. on master: `example.com` and `ddns.example.com`
-```console
-env ROLE=master DDNS=false zoneadd example.com
-env ROLE=master DDNS=true zoneadd ddns.example.com
+```sh
+env zoneadd example.com
+env DDNS=true zoneadd ddns.example.com
 ```
 
 *n.b.* place existing TSIG key as `tsig.example.com`, CSK (or ZSK) as `example.com.CSK` in `/etc/ssl/dns/private` (or let [`zoneadd`](src/usr/local/bin/zoneadd) generate new keys.)
 
 Setup the [TSIG](https://tools.ietf.org/html/rfc2845) user on all dithematic nameservers, i.e. `tsig`
-```console
+```sh
 su - tsig
 ssh-keygen -t ed25519 -C tsig@example.com
 exit
 ```
 
 Share TSIG user's public key with all dithematic slave nameservers, and update "known_hosts"
-```console
+```sh
 ssh -4 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit"
 ssh -6 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit"
 ```
 
-Share master TSIG secret with nameservers, e.g.: `dig.example.com`
+Edit [`tsig-share`](src/usr/local/bin/tsig-share) on master to add slave nameserver names
 ```console
+NS="${NS:-dig.example.com}" # (space-separated) domain name(s), or IP(s)
+```
+
+Share master TSIG secret with slave nameservers, e.g.: `dig.example.com`
+```sh
 env NS="dig.example.com" tsig-share tsig.example.com
 ```
 
 [DNS UPDATE](https://tools.ietf.org/html/rfc2136) allowed IPs are managed with authpf(8) i.e. user "puffy" first needs to SSH login on the master name server host to authenticate the IP from which they will next update ddns.example.com zone using e.g. nsupdate (`pkg_add ics-bind`) or dnspython (`pkg_add py-dnspython`) on their device (skip if not using dynamic DNS)
-```console
+```sh
 user add -L authpf -G authdns -c "DDNS user" -s /sbin/nologin -m puffy
 ```
 
+Edit ["smtpd.conf"](src/etc/mail/smtpd.conf) and "secrets"
+Edit pf table ["msa"](src/etc/pf.conf.table.msa) to add Message Submission Agent IP(s)
+
 Enjoy:
-```console
+```sh
 rcctl enable nsd pdns_server
 rcctl restart nsd pdns_server
 ```

src/etc/dhclient.conf

@@ -4,11 +4,9 @@
 #
 # See dhclient.conf(5) for possible contents of this file.
 
-interface "vio0"
- {
-  # rebound for unbound
-  ignore domain-name;
-  ignore domain-name-servers;
-  # A ServerID is required by RFC2131
-  require dhcp-server-identifier;
- }
+# rebound for unbound
+ignore domain-name;
+ignore domain-name-servers;
+# A ServerID is required by RFC2131
+require dhcp-server-identifier;
+

src/etc/mail/smtpd.conf

@@ -10,7 +10,7 @@ listen on socket
 
 action "local" mbox alias <aliases>
 action "relay" \
-	relay host smtp+tls://dot@mercury.example.com:587 tls auth <secrets>
+	relay host smtps://dot@mercury.example.com:465 auth <secrets>
 
 match for local action "local"
 match from local for domain "example.com" action "relay"

src/etc/mtree/special.local

@@ -117,6 +117,7 @@ doc		type=dir mode=0755
 
 # ./usr/local/share/doc/dithematic
 dithematic	type=dir mode=0755
+    nsd.conf.*	mode=0644
     validate.tsig \
 		mode=0644
 # ./usr/local/share/doc/dithematic
@@ -125,6 +126,22 @@ dithematic	type=dir mode=0755
 # ./usr/local/share/doc
 ..
 
+
+# ./usr/local/share/examples
+examples	type=dir mode=0755
+
+# ./usr/local/share/examples/dithematic
+dithematic	type=dir mode=0755
+    *example.com.zone \
+		mode=0644
+    nsd.conf.*.example.com \
+		mode=0644
+# ./usr/local/share/examples/dithematic
+..
+
+# ./usr/local/share/examples
+..
+
 # ./usr/local/share
 ..
 

src/etc/pdns/pdns.conf

@@ -20,6 +20,7 @@ setuid=_powerdns
 # SQLite 3
 launch=gsqlite3
 gsqlite3-database=/var/pdns/pdns.sqlite
+gsqlite3-dnssec=/var/pdns/pdnssec.sqlite
 
 # BIND zone files
 #launch=bind

src/etc/pf.conf

@@ -102,7 +102,7 @@ anchor "external" on egress {
 
   # MSA
   pass log proto tcp \
-    to <msa> port submission \
+    to <msa> port { smtps submission } \
     user _smtpd \
     tag SELF_INET
  }