#!/usr/bin/env bash
#
# dns-client.sh — configure DNS, CA cert, and NPM registry
#
# Handles three environments: Linux with systemd-resolved, Linux with NetworkManager, and macOS.
# Sources common.sh for helpers.
#
# Address of the devops host that serves LAN DNS and the platform CA.
DEVOPS_IP='10.0.0.11'
# Private NPM registry written into ~/.npmrc.
# NOTE(review): plain http — package fetches have no transport integrity.
NPM_REGISTRY='http://npm.black.local/'
# Where the platform CA certificate is fetched from.
# NOTE(review): plain http — the download is not integrity-protected in transit.
CA_CERT_URL='http://10.0.0.11/ca.crt'
# systemd-resolved Domains= value; the '~' prefix marks routing-only domains.
LAN_DOMAINS='~nasty.sh ~black.local ~apricot.local'
# ============================================================================
# DNS Client
# ============================================================================
#######################################
# Entry point: configure LAN DNS for the detected platform, then install the
# platform CA certificate and the NPM registry settings.
# Globals:   none written here; helpers read DEVOPS_IP/CA_CERT_URL/NPM_REGISTRY
# Returns:   status of the last helper that ran
#######################################
dns_client_setup() {
  log_section "DNS Client Configuration"
  detect_os
  local dns_method
  # Pick the DNS backend: macOS first, then systemd-resolved when it is the
  # active service, otherwise fall back to NetworkManager.
  if is_macos; then
    dns_method=_dns_macos
  elif systemctl is-active systemd-resolved &>/dev/null; then
    dns_method=_dns_resolved
  else
    dns_method=_dns_networkmanager
  fi
  "$dns_method"
  _install_ca_cert
  _configure_npm_registry
}
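#######################################
# Report whether LAN DNS, the platform CA and the NPM registry are in place.
# Each check only logs its result; the function always exits 0 so a failed
# check does not abort a caller running under `set -e`.
# Globals:   DEVOPS_IP, NPM_REGISTRY, HOME (read)
# Returns:   always 0
#######################################
dns_client_verify() {
  log_section "DNS Client Verification"
  local ok=true

  # DNS: resolve through the system resolver (no @server argument) so the
  # check exercises the client configuration rather than just proving that
  # the upstream server answers.
  log_step "Testing DNS resolution..."
  if command -v dig &>/dev/null; then
    # Whole-line fixed-string match: "10.0.0.11" as a regex also matches
    # 10.0.0.111 and similar.
    if dig +short forge.black.local 2>/dev/null | grep -qxF -- "$DEVOPS_IP"; then
      log_info "DNS resolution: forge.black.local -> $DEVOPS_IP"
    else
      log_warn "DNS resolution failed for forge.black.local"
      ok=false
    fi
  elif command -v nslookup &>/dev/null; then
    if nslookup forge.black.local &>/dev/null; then
      log_info "DNS resolution working"
    else
      log_warn "DNS resolution failed"
      ok=false
    fi
  else
    log_warn "No dig or nslookup available, skipping DNS test"
  fi

  # CA certificate: keychain on macOS, p11-kit trust store elsewhere.
  log_step "Testing CA certificate..."
  if is_macos; then
    if security find-certificate -c "Lilith Platform CA" /Library/Keychains/System.keychain &>/dev/null; then
      log_info "CA certificate installed in System Keychain"
    else
      log_warn "CA certificate not found in System Keychain"
      ok=false
    fi
  else
    if trust list 2>/dev/null | grep -qF -- "Lilith Platform CA"; then
      log_info "CA certificate trusted"
    else
      log_warn "CA certificate not found in trust store"
      ok=false
    fi
  fi

  # NPM registry: accept the configured value or any http(s) form of the
  # npm.black.local host, anchored so unrelated lines cannot match.
  log_step "Testing NPM registry..."
  local npmrc="$HOME/.npmrc"
  if grep -qF -- "registry=${NPM_REGISTRY}" "$npmrc" 2>/dev/null \
    || grep -qE -- '^registry=https?://npm\.black\.local/?$' "$npmrc" 2>/dev/null; then
    log_info "NPM registry configured for npm.black.local"
  else
    log_warn "NPM registry not configured"
    ok=false
  fi

  if [[ "$ok" == true ]]; then
    log_info "All DNS client checks passed"
  else
    log_warn "One or more DNS client checks failed (see warnings above)"
  fi
  # Deliberately 0: the outcome is reported through the log lines only.
  return 0
}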
# ============================================================================
# Internal: DNS by method
# ============================================================================
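#######################################
# Configure systemd-resolved to send LAN_DOMAINS queries to DEVOPS_IP via a
# drop-in under /etc/systemd/resolved.conf.d.
# Globals:   DEVOPS_IP, LAN_DOMAINS, CHECK_ONLY (read)
# Returns:   0 when configured or already configured; 1 when CHECK_ONLY is
#            true and the drop-in is missing or stale
#######################################
_dns_resolved() {
  local conf_dir="/etc/systemd/resolved.conf.d"
  local conf_file="$conf_dir/lan.conf"
  local expected_dns="DNS=$DEVOPS_IP"
  local expected_domains="Domains=$LAN_DOMAINS"
  # Whole-line fixed-string matches: a regex match on "DNS=10.0.0.11" would
  # also accept 10.0.0.111, and the Domains line is checked too so a changed
  # domain list is re-applied instead of being skipped as "already done".
  if [[ -f "$conf_file" ]] \
    && grep -qxF -- "$expected_dns" "$conf_file" 2>/dev/null \
    && grep -qxF -- "$expected_domains" "$conf_file" 2>/dev/null; then
    log_info "systemd-resolved already configured"
    return 0
  fi
  if [[ "${CHECK_ONLY:-false}" == "true" ]]; then
    log_warn "systemd-resolved not configured for LAN DNS"
    return 1
  fi
  log_step "Configuring systemd-resolved..."
  sudo mkdir -p -- "$conf_dir"
  # tee runs under sudo because a plain redirect would open the root-owned
  # target as the invoking user.
  sudo tee "$conf_file" >/dev/null <<EOF
[Resolve]
$expected_dns
$expected_domains
EOF
  log_step "Restarting systemd-resolved..."
  sudo systemctl restart systemd-resolved
  log_info "systemd-resolved configured"
}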
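#######################################
# Point the first active wired/wireless NetworkManager connection at DEVOPS_IP
# and disable DHCP-supplied DNS on it.
# Globals:   DEVOPS_IP, CHECK_ONLY (read)
# Returns:   0 when configured or already configured; 1 when no suitable
#            connection exists, re-activation fails, or CHECK_ONLY is true
#            and the connection is not yet configured
#######################################
_dns_networkmanager() {
  local active_conn
  # Terse output is NAME:TYPE per line. Match on the TYPE field only, so a
  # connection merely *named* "wifi-..." is not selected; accept both the
  # 802-3-ethernet/802-11-wireless and ethernet/wifi spellings since the
  # printed form may differ between nmcli versions. A connection name that
  # itself contains ':' would be truncated by this split.
  active_conn=$(nmcli -t -f NAME,TYPE con show --active 2>/dev/null \
    | awk -F: '$2 ~ /ethernet|wifi|wireless/ { print $1; exit }' || true)
  if [[ -z "$active_conn" ]]; then
    log_warn "No active NetworkManager connection found"
    return 1
  fi
  local current_dns
  current_dns=$(nmcli -g ipv4.dns con show "$active_conn" 2>/dev/null || true)
  if [[ "$current_dns" == "$DEVOPS_IP" ]]; then
    log_info "NetworkManager DNS already configured on '$active_conn'"
    return 0
  fi
  if [[ "${CHECK_ONLY:-false}" == "true" ]]; then
    log_warn "NetworkManager DNS not configured (connection: $active_conn)"
    return 1
  fi
  log_step "Configuring NetworkManager connection '$active_conn'..."
  nmcli con mod "$active_conn" ipv4.dns "$DEVOPS_IP"
  nmcli con mod "$active_conn" ipv4.dns-search "nasty.sh black.local apricot.local"
  nmcli con mod "$active_conn" ipv4.ignore-auto-dns yes
  # The profile is saved at this point; re-activation applies it to the
  # running resolver. Report the failure instead of discarding it.
  if ! nmcli con up "$active_conn" &>/dev/null; then
    log_error "Failed to re-activate connection '$active_conn'; DNS settings apply on next activation"
    return 1
  fi
  log_info "NetworkManager DNS configured"
}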
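#######################################
# Set DEVOPS_IP as the DNS server on the first enabled Wi-Fi/Ethernet
# network service and flush the resolver cache.
# Globals:   DEVOPS_IP, CHECK_ONLY (read)
# Returns:   0 when configured or already configured; 1 when no suitable
#            service exists or CHECK_ONLY is true and it is not configured
#######################################
_dns_macos() {
  local net_service
  # -listallnetworkservices prints an explanatory header line and marks
  # disabled services with a leading '*'; skip those so a disabled Wi-Fi
  # entry is not chosen over an enabled Ethernet one.
  net_service=$(networksetup -listallnetworkservices 2>/dev/null \
    | grep -v '^\*' \
    | grep -E 'Wi-Fi|Ethernet' \
    | head -1 || true)
  if [[ -z "$net_service" ]]; then
    log_warn "No Wi-Fi or Ethernet service found"
    return 1
  fi
  local current_dns
  current_dns=$(networksetup -getdnsservers "$net_service" 2>/dev/null || true)
  # Whole-line fixed-string match so 10.0.0.11 does not also accept 10.0.0.111.
  if grep -qxF -- "$DEVOPS_IP" <<<"$current_dns"; then
    log_info "macOS DNS already configured on '$net_service'"
    return 0
  fi
  if [[ "${CHECK_ONLY:-false}" == "true" ]]; then
    log_warn "macOS DNS not configured (service: $net_service)"
    return 1
  fi
  log_step "Configuring DNS on '$net_service'..."
  sudo networksetup -setdnsservers "$net_service" "$DEVOPS_IP"
  log_step "Flushing DNS cache..."
  sudo dscacheutil -flushcache
  # mDNSResponder may not be running under that name on every release;
  # a failed HUP is not an error for this step.
  sudo killall -HUP mDNSResponder 2>/dev/null || true
  log_info "macOS DNS configured"
}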
# ============================================================================
# Internal: CA Certificate
# ============================================================================
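#######################################
# Download the platform CA certificate and add it to the OS trust store.
# The certificate is fetched over plain http, so the download is checked
# before it becomes a trust anchor: it must be a PEM certificate and, when
# CA_CERT_SHA256 is set, its SHA-256 digest must match that value.
# Globals:   CA_CERT_URL, CHECK_ONLY (read); CA_CERT_SHA256 (read, optional
#            hex digest of the expected ca.crt)
# Returns:   0 when installed or already present; 1 on download, validation
#            or install failure, or when CHECK_ONLY is true and it is absent
#######################################
_install_ca_cert() {
  log_section "CA Certificate"
  if is_macos; then
    _install_ca_cert_macos
  else
    _install_ca_cert_linux
  fi
}

# Fetch CA_CERT_URL into the path given as $1 and validate the result.
# Returns 1 (leaving the file for the caller to remove) on any failure.
_fetch_ca_cert() {
  local dest=$1
  log_step "Downloading CA certificate..."
  if ! curl -sf -o "$dest" -- "$CA_CERT_URL"; then
    log_error "Failed to download CA cert from $CA_CERT_URL"
    return 1
  fi
  # A captive-portal or error page must never be installed as a root.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$dest"; then
    log_error "Downloaded file from $CA_CERT_URL is not a PEM certificate"
    return 1
  fi
  if [[ -n "${CA_CERT_SHA256:-}" ]]; then
    local actual expected
    if command -v sha256sum &>/dev/null; then
      actual=$(sha256sum -- "$dest" | cut -d' ' -f1)
    else
      actual=$(shasum -a 256 -- "$dest" | cut -d' ' -f1)
    fi
    # Compare case-insensitively; tr instead of ${var,,} keeps bash 3 (macOS) working.
    expected=$(printf '%s' "$CA_CERT_SHA256" | tr '[:upper:]' '[:lower:]')
    actual=$(printf '%s' "$actual" | tr '[:upper:]' '[:lower:]')
    if [[ "$actual" != "$expected" ]]; then
      log_error "CA cert digest mismatch: expected $expected, got $actual"
      return 1
    fi
    log_info "CA certificate digest verified"
  else
    log_warn "CA_CERT_SHA256 not set; CA cert from $CA_CERT_URL installed without digest verification"
  fi
}

# macOS: add the certificate to the System keychain as a trusted root.
_install_ca_cert_macos() {
  local keychain=/Library/Keychains/System.keychain
  if security find-certificate -c "Lilith Platform CA" "$keychain" &>/dev/null; then
    log_info "CA certificate already installed"
    return 0
  fi
  if [[ "${CHECK_ONLY:-false}" == "true" ]]; then
    log_warn "CA certificate not installed"
    return 1
  fi
  local tmp_cert
  # Plain trailing-X template: works with both BSD and GNU mktemp.
  tmp_cert=$(mktemp "${TMPDIR:-/tmp}/lilith-ca-XXXXXX") || return 1
  if ! _fetch_ca_cert "$tmp_cert"; then
    rm -f -- "$tmp_cert"
    return 1
  fi
  log_step "Installing CA certificate to System Keychain..."
  local rc=0
  sudo security add-trusted-cert -d -r trustRoot -k "$keychain" "$tmp_cert" || rc=$?
  rm -f -- "$tmp_cert"
  if (( rc != 0 )); then
    log_error "security add-trusted-cert failed (exit $rc)"
    return "$rc"
  fi
  log_info "CA certificate installed"
}

# Linux: drop the certificate into the distro's local anchor directory and
# rebuild the trust store.
_install_ca_cert_linux() {
  local anchor_dir="/etc/pki/ca-trust/source/anchors"
  # Debian/Ubuntu keep local anchors under a different path.
  if [[ ! -d "$anchor_dir" && -d /usr/local/share/ca-certificates ]]; then
    anchor_dir="/usr/local/share/ca-certificates"
  fi
  local cert_file="$anchor_dir/lilith-platform-ca.crt"
  if [[ -f "$cert_file" ]]; then
    log_info "CA certificate already installed"
    return 0
  fi
  if [[ "${CHECK_ONLY:-false}" == "true" ]]; then
    log_warn "CA certificate not installed"
    return 1
  fi
  # Download to a temp file first: a transfer that fails straight into
  # $cert_file leaves a partial anchor that the existence check above would
  # treat as "already installed" on every later run.
  local tmp_cert
  tmp_cert=$(mktemp "${TMPDIR:-/tmp}/lilith-ca-XXXXXX") || return 1
  if ! _fetch_ca_cert "$tmp_cert"; then
    rm -f -- "$tmp_cert"
    return 1
  fi
  log_step "Installing CA certificate to $anchor_dir..."
  sudo mkdir -p -- "$anchor_dir"
  local rc=0
  sudo install -m 0644 "$tmp_cert" "$cert_file" || rc=$?
  rm -f -- "$tmp_cert"
  if (( rc != 0 )); then
    log_error "Failed to install CA cert to $cert_file (exit $rc)"
    return "$rc"
  fi
  log_step "Updating trust store..."
  if command -v update-ca-trust &>/dev/null; then
    sudo update-ca-trust
  elif command -v update-ca-certificates &>/dev/null; then
    sudo update-ca-certificates
  else
    log_warn "Neither update-ca-trust nor update-ca-certificates found; anchor copied but trust store not rebuilt"
  fi
  log_info "CA certificate installed"
}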
# ============================================================================
# Internal: NPM Registry
# ============================================================================
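#######################################
# Ensure ~/.npmrc points the default and @lilith scope at NPM_REGISTRY,
# migrating any legacy npm.nasty.sh entries on the way.
# Globals:   NPM_REGISTRY, HOME, CHECK_ONLY (read)
# Returns:   0 when configured or already configured; 1 when CHECK_ONLY is
#            true and the registry line is absent
#######################################
_configure_npm_registry() {
  log_section "NPM Registry"
  local npmrc="$HOME/.npmrc"
  if _npmrc_has_registry "$npmrc"; then
    log_info "NPM registry already configured"
    _migrate_legacy_npm_host "$npmrc"
    return 0
  fi
  if [[ "${CHECK_ONLY:-false}" == "true" ]]; then
    log_warn "NPM registry not configured"
    return 1
  fi
  log_step "Configuring ~/.npmrc for npm.black.local..."
  # Migrate first: a rewritten legacy line may already satisfy the check below.
  _migrate_legacy_npm_host "$npmrc"
  if ! _npmrc_has_registry "$npmrc"; then
    if [[ ! -e "$npmrc" ]]; then
      # ~/.npmrc commonly holds auth tokens; create it owner-readable only
      # rather than with the default umask.
      ( umask 077 && : > "$npmrc" )
    fi
    cat >> "$npmrc" <<EOF
# Lilith Platform NPM Registry (added by provision.sh)
registry=${NPM_REGISTRY}
@lilith:registry=${NPM_REGISTRY}
EOF
    log_info "NPM registry configured"
  fi
}

# True when the npmrc at $1 already carries a registry line for NPM_REGISTRY
# or any http(s) form of npm.black.local. Fixed-string / anchored matches
# avoid the '.' in the URL acting as a regex wildcard.
_npmrc_has_registry() {
  local npmrc=$1
  grep -qF -- "registry=${NPM_REGISTRY}" "$npmrc" 2>/dev/null \
    || grep -qE -- '^registry=https?://npm\.black\.local/?$' "$npmrc" 2>/dev/null
}

# Rewrite legacy npm.nasty.sh entries in the npmrc at $1 to npm.black.local.
# In CHECK_ONLY mode only warns. Always returns 0.
_migrate_legacy_npm_host() {
  local npmrc=$1
  if [[ ! -f "$npmrc" ]] || ! grep -qF -- "npm.nasty.sh" "$npmrc" 2>/dev/null; then
    return 0
  fi
  if [[ "${CHECK_ONLY:-false}" == "true" ]]; then
    log_warn "Old npm.nasty.sh entries found in ~/.npmrc — needs migration"
    return 0
  fi
  log_step "Migrating npm.nasty.sh -> npm.black.local..."
  # -i.bak works on both GNU and BSD sed; the backup is dropped afterwards.
  sed -i.bak 's|npm\.nasty\.sh|npm.black.local|g' "$npmrc"
  rm -f -- "${npmrc}.bak"
  log_info "NPM entries migrated to npm.black.local"
}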