fix: use configured domain in CoreDNS Corefile generation
Two bugs caused DNS to fail when the domain name changes: 1. generate_corefile() hardcoded 'cell' as the zone name instead of using the configured domain — on startup it would silently reset any domain change back to 'cell' 2. apply_domain() regex replaced ALL non-dot zones (including local.cell) with the new domain → duplicate zone blocks → CoreDNS crash Fix: add a domain parameter to generate_corefile/apply_all_dns_rules, add _configured_domain() helper in app.py, and delegate Corefile updates in apply_domain() to generate_corefile() so the logic is in one place. Also parameterise SERVICE_HOSTS ACL entries via the domain argument. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
+21
-21
@@ -212,30 +212,27 @@ def apply_all_peer_rules(peers: List[Dict[str, Any]]) -> None:
|
||||
# DNS ACL (CoreDNS Corefile generation)
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
# Map service name → DNS hostname in .cell zone
|
||||
SERVICE_HOSTS = {
|
||||
'calendar': 'calendar.cell.',
|
||||
'files': 'files.cell.',
|
||||
'mail': 'mail.cell.',
|
||||
'webdav': 'webdav.cell.',
|
||||
}
|
||||
# Service subdomains that get per-peer ACL rules in the CoreDNS zone block
|
||||
_ACL_SERVICES = ('calendar', 'files', 'mail', 'webdav')
|
||||
|
||||
|
||||
def _build_acl_block(blocked_peers_by_service: Dict[str, List[str]]) -> str:
|
||||
def _build_acl_block(blocked_peers_by_service: Dict[str, List[str]],
|
||||
domain: str = 'cell') -> str:
|
||||
"""
|
||||
Build CoreDNS ACL plugin stanzas.
|
||||
|
||||
blocked_peers_by_service: { 'calendar': ['10.0.0.2', '10.0.0.3'], ... }
|
||||
Returns a string to embed in the `cell { }` zone block.
|
||||
Returns a string to embed in the primary zone block.
|
||||
"""
|
||||
if not blocked_peers_by_service:
|
||||
return ''
|
||||
|
||||
lines = []
|
||||
for service, peer_ips in blocked_peers_by_service.items():
|
||||
host = SERVICE_HOSTS.get(service)
|
||||
if not host or not peer_ips:
|
||||
for service in _ACL_SERVICES:
|
||||
peer_ips = blocked_peers_by_service.get(service, [])
|
||||
if not peer_ips:
|
||||
continue
|
||||
host = f'{service}.{domain}.'
|
||||
for ip in peer_ips:
|
||||
lines.append(f' acl {host} {{')
|
||||
lines.append(f' block net {ip}/32')
|
||||
@@ -245,10 +242,12 @@ def _build_acl_block(blocked_peers_by_service: Dict[str, List[str]]) -> str:
|
||||
return '\n'.join(lines)
|
||||
|
||||
|
||||
def generate_corefile(peers: List[Dict[str, Any]], corefile_path: str = COREFILE_PATH) -> bool:
|
||||
def generate_corefile(peers: List[Dict[str, Any]], corefile_path: str = COREFILE_PATH,
|
||||
domain: str = 'cell') -> bool:
|
||||
"""
|
||||
Rewrite the CoreDNS Corefile with per-peer ACL rules and reload plugin.
|
||||
The file is written to corefile_path (API-side path mapped into CoreDNS container).
|
||||
domain: the configured cell domain (e.g. 'cell', 'dev') — must match zone file names.
|
||||
"""
|
||||
try:
|
||||
# Collect which peers block which services
|
||||
@@ -262,12 +261,12 @@ def generate_corefile(peers: List[Dict[str, Any]], corefile_path: str = COREFILE
|
||||
if service not in allowed_services:
|
||||
blocked[service].append(ip)
|
||||
|
||||
acl_block = _build_acl_block(blocked)
|
||||
acl_block = _build_acl_block(blocked, domain)
|
||||
|
||||
cell_zone_block = 'cell {\n file /data/cell.zone\n log\n'
|
||||
primary_zone_block = f'{domain} {{\n file /data/{domain}.zone\n log\n'
|
||||
if acl_block:
|
||||
cell_zone_block += acl_block + '\n'
|
||||
cell_zone_block += '}\n'
|
||||
primary_zone_block += acl_block + '\n'
|
||||
primary_zone_block += '}\n'
|
||||
|
||||
corefile = f""". {{
|
||||
forward . 8.8.8.8 1.1.1.1
|
||||
@@ -276,8 +275,8 @@ def generate_corefile(peers: List[Dict[str, Any]], corefile_path: str = COREFILE
|
||||
health
|
||||
}}
|
||||
|
||||
{cell_zone_block}
|
||||
local.cell {{
|
||||
{primary_zone_block}
|
||||
local.{domain} {{
|
||||
file /data/local.zone
|
||||
log
|
||||
}}
|
||||
@@ -307,9 +306,10 @@ def reload_coredns() -> bool:
|
||||
return False
|
||||
|
||||
|
||||
def apply_all_dns_rules(peers: List[Dict[str, Any]], corefile_path: str = COREFILE_PATH) -> bool:
|
||||
def apply_all_dns_rules(peers: List[Dict[str, Any]], corefile_path: str = COREFILE_PATH,
|
||||
domain: str = 'cell') -> bool:
|
||||
"""Regenerate Corefile and reload CoreDNS."""
|
||||
ok = generate_corefile(peers, corefile_path)
|
||||
ok = generate_corefile(peers, corefile_path, domain)
|
||||
if ok:
|
||||
reload_coredns()
|
||||
return ok
|
||||
|
||||
Reference in New Issue
Block a user