From ef2dc3745aab2d5d7adc8295314b5125ad08fd43 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 8 Jan 2019 10:39:22 +0200
Subject: [PATCH] Check DNS SRV record for _matrix-identity._tcp when mxisd enabled
---
 .../tasks/self_check/self_check_dns.yml | 40 ++++++++++---------
 .../tasks/self_check/self_check_dns_srv.yml | 26 ++++++++++++
 2 files changed, 48 insertions(+), 18 deletions(-)
 create mode 100644 roles/matrix-server/tasks/self_check/self_check_dns_srv.yml
diff --git a/roles/matrix-server/tasks/self_check/self_check_dns.yml b/roles/matrix-server/tasks/self_check/self_check_dns.yml
index e38496196..b9f1706e1 100644
--- a/roles/matrix-server/tasks/self_check/self_check_dns.yml
+++ b/roles/matrix-server/tasks/self_check/self_check_dns.yml
@@ -1,24 +1,28 @@
 ---
-# This requires the dnspython library and will fail with a friendly error when unavailable.
-- name: Check DNS SRV record
+- name: Determine DNS SRV records to check (Matrix)
 set_fact:
- result_dig_srv: "{{ lookup('dig', ('_matrix._tcp.' + hostname_identity + './SRV'), 'flat=0', wantlist=False) }}"
+ dns_srv_record_checks:
+ - service_and_protocol: "_matrix._tcp"
+ domain: "{{ (hostname_identity + '.') }}"
+ expected_target: "{{ (hostname_matrix + '.') }}"
+ expected_port: 8448
-- name: Fail if DNS SRV record missing
- fail:
- msg: "It appears the DNS SRV record for {{ hostname_identity }} is not set up correctly (the record is missing). See the 'Configuring DNS' documentation for this playbook."
- when: "result_dig_srv == 'NXDOMAIN'"
+- block:
+ - set_fact:
+ dns_srv_record_check_mxisd:
+ service_and_protocol: "_matrix-identity._tcp"
+ domain: "{{ (hostname_identity + '.') }}"
+ expected_target: "{{ (hostname_matrix + '.') }}"
+ expected_port: 443
-- name: Fail if DNS SRV record incorrect
- fail:
- msg: >
- It appears the DNS SRV record for {{ hostname_identity }} is not set up correctly.
- Expected it to point to `{{ (hostname_matrix + '.') }}` (port 8448).
- Found it pointing to `{{ result_dig_srv.target }}` (port {{ result_dig_srv.port }}).
- See the 'Configuring DNS' documentation for this playbook.
- when: "result_dig_srv.target != (hostname_matrix + '.') or result_dig_srv.port != 8448"
+ - name: Determine domains that we require certificates for (mxisd)
+ set_fact:
+ dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_mxisd] }}"
+ when: "matrix_mxisd_enabled"
-- name: Report correct DNS SRV record
- debug:
- msg: "The DNS SRV record for {{ hostname_identity }} points to {{ hostname_matrix }}, as expected"
\ No newline at end of file
+- name: Perform DNS SRV checks
+ include_tasks: "{{ role_path }}/tasks/self_check/self_check_dns_srv.yml"
+ with_items: "{{ dns_srv_record_checks }}"
+ loop_control:
+ loop_var: dns_srv_record_check
\ No newline at end of file
diff --git a/roles/matrix-server/tasks/self_check/self_check_dns_srv.yml b/roles/matrix-server/tasks/self_check/self_check_dns_srv.yml
new file mode 100644
index 000000000..249b10ee8
--- /dev/null
+++ b/roles/matrix-server/tasks/self_check/self_check_dns_srv.yml
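Review bot: The second set_fact task inside the `- block:` is named `Determine domains that we require certificates for (mxisd)`, which describes the certificate logic it was presumably copied from, not what the task does (append the `_matrix-identity._tcp` check to `dns_srv_record_checks`); it should read `- name: Determine DNS SRV records to check (mxisd)` to mirror the `(Matrix)` task at the top of the hunk. The task name is the only thing a user sees in the play output when this self-check runs, so the mismatch is actively confusing when the later SRV check fails for the mxisd record.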
@@ -0,0 +1,26 @@
+---
+
+# This requires the dnspython library and will fail with a friendly error when unavailable.
+- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }}
+ set_fact:
+ result_dig_srv: "{{ lookup('dig', (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain + '/SRV'), 'flat=0', wantlist=False) }}"
+
+- name: Fail if DNS SRV record missing
+ fail:
+ msg: "It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly (the record is missing). See the 'Configuring DNS' documentation for this playbook."
+ when: "result_dig_srv == 'NXDOMAIN'"
+
+- name: Fail if DNS SRV record incorrect
+ fail:
+ msg: >
+ It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly.
+ Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}).
+ Found it pointing to `{{ result_dig_srv.target }}` (port {{ result_dig_srv.port }}).
+ See the 'Configuring DNS' documentation for this playbook.
+ when: "result_dig_srv.target != dns_srv_record_check.expected_target or result_dig_srv.port != dns_srv_record_check.expected_port"
+
+- name: Report correct DNS SRV record
+ debug:
+ msg: >
+ The DNS SRV record for `{{ dns_srv_record_check.service_and_protocol }}` on `{{ dns_srv_record_check.domain }}`
+ points to `{{ result_dig_srv.target }}` (port {{ dns_srv_record_check.expected_port }}), as expected
\ No newline at end of file
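Review bot: The "Fail if DNS SRV record missing" task only matches the literal `'NXDOMAIN'`, so any other non-record result from the `dig` lookup (as far as I recall it yields an empty string on NoAnswer and on a resolver timeout) falls through to the "incorrect" task, where `result_dig_srv.target` on a plain string aborts with an undefined-attribute error instead of the friendly message the header comment promises. I would widen the guard to `when: "result_dig_srv == 'NXDOMAIN' or result_dig_srv == ''"` and mention in the message that a resolver timeout lands here too, so a transient DNS problem is not reported as a misconfiguration. Separately, `wantlist=False` only hands back a single dict when exactly one SRV record is published; with several (priority/weight failover is normal for SRV) the `.target`/`.port` comparison will not behave as intended, so either iterate with `wantlist=True` or state in the header comment that exactly one record per service is expected.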