fix set raw.dnsmasq breaks nftables

recipes/cagettepei/crud.sh

@@ -33,9 +33,9 @@ function _create() {
     APP_PORT=$port APP_NAME=$shortname tera -e --env-key env -t "$MIAOU_BASEDIR/templates/apps/cagettepei/cagettepei-host.j2" -o "$MIAOU_CONFIGDIR/apps/cagettepei/$longname.conf" "$MIAOU_CONFIGDIR/miaou.expanded.yaml"
     echo "creating templates ... OK"
 
-    echo "copying files over container <$container> ... "
+    echo "copying files to container <$container> ... "
     lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/cagettepei/$longname.conf" "$container/etc/apache2/sites-available/$longname.conf"
-    echo "copying files over container <$container> ... OK"
+    echo "copying files to container <$container> ... OK"
 
     if ! (db-maria list | grep -q "$longname"); then
         echo "create empty database <$longname> ... "

recipes/discourse/crud.sh

@@ -28,7 +28,7 @@ function _create() {
 
     echo "copying files to container <$container> ... "
     lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/discourse/$longname.yml" "$container/var/discourse/containers/$longname.yml"
-    echo "copying files over container <$container> ... OK"
+    echo "copying files to container <$container> ... OK"
 
     if ! (db-psql list | grep -q "$longname"); then
         echo "create empty database <$longname> ... "

recipes/dmz/install.sh

@@ -64,7 +64,7 @@ function install() {
     lxc exec "$CONTAINER" -- bash <<EOF
         set -Eeuo pipefail
         apt-get update && apt-get dist-upgrade -y
-        apt-get install -y nftables nginx ssl-cert libnginx-mod-http-subs-filter certbot python3-certbot-nginx
+        apt-get install -y nginx ssl-cert libnginx-mod-http-subs-filter certbot python3-certbot-nginx
 
         echo "registering with your default credential email <$credential_email>"
         certbot register --agree-tos --email $credential_email --no-eff-email || echo "already resgistered!"
@@ -80,37 +80,10 @@ EOF
         echo "copying Nginx banner to container <$CONTAINER> ... "
         lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_$TARGET.conf" "$CONTAINER/etc/nginx/snippets/banner_$TARGET.conf"
         lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_exp.conf" "$CONTAINER/etc/nginx/snippets/banner_exp.conf"
-        echo "copying files over container <$CONTAINER> ... OK"
+        echo "copying files to container <$CONTAINER> ... OK"
     else
         echo "no Nginx banner on PROD!"
     fi
-
-    echo "populate nftables entries into yaml"
-    local wan_interface dmz_ip
-    wan_interface=$(ip route show default | cut -d ' ' -f5)
-    dmz_ip=$(host "$CONTAINER.lxd" | cut -d ' ' -f4)
-    yq ".nftables.wan_interface=\"$wan_interface\"" "$EXPANDED_CONF" -i
-    yq ".nftables.dmz_ip=\"$dmz_ip\"" "$EXPANDED_CONF" -i
-
-    local nftables_reloading=false
-    if [[ "$TARGET" != "dev" ]]; then
-        mkdir -p "$MIAOU_CONFIGDIR/nftables.rules.d"
-        echo "nat http/s port to dmz"
-        tera -t "$MIAOU_BASEDIR/templates/nftables/nat.table.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" &>/dev/null
-        sudo cp "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" /etc/nftables.rules.d/nat.table
-        nftables_reloading=true
-    else
-        if [[ -f /etc/nftables.rules.d/nat.table ]]; then
-            sudo_required "remove previous nat.table"
-            sudo rm -f /etc/nftables.rules.d/nat.table
-            nftables_reloading=true
-        fi
-    fi
-    if [[ "$nftables_reloading" == true ]]; then
-        sudo_required "reload nftables"
-        sudo systemctl reload nftables.service
-    fi
-
 }
 
 # MAIN

recipes/dolibarr/crud.sh

@@ -64,7 +64,7 @@ EOF
 
     echo "copying configuration files to container <$container>... "
     lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/dolibarr/$shortname/host.conf" "$container/etc/nginx/sites-available/$longname.conf"
-    echo "copying files over container <$container> ... OK"
+    echo "copying files to container <$container> ... OK"
 
     if ! (db-psql list | grep -q "$longname"); then
         echo "create empty database <$longname> ... "

recipes/odoo12/crud.sh

@@ -34,10 +34,10 @@ function _create() {
     APP_NAME=$shortname tera -t "$MIAOU_BASEDIR/templates/apps/odoo12/odoo.service.j2" --env-only -o "$MIAOU_CONFIGDIR/apps/odoo12/$longname.service" >/dev/null
     echo "creating templates ... OK"
 
-    echo "copying files over container <$container> ... "
+    echo "copying files to container <$container> ... "
     lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo12/$shortname.conf" "$container/etc/odoo12/$shortname.conf"
     lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo12/$longname.service" "$container/etc/systemd/system/$longname.service"
-    echo "copying files over container <$container> ... OK"
+    echo "copying files to container <$container> ... OK"
 
     if ! (db-psql list | grep -q "$longname"); then
         echo "create empty database <$longname> ... "

recipes/odoo15/crud.sh

@@ -34,10 +34,10 @@ function _create() {
     APP_NAME=$shortname tera -t "$MIAOU_BASEDIR/templates/apps/odoo15/odoo.service.j2" --env-only -o "$MIAOU_CONFIGDIR/apps/odoo15/$longname.service" >/dev/null
     echo "creating templates ... OK"
 
-    echo "copying files over container <$container> ... "
+    echo "copying files to container <$container> ... "
     lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo15/$shortname.conf" "$container/etc/odoo15/$shortname.conf"
     lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo15/$longname.service" "$container/etc/systemd/system/$longname.service"
-    echo "copying files over container <$container> ... OK"
+    echo "copying files to container <$container> ... OK"
 
     echo "create data folder for $shortname"
     cat <<EOF | lxc_exec "$container"

recipes/postgresql/install.sh

@@ -45,7 +45,7 @@ function install() {
         systemctl restart postgresql.service
 EOF
 
-    echo -n "copying <autopostgresqlbackup> files over container <$CONTAINER> ... "
+    echo -n "copying <autopostgresqlbackup> files to container <$CONTAINER> ... "
     lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/autopostgresqlbackup/script" "$CONTAINER/usr/sbin/autopostgresqlbackup"
     lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/autopostgresqlbackup/cron.daily" "$CONTAINER/etc/cron.daily/autopostgresqlbackup"
     lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/autopostgresqlbackup/default.conf" "$CONTAINER/etc/default/autopostgresqlbackup"

recipes/wordpress/crud.sh

@@ -32,9 +32,9 @@ function _create() {
     APP_PORT=$port APP_NAME=$shortname tera -e --env-key env -t "$MIAOU_BASEDIR/templates/apps/wordpress/wp-host.j2" -o "$MIAOU_CONFIGDIR/apps/wordpress/$longname.conf" "$MIAOU_CONFIGDIR/miaou.expanded.yaml"
     echo "creating templates ... OK"
 
-    echo "copying files over container <$container> ... "
+    echo "copying files to container <$container> ... "
     lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/wordpress/$longname.conf" "$container/etc/nginx/sites-available/$longname.conf"
-    echo "copying files over container <$container> ... OK"
+    echo "copying files to container <$container> ... OK"
 
     if ! (db-maria list | grep -q "$longname"); then
         echo "create empty database <$longname> ... "

scripts/lxc-miaou-enable-ssh

@@ -54,7 +54,7 @@ EOF
         echo -n "building template for sshd_config..."
         USERS=${previous_users[*]} tera -e --env-key env -t "$MIAOU_BASEDIR/templates/dev-container-ssh/sshd_config.j2" -o "/tmp/sshd_config" "$MIAOU_CONFIGDIR/miaou.expanded.yaml" >/dev/null
         echo 'OK'
-        echo -n "copying sshd_config over container <$CONTAINER> ... "
+        echo -n "copying sshd_config to container <$CONTAINER> ... "
         lxc file push --uid 0 --gid 0 "/tmp/sshd_config" "$CONTAINER/etc/ssh/sshd_config" &>/dev/null
         echo 'OK'
         lxc exec "$CONTAINER" -- systemctl reload sshd.service

scripts/lxd-restart-dnsmasq

@@ -10,3 +10,7 @@ function restart_dnsmasq() {
 ## MAIN
 . "$MIAOU_BASEDIR/lib/init.sh"
 restart_dnsmasq
+
+echo "WARNING: restarting dnsmasq may break your NFT ruleset!"
+echo "You should reload NFTables as well..."
+echo "sudo systemctl reload nftables.service"

scripts/miaou

@@ -165,6 +165,8 @@ function expand_conf() {
 function build_routes() {
     PREFIX="miaou:routes"
 
+    mkdir -p "$MIAOU_CONFIGDIR/dnsmasq"
+
     mapfile -t fqdns < <(yqm '.expanded.services[].fqdn')
     echo "found <${#fqdns[@]}> fqdn"
     raw_dnsmasq=''
@@ -174,7 +176,17 @@ function build_routes() {
         echo "re-routing any connection from <$i> to internal container <$DMZ_CONTAINER.lxd>"
     done
 
-    builtin echo -e "$raw_dnsmasq" | lxc network set $BRIDGE raw.dnsmasq -
+    builtin echo -e "$raw_dnsmasq" >"$MIAOU_CONFIGDIR/dnsmasq/raw.new"
+    lxc network get $BRIDGE raw.dnsmasq | head -n-1 >"$MIAOU_CONFIGDIR/dnsmasq/raw.old"
+
+    if ! diff -q "$MIAOU_CONFIGDIR/dnsmasq/raw.old" "$MIAOU_CONFIGDIR/dnsmasq/raw.new"; then
+        echo "reload dnsmasq"
+        builtin echo -e "$raw_dnsmasq" | lxc network set $BRIDGE raw.dnsmasq -
+        echo "reload nftables"
+        sudo systemctl reload nftables.service
+    else
+        echo "no changes"
+    fi
 }
 
 function build_dmz_certbot {
@@ -548,10 +560,8 @@ if check_expand_conf; then
     check_resolv_conf
     build_nftables
     prepare_containers
-
     DMZ_CONTAINER=$(get_unique_container_dmz)
     build_dmz_reverseproxy
-
     DMZ_IP=$(get_dmz_ip)
     build_services
     build_dmz_certbot

templates/nftables/nat.table.j2

@@ -1,6 +0,0 @@
-table ip nat {
-        chain prerouting {
-                type nat hook prerouting priority dstnat; policy accept;
-                iif "{{ nftables.wan_interface }}" tcp dport { 80, 443 } dnat to {{ nftables.dmz_ip }}
-        }
-}