From fd86ed48374863dfcb12c70ae5b496f890189ee1 Mon Sep 17 00:00:00 2001
From: pvincent
Date: Thu, 10 Oct 2024 12:46:32 +0400
Subject: [PATCH] fix set raw.dnsmasq breaks nftables

---
 recipes/cagettepei/crud.sh | 4 ++--
 recipes/discourse/crud.sh | 2 +-
 recipes/dmz/install.sh | 31 ++-----------------------------
 recipes/dolibarr/crud.sh | 2 +-
 recipes/odoo12/crud.sh | 4 ++--
 recipes/odoo15/crud.sh | 4 ++--
 recipes/postgresql/install.sh | 2 +-
 recipes/wordpress/crud.sh | 4 ++--
 scripts/lxc-miaou-enable-ssh | 2 +-
 scripts/lxd-restart-dnsmasq | 4 ++++
 scripts/miaou | 16 +++++++++++++---
 templates/nftables/nat.table.j2 | 6 ------
 12 files changed, 31 insertions(+), 50 deletions(-)
 delete mode 100644 templates/nftables/nat.table.j2

diff --git a/recipes/cagettepei/crud.sh b/recipes/cagettepei/crud.sh
index 28e8de4..5be3b06 100755
--- a/recipes/cagettepei/crud.sh
+++ b/recipes/cagettepei/crud.sh
@@ -33,9 +33,9 @@ function _create() {
 APP_PORT=$port APP_NAME=$shortname tera -e --env-key env -t "$MIAOU_BASEDIR/templates/apps/cagettepei/cagettepei-host.j2" -o "$MIAOU_CONFIGDIR/apps/cagettepei/$longname.conf" "$MIAOU_CONFIGDIR/miaou.expanded.yaml"
 echo "creating templates ... OK"
- echo "copying files over container <$container> ... "
+ echo "copying files to container <$container> ... "
 lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/cagettepei/$longname.conf" "$container/etc/apache2/sites-available/$longname.conf"
- echo "copying files over container <$container> ... OK"
+ echo "copying files to container <$container> ... OK"
 if ! (db-maria list | grep -q "$longname"); then
 echo "create empty database <$longname> ... "
diff --git a/recipes/discourse/crud.sh b/recipes/discourse/crud.sh
index bc5b804..8eae0a9 100755
--- a/recipes/discourse/crud.sh
+++ b/recipes/discourse/crud.sh
@@ -28,7 +28,7 @@ function _create() {
 echo "copying files to container <$container> ... "
 lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/discourse/$longname.yml" "$container/var/discourse/containers/$longname.yml"
- echo "copying files over container <$container> ... OK"
+ echo "copying files to container <$container> ... OK"
 if ! (db-psql list | grep -q "$longname"); then
 echo "create empty database <$longname> ... "
diff --git a/recipes/dmz/install.sh b/recipes/dmz/install.sh
index 847b65e..1a8c806 100755
--- a/recipes/dmz/install.sh
+++ b/recipes/dmz/install.sh
@@ -64,7 +64,7 @@ function install() {
 lxc exec "$CONTAINER" -- bash <" certbot register --agree-tos --email $credential_email --no-eff-email || echo "already resgistered!"
@@ -80,37 +80,10 @@ EOF
 echo "copying Nginx banner to container <$CONTAINER> ... "
 lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_$TARGET.conf" "$CONTAINER/etc/nginx/snippets/banner_$TARGET.conf"
 lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_exp.conf" "$CONTAINER/etc/nginx/snippets/banner_exp.conf"
- echo "copying files over container <$CONTAINER> ... OK"
+ echo "copying files to container <$CONTAINER> ... OK"
 else
 echo "no Nginx banner on PROD!"
 fi
-
- echo "populate nftables entries into yaml"
- local wan_interface dmz_ip
- wan_interface=$(ip route show default | cut -d ' ' -f5)
- dmz_ip=$(host "$CONTAINER.lxd" | cut -d ' ' -f4)
- yq ".nftables.wan_interface=\"$wan_interface\"" "$EXPANDED_CONF" -i
- yq ".nftables.dmz_ip=\"$dmz_ip\"" "$EXPANDED_CONF" -i
-
- local nftables_reloading=false
- if [[ "$TARGET" != "dev" ]]; then
- mkdir -p "$MIAOU_CONFIGDIR/nftables.rules.d"
- echo "nat http/s port to dmz"
- tera -t "$MIAOU_BASEDIR/templates/nftables/nat.table.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" &>/dev/null
- sudo cp "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" /etc/nftables.rules.d/nat.table
- nftables_reloading=true
- else
- if [[ -f /etc/nftables.rules.d/nat.table ]]; then
- sudo_required "remove previous nat.table"
- sudo rm -f /etc/nftables.rules.d/nat.table
- nftables_reloading=true
- fi
- fi
- if [[ "$nftables_reloading" == true ]]; then
- sudo_required "reload nftables"
- sudo systemctl reload nftables.service
- fi
-
-
 }
 # MAIN
diff --git a/recipes/dolibarr/crud.sh b/recipes/dolibarr/crud.sh
index 7eb374d..53989ba 100755
--- a/recipes/dolibarr/crud.sh
+++ b/recipes/dolibarr/crud.sh
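Review bot: Removing the whole nftables block from install() also removes the only visible cleanup of a previously deployed /etc/nftables.rules.d/nat.table (the old `else` branch with `sudo rm -f`), so a host that ran an earlier version keeps a DNAT rule rendered from the now-deleted nat.table.j2 with whatever dmz_ip was captured at the time. Unless build_nftables in scripts/miaou (outside this patch's hunks) now owns that file, a one-off migration such as `if [[ -f /etc/nftables.rules.d/nat.table ]]; then sudo_required "remove previous nat.table"; sudo rm -f /etc/nftables.rules.d/nat.table; fi` followed by the nftables reload would avoid leaving a stale forwarding rule on upgraded hosts. The removed yq writes of `.nftables.wan_interface` and `.nftables.dmz_ip` into "$EXPANDED_CONF" should likewise be confirmed unused by any remaining template. install() starts outside this hunk; its closing brace is visible here.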
@@ -64,7 +64,7 @@ EOF
 echo "copying configuration files to container <$container>... "
 lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/dolibarr/$shortname/host.conf" "$container/etc/nginx/sites-available/$longname.conf"
- echo "copying files over container <$container> ... OK"
+ echo "copying files to container <$container> ... OK"
 if ! (db-psql list | grep -q "$longname"); then
 echo "create empty database <$longname> ... "
diff --git a/recipes/odoo12/crud.sh b/recipes/odoo12/crud.sh
index 02fc912..0df4fda 100755
--- a/recipes/odoo12/crud.sh
+++ b/recipes/odoo12/crud.sh
@@ -34,10 +34,10 @@ function _create() {
 APP_NAME=$shortname tera -t "$MIAOU_BASEDIR/templates/apps/odoo12/odoo.service.j2" --env-only -o "$MIAOU_CONFIGDIR/apps/odoo12/$longname.service" >/dev/null
 echo "creating templates ... OK"
- echo "copying files over container <$container> ... "
+ echo "copying files to container <$container> ... "
 lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo12/$shortname.conf" "$container/etc/odoo12/$shortname.conf"
 lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo12/$longname.service" "$container/etc/systemd/system/$longname.service"
- echo "copying files over container <$container> ... OK"
+ echo "copying files to container <$container> ... OK"
 if ! (db-psql list | grep -q "$longname"); then
 echo "create empty database <$longname> ... "
diff --git a/recipes/odoo15/crud.sh b/recipes/odoo15/crud.sh
index e49f88a..2653d2a 100755
--- a/recipes/odoo15/crud.sh
+++ b/recipes/odoo15/crud.sh
@@ -34,10 +34,10 @@ function _create() {
 APP_NAME=$shortname tera -t "$MIAOU_BASEDIR/templates/apps/odoo15/odoo.service.j2" --env-only -o "$MIAOU_CONFIGDIR/apps/odoo15/$longname.service" >/dev/null
 echo "creating templates ... OK"
- echo "copying files over container <$container> ... "
+ echo "copying files to container <$container> ... "
 lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo15/$shortname.conf" "$container/etc/odoo15/$shortname.conf"
 lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/odoo15/$longname.service" "$container/etc/systemd/system/$longname.service"
- echo "copying files over container <$container> ... OK"
+ echo "copying files to container <$container> ... OK"
 echo "create data folder for $shortname"
 cat < files over container <$CONTAINER> ... "
+ echo -n "copying files to container <$CONTAINER> ... "
 lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/autopostgresqlbackup/script" "$CONTAINER/usr/sbin/autopostgresqlbackup"
 lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/autopostgresqlbackup/cron.daily" "$CONTAINER/etc/cron.daily/autopostgresqlbackup"
 lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/autopostgresqlbackup/default.conf" "$CONTAINER/etc/default/autopostgresqlbackup"
diff --git a/recipes/wordpress/crud.sh b/recipes/wordpress/crud.sh
index fe4fd99..72c421e 100755
--- a/recipes/wordpress/crud.sh
+++ b/recipes/wordpress/crud.sh
@@ -32,9 +32,9 @@ function _create() {
 APP_PORT=$port APP_NAME=$shortname tera -e --env-key env -t "$MIAOU_BASEDIR/templates/apps/wordpress/wp-host.j2" -o "$MIAOU_CONFIGDIR/apps/wordpress/$longname.conf" "$MIAOU_CONFIGDIR/miaou.expanded.yaml"
 echo "creating templates ... OK"
- echo "copying files over container <$container> ... "
+ echo "copying files to container <$container> ... "
 lxc file push --uid 0 --gid 0 "$MIAOU_CONFIGDIR/apps/wordpress/$longname.conf" "$container/etc/nginx/sites-available/$longname.conf"
- echo "copying files over container <$container> ... OK"
+ echo "copying files to container <$container> ... OK"
 if ! (db-maria list | grep -q "$longname"); then
 echo "create empty database <$longname> ... "
diff --git a/scripts/lxc-miaou-enable-ssh b/scripts/lxc-miaou-enable-ssh
index 72941f5..035348c 100755
--- a/scripts/lxc-miaou-enable-ssh
+++ b/scripts/lxc-miaou-enable-ssh
@@ -54,7 +54,7 @@ EOF
 echo -n "building template for sshd_config..."
 USERS=${previous_users[*]} tera -e --env-key env -t "$MIAOU_BASEDIR/templates/dev-container-ssh/sshd_config.j2" -o "/tmp/sshd_config" "$MIAOU_CONFIGDIR/miaou.expanded.yaml" >/dev/null
 echo 'OK'
- echo -n "copying sshd_config over container <$CONTAINER> ... "
+ echo -n "copying sshd_config to container <$CONTAINER> ... "
 lxc file push --uid 0 --gid 0 "/tmp/sshd_config" "$CONTAINER/etc/ssh/sshd_config" &>/dev/null
 echo 'OK'
 lxc exec "$CONTAINER" -- systemctl reload sshd.service
diff --git a/scripts/lxd-restart-dnsmasq b/scripts/lxd-restart-dnsmasq
index a1e022b..d9f4555 100755
--- a/scripts/lxd-restart-dnsmasq
+++ b/scripts/lxd-restart-dnsmasq
@@ -10,3 +10,7 @@ function restart_dnsmasq() {
 ## MAIN
 . "$MIAOU_BASEDIR/lib/init.sh"
 restart_dnsmasq
+
+echo "WARNING: restarting dnsmasq may break your NFT ruleset!"
+echo "You should reload NFTables as well..."
+echo "sudo systemctl reload nftables.service"
diff --git a/scripts/miaou b/scripts/miaou
index 01082ee..be09eae 100755
--- a/scripts/miaou
+++ b/scripts/miaou
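Review bot: The three added echo lines in scripts/lxd-restart-dnsmasq only tell the operator to reload nftables, which leaves the host with a broken ruleset between the dnsmasq restart and a manual step that is easy to skip; since build_routes in scripts/miaou already runs `sudo systemctl reload nftables.service` itself in this same patch, doing the reload here, e.g. `sudo_required "reload nftables"` then `sudo systemctl reload nftables.service`, would actually close the window the commit message describes. If the warning is kept, it is a diagnostic and belongs on stderr: `echo "WARNING: restarting dnsmasq may break your NFT ruleset!" >&2`. The body of restart_dnsmasq is outside this hunk.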
@@ -165,6 +165,8 @@ function expand_conf() {
 function build_routes() {
 PREFIX="miaou:routes"
+ mkdir -p "$MIAOU_CONFIGDIR/dnsmasq"
+
 mapfile -t fqdns < <(yqm '.expanded.services[].fqdn')
 echo "found <${#fqdns[@]}> fqdn"
 raw_dnsmasq=''
@@ -174,7 +176,17 @@ function build_routes() {
 echo "re-routing any connection from <$i> to internal container <$DMZ_CONTAINER.lxd>"
 done
- builtin echo -e "$raw_dnsmasq" | lxc network set $BRIDGE raw.dnsmasq -
+ builtin echo -e "$raw_dnsmasq" >"$MIAOU_CONFIGDIR/dnsmasq/raw.new"
+ lxc network get $BRIDGE raw.dnsmasq | head -n-1 >"$MIAOU_CONFIGDIR/dnsmasq/raw.old"
+
+ if ! diff -q "$MIAOU_CONFIGDIR/dnsmasq/raw.old" "$MIAOU_CONFIGDIR/dnsmasq/raw.new"; then
+ echo "reload dnsmasq"
+ builtin echo -e "$raw_dnsmasq" | lxc network set $BRIDGE raw.dnsmasq -
+ echo "reload nftables"
+ sudo systemctl reload nftables.service
+ else
+ echo "no changes"
+ fi
 }
 function build_dmz_certbot {
@@ -548,10 +560,8 @@ if check_expand_conf; then
 check_resolv_conf
 build_nftables
 prepare_containers
- DMZ_CONTAINER=$(get_unique_container_dmz)
 build_dmz_reverseproxy
- DMZ_IP=$(get_dmz_ip)
 build_services
 build_dmz_certbot
diff --git a/templates/nftables/nat.table.j2 b/templates/nftables/nat.table.j2
deleted file mode 100644
index ed1c713..0000000
--- a/templates/nftables/nat.table.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-table ip nat {
- chain prerouting {
- type nat hook prerouting priority dstnat; policy accept;
- iif "{{ nftables.wan_interface }}" tcp dport { 80, 443 } dnat to {{ nftables.dmz_ip }}
- }
-}
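Review bot: The change detection in build_routes hinges on `lxc network get $BRIDGE raw.dnsmasq | head -n-1` dropping exactly one trailing line; if the stored value does not end with an extra empty line (presumably the case when raw.dnsmasq was set by a different tool, or is unset), `head -n-1` discards a real entry, `diff -q` always reports a difference, and dnsmasq plus nftables get reloaded on every run, which is the behaviour this commit is trying to avoid. Comparing the two values with trailing newlines normalised by command substitution sidesteps the line-count guess: `old=$(lxc network get "$BRIDGE" raw.dnsmasq)`, `new=$(builtin echo -e "$raw_dnsmasq")`, `if [[ "$old" != "$new" ]]; then`. The new `sudo systemctl reload nftables.service` also lacks the `sudo_required "reload nftables"` prompt that the code removed from recipes/dmz/install.sh used before the same call, and `$BRIDGE` is unquoted on both new lxc lines. The `raw.old`/`raw.new` files then become unnecessary, though keeping `raw.new` as a record of what was pushed is reasonable.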
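Review bot: Dropping `DMZ_CONTAINER=$(get_unique_container_dmz)` and `DMZ_IP=$(get_dmz_ip)` from the main sequence leaves build_routes still interpolating `$DMZ_CONTAINER` into the re-routing message two hunks above, so unless build_nftables or prepare_containers (outside this patch) now assign these variables, the dnsmasq entries would be built from an empty container name. If they are now set elsewhere, a comment at this point such as `# DMZ_CONTAINER and DMZ_IP are set by build_nftables` would save the next reader the search; if not, the two assignments should stay. The enclosing `if check_expand_conf; then` block starts and ends outside the hunk.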