Add internal Traefik ingress for Pangolin and Authelia
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled

This commit is contained in:
Fizzlepoof
2026-05-23 10:59:20 +00:00
parent 889783e621
commit 5c6b3cab4d
14 changed files with 499 additions and 6 deletions

View File

@@ -0,0 +1,160 @@
#!/usr/bin/env python3
import argparse
import json
import os
import sys
from typing import Any
from urllib import parse, request, error
def api_request(base_url: str, method: str, path: str, *, token: str | None = None, query: dict | None = None) -> tuple[int, Any]:
url = base_url.rstrip('/') + path
if query:
url += '?' + parse.urlencode(query, doseq=True)
headers = {'Accept': 'application/json'}
if token:
headers['Authorization'] = f'Bearer {token}'
req = request.Request(url, headers=headers, method=method)
try:
with request.urlopen(req, timeout=30) as resp:
return resp.status, json.load(resp)
except error.HTTPError as exc:
body = exc.read().decode('utf-8', 'replace')
try:
payload = json.loads(body)
except Exception:
payload = body
return exc.code, payload
def expect_ok(status, payload, context):
if status != 200 or payload.get('status') != 'ok':
print(f'{context} failed: http={status}', file=sys.stderr)
print(json.dumps(payload, indent=2, sort_keys=True), file=sys.stderr)
raise SystemExit(1)
def bool_s(v: bool) -> str:
return 'true' if v else 'false'
def main() -> int:
ap = argparse.ArgumentParser(description='Idempotent Technitium baseline config for the homelab pilot')
ap.add_argument('--base-url', default='http://127.0.0.1:5380')
ap.add_argument('--admin-user', default='admin')
ap.add_argument('--admin-pass', default=os.environ.get('DNS_SERVER_ADMIN_PASSWORD'))
ap.add_argument('--server-domain', default='dns.home.paccoco.com')
ap.add_argument('--zone', default='home.paccoco.com')
ap.add_argument('--record-host', default='dns.home.paccoco.com')
ap.add_argument('--record-ip', default='10.5.30.8')
ap.add_argument('--web-port', type=int, default=80)
ap.add_argument('--blocklist', action='append', default=None)
args = ap.parse_args()
if not args.admin_pass:
print('Missing admin password: pass --admin-pass or set DNS_SERVER_ADMIN_PASSWORD', file=sys.stderr)
return 1
desired_blocklists = args.blocklist or ['https://big.oisd.nl/']
st, login = api_request(args.base_url, 'GET', '/api/user/login', query={
'user': args.admin_user,
'pass': args.admin_pass,
'includeInfo': 'true',
})
expect_ok(st, login, 'login')
token = login['token']
st, settings = api_request(args.base_url, 'GET', '/api/settings/get', token=token)
expect_ok(st, settings, 'settings/get')
resp = settings['response']
query = {
'dnsServerDomain': args.server_domain,
'webServiceLocalAddresses': ','.join(resp.get('webServiceLocalAddresses') or ['[::]']),
'webServiceHttpPort': str(args.web_port),
'webServiceEnableTls': bool_s(False),
'webServiceTlsPort': str(resp.get('webServiceTlsPort', 53443)),
'webServiceHttpToTlsRedirect': bool_s(False),
'webServiceUseSelfSignedTlsCertificate': bool_s(False),
'preferIPv6': bool_s(bool(resp.get('preferIPv6', False))),
'dnssecValidation': bool_s(True),
'enableBlocking': bool_s(True),
'allowTxtBlockingReport': bool_s(True),
'blockListUrls': ','.join(desired_blocklists),
'blockListUpdateIntervalHours': str(resp.get('blockListUpdateIntervalHours', 24)),
'logQueries': bool_s(False),
'allowRecursion': bool_s(True),
'allowRecursionOnlyForPrivateNetworks': bool_s(True),
'qnameMinimization': bool_s(True),
'serveStale': bool_s(True),
}
st, updated = api_request(args.base_url, 'GET', '/api/settings/set', token=token, query=query)
expect_ok(st, updated, 'settings/set')
verify_base_url = args.base_url
parsed_base = parse.urlparse(args.base_url)
if parsed_base.port and parsed_base.port != args.web_port:
host = parsed_base.hostname or '127.0.0.1'
verify_base_url = f'{parsed_base.scheme}://{host}:{args.web_port}'
st, zones = api_request(verify_base_url, 'GET', '/api/zones/list', token=token)
expect_ok(st, zones, 'zones/list')
zone_names = {z['name'] for z in zones['response']['zones']}
if args.zone not in zone_names:
st, created = api_request(verify_base_url, 'GET', '/api/zones/create', token=token, query={
'zone': args.zone,
'type': 'Primary',
})
expect_ok(st, created, 'zones/create')
st, current_records = api_request(verify_base_url, 'GET', '/api/zones/records/get', token=token, query={
'domain': args.record_host,
'zone': args.zone,
'listZone': 'false',
})
expect_ok(st, current_records, 'zones/records/get')
for record in current_records['response'].get('records', []):
if record.get('type') == 'A':
ip = (record.get('rData') or {}).get('ipAddress')
if ip and ip != args.record_ip:
st, deleted = api_request(verify_base_url, 'GET', '/api/zones/records/delete', token=token, query={
'domain': args.record_host,
'zone': args.zone,
'type': 'A',
'ipAddress': ip,
})
expect_ok(st, deleted, 'zones/records/delete')
st, added = api_request(verify_base_url, 'GET', '/api/zones/records/add', token=token, query={
'domain': args.record_host,
'zone': args.zone,
'type': 'A',
'ipAddress': args.record_ip,
'overwrite': 'true',
'ttl': '300',
})
expect_ok(st, added, 'zones/records/add')
st, verify = api_request(verify_base_url, 'GET', '/api/settings/get', token=token)
expect_ok(st, verify, 'settings/get verify')
v = verify['response']
summary = {
'dnsServerDomain': v.get('dnsServerDomain'),
'webServiceHttpPort': v.get('webServiceHttpPort'),
'webServiceEnableTls': v.get('webServiceEnableTls'),
'recursion': v.get('recursion'),
'dnssecValidation': v.get('dnssecValidation'),
'enableBlocking': v.get('enableBlocking'),
'allowTxtBlockingReport': v.get('allowTxtBlockingReport'),
'blockListUrls': v.get('blockListUrls'),
'zone': args.zone,
'record': {args.record_host: args.record_ip},
}
print(json.dumps(summary, indent=2, sort_keys=True))
return 0
if __name__ == '__main__':
raise SystemExit(main())