Security: Remove hardcoded credentials, enforcing env vars
124
README.md
@@ -1,75 +1,73 @@
# CoreDNS NetBox Sync
Dieser Container synchronisiert DNS-Records aus [NetBox](https://github.com/netbox-community/netbox) in lokale Zonefiles, die von [CoreDNS](https://coredns.io/) (oder BIND) genutzt werden können.
This container automates the generation of DNS zone files for CoreDNS (or BIND) by synchronizing data from [NetBox](https://github.com/netbox-community/netbox). It fetches IPAM data (active IPs with DNS names) and DNS Plugin records.
## Features
- **Automatische Synchronisation:** Holt alle 10 Minuten (konfigurierbar) Daten aus NetBox.
- **Forward & Reverse Zones:** Erstellt A/AAAA und PTR Records.
- **Ausfallsicherheit:** Wenn NetBox nicht erreichbar ist oder die API Fehler wirft, werden **keine** leeren Dateien geschrieben. Die alten Zonefiles bleiben erhalten, um `NXDOMAIN` Antworten zu verhindern.
- **Fallback NS:** Konfigurierbarer Fallback-Nameserver, falls in NetBox keine NS-Records für die Zone definiert sind.
* **Automated Synchronization:** Periodically fetches data from NetBox (Default: 10 minutes).
* **Fail-Safe Operation:** If NetBox is unreachable or returns errors, the existing zone files are preserved to prevent `NXDOMAIN` issues.
* **Dual Zone Support:** Generates both Forward and Reverse (PTR) zones.
* **Intelligent Fallback:** Automatically configures a fallback Nameserver if no NS records are defined in NetBox.
## Installation & Nutzung
## Configuration
### 1. Image bauen
Configuration is handled entirely via environment variables.
```bash
docker build -t local/dns-sync .
```
### Required Variables
### 2. Container starten
| Variable | Description |
| :--- | :--- |
| `NETBOX_URL` | The full URL to the NetBox instance (e.g., `http://netbox.local`). |
| `NETBOX_TOKEN` | The API Token for authentication (Read-Only permissions are sufficient). |
Da die Standardwerte im Dockerfile hinterlegt sind, reicht dein bisheriger Befehl völlig aus, solange sich an der Konfiguration nichts geändert hat:
### Optional Variables
```bash
docker run -d \
--name klzDNS-worker \
--restart unless-stopped \
--net=container:klzDNS-coredns \
-v klzDNS-data:/zones \
local/dns-sync
```
### 3. Konfiguration anpassen (Optional)
Möchtest du Werte ändern (z.B. URL, Token oder Interval), kannst du diese als Umgebungsvariablen (`-e`) übergeben:
```bash
docker run -d \
--name klzDNS-worker \
--restart unless-stopped \
--net=container:klzDNS-coredns \
-v klzDNS-data:/zones \
-e NETBOX_URL="http://deine-netbox-url" \
-e NETBOX_TOKEN="dein-neuer-token" \
-e REFRESH_INTERVAL=300 \
local/dns-sync
```
Alternativ kannst du eine `.env` Datei erstellen:
```ini
# .env Datei
NETBOX_URL=http://192.168.1.50
REFRESH_INTERVAL=60
```
Und diese einbinden:
```bash
docker run -d ... --env-file .env local/dns-sync
```
## Verfügbare Variablen
| Variable | Standardwert | Beschreibung |
| Variable | Default | Description |
| :--- | :--- | :--- |
| `NETBOX_URL` | `http://172.30.242.99` | URL zur NetBox Instanz |
| `NETBOX_TOKEN` | `0b74...` | API Token (Read-Only reicht) |
| `ZONE_NAME` | `klenzel.net` | Die zu verwaltende DNS-Zone |
| `REVERSE_ZONE_NAME` | `172.in-addr.arpa` | Reverse Lookup Zone |
| `REFRESH_INTERVAL` | `600` | Sync-Intervall in Sekunden |
| `OUTPUT_FILE_FWD` | `/zones/db.klenzel.net` | Pfad zur Forward Zone im Container |
| `OUTPUT_FILE_REV` | `/zones/db.reverse.arpa` | Pfad zur Reverse Zone im Container |
| `FALLBACK_NS_HOSTNAME`| `fks-01-cl-cdns` | Hostname des NS, falls keiner in NetBox definiert ist |
| `FALLBACK_NS_IP` | `172.25.16.152` | IP des Fallback NS (für Glue Record) |
| `REFRESH_INTERVAL` | `600` | Synchronization interval in seconds. |
| `ZONE_NAME` | `klenzel.net` | The DNS zone name to manage. |
| `REVERSE_ZONE_NAME` | `172.in-addr.arpa` | The reverse lookup zone name. |
| `OUTPUT_FILE_FWD` | `/zones/db.klenzel.net` | Path inside the container for the forward zone file. |
| `OUTPUT_FILE_REV` | `/zones/db.reverse.arpa` | Path inside the container for the reverse zone file. |
| `FALLBACK_NS_HOSTNAME`| `fks-01-cl-cdns` | Hostname used for NS record if none exist in NetBox. |
| `FALLBACK_NS_IP` | `172.25.16.152` | IP address for the fallback NS glue record. |
## Usage
### Docker
1. **Build the image:**
```bash
docker build -t local/dns-sync .
```
2. **Run with environment variables:**
```bash
docker run -d \
--name klzDNS-worker \
--restart unless-stopped \
--net=container:klzDNS-coredns \
-v klzDNS-data:/zones \
-e NETBOX_URL="http://172.30.242.99" \
-e NETBOX_TOKEN="your-secret-token" \
local/dns-sync
```
### Using a `.env` file
1. Create a `.env` file based on the example:
```bash
cp .env.example .env
# Edit .env and add your credentials
```
2. Run the container referencing the file:
```bash
docker run -d \
--name klzDNS-worker \
--restart unless-stopped \
--net=container:klzDNS-coredns \
-v klzDNS-data:/zones \
--env-file .env \
local/dns-sync
```
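Review bot: deleting the token from the README does not revoke it; the old variables table published a real token prefix (`0b74...`) together with the NetBox URL `http://172.30.242.99`, and both stay in git history, so the NetBox API token should be rotated and the old one deleted, and the commit message should say that this was done. The old text also states that the defaults live in the Dockerfile ("Da die Standardwerte im Dockerfile hinterlegt sind"); this hunk only touches README.md, so confirm that the token and URL defaults are removed from the Dockerfile in the same change, otherwise the new "Required Variables" table does not match what the image actually does. The new steps reference `cp .env.example .env`, which is not part of this diff; make sure that file exists with placeholder values only and that `.env` is listed in `.gitignore` and `.dockerignore`, so the populated copy is neither committed nor picked up by the image build. Worth adding next to the "Read-Only permissions are sufficient" hint: values passed with `-e` or `--env-file` are readable via `docker inspect` by anyone with access to the Docker socket, so the read-only scope is the real containment boundary. Lastly, the `docker run` example still uses the site-specific `http://172.30.242.99` while the table already uses the placeholder `http://netbox.local`; using the placeholder in both keeps internal addressing out of the public README.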