
BREAKING chore(): replace legacy wording with more PC variants

Renames an environment variable, needs update in deployed configurations.
Peter Thomassen, 4 years ago
parent
commit
4df53eb8e6

+ 1 - 1
.env.default

@@ -38,5 +38,5 @@ DESECSTACK_NSMASTER_CARBONSERVER=
 DESECSTACK_NSMASTER_CARBONOURNAME=
 
 # monitoring
-DESECSTACK_WATCHDOG_SLAVES=ns1.example.org ns2.example.net
+DESECSTACK_WATCHDOG_SECONDARIES=ns1.example.org ns2.example.net
 DESECSTACK_PROMETHEUS_PASSWORD=
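Review bot: the rename of `DESECSTACK_WATCHDOG_SLAVES` to `DESECSTACK_WATCHDOG_SECONDARIES` in this hunk is the breaking part of the change, but nothing in the diff records it for operators beyond the commit message; add an upgrade note (changelog or README "How to Run" section) stating that existing `.env` files must be edited, since a stale name here means the watchdog runs with an empty list rather than failing.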

+ 1 - 1
.env.dev

@@ -38,5 +38,5 @@ DESECSTACK_NSMASTER_CARBONSERVER=
 DESECSTACK_NSMASTER_CARBONOURNAME=
 
 # monitoring
-DESECSTACK_WATCHDOG_SLAVES=
+DESECSTACK_WATCHDOG_SECONDARIES=
 DESECSTACK_PROMETHEUS_PASSWORD=insecure

+ 1 - 1
.github/workflows/main.yml

@@ -1,7 +1,7 @@
 name: CI
 
 # Controls when the action will run. Triggers the workflow on push or pull request
-# events but only for the master branch
+# events but only for the main branch
 on:
   push:
     branches: [ main ]

+ 7 - 7
README.md

@@ -11,7 +11,7 @@ This is a docker-compose application providing the basic stack for deSEC name se
 - `celery`: A shadow instance of the `api` code for performing asynchronous tasks (email delivery).
 - `rabbitmq`: `celery`'s queue
 - `memcached`: `api`-wide in-memory cache, currently used to keep API throttling state
-- `openvpn-server`: OpenVPN server used to tunnel replication traffic between this stack and frontend DNS slaves
+- `openvpn-server`: OpenVPN server used to tunnel replication traffic between this stack and frontend DNS secondaries
 - `prometheus`: Prometheus server for monitoring
 
 Requirements
@@ -27,13 +27,13 @@ Although most configuration is contained in this repository, some external depen
     - Then, copy `ca.crt`, `server.crt`, and `server.key` to `openvpn-server/secrets/`.
     - Create a preshared secret using `openvpn --genkey --secret ta.key` inside `openvpn-server/secrets/`.
 
-    For provisioning a slave, use the same `easy-rsa` PKI and create a new `client.key` and `client.crt` pair. Transfer these securely onto the slave, along with `ca.crt` and `ta.key`.
-    (You can also create the key on the slave and only transfer a certificate signing request and the certificate.) 
+    For provisioning a secondary, use the same `easy-rsa` PKI and create a new `client.key` and `client.crt` pair. Transfer these securely onto the secondary, along with `ca.crt` and `ta.key`.
+    (You can also create the key on the secondary and only transfer a certificate signing request and the certificate.)
 
 3.  Set sensitive information and network topology using environment variables or an `.env` file. You need (you can use the `.env.default` file as a template):
     - global
       - `DESECSTACK_DOMAIN`: domain name under which the entire system will be running. The API will be reachable at https://desec.$DESECSTACK_DOMAIN/api/. For development setup, we recommend using `yourname.dedyn.io`
-      - `DESECSTACK_NS`: the names of the authoritative name servers, i.e. names pointing to your slave name servers. Minimum 2.
+      - `DESECSTACK_NS`: the names of the authoritative name servers, i.e. names pointing to your secondary name servers. Minimum 2.
     - network
       - `DESECSTACK_IPV4_REAR_PREFIX16`: IPv4 net, size /16, for assignment of internal container IPv4 addresses. **NOTE:** If you change this in an existing setup, you 
         need to manually update persisted data structures such as the MySQL grant tables! Better don't do it.
@@ -62,11 +62,11 @@ Although most configuration is contained in this repository, some external depen
       - `DESECSTACK_NSLORD_DEFAULT_TTL`: TTL to use by default, including for default NS records
     - nsmaster-related
       - `DESECSTACK_DBMASTER_PASSWORD_pdns`: mysql password for pdns on nsmaster
-      - `DESECSTACK_NSMASTER_APIKEY`: pdns API key on nsmaster (required so that we can execute zone deletions on nsmaster, which replicates to the slaves)
+      - `DESECSTACK_NSMASTER_APIKEY`: pdns API key on nsmaster (required so that we can execute zone deletions on nsmaster, which replicates to the secondaries)
       - `DESECSTACK_NSMASTER_CARBONSERVER`: pdns `carbon-server` setting on nsmaster (optional)
       - `DESECSTACK_NSMASTER_CARBONOURNAME`: pdns `carbon-ourname` setting on nsmaster (optional)
     - monitoring-related
-      - `DESECSTACK_WATCHDOG_SLAVES`: space-separated list of slave hostnames; used to check correct replication of recent DNS changes
+      - `DESECSTACK_WATCHDOG_SECONDARIES`: space-separated list of secondary hostnames; used to check correct replication of recent DNS changes
       - `DESECSTACK_PROMETHEUS_PASSWORD`: basic auth password for user `prometheus` at `https://${DESECSTACK_DOMAIN}/prometheus/`
 
 How to Run
@@ -183,7 +183,7 @@ While there are certainly many ways to get started hacking desec-stack, here is
 
        mkdir -p ~/bin
        cd ~/bin
-       curl https://raw.githubusercontent.com/desec-io/desec-certbot-hook/master/hook.sh > desec_certbot_hook.sh
+       curl https://raw.githubusercontent.com/desec-io/desec-certbot-hook/main/hook.sh > desec_certbot_hook.sh
        touch .dedynauth; chmod 600 .dedynauth
        echo DEDYN_TOKEN=${TOKEN} >> .dedynauth
        echo DEDYN_NAME=${DOMAIN} >> .dedynauth
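Review bot: the `curl` on the changed line writes whatever the server returns straight into `desec_certbot_hook.sh`, so a 404 after the branch rename (or any HTML error page) ends up as the hook script; use `curl -fsSL` (or `-f` plus `-o`) so a non-2xx response aborts instead of producing a bogus script, and since the script is later executed by certbot, consider pointing at a tagged release rather than the moving `main` branch.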

+ 1 - 1
api/api/settings.py

@@ -230,7 +230,7 @@ VALIDITY_PERIOD_VERIFICATION_SIGNATURE = timedelta(hours=int(os.environ.get('DES
 CAPTCHA_VALIDITY_PERIOD = timedelta(hours=24)
 
 # Watchdog
-WATCHDOG_SLAVES = os.environ.get('DESECSTACK_WATCHDOG_SLAVES', '').split()
+WATCHDOG_SECONDARIES = os.environ.get('DESECSTACK_WATCHDOG_SECONDARIES', '').split()
 WATCHDOG_WINDOW_SEC = 600
 
 # Prometheus (see https://github.com/korfuri/django-prometheus/blob/master/documentation/exports.md)
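Review bot: the renamed lookup `os.environ.get('DESECSTACK_WATCHDOG_SECONDARIES', '')` silently yields an empty `WATCHDOG_SECONDARIES` when a deployment still sets the old `DESECSTACK_WATCHDOG_SLAVES`, which disables replication monitoring without any error; either read the old name as a fallback and log a deprecation warning, or raise at startup if `DESECSTACK_WATCHDOG_SLAVES` is present in the environment, so a missed config update is noticed rather than turning the watchdog into a no-op.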

+ 1 - 1
api/cronhook/crontab

@@ -1,3 +1,3 @@
 */5 * * * * /usr/local/bin/python3 -u /usr/src/app/manage.py chores >> /var/log/cron.log 2>&1
-*/5 * * * * /usr/local/bin/python3 -u /usr/src/app/manage.py check-slaves >> /var/log/cron.log 2>&1
+*/5 * * * * /usr/local/bin/python3 -u /usr/src/app/manage.py check-secondaries >> /var/log/cron.log 2>&1
 7 11 * * * /usr/local/bin/python3 -u /usr/src/app/manage.py scavenge-unused >> /var/log/cron.log 2>&1

+ 14 - 14
api/desecapi/management/commands/check-slaves.py → api/desecapi/management/commands/check-secondaries.py

@@ -30,10 +30,10 @@ def query_serial(zone, server):
 
 
 class Command(BaseCommand):
-    help = 'Check slaves for consistency with nsmaster.'
+    help = 'Check secondaries for consistency with nsmaster.'
 
     def __init__(self, *args, **kwargs):
-        self.servers = {gethostbyname(server): server for server in settings.WATCHDOG_SLAVES}
+        self.servers = {gethostbyname(server): server for server in settings.WATCHDOG_SECONDARIES}
         super().__init__(*args, **kwargs)
 
     def add_arguments(self, parser):
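Review bot: the rewritten line in `__init__` still builds `self.servers` with `gethostbyname(server)` over every configured secondary at command construction; a single unresolvable hostname raises and aborts the whole check (nothing gets reported for the remaining secondaries), and `gethostbyname` returns one IPv4 address only, so an IPv6-only secondary cannot be listed. Consider resolving inside `find_outdated_servers` per server with the failure recorded alongside `timeouts`.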
@@ -45,7 +45,7 @@ class Command(BaseCommand):
 
     def find_outdated_servers(self, zone, local_serial):
         """
-        Returns a dict, the key being the outdated slave name, and the value being the slave's current zone serial.
+        Returns a dict, the key being the outdated secondary name, and the value being the node's current zone serial.
         """
         outdated = {}
         for server in self.servers:
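Review bot: the new docstring mixes terms, "the outdated secondary name" and then "the node's current zone serial"; keep one term and write "the secondary's current zone serial" so the wording matches the rest of the rename.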
@@ -67,7 +67,7 @@ class Command(BaseCommand):
         sleep(options['delay'])
 
         outdated_zone_count = 0
-        outdated_slaves = set()
+        outdated_secondaries = set()
 
         output = []
         timeouts = {}
@@ -80,7 +80,7 @@ class Command(BaseCommand):
             outdated_serials = {k: serial for k, serial in outdated_serials.items() if serial is not False}
 
             if outdated_serials:
-                outdated_slaves.update(outdated_serials.keys())
+                outdated_secondaries.update(outdated_serials.keys())
                 output.append(f'{zone} ({local_serial}) is outdated on {outdated_serials}')
                 print(output[-1])
                 outdated_zone_count += 1
@@ -90,25 +90,25 @@ class Command(BaseCommand):
         output.append(f'Checked {len(serials)} domains, {outdated_zone_count} were outdated.')
         print(output[-1])
 
-        self.report(outdated_slaves, output, timeouts)
+        self.report(outdated_secondaries, output, timeouts)
 
-    def report(self, outdated_slaves, output, timeouts):
-        if not outdated_slaves and not timeouts:
+    def report(self, outdated_secondaries, output, timeouts):
+        if not outdated_secondaries and not timeouts:
             return
 
-        subject = f'{timeouts and "CRITICAL ALERT" or "ALERT"} {len(outdated_slaves)} slaves out of sync'
+        subject = f'{timeouts and "CRITICAL ALERT" or "ALERT"} {len(outdated_secondaries)} secondaries out of sync'
         message = ''
 
         if timeouts:
             message += f'The following servers had timeouts:\n\n{timeouts}\n\n'
 
-        if outdated_slaves:
-            message += f'The following {len(outdated_slaves)} slaves are out of sync:\n'
-            for outdated_slave in outdated_slaves:
-                message += f'* {outdated_slave}\n'
+        if outdated_secondaries:
+            message += f'The following {len(outdated_secondaries)} secondaries are out of sync:\n'
+            for outdated_secondary in outdated_secondaries:
+                message += f'* {outdated_secondary}\n'
             message += '\n'
 
-        message += f'Current slave IPs: {self.servers}\n'
+        message += f'Current secondary IPs: {self.servers}\n'
         message += '\n'.join(output)
 
         mail_admins(subject, message, connection=get_connection('django.core.mail.backends.smtp.EmailBackend'))
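Review bot: in the renamed `report()`, when only `timeouts` is non-empty the subject reads "CRITICAL ALERT 0 secondaries out of sync", which understates the problem at a glance; build the subject from both conditions, e.g. `f'CRITICAL ALERT {len(timeouts)} secondaries timed out'` when `timeouts` is set, and keep the out-of-sync count only when `outdated_secondaries` is non-empty.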

+ 1 - 1
docker-compose.yml

@@ -147,7 +147,7 @@ services:
     - DESECSTACK_NSLORD_DEFAULT_TTL
     - DESECSTACK_NSMASTER_APIKEY
     - DESECSTACK_MINIMUM_TTL_DEFAULT
-    - DESECSTACK_WATCHDOG_SLAVES
+    - DESECSTACK_WATCHDOG_SECONDARIES
     networks:
       rearapi_celery:
       rearapi_dbapi:

+ 2 - 2
docs/dyndns/lets-encrypt.rst

@@ -24,8 +24,8 @@ steps.
    the owner/permissions of the file (``chown``/``chmod``), so that it is only
    readable by your certbot user (usually ``root``). ::
 
-     wget https://raw.githubusercontent.com/desec-io/desec-certbot-hook/master/hook.sh
-     wget https://raw.githubusercontent.com/desec-io/desec-certbot-hook/master/.dedynauth
+     wget https://raw.githubusercontent.com/desec-io/desec-certbot-hook/main/hook.sh
+     wget https://raw.githubusercontent.com/desec-io/desec-certbot-hook/main/.dedynauth
 
 #. **Get a token.** You need to configure an API token so that certbot can use
    it to authenticate its requests towards the deSEC API. The easiest way to
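Review bot: the two `wget` lines now fetch `hook.sh` from the `main` branch, and the surrounding text tells the user to make the file root-readable because certbot (usually `root`) will execute it; a moving branch means the script that runs as root changes whenever `main` does, so the docs should reference a tagged release or a specific commit and tell the reader to inspect the script before installing it.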

+ 2 - 2
nsmaster/conf/pdns.conf.var

@@ -5,8 +5,8 @@ also-notify=239.1.2.3
 only-notify=
 setgid=pdns
 setuid=pdns
-slave=yes
-slave-renotify=yes
+secondary=yes
+secondary-do-renotify=yes
 max-tcp-connections=200
 version-string=powerdns
 webserver=yes
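Review bot: `secondary=yes` and `secondary-do-renotify=yes` are the PowerDNS setting names introduced in the 4.5 series as replacements for `slave` and `slave-renotify`; older pdns builds do not recognize them and will not start with this config, so verify the nsmaster image tag used by the stack is at least 4.5 in the same change (or keep the old keys until the image is bumped).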

+ 1 - 1
nsmaster/entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Route required for communicating with slave NS through VPN
+# Route required for communicating with secondaries through VPN
 /sbin/ip route add 10.8.0.0/24 via 172.16.7.2
 /sbin/ip route add 239.1.2.0/24 via 172.16.7.2
 

+ 1 - 1
www/entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Figure out how to route responses when slaves access through VPN
+# Correctly route responses when secondaries access through VPN
 /sbin/ip route add 10.8.0.0/24 via 172.16.7.2
 
 # Prometheus basic auth