diff --git a/redxen.eu/config.mk b/redxen.eu/config.mk
index a661371..f7d94c2 100644
--- a/redxen.eu/config.mk
+++ b/redxen.eu/config.mk
@@ -27,12 +27,16 @@ redxen.eu/gameservers/minecraft/minecraft-rx/${BUILD_ID_OUT}: %/${BUILD_ID_OUT}
  redxen.eu/gameservers/minecraft/spigot/${BUILD_ID_OUT}
 
 # DNS
+redxen.eu/daemons/unbound/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+ %/unbound.conf \
+ redxen.eu/data/dns/${BUILD_ID_OUT}
 redxen.eu/daemons/nsd/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
  %/nsd.conf \
  redxen.eu/data/dns/${BUILD_ID_OUT}
 
 redxen.eu/data/dns/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
  %/redxen.eu \
+ %/internal \
  redxen.eu/data/dnssec/${BUILD_ID_OUT} \
  redxen.eu/data/opendkim/${BUILD_ID_OUT}
 
diff --git a/redxen.eu/daemons/unbound/Containerfile b/redxen.eu/daemons/unbound/Containerfile
new file mode 100644
index 0000000..fe61a1f
--- /dev/null
+++ b/redxen.eu/daemons/unbound/Containerfile
@@ -0,0 +1,17 @@
+FROM alpine:latest
+
+RUN --network=host apk add \
+ ca-certificates-bundle \
+ dns-root-hints \
+ dnssec-root \
+ unbound
+
+WORKDIR /etc/redxen/unbound/
+
+ADD unbound.conf unbound.conf
+COPY --from=redxen.eu/data/dns:latest /dns-zones/redxen.eu /etc/redxen/bindzone/redxen.eu
+COPY --from=redxen.eu/data/dns:latest /dns-zones/internal /etc/redxen/bindzone/internal
+
+RUN unbound-checkconf unbound.conf
+
+CMD ["unbound", "-d", "-p", "-c", "unbound.conf"]
diff --git a/redxen.eu/daemons/unbound/unbound.conf b/redxen.eu/daemons/unbound/unbound.conf
new file mode 100644
index 0000000..b084687
--- /dev/null
+++ b/redxen.eu/daemons/unbound/unbound.conf
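Review bot: The image is neither reproducible nor auditable as written: `FROM alpine:latest` and both `COPY --from=redxen.eu/data/dns:latest` lines float to whatever `latest` is at build time, so a rebuild can silently pick up a different unbound, root-hints or trust-anchor package without any change in this repository; pin the base by version and digest (`FROM alpine:<version>@sha256:<digest>`, placeholder values) and consider tagging the data image with the build id the Makefile already tracks instead of `latest`. `apk add` without `--no-cache` leaves the package index in the layer; `RUN --network=host apk add --no-cache \` keeps the image smaller and avoids carrying stale index state. `RUN unbound-checkconf unbound.conf` validates the configuration file only; as far as I can tell it does not parse the two auth-zone zonefiles, so a broken zonefile surfaces when the container starts rather than at build time — the named-checkzone step in the data image is what covers that, which is worth a comment above the check so nobody removes it.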
@@ -0,0 +1,53 @@
+server:
+ root-hints: /usr/share/dns-root-hints/named.root
+ trust-anchor-file: /usr/share/dnssec-root/trusted-key.key
+ tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+
+ logfile: ""
+ log-replies: yes
+
+ interface: 0.0.0.0
+ interface: ::0
+ port: 53
+
+ minimal-responses: no
+ extended-statistics: yes
+ rrset-roundrobin: yes
+ cache-min-ttl: 60
+ prefetch: yes
+ prefetch-key: yes
+ harden-glue: yes
+ aggressive-nsec: yes
+ serve-expired: yes
+ serve-expired-ttl: 86400
+ serve-expired-ttl-reset: yes
+
+ access-control: 0.0.0.0/0 refuse_non_local
+ access-control: ::/0 refuse_non_local
+
+ access-control: 127.0.0.0/8 allow
+ access-control: ::1/128 allow
+
+ access-control: 172.22.12.1/24 allow
+ access-control: fd42:42:42::2:1/120 allow
+
+ access-control: 172.24.0.1/24 allow
+
+remote-control:
+ control-enable: yes
+ control-use-cert: no
+ control-interface: ::1
+
+auth-zone:
+ name: redxen.eu
+ fallback-enabled: no
+ for-downstream: yes
+ for-upstream: yes
+ zonefile: "/etc/redxen/bindzone/redxen.eu"
+
+auth-zone:
+ name: internal
+ fallback-enabled: no
+ for-downstream: yes
+ for-upstream: yes
+ zonefile: "/etc/redxen/bindzone/internal"
diff --git a/redxen.eu/data/dns/Containerfile b/redxen.eu/data/dns/Containerfile
index e097a8d..7e2c625 100644
--- a/redxen.eu/data/dns/Containerfile
+++ b/redxen.eu/data/dns/Containerfile
@@ -6,7 +6,13 @@ RUN --network=host apk add \
 
 RUN mkdir -p /tmp/zones
 ADD redxen.eu /tmp/zones/redxen.eu
-RUN sed -i 's/CURRENTSOA/'"$(date +'%Y%m%d'01)"'/' /tmp/zones/redxen.eu
+ADD internal /tmp/zones/internal
+RUN for x in redxen.eu internal; do sed -i 's/CURRENTSOA/'"$(date +'%Y%m%d'01)"'/' /tmp/zones/"$x"; done
+
+# Verify zone after signing
+RUN named-checkzone -i local internal /tmp/zones/internal
+
+# DNSSEC zones need more processing
 
 # Add keys to zone
 RUN \
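Review bot: With `interface: 0.0.0.0` / `interface: ::0` and the catch-all `access-control: 0.0.0.0/0 refuse_non_local`, the `internal` auth-zone declared with `for-downstream: yes` is, as I read refuse_non_local, still answered for every client that can reach port 53, so the host inventory and service map in that zone (the 10.10.0.x machines, exporter ports, routinginfo names) are disclosed well beyond the networks the `allow` entries describe; if this resolver is only meant for those ranges, bind `interface:` to their addresses rather than the wildcard, or leave public authoritative service to nsd and keep `internal` off any public-facing listener. The netblocks `172.22.12.1/24`, `fd42:42:42::2:1/120` and `172.24.0.1/24` have host bits set; unbound masks them to the network (and may warn), but writing them as `access-control: 172.22.12.0/24 allow`, `access-control: fd42:42:42::2:0/120 allow` and `access-control: 172.24.0.0/24 allow` says what is meant. `control-use-cert: no` is tolerable only because `control-interface: ::1` is loopback, which means anything sharing the container's network namespace can reconfigure the daemon without credentials — a comment stating that trust assumption next to the `remote-control:` block would help. `log-replies: yes` records every client query and answer; if that is intended for debugging only, note it, since it is also a record of internal lookups.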
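Review bot: The comment `# Verify zone after signing` placed above the new `named-checkzone -i local internal` line is copied from the DNSSEC path and is wrong here — `internal` is never signed, as the hunk's own next comment (`# DNSSEC zones need more processing`) implies; `# Verify the unsigned internal zone` would be accurate. The new loop stamps both zones with `$(date +'%Y%m%d'01)`, so two builds on the same day yield the same SOA serial for a zone even when its contents changed, and any secondary that transfers the zone will not pick up the update; a serial derived from the build id, or at least `%Y%m%d%H`, would make each build distinct. This was already true for redxen.eu before the change, but the loop now doubles its scope, so it is worth a comment or a fix here.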
@@ -29,7 +35,7 @@ RUN \
  /tmp/zones/redxen.eu
 
 # Verify zone after signing
-RUN named-checkzone redxen.eu /tmp/zones/redxen.eu
+RUN named-checkzone -i local redxen.eu /tmp/zones/redxen.eu
 
 # Copy back only signed zone
 FROM scratch
diff --git a/redxen.eu/data/dns/internal b/redxen.eu/data/dns/internal
new file mode 100644
index 0000000..afba0e4
--- /dev/null
+++ b/redxen.eu/data/dns/internal
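Review bot: The new `internal` zone is only staged under `/tmp/zones` in the builder stage; the `FROM scratch` stage that begins at the end of this hunk is not touched by the diff, and its comment `# Copy back only signed zone` suggests it copies only `/tmp/zones/redxen.eu`, while the new unbound Containerfile expects `/dns-zones/internal` in this image — if the final stage does not also copy `/tmp/zones/internal` to `/dns-zones/internal`, that `COPY --from` fails at build time; the final-stage COPY lines are outside the hunk, so I cannot confirm either way. Switching `named-checkzone` to `-i local` also drops the out-of-zone MX/SRV/NS target checks that the default `full` mode performs (presumably to avoid network lookups during the build); a comment such as `# -i local: no network at build time, only in-zone targets are checked` would keep the next reader from restoring `full` or assuming the out-of-zone targets were validated. The `RUN \` command this hunk continues begins outside the hunk.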
@@ -0,0 +1,81 @@
+;
+; .internal zonefile for internal RedXen usage
+;
+
+$TTL 120
+
+@ 86400 IN SOA 12180625.nbg1-dc3.hetzner admin.redxen.eu. CURRENTSOA ( 86400
+ 7200
+ 3600000
+ 3600 )
+
+; NS records
+@ 86400 NS @
+
+@ 86400 A 127.0.0.1
+ 86400 AAAA ::1
+
+; Machines
+12180623.nbg1-dc3.hetzner 86400 A 10.10.0.2
+12180621.nbg1-dc3.hetzner 86400 A 10.10.0.3
+12180625.nbg1-dc3.hetzner 86400 A 10.10.0.4
+12180710.fsn1-dc14.hetzner 86400 A 10.10.0.5
+12180711.fsn1-dc14.hetzner 86400 A 10.10.0.6
+
+; Services
+node_exporters.prometheus.routinginfo SRV 0 5 7580 12180623.nbg1-dc3.hetzner
+ SRV 0 5 7580 12180621.nbg1-dc3.hetzner
+ SRV 0 5 7580 12180625.nbg1-dc3.hetzner
+ SRV 0 5 7580 12180710.fsn1-dc14.hetzner
+ SRV 0 5 7580 12180711.fsn1-dc14.hetzner
+ SRV 0 5 9100 a89b55b4-e8ba-448a-873c-47278bbc7db1.vultr.redxen.eu.
+ SRV 0 5 9100 izmaylovo.russia.redxen.eu.
+ SRV 0 5 9100 lakewood.united-states.redxen.eu.
+ SRV 0 5 9100 tarui.japan.redxen.eu.
+ SRV 0 5 9100 thetford-mines.canada.redxen.eu.
+ SRV 0 5 9100 magong.taiwan.redxen.eu.
+ SRV 0 5 9100 dongguan.china.redxen.eu.
+ SRV 0 5 9100 san-jorge.argentina.redxen.eu.
+bird_exporters.prometheus.routinginfo SRV 0 5 9324 a89b55b4-e8ba-448a-873c-47278bbc7db1.vultr.redxen.eu.
+smartctl_exporters.prometheus.routinginfo SRV 0 5 9633 izmaylovo.russia.redxen.eu.
+ SRV 0 5 9633 tarui.japan.redxen.eu.
+libvirt.prometheus.routinginfo SRV 0 5 9177 tarui.japan.redxen.eu.
+ SRV 0 5 9177 izmaylovo.russia.redxen.eu.
+ipmi.prometheus.routinginfo SRV 0 5 9290 tarui.japan.redxen.eu.
+ SRV 0 5 9290 izmaylovo.russia.redxen.eu.
+unbound.prometheus.routinginfo SRV 0 5 7583 12180623.nbg1-dc3.hetzner
+ SRV 0 5 7583 12180621.nbg1-dc3.hetzner
+ SRV 0 5 7583 12180625.nbg1-dc3.hetzner
+ SRV 0 5 7583 12180710.fsn1-dc14.hetzner
+ SRV 0 5 7583 12180711.fsn1-dc14.hetzner
+frontends.prometheus.routinginfo SRV 0 5 7581 12180621.nbg1-dc3.hetzner
+ SRV 0 5 7581 12180711.fsn1-dc14.hetzner
+postgresql.prometheus.routinginfo SRV 0 5 7582 12180625.nbg1-dc3.hetzner
+ceph.prometheus.routinginfo SRV 0 5 9283 tarui.japan.redxen.eu.
+ SRV 0 5 9283 izmaylovo.russia.redxen.eu.
+telegraf.prometheus.routinginfo SRV 0 5 7584 12180623.nbg1-dc3.hetzner
+ SRV 0 5 7584 12180621.nbg1-dc3.hetzner
+ SRV 0 5 7584 12180625.nbg1-dc3.hetzner
+ SRV 0 5 7584 12180710.fsn1-dc14.hetzner
+ SRV 0 5 7584 12180711.fsn1-dc14.hetzner
+_grafana._tcp.routinginfo SRV 0 5 7577 12180621.nbg1-dc3.hetzner
+ SRV 0 5 7577 12180710.fsn1-dc14.hetzner
+_gitea._tcp.routinginfo SRV 0 5 7570 12180711.fsn1-dc14.hetzner
+_gitssh._tcp.routinginfo SRV 0 5 7571 12180711.fsn1-dc14.hetzner
+_transmission._tcp.routinginfo SRV 0 5 7572 12180710.fsn1-dc14.hetzner
+_root._tcp.routinginfo SRV 0 5 7575 12180710.fsn1-dc14.hetzner
+_packages._tcp.routinginfo SRV 0 5 7574 12180710.fsn1-dc14.hetzner
+_seedown._tcp.routinginfo SRV 0 5 7576 12180710.fsn1-dc14.hetzner
+_radicale._tcp.routinginfo SRV 0 5 7578 12180710.fsn1-dc14.hetzner
+_wssproxy._tcp.routinginfo SRV 0 5 7591 12180621.nbg1-dc3.hetzner
+
+postgresql.routinginfo CNAME 12180625.nbg1-dc3.hetzner
+redis.routinginfo CNAME 12180625.nbg1-dc3.hetzner
+loki.routinginfo CNAME 12180625.nbg1-dc3.hetzner
+prometheus.routinginfo CNAME 12180625.nbg1-dc3.hetzner
+influxdb.routinginfo CNAME 12180625.nbg1-dc3.hetzner
+rspamd.routinginfo CNAME 12180623.nbg1-dc3.hetzner
+opendkim.routinginfo CNAME 12180623.nbg1-dc3.hetzner
+dovecot.routinginfo CNAME 12180623.nbg1-dc3.hetzner
+postfix.routinginfo CNAME 12180623.nbg1-dc3.hetzner
+murmur.routinginfo CNAME 12180623.nbg1-dc3.hetzner
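Review bot: The zone's only NS is `@`, whose address records are `127.0.0.1` / `::1`, so the zone cannot be delegated or transferred and only works where a resolver loads it locally as an auth-zone; the header comment should say so, e.g. `; Loaded directly by unbound as an auth-zone; the apex NS/A/AAAA are loopback placeholders, not a delegation.` Names without a trailing dot — the SOA MNAME `12180625.nbg1-dc3.hetzner` and the hetzner SRV targets — are qualified to `.internal` and do match the A records in the Machines block, while the `redxen.eu.` targets are out of zone and will not be checked by `named-checkzone -i local`; a one-line header comment stating that convention would make a mistyped target easier to catch in review. Most records pin a TTL of 86400 while the SRV and CNAME records inherit `$TTL 120`; if the short TTL on service-discovery records is deliberate, a comment on the `$TTL` line would make that clear.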