updates

cbc02009 · Mar 26, 2024 · e2ea2e5 · e2ea2e5
1 parent e9461b3
commit e2ea2e5
Show file tree

Hide file tree

Showing 11 changed files with 147 additions and 65 deletions.
diff --git a/config-parts/container.sh b/config-parts/container.sh
@@ -32,6 +32,17 @@ set container name bind volume cache source '/tmp/bind/cache'
 set container name bind volume cache destination '/var/cache/bind'
 set container name bind volume cache mode 'rw'
 
+# blocky
+set container name blocky image 'ghcr.io/0xerr0r/blocky:v0.23'
+set container name blocky memory '0'
+set container name blocky network containers address '10.5.0.7'
+set container name blocky shared-memory '0'
+set container name blocky restart 'on-failure'
+set container name blocky environment TZ value ${TZ}
+set container name blocky volume config source '/config/containers/blocky/config/config.yml'
+set container name blocky volume config destination '/app/config.yml'
+set container name blocky volume config mode 'ro'
+
 # dnsdist
 set container name dnsdist cap-add 'net-bind-service'
 set container name dnsdist environment TZ value ${TZ}
@@ -55,6 +66,14 @@ set container name haproxy-k8s-api volume config destination '/usr/local/etc/hap
 set container name haproxy-k8s-api volume config source '/config/containers/haproxy/config/haproxy.cfg'
 set container name haproxy-k8s-api volume config mode 'ro'
 
+# Iperf3
+set container name iperf3 image 'docker.io/tangentsoft/iperf3:v3.16'
+set container name iperf3 allow-host-networks
+set container name iperf3 memory '0'
+set container name iperf3 restart 'on-failure'
+set container name iperf3 shared-memory '0'
+set container name iperf3 environment TZ value ${TZ}
+
 # node-exporter
 set container name node-exporter environment procfs value '/host/proc'
 set container name node-exporter environment rootfs value '/host/rootfs'
@@ -112,37 +131,14 @@ set container name lego-auto volume datadir source '/config/secrets/certs/_.koko
 set container name lego-auto volume datadir destination '/config'
 set container name lego-auto volume datadir mode 'rw'
 
-# pihole/unbound
-set container name pihole image 'ghcr.io/szinn/pihole-unbound:2024.02.1'
-set container name pihole memory '0'
-set container name pihole network containers address '10.5.0.7'
-set container name pihole shared-memory '0'
-set container name pihole restart 'on-failure'
-set container name pihole environment TZ value ${TZ}
-set container name pihole environment HOSTNAME value 'pihole'
-set container name pihole environment PIHOLE_DOMAIN value 'kokoro.wtf'
-set container name pihole environment WEBPASSWORD value "${SECRET_PIHOLE_WEBPASSWORD}"
-set container name pihole environment WEBTHEME value 'default-auto'
-set container name pihole environment DNSSEC value 'true'
-set container name pihole environment DNS_BOGUS_PRIV value 'true'
-set container name pihole environment DNS_FQDN_REQUIRED value 'true'
-set container name pihole environment DNSMASQ_LISTENING value 'single'
-set container name pihole environment FTLCONF_LOCAL_IPV4 value '10.5.0.7'
-set container name pihole environment FTLCONF_BLOCK_ICLOUD_PR value 'false'
-set container name pihole environment REV_SERVER value 'true'
-set container name pihole environment REV_SERVER_DOMAIN value 'ctec.run'
-set container name pihole environment REV_SERVER_TARGET value '10.5.0.3'
-set container name pihole environment REV_SERVER_CIDR value '10.0.0.0/8'
-set container name pihole environment PIHOLE_DNS_ value '127.0.0.1#5335'
-set container name pihole volume pihole source '/config/containers/pihole/pihole'
-set container name pihole volume pihole destination '/etc/pihole'
-set container name pihole volume pihole mode 'rw'
-set container name pihole volume dnsmasq source '/config/containers/pihole/dnsmasq'
-set container name pihole volume dnsmasq destination '/etc/dnsmasq.d'
-set container name pihole volume dnsmasq mode 'rw'
-set container name pihole volume pihole-ssl source '/config/containers/pihole/10-pihole-ssl.conf'
-set container name pihole volume pihole-ssl destination '/etc/lighttpd/conf-enabled/10-pihole-ssl.conf'
-set container name pihole volume pihole-ssl mode 'rw'
-set container name pihole volume certificate-pem source '/config/secrets/certs/_.kokoro.wtf/combined.pem'
-set container name pihole volume certificate-pem destination '/etc/lighttpd/certs/pihole.pem'
-set container name pihole volume certificate-pem mode 'ro'
+# matchbox
+set container name matchbox arguments '-address=0.0.0.0:80 -log-level=debug'
+set container name matchbox cap-add 'net-bind-service'
+set container name matchbox image 'quay.io/poseidon/matchbox:v0.10.0'
+set container name matchbox memory '0'
+set container name matchbox network containers address '10.5.0.8'
+set container name matchbox shared-memory '0'
+set container name matchbox volume matchbox-data destination '/var/lib/matchbox'
+set container name matchbox volume matchbox-data mode 'rw'
+set container name matchbox volume matchbox-data propagation 'private'
+set container name matchbox volume matchbox-data source '/config/containers/matchbox/data'
diff --git a/config-parts/firewall-name.sh b/config-parts/firewall-name.sh
@@ -269,6 +269,10 @@ set firewall ipv4 name lan-local rule 60 action 'accept'
 set firewall ipv4 name lan-local rule 60 description 'Rule: accept_ntp'
 set firewall ipv4 name lan-local rule 60 destination port 'ntp'
 set firewall ipv4 name lan-local rule 60 protocol 'udp'
+set firewall ipv4 name lan-local rule 500 action 'accept'
+set firewall ipv4 name lan-local rule 500 description 'allow iperf3'
+set firewall ipv4 name lan-local rule 500 protocol 'tcp'
+set firewall ipv4 name lan-local rule 500 destination port '5021'
 set firewall ipv4 name lan-local rule 999 action 'drop'
 set firewall ipv4 name lan-local rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name lan-local rule 999 state invalid
@@ -289,6 +293,10 @@ set firewall ipv4 name lan-servers rule 200 description 'allow unifi device disc
 set firewall ipv4 name lan-servers rule 200 destination port '8080'
 set firewall ipv4 name lan-servers rule 200 action 'accept'
 set firewall ipv4 name lan-servers rule 200 protocol 'tcp'
+set firewall ipv4 name lan-servers rule 300 description 'allow unifi device discovery'
+set firewall ipv4 name lan-servers rule 300 destination port '3478'
+set firewall ipv4 name lan-servers rule 300 action 'accept'
+set firewall ipv4 name lan-servers rule 300 protocol 'udp'
 set firewall ipv4 name lan-servers rule 999 action 'drop'
 set firewall ipv4 name lan-servers rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name lan-servers rule 999 state invalid
@@ -501,6 +509,10 @@ set firewall ipv4 name servers-local rule 110 description 'Rule: accept_speedtes
 set firewall ipv4 name servers-local rule 110 destination port '9798'
 set firewall ipv4 name servers-local rule 110 protocol 'tcp'
 set firewall ipv4 name servers-local rule 110 source group address-group 'k8s_nodes'
+set firewall ipv4 name servers-local rule 500 action 'accept'
+set firewall ipv4 name servers-local rule 500 description 'allow iperf3'
+set firewall ipv4 name servers-local rule 500 protocol 'tcp'
+set firewall ipv4 name servers-local rule 500 destination port '5021'
 set firewall ipv4 name servers-local rule 999 action 'drop'
 set firewall ipv4 name servers-local rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name servers-local rule 999 state invalid
@@ -607,6 +619,10 @@ set firewall ipv4 name trusted-local rule 420 action 'accept'
 set firewall ipv4 name trusted-local rule 420 description 'Rule: accept_wireguard'
 set firewall ipv4 name trusted-local rule 420 destination port '51820'
 set firewall ipv4 name trusted-local rule 420 protocol 'udp'
+set firewall ipv4 name trusted-local rule 500 action 'accept'
+set firewall ipv4 name trusted-local rule 500 description 'allow iperf3'
+set firewall ipv4 name trusted-local rule 500 protocol 'tcp'
+set firewall ipv4 name trusted-local rule 500 destination port '5021'
 set firewall ipv4 name trusted-local rule 999 action 'drop'
 set firewall ipv4 name trusted-local rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name trusted-local rule 999 state invalid

diff --git a/config-parts/protocols.sh b/config-parts/protocols.sh
@@ -1,6 +1,9 @@
 #!/bin/vbash
 
 # BGP configuration
+set protocols bgp neighbor 10.0.2.4 address-family ipv4-unicast
+set protocols bgp neighbor 10.0.2.4 description 'shana'
+set protocols bgp neighbor 10.0.2.4 remote-as '64512'
 set protocols bgp neighbor 10.0.2.10 address-family ipv4-unicast
 set protocols bgp neighbor 10.0.2.10 description 'uiharu'
 set protocols bgp neighbor 10.0.2.10 remote-as '64512'

diff --git a/config-parts/service-dhcp_server.sh b/config-parts/service-dhcp_server.sh
@@ -1,5 +1,7 @@
 #!/bin/vbash
 
+# Global options
+set service dhcp-server global-parameters 'option system-arch code 93 = unsigned integer 16;'
 set service dhcp-server dynamic-dns-update
 set service dhcp-server global-parameters "key ddnsupdate { algorithm hmac-md5; secret ${SECRET_DHCP_DDNS_UPDATE}; };"
 set service dhcp-server global-parameters "zone ctec.run. { primary 10.5.0.3; key ddnsupdate; }"
@@ -74,10 +76,10 @@ set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mappin
 set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping u6-lite-2 mac-address '60:22:32:40:D6:8C'
 set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping USP-PDU-Pro ip-address '10.0.0.43'
 set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping USP-PDU-Pro mac-address 'E4:38:83:1C:90:2D'
-set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping pikvm-1 ip-address '10.0.0.50'
-set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping pikvm-1 mac-address 'dc:a6:32:c8:36:33'
-set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping pikvm-2 ip-address '10.0.0.51'
-set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping pikvm-2 mac-address 'e4:5f:01:41:3f:b6'
+set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping pikvm ip-address '10.0.0.50'
+set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping pikvm mac-address 'dc:a6:32:7c:e6:e5'
+set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping media-switch ip-address '10.0.0.9'
+set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping media-switch mac-address '8C:3B:AD:30:24:23'
 
 # Servers VLAN
 set service dhcp-server shared-network-name SERVERS authoritative
@@ -89,17 +91,22 @@ set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 name-serv
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 range 0 start '10.0.2.200'
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 range 0 stop '10.0.2.254'
 
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Ram ip-address '10.0.2.14'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Ram mac-address '68:1D:EF:2D:E3:47'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Rem ip-address '10.0.2.13'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Rem mac-address '68:1D:EF:2D:79:3F'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters 'allow bootp;'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters 'allow booting;'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters 'next-server 10.0.2.1;'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters 'if exists user-class and option user-class = &quot;iPXE&quot; {'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters 'filename &quot;http://10.5.0.8/boot.ipxe&quot;;'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters '} else {'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters 'filename &quot;ipxe.efi&quot;;'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters '}'
+
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Sakura ip-address '10.0.2.12'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Sakura mac-address 'E4:1D:2D:DD:7C:60'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Sakura mac-address '58:47:ca:71:c5:02'
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Uiharu ip-address '10.0.2.10'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Uiharu mac-address 'E4:1D:2D:12:4B:60'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Miri ip-address '10.0.2.15'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Uiharu mac-address '58:47:ca:73:bd:aa'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Miri ip-address '10.0.2.11'
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Miri mac-address '58:47:ca:71:c1:b2'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Anya ip-address '10.0.2.11'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Anya ip-address '10.0.2.13'
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Anya mac-address 'FC:3F:DB:0E:7A:79'
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Talos ip-address '10.0.2.93'
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Talos mac-address '00:16:3E:FB:30:AA'
@@ -119,7 +126,7 @@ set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 range 0 s
 set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping Shinobu ip-address '10.0.1.5'
 set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping Shinobu mac-address 'B4:2E:99:3E:A5:4F'
 set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping Yuzu ip-address '10.0.1.50'
-set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping Yuzu mac-address 'F4:7B:09:9B:DD:9A'
+set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping Yuzu mac-address '14:AC:60:29:76:1F'
 set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping claire-iphone ip-address '10.0.1.81'
 set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping claire-iphone mac-address '26:A7:03:FF:99:17'
 set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping Sulleta ip-address '10.0.1.64'

diff --git a/config-parts/service.sh b/config-parts/service.sh
@@ -12,3 +12,7 @@ set service ntp server time.cloudflare.com
 # SSH server
 set service ssh disable-password-authentication
 set service ssh port '22'
+
+# TFTP server
+set service tftp-server directory '/config/tftpboot'
+set service tftp-server listen-address 10.0.2.1
diff --git a/containers/.gitignore b/containers/.gitignore
@@ -5,10 +5,12 @@
 !.gitignore
 
 !/bind/
+!/blocky/
 !/coredns/
 !/dnsdist/
 !/flexo/
 !/haproxy/
+!/matchbox/
 !/pihole/
 !/powerdns/
 !/smtp-relay/

diff --git a/containers/bind/config/zones/db.ctec.run b/containers/bind/config/zones/db.ctec.run
@@ -29,11 +29,9 @@ petra                      IN  A 10.0.1.121
 nut-server                 IN  A  10.0.2.3
 shana                      IN  A  10.0.2.4
 uiharu                     IN  A  10.0.2.10
-anya                       IN  A  10.0.2.11
+anya                       IN  A  10.0.2.13
 sakura                     IN  A  10.0.2.12
-rem                        IN  A  10.0.2.13
-ram                        IN  A  10.0.2.14
-miri                       IN  A  10.0.2.15
+miri                       IN  A  10.0.2.11
 
 ; IOT
 prusa                      IN  A  10.0.3.110
@@ -45,7 +43,7 @@ printer                    IN  A  10.0.3.51
 talos                      IN  A  10.0.2.93
 
 ; Containers
-cluster                    IN  A  10.5.0.2
+main                       IN  A  10.5.0.2
 
 ; CNAME records
 nas                        IN  CNAME  shana.ctec.run.

diff --git a/containers/blocky/config/config.yml b/containers/blocky/config/config.yml
@@ -0,0 +1,49 @@
+ports:
+  dns: 53
+  http: 4000
+
+upstreams:
+  groups:
+    # these external DNS resolvers will be used. Blocky picks 2 random resolvers from the list for each query
+    default:
+      # Cloudflare
+      - tcp-tls:1.1.1.1:853
+      - tcp-tls:1.0.0.1:853
+
+# configuration of client name resolution
+clientLookup:
+  upstream: 10.5.0.3
+
+ecs:
+  useAsClient: true
+
+prometheus:
+  enable: true
+  path: /metrics
+
+blocking:
+  loading:
+    downloads:
+      timeout: 4m
+
+  blackLists:
+    ads:
+      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
+    fakenews:
+      - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-only/hosts
+    gambling:
+      - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-only/hosts
+
+  whiteLists:
+    ads:
+      - |
+        rabobank.nl
+
+  clientGroupsBlock:
+    default:
+      - ads
+      - fakenews
+      - gambling
+    manyie*:
+      - fakenews
+      - gambling
diff --git a/containers/dnsdist/config/dnsdist.conf b/containers/dnsdist/config/dnsdist.conf
@@ -1,17 +1,20 @@
 -- udp/tcp dns listening
 setLocal("0.0.0.0:53", {})
 
+-- disable security status polling via DNS
+setSecurityPollSuffix("")
+
 -- Local Bind
 newServer({
   address = "10.5.0.3",
   pool = "bind",
   checkName = "gateway.ctec.run"
 })
 
--- Local PiHole
+-- Local Blocky
 newServer({
   address = "10.5.0.7",
-  pool = "pihole",
+  pool = "blocky",
   healthCheckMode = "lazy",
   checkInterval = 1800,
   maxCheckFailures = 3,
@@ -23,7 +26,7 @@ newServer({
   lazyHealthCheckMode = 'TimeoutOnly',
   useClientSubnet = true
 })
--- PiHole will be given requester IP
+-- Blocky will be given requester IP
 setECSSourcePrefixV4(32)
 
 -- CloudFlare DNS over TLS
@@ -64,13 +67,15 @@ getPool(""):setCache(pc)
 addAction("192.168.2.0/24", PoolAction("cloudflare"))     -- guest vlan
 addAction("192.168.2.0/24", DropAction())                 -- stop processing
 
+addAction("zip", DropAction())                            -- stop processing
+
 addAction('unifi', PoolAction('bind'))
 addAction('kokoro.wtf', PoolAction('bind'))
 addAction('ctec.run', PoolAction('bind'))
 addAction('0.10.in-addr.arpa', PoolAction('bind'))
 
 addAction("10.0.0.0/24", PoolAction("cloudflare"))  -- lan
-addAction("10.0.1.0/24", PoolAction("pihole"))  -- trusted vlan
-addAction("10.0.2.0/24", PoolAction("pihole"))  -- servers vlan
-addAction("10.0.3.0/24", PoolAction("pihole"))  -- iot vlan
-addAction("10.0.11.0/24", PoolAction("pihole")) -- wg_trusted vlan
+addAction("10.0.1.0/24", PoolAction("blocky"))  -- trusted vlan
+addAction("10.0.2.0/24", PoolAction("blocky"))  -- servers vlan
+addAction("10.0.3.0/24", PoolAction("blocky"))  -- iot vlan
+addAction("10.0.11.0/24", PoolAction("blocky")) -- wg_trusted vlan
diff --git a/containers/haproxy/config/haproxy.cfg b/containers/haproxy/config/haproxy.cfg
@@ -51,20 +51,16 @@ backend k8s_controlplane
     mode tcp
     option ssl-hello-chk
     balance     roundrobin
-        server anya 10.0.2.11:6443 check
         server sakura 10.0.2.12:6443 check
         server uiharu 10.0.2.10:6443 check
-        server miri 10.0.2.15:6443 check
+        server miri 10.0.2.11:6443 check
 
 backend talos_controlplane
     option httpchk GET /healthz
     http-check expect status 200
     mode tcp
     option ssl-hello-chk
     balance     roundrobin
-        server anya 10.0.2.11:50000 check
-        server miri 10.0.2.15:50000 check
+        server miri 10.0.2.11:50000 check
         server sakura 10.0.2.12:50000 check
         server uiharu 10.0.2.10:50000 check
-        server rem 10.0.2.13:50000 check
-        server ram 10.0.2.14:50000 check
diff --git a/containers/matchbox/data/.gitignore b/containers/matchbox/data/.gitignore
@@ -0,0 +1,6 @@
+# Ignore everything
+/*
+
+# Track certain files and directories
+!.gitignore
+