diff --git a/config-parts/container.sh b/config-parts/container.sh
index f2c1b86..8011444 100755
--- a/config-parts/container.sh
+++ b/config-parts/container.sh
@@ -32,6 +32,17 @@ set container name bind volume cache source '/tmp/bind/cache'
 set container name bind volume cache destination '/var/cache/bind'
 set container name bind volume cache mode 'rw'
+# blocky
+set container name blocky image 'ghcr.io/0xerr0r/blocky:v0.23'
+set container name blocky memory '0'
+set container name blocky network containers address '10.5.0.7'
+set container name blocky shared-memory '0'
+set container name blocky restart 'on-failure'
+set container name blocky environment TZ value ${TZ}
+set container name blocky volume config source '/config/containers/blocky/config/config.yml'
+set container name blocky volume config destination '/app/config.yml'
+set container name blocky volume config mode 'ro'
+
 # dnsdist
 set container name dnsdist cap-add 'net-bind-service'
 set container name dnsdist environment TZ value ${TZ}
@@ -55,6 +66,14 @@ set container name haproxy-k8s-api volume config destination '/usr/local/etc/hap
 set container name haproxy-k8s-api volume config source '/config/containers/haproxy/config/haproxy.cfg'
 set container name haproxy-k8s-api volume config mode 'ro'
+# Iperf3
+set container name iperf3 image 'docker.io/tangentsoft/iperf3:v3.16'
+set container name iperf3 allow-host-networks
+set container name iperf3 memory '0'
+set container name iperf3 restart 'on-failure'
+set container name iperf3 shared-memory '0'
+set container name iperf3 environment TZ value ${TZ}
+
 # node-exporter
 set container name node-exporter environment procfs value '/host/proc'
 set container name node-exporter environment rootfs value '/host/rootfs'
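Review bot: The iperf3 container added at `set container name iperf3 allow-host-networks` has no `arguments` line, so it listens on whatever port the image defaults to (iperf3's own default is 5201), while the matching rules in firewall-name.sh — lan-local, servers-local and trusted-local rule 500 — all open `destination port '5021'`. Unless the image is built to listen on 5021, those rules never match and client connections fall through to each chain's default action; either pin the port here with `arguments` (something like `-s -p 5021`, if the image's entrypoint passes flags through) or change the three rules to '5201'. With host networking the server is also bound on every router interface, so the zone policies outside this diff are the only thing keeping it off the WAN side — worth confirming. This note covers the same port value in all three firewall hunks.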
@@ -112,37 +131,14 @@ set container name lego-auto volume datadir source '/config/secrets/certs/_.koko
 set container name lego-auto volume datadir destination '/config'
 set container name lego-auto volume datadir mode 'rw'
-# pihole/unbound
-set container name pihole image 'ghcr.io/szinn/pihole-unbound:2024.02.1'
-set container name pihole memory '0'
-set container name pihole network containers address '10.5.0.7'
-set container name pihole shared-memory '0'
-set container name pihole restart 'on-failure'
-set container name pihole environment TZ value ${TZ}
-set container name pihole environment HOSTNAME value 'pihole'
-set container name pihole environment PIHOLE_DOMAIN value 'kokoro.wtf'
-set container name pihole environment WEBPASSWORD value "${SECRET_PIHOLE_WEBPASSWORD}"
-set container name pihole environment WEBTHEME value 'default-auto'
-set container name pihole environment DNSSEC value 'true'
-set container name pihole environment DNS_BOGUS_PRIV value 'true'
-set container name pihole environment DNS_FQDN_REQUIRED value 'true'
-set container name pihole environment DNSMASQ_LISTENING value 'single'
-set container name pihole environment FTLCONF_LOCAL_IPV4 value '10.5.0.7'
-set container name pihole environment FTLCONF_BLOCK_ICLOUD_PR value 'false'
-set container name pihole environment REV_SERVER value 'true'
-set container name pihole environment REV_SERVER_DOMAIN value 'ctec.run'
-set container name pihole environment REV_SERVER_TARGET value '10.5.0.3'
-set container name pihole environment REV_SERVER_CIDR value '10.0.0.0/8'
-set container name pihole environment PIHOLE_DNS_ value '127.0.0.1#5335'
-set container name pihole volume pihole source '/config/containers/pihole/pihole'
-set container name pihole volume pihole destination '/etc/pihole'
-set container name pihole volume pihole mode 'rw'
-set container name pihole volume dnsmasq source '/config/containers/pihole/dnsmasq'
-set container name pihole volume dnsmasq destination '/etc/dnsmasq.d'
-set container name pihole volume dnsmasq mode 'rw'
-set container name pihole volume pihole-ssl source '/config/containers/pihole/10-pihole-ssl.conf'
-set container name pihole volume pihole-ssl destination '/etc/lighttpd/conf-enabled/10-pihole-ssl.conf'
-set container name pihole volume pihole-ssl mode 'rw'
-set container name pihole volume certificate-pem source '/config/secrets/certs/_.kokoro.wtf/combined.pem'
-set container name pihole volume certificate-pem destination '/etc/lighttpd/certs/pihole.pem'
-set container name pihole volume certificate-pem mode 'ro'
\ No newline at end of file
+# matchbox
+set container name matchbox arguments '-address=0.0.0.0:80 -log-level=debug'
+set container name matchbox cap-add 'net-bind-service'
+set container name matchbox image 'quay.io/poseidon/matchbox:v0.10.0'
+set container name matchbox memory '0'
+set container name matchbox network containers address '10.5.0.8'
+set container name matchbox shared-memory '0'
+set container name matchbox volume matchbox-data destination '/var/lib/matchbox'
+set container name matchbox volume matchbox-data mode 'rw'
+set container name matchbox volume matchbox-data propagation 'private'
+set container name matchbox volume matchbox-data source '/config/containers/matchbox/data'
\ No newline at end of file
diff --git a/config-parts/firewall-name.sh b/config-parts/firewall-name.sh
index 26a53c2..abedb0b 100755
--- a/config-parts/firewall-name.sh
+++ b/config-parts/firewall-name.sh
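Review bot: `set container name matchbox arguments '-address=0.0.0.0:80 -log-level=debug'` leaves debug logging on and serves the matchbox HTTP endpoint with no TLS and no client authentication, so every profile, group and asset under /config/containers/matchbox/data is readable by anything that can reach 10.5.0.8:80 — acceptable for boot scripts, but node credentials or machine configs carrying secrets should not live in that tree unless reachability is limited to the servers VLAN at the firewall. Switch to `-log-level=info` once PXE is working; the debug level is meant for troubleshooting, not steady state. On the removed side, the pihole block was the only visible consumer of `${SECRET_PIHOLE_WEBPASSWORD}`; if nothing else references it, drop it from the secrets source so a dead credential isn't kept around.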
@@ -269,6 +269,10 @@ set firewall ipv4 name lan-local rule 60 action 'accept'
 set firewall ipv4 name lan-local rule 60 description 'Rule: accept_ntp'
 set firewall ipv4 name lan-local rule 60 destination port 'ntp'
 set firewall ipv4 name lan-local rule 60 protocol 'udp'
+set firewall ipv4 name lan-local rule 500 action 'accept'
+set firewall ipv4 name lan-local rule 500 description 'allow iperf3'
+set firewall ipv4 name lan-local rule 500 protocol 'tcp'
+set firewall ipv4 name lan-local rule 500 destination port '5021'
 set firewall ipv4 name lan-local rule 999 action 'drop'
 set firewall ipv4 name lan-local rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name lan-local rule 999 state invalid
@@ -289,6 +293,10 @@ set firewall ipv4 name lan-servers rule 200 description 'allow unifi device disc
 set firewall ipv4 name lan-servers rule 200 destination port '8080'
 set firewall ipv4 name lan-servers rule 200 action 'accept'
 set firewall ipv4 name lan-servers rule 200 protocol 'tcp'
+set firewall ipv4 name lan-servers rule 300 description 'allow unifi device discovery'
+set firewall ipv4 name lan-servers rule 300 destination port '3478'
+set firewall ipv4 name lan-servers rule 300 action 'accept'
+set firewall ipv4 name lan-servers rule 300 protocol 'udp'
 set firewall ipv4 name lan-servers rule 999 action 'drop'
 set firewall ipv4 name lan-servers rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name lan-servers rule 999 state invalid
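Review bot: Rule 300's `description 'allow unifi device discovery'` is copied from rule 200, but the rule opens 3478/udp, which in UniFi's port list is the controller's STUN port; device discovery is a separate port. Suggest `set firewall ipv4 name lan-servers rule 300 description 'allow unifi stun'` so the next reader doesn't look for discovery traffic on 3478. If the other lan-servers rules scope the controller by a `destination address`, this one should too rather than opening 3478/udp to the whole servers VLAN — I can't see whether they do from this hunk.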
@@ -501,6 +509,10 @@ set firewall ipv4 name servers-local rule 110 description 'Rule: accept_speedtes
 set firewall ipv4 name servers-local rule 110 destination port '9798'
 set firewall ipv4 name servers-local rule 110 protocol 'tcp'
 set firewall ipv4 name servers-local rule 110 source group address-group 'k8s_nodes'
+set firewall ipv4 name servers-local rule 500 action 'accept'
+set firewall ipv4 name servers-local rule 500 description 'allow iperf3'
+set firewall ipv4 name servers-local rule 500 protocol 'tcp'
+set firewall ipv4 name servers-local rule 500 destination port '5021'
 set firewall ipv4 name servers-local rule 999 action 'drop'
 set firewall ipv4 name servers-local rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name servers-local rule 999 state invalid
@@ -607,6 +619,10 @@ set firewall ipv4 name trusted-local rule 420 action 'accept'
 set firewall ipv4 name trusted-local rule 420 description 'Rule: accept_wireguard'
 set firewall ipv4 name trusted-local rule 420 destination port '51820'
 set firewall ipv4 name trusted-local rule 420 protocol 'udp'
+set firewall ipv4 name trusted-local rule 500 action 'accept'
+set firewall ipv4 name trusted-local rule 500 description 'allow iperf3'
+set firewall ipv4 name trusted-local rule 500 protocol 'tcp'
+set firewall ipv4 name trusted-local rule 500 destination port '5021'
 set firewall ipv4 name trusted-local rule 999 action 'drop'
 set firewall ipv4 name trusted-local rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name trusted-local rule 999 state invalid
diff --git a/config-parts/protocols.sh b/config-parts/protocols.sh
index d6c25db..e0108b8 100755
--- a/config-parts/protocols.sh
+++ b/config-parts/protocols.sh
@@ -1,6 +1,9 @@
 #!/bin/vbash
 # BGP configuration
+set protocols bgp neighbor 10.0.2.4 address-family ipv4-unicast
+set protocols bgp neighbor 10.0.2.4 description 'shana'
+set protocols bgp neighbor 10.0.2.4 remote-as '64512'
 set protocols bgp neighbor 10.0.2.10 address-family ipv4-unicast
 set protocols bgp neighbor 10.0.2.10 description 'uiharu'
 set protocols bgp neighbor 10.0.2.10 remote-as '64512'
diff --git a/config-parts/service-dhcp_server.sh b/config-parts/service-dhcp_server.sh
index d2b101e..8aa4ad8 100755
--- a/config-parts/service-dhcp_server.sh
+++ b/config-parts/service-dhcp_server.sh
@@ -1,5 +1,7 @@
 #!/bin/vbash
+# Global options
+set service dhcp-server global-parameters 'option system-arch code 93 = unsigned integer 16;'
 set service dhcp-server dynamic-dns-update
 set service dhcp-server global-parameters "key ddnsupdate { algorithm hmac-md5; secret ${SECRET_DHCP_DDNS_UPDATE}; };"
 set service dhcp-server global-parameters "zone ctec.run. { primary 10.5.0.3; key ddnsupdate; }"
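Review bot: The new neighbor `set protocols bgp neighbor 10.0.2.4 ...` is configured exactly like 10.0.2.10 — same remote-as '64512', no `password`, and no inbound filter visible in the hunk — so whatever shana announces is accepted as-is. If an import prefix-list or route-map is applied further down the address-family block that is fine; otherwise a peer on the servers VLAN can pull traffic toward itself by announcing a more specific prefix, and a shared `password` on both sessions would stop a spoofed peer from forming a session at all. The BGP block continues outside the hunk, so this may already be covered.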
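Review bot: `set service dhcp-server global-parameters 'option system-arch code 93 = unsigned integer 16;'` declares the client-architecture option, but nothing in this diff reads it: the SERVERS subnet branch later in the same file tests only `user-class` and hands `ipxe.efi` to every non-iPXE client. Either the declaration is dead and can go, or the subnet-parameters should branch on `option system-arch` so BIOS clients get a BIOS iPXE binary instead of the EFI one — I can't tell which is intended from here. A one-line comment above the declaration naming the subnet that consumes it would settle it either way.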
@@ -74,10 +76,10 @@ set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mappin
 set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping u6-lite-2 mac-address '60:22:32:40:D6:8C'
 set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping USP-PDU-Pro ip-address '10.0.0.43'
 set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping USP-PDU-Pro mac-address 'E4:38:83:1C:90:2D'
-set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping pikvm-1 ip-address '10.0.0.50'
-set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping pikvm-1 mac-address 'dc:a6:32:c8:36:33'
-set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping pikvm-2 ip-address '10.0.0.51'
-set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping pikvm-2 mac-address 'e4:5f:01:41:3f:b6'
+set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping pikvm ip-address '10.0.0.50'
+set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping pikvm mac-address 'dc:a6:32:7c:e6:e5'
+set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping media-switch ip-address '10.0.0.9'
+set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 static-mapping media-switch mac-address '8C:3B:AD:30:24:23'
 # Servers VLAN
 set service dhcp-server shared-network-name SERVERS authoritative
@@ -89,17 +91,22 @@ set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 name-serv
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 range 0 start '10.0.2.200'
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 range 0 stop '10.0.2.254'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Ram ip-address '10.0.2.14'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Ram mac-address '68:1D:EF:2D:E3:47'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Rem ip-address '10.0.2.13'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Rem mac-address '68:1D:EF:2D:79:3F'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters 'allow bootp;'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters 'allow booting;'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters 'next-server 10.0.2.1;'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters 'if exists user-class and option user-class = "iPXE" {'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters 'filename "http://10.5.0.8/boot.ipxe";'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters '} else {'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters 'filename "ipxe.efi";'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 subnet-parameters '}'
+
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Sakura ip-address '10.0.2.12'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Sakura mac-address 'E4:1D:2D:DD:7C:60'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Sakura mac-address '58:47:ca:71:c5:02'
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Uiharu ip-address '10.0.2.10'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Uiharu mac-address 'E4:1D:2D:12:4B:60'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Miri ip-address '10.0.2.15'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Uiharu mac-address '58:47:ca:73:bd:aa'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Miri ip-address '10.0.2.11'
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Miri mac-address '58:47:ca:71:c1:b2'
-set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Anya ip-address '10.0.2.11'
+set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Anya ip-address '10.0.2.13'
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Anya mac-address 'FC:3F:DB:0E:7A:79'
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Talos ip-address '10.0.2.93'
 set service dhcp-server shared-network-name SERVERS subnet 10.0.2.0/24 static-mapping Talos mac-address '00:16:3E:FB:30:AA'
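Review bot: The new `subnet-parameters` chain makes every non-iPXE client on 10.0.2.0/24 fetch `ipxe.efi` from `next-server 10.0.2.1` and then chain to `filename "http://10.5.0.8/boot.ipxe"`, with no architecture check, so a BIOS-only machine is handed an EFI binary and fails; the `option system-arch` declared at the top of this file is what such a branch would test. Both stages are unauthenticated — TFTP, then plain HTTP to matchbox — so the boot path's integrity rests entirely on the servers VLAN being trusted and free of rogue DHCP/TFTP hosts, which deserves a comment above the block, e.g. `# PXE chain: TFTP ipxe.efi from the router, then HTTP to matchbox (unsigned; relies on VLAN trust)`. The `'} else {'`/`'}'` fragments presumably only form valid dhcpd.conf if VyOS emits them in the configured order, so keep these eight lines contiguous when editing.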
@@ -119,7 +126,7 @@ set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 range 0 s
 set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping Shinobu ip-address '10.0.1.5'
 set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping Shinobu mac-address 'B4:2E:99:3E:A5:4F'
 set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping Yuzu ip-address '10.0.1.50'
-set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping Yuzu mac-address 'F4:7B:09:9B:DD:9A'
+set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping Yuzu mac-address '14:AC:60:29:76:1F'
 set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping claire-iphone ip-address '10.0.1.81'
 set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping claire-iphone mac-address '26:A7:03:FF:99:17'
 set service dhcp-server shared-network-name TRUSTED subnet 10.0.1.0/24 static-mapping Sulleta ip-address '10.0.1.64'
diff --git a/config-parts/service.sh b/config-parts/service.sh
index 16c0936..80754e4 100755
--- a/config-parts/service.sh
+++ b/config-parts/service.sh
@@ -12,3 +12,7 @@ set service ntp server time.cloudflare.com
 # SSH server
 set service ssh disable-password-authentication
 set service ssh port '22'
+
+# TFTP server
+set service tftp-server directory '/config/tftpboot'
+set service tftp-server listen-address 10.0.2.1
diff --git a/containers/.gitignore b/containers/.gitignore
index f689c3e..5f97901 100755
--- a/containers/.gitignore
+++ b/containers/.gitignore
@@ -5,10 +5,12 @@
 !.gitignore
 !/bind/
+!/blocky/
 !/coredns/
 !/dnsdist/
 !/flexo/
 !/haproxy/
+!/matchbox/
 !/pihole/
 !/powerdns/
 !/smtp-relay/
diff --git a/containers/bind/config/zones/db.ctec.run b/containers/bind/config/zones/db.ctec.run
index bdd15ae..9cd02d9 100755
--- a/containers/bind/config/zones/db.ctec.run
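Review bot: `set service tftp-server listen-address 10.0.2.1` puts a TFTP listener on the servers-VLAN gateway, but no servers-local rule for udp/69 is added next to the iperf3 rules in firewall-name.sh, so unless one already exists the PXE clients' first request to `next-server 10.0.2.1` is subject to that chain's default action before matchbox is ever reached. Everything under /config/tftpboot is readable by any host on that VLAN by design, so keep only the iPXE binaries there. A comment tying the two files together would help the next reader: `# serves ipxe.efi for the SERVERS subnet PXE chain (see service-dhcp_server.sh)`.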
+++ b/containers/bind/config/zones/db.ctec.run
@@ -29,11 +29,9 @@ petra IN A 10.0.1.121
 nut-server IN A 10.0.2.3
 shana IN A 10.0.2.4
 uiharu IN A 10.0.2.10
-anya IN A 10.0.2.11
+anya IN A 10.0.2.13
 sakura IN A 10.0.2.12
-rem IN A 10.0.2.13
-ram IN A 10.0.2.14
-miri IN A 10.0.2.15
+miri IN A 10.0.2.11
 ; IOT
 prusa IN A 10.0.3.110
@@ -45,7 +43,7 @@ printer IN A 10.0.3.51
 talos IN A 10.0.2.93
 ; Containers
-cluster IN A 10.5.0.2
+main IN A 10.5.0.2
 ; CNAME records
 nas IN CNAME shana.ctec.run.
diff --git a/containers/blocky/config/config.yml b/containers/blocky/config/config.yml
new file mode 100644
index 0000000..929b54b
--- /dev/null
+++ b/containers/blocky/config/config.yml
@@ -0,0 +1,49 @@
+ports:
+ dns: 53
+ http: 4000
+
+upstreams:
+ groups:
+ # these external DNS resolvers will be used. Blocky picks 2 random resolvers from the list for each query
+ default:
+ # Cloudflare
+ - tcp-tls:1.1.1.1:853
+ - tcp-tls:1.0.0.1:853
+
+# configuration of client name resolution
+clientLookup:
+ upstream: 10.5.0.3
+
+ecs:
+ useAsClient: true
+
+prometheus:
+ enable: true
+ path: /metrics
+
+blocking:
+ loading:
+ downloads:
+ timeout: 4m
+
+ blackLists:
+ ads:
+ - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
+ fakenews:
+ - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-only/hosts
+ gambling:
+ - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-only/hosts
+
+ whiteLists:
+ ads:
+ - |
+ rabobank.nl
+
+ clientGroupsBlock:
+ default:
+ - ads
+ - fakenews
+ - gambling
+ manyie*:
+ - fakenews
+ - gambling
\ No newline at end of file
diff --git a/containers/dnsdist/config/dnsdist.conf b/containers/dnsdist/config/dnsdist.conf
index 9f232e1..5b400cf 100755
--- a/containers/dnsdist/config/dnsdist.conf
+++ b/containers/dnsdist/config/dnsdist.conf
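Review bot: Both db.ctec.run hunks change A records but neither touches the SOA serial, which sits above the first hunk and outside the diff; if bind has any secondary or the zone is transferred anywhere, the new addresses are not picked up until the serial is bumped — worth confirming that happened in the same commit. The `cluster` → `main` rename in the second hunk drops the old name outright, so anything still resolving cluster.ctec.run gets NXDOMAIN from now on; a transitional `cluster IN CNAME main.ctec.run.` would make the cut-over safer until callers are updated.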
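Review bot: `http: 4000` in the new blocky config also serves blocky's REST API (the blocking enable/disable and query endpoints), not just the Prometheus `/metrics` path, and nothing in the file restricts it, so any host that can reach 10.5.0.7:4000 can switch filtering off for everyone. Either limit that port at the firewall to the monitoring host, or, if the container network is unreachable from client VLANs, say so in a comment next to `http: 4000` so the assumption is visible. The `clientGroupsBlock` section only sees real client addresses because dnsdist forwards them via ECS (`setECSSourcePrefixV4(32)` there, `useAsClient: true` here); a one-line comment above `ecs:` stating that dependency would stop someone simplifying either side. Also, the `manyie*` group omits `ads` for those clients, which reads like an accident unless commented as intended.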
@@ -1,6 +1,9 @@
 -- udp/tcp dns listening
 setLocal("0.0.0.0:53", {})
+-- disable security status polling via DNS
+setSecurityPollSuffix("")
+
 -- Local Bind
 newServer({
 address = "10.5.0.3",
@@ -8,10 +11,10 @@ newServer({
 checkName = "gateway.ctec.run"
 })
--- Local PiHole
+-- Local Blocky
 newServer({
 address = "10.5.0.7",
- pool = "pihole",
+ pool = "blocky",
 healthCheckMode = "lazy",
 checkInterval = 1800,
 maxCheckFailures = 3,
@@ -23,7 +26,7 @@ newServer({
 lazyHealthCheckMode = 'TimeoutOnly',
 useClientSubnet = true
 })
--- PiHole will be given requester IP
+-- Blocky will be given requester IP
 setECSSourcePrefixV4(32)
 -- CloudFlare DNS over TLS
@@ -64,13 +67,15 @@ getPool(""):setCache(pc)
 addAction("192.168.2.0/24", PoolAction("cloudflare")) -- guest vlan
 addAction("192.168.2.0/24", DropAction()) -- stop processing
+addAction("zip", DropAction()) -- stop processing
+
 addAction('unifi', PoolAction('bind'))
 addAction('kokoro.wtf', PoolAction('bind'))
 addAction('ctec.run', PoolAction('bind'))
 addAction('0.10.in-addr.arpa', PoolAction('bind'))
 addAction("10.0.0.0/24", PoolAction("cloudflare")) -- lan
-addAction("10.0.1.0/24", PoolAction("pihole")) -- trusted vlan
-addAction("10.0.2.0/24", PoolAction("pihole")) -- servers vlan
-addAction("10.0.3.0/24", PoolAction("pihole")) -- iot vlan
-addAction("10.0.11.0/24", PoolAction("pihole")) -- wg_trusted vlan
+addAction("10.0.1.0/24", PoolAction("blocky")) -- trusted vlan
+addAction("10.0.2.0/24", PoolAction("blocky")) -- servers vlan
+addAction("10.0.3.0/24", PoolAction("blocky")) -- iot vlan
+addAction("10.0.11.0/24", PoolAction("blocky")) -- wg_trusted vlan
diff --git a/containers/haproxy/config/haproxy.cfg b/containers/haproxy/config/haproxy.cfg
index beddd6f..a301246 100755
--- a/containers/haproxy/config/haproxy.cfg
+++ b/containers/haproxy/config/haproxy.cfg
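Review bot: `addAction("zip", DropAction()) -- stop processing` reuses the guest-VLAN comment, which says nothing about what the rule does: a bare name in addAction is a suffix match, so this silently discards every query for the .zip TLD and everything beneath it, for all clients, and because it precedes the pool rules it applies regardless of VLAN. Suggest `addAction("zip", DropAction()) -- drop the .zip TLD (and all subdomains) for every client`. Returning NXDOMAIN via an RCodeAction instead of dropping would give resolvers a clean negative answer rather than a timeout, which avoids stub resolvers retrying or failing over to another server.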
@@ -51,10 +51,9 @@ backend k8s_controlplane
 mode tcp
 option ssl-hello-chk
 balance roundrobin
- server anya 10.0.2.11:6443 check
 server sakura 10.0.2.12:6443 check
 server uiharu 10.0.2.10:6443 check
- server miri 10.0.2.15:6443 check
+ server miri 10.0.2.11:6443 check
 backend talos_controlplane
 option httpchk GET /healthz
@@ -62,9 +61,6 @@ backend talos_controlplane
 mode tcp
 option ssl-hello-chk
 balance roundrobin
- server anya 10.0.2.11:50000 check
- server miri 10.0.2.15:50000 check
+ server miri 10.0.2.11:50000 check
 server sakura 10.0.2.12:50000 check
 server uiharu 10.0.2.10:50000 check
- server rem 10.0.2.13:50000 check
- server ram 10.0.2.14:50000 check
diff --git a/containers/matchbox/data/.gitignore b/containers/matchbox/data/.gitignore
new file mode 100755
index 0000000..96d6033
--- /dev/null
+++ b/containers/matchbox/data/.gitignore
@@ -0,0 +1,6 @@
+# Ignore everything
+/*
+
+# Track certain files and directories
+!.gitignore
+