From 1ded407b604a3447deea8fe99b6f4c5cb2164298 Mon Sep 17 00:00:00 2001
From: ange
Date: Tue, 6 Feb 2024 11:04:11 +0100
Subject: [PATCH] feat(bind9): tls
---
 bind9/Dockerfile | 9 ++++++---
 bind9/bind/named.conf | 11 -----------
 bind9/bind/named.conf.local | 7 -------
 bind9/bind/named.conf.options | 32 --------------------------------
 bind9/compose.yaml | 11 +++++++----
 bind9/entrypoint.sh | 5 +++++
 bind9/install_site | 1 +
 bind9/named.conf.options | 21 +++++++++++++++++++++
 bind9/nginx.conf | 20 --------------------
 fdroid/default.conf | 2 +-
 fdroid/nginx.conf | 6 +++---
 searxng/config/settings.yml | 4 ++--
 12 files changed, 46 insertions(+), 83 deletions(-)
 delete mode 100644 bind9/bind/named.conf
 delete mode 100644 bind9/bind/named.conf.local
 delete mode 100644 bind9/bind/named.conf.options
 create mode 100644 bind9/entrypoint.sh
 create mode 120000 bind9/install_site
 create mode 100644 bind9/named.conf.options
 delete mode 100644 bind9/nginx.conf
diff --git a/bind9/Dockerfile b/bind9/Dockerfile
index 21ab87d..c719888 100644
--- a/bind9/Dockerfile
+++ b/bind9/Dockerfile
@@ -2,7 +2,10 @@ FROM docker.io/debian:12-slim
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \
 bind9 \
+ bind9-dnsutils \
 && rm -rf /var/lib/apt/lists/*
-COPY bind/ /etc/bind/
-VOLUME /cache/
-CMD ["/usr/sbin/named", "-f"]
+COPY named.conf.options /etc/bind/
+VOLUME /var/cache/bind/
+EXPOSE 53/tcp 53/udp 8443/tcp
+RUN chown -R root:bind /etc/bind/ /var/cache/bind/
+CMD ["named", "-g", "-ubind"]
diff --git a/bind9/bind/named.conf b/bind9/bind/named.conf
deleted file mode 100644
index bc71baa..0000000
--- a/bind9/bind/named.conf
+++ /dev/null
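Review bot: The new `CMD ["named", "-g", "-ubind"]` is the only process wiring in this Dockerfile, so `entrypoint.sh` — the script that replaces the `$BASE_URL` placeholder in `/etc/bind/named.conf.options` — is neither copied into the image nor declared as ENTRYPOINT; unless that happens outside this hunk, named starts with the literal `$BASE_URL` in the `tls le` cert paths and the TLS listeners fail to come up. The script is committed with mode 100644, so wiring it in needs `COPY entrypoint.sh /entrypoint.sh` plus `ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]` (or a chmod) ahead of the CMD. Separately, `EXPOSE 8443/tcp` does not match the listener configuration: `listen-on tls le { any; };` carries no `port`, so it binds BIND's default `tls-port` 853, and nothing listens on 8443 unless `tls-port 8443;` is added to `options`. The `chown -R root:bind` runs at build time and cannot cover `/etc/letsencrypt`, which compose.yaml mounts at runtime.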
@@ -1,11 +0,0 @@
-// This is the primary configuration file for the BIND DNS server named.
-//
-// Please read /usr/share/doc/bind9/README.Debian for information on the
-// structure of BIND configuration files in Debian, *BEFORE* you customize
-// this configuration file.
-//
-// If you are just adding zones, please do that in /etc/bind/named.conf.local
-
-include "/etc/bind/named.conf.options";
-include "/etc/bind/named.conf.local";
-include "/etc/bind/named.conf.default-zones";
diff --git a/bind9/bind/named.conf.local b/bind9/bind/named.conf.local
deleted file mode 100644
index a1250e3..0000000
--- a/bind9/bind/named.conf.local
+++ /dev/null
@@ -1,7 +0,0 @@
-//
-// Do any local configuration here
-//
-
-// Consider adding the 1918 zones here, if they are not used in your
-// organization
-//include "/etc/bind/zones.rfc1918";
diff --git a/bind9/bind/named.conf.options b/bind9/bind/named.conf.options
deleted file mode 100644
index 6ccb1ca..0000000
--- a/bind9/bind/named.conf.options
+++ /dev/null
@@ -1,32 +0,0 @@
-http local-http-server {
- endpoints { "/dns-query"; };
-};
-
-options {
- directory "/cache";
- recursion yes;
- allow-recursion { any; };
- listen-on port 53 { any; };
- http-port 80;
-
- // If there is a firewall between you and nameservers you want
- // to talk to, you may need to fix the firewall to allow multiple
- // ports to talk. See http://www.kb.cert.org/vuls/id/800113
-
- // If your ISP provided one or more IP addresses for stable
- // nameservers, you probably want to use them as forwarders.
- // Uncomment the following block, and insert the addresses replacing
- // the all-0's placeholder.
-
- // forwarders {
- // 0.0.0.0;
- // };
-
- //========================================================================
- // If BIND logs error messages about the root key being expired,
- // you will need to update your keys. See https://www.isc.org/bind-keys
- //========================================================================
- dnssec-validation auto;
-
- listen-on-v6 port 53 { any; };
-};
diff --git a/bind9/compose.yaml b/bind9/compose.yaml
index 5fdcdbc..38c6037 100644
--- a/bind9/compose.yaml
+++ b/bind9/compose.yaml
@@ -6,8 +6,6 @@ services:
 - BASE_URL
 - EMAIL
 volumes:
- - ./nginx.conf:/web/bind9.conf
- - sites:/sites/
 - certs:/etc/letsencrypt/
 - certbotroot:/var/www/certbot/
 - /var/run/docker.sock:/var/run/docker.sock
@@ -16,9 +14,14 @@ services:
 build: .
 restart: unless-stopped
 ports:
- - "53:53"
+ - "53:53/tcp"
+ - "53:53/udp"
+ - "8443:8443"
+ environment:
+ - BASE_URL
 volumes:
- - cache:/cache/
+ - cache:/var/cache/bind/
+ - certs:/etc/letsencrypt/:ro
 volumes:
 certs:
diff --git a/bind9/entrypoint.sh b/bind9/entrypoint.sh
new file mode 100644
index 0000000..b51d19b
--- /dev/null
+++ b/bind9/entrypoint.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sed -i "s \$BASE_URL $BASE_URL " /etc/bind/named.conf.options
+
+exec "$@"
diff --git a/bind9/install_site b/bind9/install_site
new file mode 120000
index 0000000..846f55c
--- /dev/null
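Review bot: The `certs:/etc/letsencrypt/:ro` mount added in the second hunk hands the certbot tree to a named process that the Dockerfile now runs as the `bind` user (`-ubind`), and certbot by default creates `live/`, `archive/` and `privkey.pem` readable by root only; unless a deploy hook relaxes those permissions, the `key-file` referenced by the `tls le` block is unreadable and the TLS listeners will not start. The usual fix is a certbot deploy hook that copies the pair into a volume owned by `root:bind` with the key at mode 0640, rather than loosening the whole letsencrypt tree. The `"8443:8443"` mapping also targets a port this configuration never binds: with no `port` clause, DoT uses BIND's default `tls-port` 853 (and the commented-out DoH listeners would use `https-port` 443), so either map `"853:853"` or set `tls-port 8443;` in named.conf.options. The `certs` volume is also still mounted read-write into the first service, so the bind9 container's `:ro` is the only thing keeping the key material single-writer — worth a one-line comment next to the mount saying so.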
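Review bot: `sed -i "s \$BASE_URL $BASE_URL " /etc/bind/named.conf.options` interpolates `$BASE_URL` unescaped into the sed replacement, so a value containing a space (the delimiter chosen here), `&` or `\` rewrites the config into something other than the intended cert path, and an unset variable silently yields `/etc/letsencrypt/live//fullchain.pem`. Since the value is a hostname, validating it is simpler and safer than escaping: put `set -eu` and `[[ $BASE_URL =~ ^[A-Za-z0-9.-]+$ ]] || { echo "entrypoint: invalid BASE_URL" >&2; exit 1; }` before the sed, which also makes an unset variable a hard failure. The file is committed with mode 100644, so the Dockerfile must invoke it through the shell or chmod it before it can act as the ENTRYPOINT, and nothing in this commit's Dockerfile hunk references it at all.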
+++ b/bind9/install_site
@@ -0,0 +1 @@
+../_nginx/install_site
\ No newline at end of file
diff --git a/bind9/named.conf.options b/bind9/named.conf.options
new file mode 100644
index 0000000..a4f538a
--- /dev/null
+++ b/bind9/named.conf.options
@@ -0,0 +1,21 @@
+tls le {
+ cert-file /etc/letsencrypt/live/$BASE_URL/fullchain.pem;
+ key-file /etc/letsencrypt/live/$BASE_URL/privkey.pem;
+};
+
+options {
+ directory "/var/cache/bind";
+ recursion yes;
+ allow-recursion { any; };
+
+ listen-on { any; };
+ listen-on-v6 { any; };
+
+ listen-on tls le { any; };
+ listen-on-v6 tls le { any; };
+
+ //listen-on tls le http default { any; };
+ //listen-on-v6 tls le http default { any; };
+
+ dnssec-validation auto;
+};
diff --git a/bind9/nginx.conf b/bind9/nginx.conf
deleted file mode 100644
index 09e1939..0000000
--- a/bind9/nginx.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
- server_name $BASE_URL;
-
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name $BASE_URL;
-
- ssl_certificate /etc/letsencrypt/live/$BASE_URL/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/$BASE_URL/privkey.pem;
-
- location / {
- proxy_pass http://bind9:80;
- }
-}
diff --git a/fdroid/default.conf b/fdroid/default.conf
index 3be7505..125cdc1 100644
--- a/fdroid/default.conf
+++ b/fdroid/default.conf
@@ -7,7 +7,7 @@ server {
 }
 location /repo/ {
- root /repo;
+ root /repo;
 index index.html;
 }
 }
diff --git a/fdroid/nginx.conf b/fdroid/nginx.conf
index 40aaf7e..e6ef781 100644
--- a/fdroid/nginx.conf
+++ b/fdroid/nginx.conf
@@ -17,8 +17,8 @@ server {
 location / {
 proxy_pass http://fdroid;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
 }
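Review bot: `allow-recursion { any; };` together with `recursion yes;`, `listen-on { any; };` and the new `listen-on tls le { any; };` publishes an open recursive resolver on plain 53 as well as on DoT; the deleted file carried the same setting, but this commit keeps it while widening the exposure, so restrict it to the intended client ranges (`allow-recursion { localnets; <your-client-prefixes>; };`) or, if a public resolver is the goal, add `rate-limit { responses-per-second 10; };` to `options` to bound amplification. The `tls le` listeners carry no `port` clause, so they bind BIND's default `tls-port` 853 rather than the 8443 that the Dockerfile exposes and compose.yaml maps; either `tls-port 8443;` in `options` or exposing 853 reconciles the two. The `cert-file`/`key-file` paths contain a literal `$BASE_URL` that only entrypoint.sh turns into a real path, which deserves a comment at the top of the file, e.g. `// $BASE_URL is substituted at container start by entrypoint.sh; named will not start with the placeholder.`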
diff --git a/searxng/config/settings.yml b/searxng/config/settings.yml
index 9aa9a9a..c13b8e1 100644
--- a/searxng/config/settings.yml
+++ b/searxng/config/settings.yml
@@ -26,7 +26,7 @@ search:
 # Existing autocomplete backends: "dbpedia", "duckduckgo", "google", "yandex", "mwmbl",
 # "seznam", "startpage", "stract", "swisscows", "qwant", "wikipedia" - leave blank to turn it off
 # by default.
- autocomplete: ""
+ autocomplete: "brave"
 # minimun characters to type before autocompleter starts
 autocomplete_min: 4
 # Default search language - leave blank to detect from browser information or
@@ -73,7 +73,7 @@ server:
 # If your instance owns a /etc/searxng/settings.yml file, then set the following
 # values there.
- secret_key: "ultrasecretkey" # Is overwritten by ${SEARXNG_SECRET}
+ #secret_key: "ultrasecretkey" # Is overwritten by ${SEARXNG_SECRET}
 # Proxying image results through searx
 image_proxy: false
 # 1.0 and 1.1 are supported
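Review bot: Commenting out `secret_key` leaves this settings file with no value for it, so the instance now depends entirely on `SEARXNG_SECRET` being set wherever the container is started; as far as I recall SearXNG refuses to start when the packaged placeholder `ultrasecretkey` is still in effect, so a missing variable becomes a startup failure rather than a weak secret, which is the right failure mode but should be stated. A comment in place of the removed line would make the dependency explicit, e.g. `# secret_key is deliberately not set here; it must be supplied via SEARXNG_SECRET`. Switching `autocomplete` to `"brave"` in the first hunk also sends every partial query to a third party as the user types, which is a privacy-relevant default for a searxng instance and worth a sentence in the commit description.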