feat(bind9): tls

bind9/Dockerfile

@@ -2,7 +2,10 @@ FROM docker.io/debian:12-slim
 RUN apt-get update                                \
     && apt-get install -y --no-install-recommends \
         bind9                                     \
+        bind9-dnsutils                            \
     && rm -rf /var/lib/apt/lists/*
-COPY bind/ /etc/bind/
+COPY named.conf.options /etc/bind/
-VOLUME /cache/
+VOLUME /var/cache/bind/
-CMD ["/usr/sbin/named", "-f"]
+EXPOSE 53/tcp 53/udp 8443/tcp
+RUN chown -R root:bind /etc/bind/ /var/cache/bind/
+CMD ["named", "-g", "-ubind"]

bind9/bind/named.conf

@@ -1,11 +0,0 @@
-// This is the primary configuration file for the BIND DNS server named.
-//
-// Please read /usr/share/doc/bind9/README.Debian for information on the
-// structure of BIND configuration files in Debian, *BEFORE* you customize
-// this configuration file.
-//
-// If you are just adding zones, please do that in /etc/bind/named.conf.local
-
-include "/etc/bind/named.conf.options";
-include "/etc/bind/named.conf.local";
-include "/etc/bind/named.conf.default-zones";

bind9/bind/named.conf.local

@@ -1,7 +0,0 @@
-//
-// Do any local configuration here
-//
-
-// Consider adding the 1918 zones here, if they are not used in your
-// organization
-//include "/etc/bind/zones.rfc1918";

bind9/bind/named.conf.options

@@ -1,32 +0,0 @@
-http local-http-server {
-	endpoints { "/dns-query"; };
-};
-
-options {
-	directory "/cache";
-	recursion yes;
-	allow-recursion { any; };
-	listen-on port 53 { any; };
-	http-port 80;
-
-	// If there is a firewall between you and nameservers you want
-	// to talk to, you may need to fix the firewall to allow multiple
-	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
-
-	// If your ISP provided one or more IP addresses for stable 
-	// nameservers, you probably want to use them as forwarders.  
-	// Uncomment the following block, and insert the addresses replacing 
-	// the all-0's placeholder.
-
-	// forwarders {
-	// 	0.0.0.0;
-	// };
-
-	//========================================================================
-	// If BIND logs error messages about the root key being expired,
-	// you will need to update your keys.  See https://www.isc.org/bind-keys
-	//========================================================================
-	dnssec-validation auto;
-
-	listen-on-v6 port 53 { any; };
-};

bind9/compose.yaml

@@ -6,8 +6,6 @@ services:
       - BASE_URL
       - EMAIL
     volumes:
-      - ./nginx.conf:/web/bind9.conf
-      - sites:/sites/
       - certs:/etc/letsencrypt/
       - certbotroot:/var/www/certbot/
       - /var/run/docker.sock:/var/run/docker.sock
@@ -16,9 +14,14 @@ services:
     build: .
     restart: unless-stopped
     ports:
-      - "53:53"
+      - "53:53/tcp"
+      - "53:53/udp"
+      - "8443:8443"
+    environment:
+      - BASE_URL
     volumes:
-      - cache:/cache/
+      - cache:/var/cache/bind/
+      - certs:/etc/letsencrypt/:ro
 
 volumes:
   certs:

bind9/entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sed -i "s \$BASE_URL $BASE_URL " /etc/bind/named.conf.options
+
+exec "$@"

bind9/install_site

@@ -0,0 +1 @@
+../_nginx/install_site

bind9/named.conf.options

@@ -0,0 +1,21 @@
+tls le {
+    cert-file /etc/letsencrypt/live/$BASE_URL/fullchain.pem;
+    key-file  /etc/letsencrypt/live/$BASE_URL/privkey.pem;
+};
+
+options {
+    directory "/var/cache/bind";
+    recursion yes;
+    allow-recursion { any; };
+
+    listen-on    { any; };
+    listen-on-v6 { any; };
+
+    listen-on    tls le { any; };
+    listen-on-v6 tls le { any; };
+
+    //listen-on    tls le http default { any; };
+    //listen-on-v6 tls le http default { any; };
+
+    dnssec-validation auto;
+};

bind9/nginx.conf

@@ -1,20 +0,0 @@
-server {
-    listen      80;
-    listen [::]:80;
-    server_name $BASE_URL;
-
-    return 301 https://$host$request_uri;
-}
-
-server {
-    listen      443 ssl;
-    listen [::]:443 ssl;
-    server_name $BASE_URL;
-
-    ssl_certificate     /etc/letsencrypt/live/$BASE_URL/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/$BASE_URL/privkey.pem;
-
-    location / {
-        proxy_pass http://bind9:80;
-    }
-}

fdroid/default.conf

@@ -7,7 +7,7 @@ server {
     }
 
     location /repo/ {
-        root /repo;
+        root   /repo;
         index  index.html;
     }
 }

fdroid/nginx.conf

@@ -17,8 +17,8 @@ server {
     location / {
         proxy_pass http://fdroid;
 
-         proxy_set_header Host $host;
+        proxy_set_header Host $host;
-         proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Real-IP $remote_addr;
-         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }
 }

searxng/config/settings.yml

@@ -26,7 +26,7 @@ search:
   # Existing autocomplete backends: "dbpedia", "duckduckgo", "google", "yandex", "mwmbl",
   # "seznam", "startpage", "stract", "swisscows", "qwant", "wikipedia" - leave blank to turn it off
   # by default.
-  autocomplete: ""
+  autocomplete: "brave"
   # minimun characters to type before autocompleter starts
   autocomplete_min: 4
   # Default search language - leave blank to detect from browser information or
@@ -73,7 +73,7 @@ server:
   # If your instance owns a /etc/searxng/settings.yml file, then set the following
   # values there.
 
-  secret_key: "ultrasecretkey"  # Is overwritten by ${SEARXNG_SECRET}
+  #secret_key: "ultrasecretkey"  # Is overwritten by ${SEARXNG_SECRET}
   # Proxying image results through searx
   image_proxy: false
   # 1.0 and 1.1 are supported