Feature bind
This commit is contained in:
parent
43482b3c1a
commit
e31a3d8970
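--- /dev/null
+++ b/Dockerfile.bind
@@ -0,0 +1,11 @@
+FROM alpine:latest
+MAINTAINER Team Lixo <lixonet@team.lixo>
+
+RUN apk add bind
+
+EXPOSE 53/udp 53/tcp
+
+VOLUME /var/cache/bind
+VOLUME /etc/bind
+
+CMD [ "sh", "-c", "/usr/sbin/named -f -c /etc/bind/named.conf" ]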
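Review bot: named runs as root for its whole lifetime, because the image never adds a `USER` and the `CMD` on the last line starts it without `-u`; BIND only needs root to bind port 53 and can drop privileges itself, so `CMD ["/usr/sbin/named", "-f", "-u", "named", "-c", "/etc/bind/named.conf"]` (the Alpine bind package ships a `named` account — confirm) also removes the `sh -c` wrapper so named is PID 1 and receives SIGTERM from `docker stop`. `FROM alpine:latest` together with the unpinned `apk add bind` makes the resolver's BIND version depend on the day the image was built; pin the base tag and use `apk add --no-cache bind=<version>`. `MAINTAINER` is deprecated in favour of `LABEL`.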
@ -136,6 +136,13 @@ For options we expose here, for information see: https://bird.network.cz/?get_do
|
||||
* `bgp_passwd_*`: The password for a specific BGP peer (i.e. `bgp_passwd_denco_mane_lixo`). If not specified, no password is used for the host.
|
||||
* `bgp_routes`: A comma-delimited list of routes to advertise over BGP. If not specified, no routes are propagated.
|
||||
|
||||
#### BIND options
|
||||
|
||||
These settings are optional, and are already defaulted to general network common practices.
|
||||
|
||||
* `bind_forward_address`: The overridden DNS server IP address to forward all requests for your own domain to. Defaults to the value of `internal_gateway`, which is proper in most if not all cases. Your BIND zone is automatically converted from your `tinc_peer_name` (i.e. `lkwco_mane_lixo` becomes `lkwco.mane.lixo`).
|
||||
* `tld`: The network-wide TLD to use. Defaults to `lixo`.
|
||||
|
||||
# Setup
|
||||
|
||||
#### Prerequisites:
|
||||
|
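--- /dev/null
+++ b/bind/lixo.rpz
@@ -0,0 +1,11 @@
+$TTL 60
+@ IN SOA localhost. root.localhost. (
+4 ; serial
+3H ; refresh
+1H ; retry
+1W ; expiry
+1H) ; minimum
+
+IN NS localhost.
+
+* CNAME .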
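Review bot: The catch-all `* CNAME .` on the last line turns every name that the whitelist zone does not pass through into NXDOMAIN, which is the intent of the policy but is invisible to a reader of this file alone; add `; catch-all: NXDOMAIN for every name not matched by rpz.whitelist (which is evaluated first)` above it. The serial is a fixed `4`, which is harmless for a master zone reloaded from file, but it will need bumping on every edit if the zone is ever transferred to a secondary.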
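--- /dev/null
+++ b/bind/lixo.rpz.whitelist.tmpl
@@ -0,0 +1,12 @@
+\$TTL 60
+@ IN SOA localhost. root.localhost. (
+4 ; serial
+3H ; refresh
+1H ; retry
+1W ; expiry
+1H) ; minimum
+
+IN NS localhost.
+
+${tld:-lixo} CNAME rpz-passthru.
+*.${tld:-lixo} CNAME rpz-passthru.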
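Review bot: The passthru entries on the last two lines key on `${tld:-lixo}`, while the forward zones in named.conf.tmpl are derived from `tinc_peer_name` by replacing `_` with `.`; if an operator overrides `tld` to anything other than the last label of the peer names, the RPZ catch-all NXDOMAINs the peer zones before they are ever forwarded. Either derive the passthru suffix from the same peer name, or say so in the template: `; must equal the last label of tinc_peer_name, otherwise the peer zones are blocked by the rpz catch-all`. The `\$TTL` escape is presumably there because the template engine interpolates `$`; a one-line comment stating that would stop the next editor from "fixing" it.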
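--- /dev/null
+++ b/bind/named.conf.tmpl
@@ -0,0 +1,76 @@
+acl "lixonet_global" {
+${network_address}/${global_prefix:-16};
+};
+
+acl "lixonet_local" {
+{{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}{{.}};
+{{ end }}{{ end }}
+};
+
+options {
+directory "/var/cache/bind";
+
+listen-on { ${tinc_peer_address}; };
+
+forward only;
+forwarders { ${bind_forward_address-"${internal_gateway}"}; };
+
+dnssec-enable no;
+dnssec-validation no;
+};
+
+logging {
+channel custom {
+stderr;
+print-time yes;
+print-severity yes;
+print-category yes;
+severity debug 9;
+};
+category default { custom; };
+};
+
+
+
+view "lixonet" {
+recursion yes;
+match-clients { lixonet_global; };
+
+allow-query { any; };
+allow-recursion { any; };
+
+response-policy { zone "rpz.whitelist"; zone "rpz"; };
+
+zone "rpz.whitelist" {
+type master;
+file "/etc/bind/lixo.rpz.whitelist";
+allow-query { none; };
+};
+
+zone "rpz" {
+type master;
+file "/etc/bind/lixo.rpz";
+allow-query { none; };
+};
+
+# Self zone
+zone "{{ "$tinc_peer_name" | replace "_" "." }}" {
+type forward;
+forward only;
+forwarders { ${bind_forward_address-"${internal_gateway}"}; };
+};
+
+# Forwarders
+{{ range files "bind/peers" }} {{ if ne . "${tinc_peer_name}" }}
+zone "{{ . | replace "_" "." }}" {
+type forward;
+forward only;
+{{ include (print "bind/peers/" .) }}
+};{{ end }}{{ end }}
+};
+
+view "default" {
+recursion no;
+match-clients { any; };
+allow-recursion { none; };
+};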
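Review bot: Peer file names become zone names verbatim at `zone "{{ . | replace "_" "." }}"` and their contents are spliced in by `{{ include (print "bind/peers/" .) }}`, so everything under `bind/peers/` is configuration, not data — if those files are contributed by other members of the network rather than the local operator, a name containing `"` or `;` rewrites named.conf and the included file can add arbitrary statements; validate entries (e.g. restrict names to `[a-z0-9_]` and the file body to `forwarders { ...; };`) before templating. `severity debug 9` on the stderr channel logs every query at maximum verbosity into the container log, which the compose file does not cap, so this should be `severity info;` (or `dynamic`, adjustable via rndc) outside troubleshooting. `acl "lixonet_local"` is built from `bgp_routes` but never referenced by either view. Only `listen-on` is set; unless this BIND build defaults `listen-on-v6` to `none`, named in a host-networked container also listens on every IPv6 address of the host, so add `listen-on-v6 { none; };` (or the tinc v6 address) to make the exposure explicit.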
12
build.sh
12
build.sh
@ -40,6 +40,7 @@ do
|
||||
# Copy default files
|
||||
cp -r ../tinc/* tinc/
|
||||
cp -r ../bird/* bird/
|
||||
cp -r ../bind/* bind/
|
||||
|
||||
# Tinc
|
||||
# Remove existing configuration
|
||||
@ -60,12 +61,21 @@ do
|
||||
# Bird
|
||||
# Remove existing configuration
|
||||
rm -v -rf /etc/bird/$netname/*
|
||||
# Copy all tinc default files to /etc/(bird)
|
||||
# Copy all bird default files to /etc/(bird)
|
||||
find bird -type d | sed -e "s@bird@bird/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
|
||||
find bird -type f | sed -e "s@bird/@@g" | xargs -I '{}' cp --verbose bird/{} /etc/bird/$netname/{}
|
||||
# Fill out templates and remove them after
|
||||
process_templates "/etc/bird/$netname/" "$sigil_vars"
|
||||
|
||||
# BIND
|
||||
# Remove existing configuration
|
||||
rm -v -rf /etc/bind/$netname/*
|
||||
# Copy all bind default files to /etc/(bind)
|
||||
find bind -type d | sed -e "s@bind@bind/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
|
||||
find bind -type f | sed -e "s@bind/@@g" | xargs -I '{}' cp --verbose bind/{} /etc/bind/$netname/{}
|
||||
# Fill out templates and remove them after
|
||||
process_templates "/etc/bind/$netname/" "$sigil_vars"
|
||||
|
||||
echo "COMPOSE_PROJECT_NAME=$netname" > .env
|
||||
docker-compose -p $netname up -d --build
|
||||
rm .env
|
||||
|
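Review bot: `rm -v -rf /etc/bind/$netname/*` runs with an unquoted, unchecked `$netname`; if the variable is ever empty (the enclosing loop that sets it starts above this hunk), the glob becomes `/etc/bind//*` and wipes the host's own BIND configuration, and the same hazard already exists on the bird and tinc lines of the same shape. Guard it with `rm -v -rf "/etc/bind/${netname:?netname is empty}/"*`. The `sed -e "s@bind@bind/${netname}@g"` rewrite also replaces every occurrence of `bind` in a path rather than the leading directory only; anchoring it as `s@^bind@bind/${netname}@` avoids mis-placing a peer file whose name happens to contain that substring.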
@ -30,3 +30,16 @@ services:
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
restart: always
|
||||
bind:
|
||||
network_mode: host
|
||||
depends_on:
|
||||
- tinc
|
||||
build:
|
||||
context: .
|
||||
dockerfile: Dockerfile.bind
|
||||
ports:
|
||||
- "53:53/udp"
|
||||
- "53:53/tcp"
|
||||
volumes:
|
||||
- /etc/bind/${COMPOSE_PROJECT_NAME}/:/etc/bind/
|
||||
restart: always
|
||||
|
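Review bot: The `ports:` entries are ignored under `network_mode: host` (Compose warns and runs the container on the host stack as-is), so they document an exposure that is actually decided by named's `listen-on`; drop them, or switch to bridge networking and bind to a specific host address, e.g. `- "<tinc address>:53:53/udp"`. The config mount `- /etc/bind/${COMPOSE_PROJECT_NAME}/:/etc/bind/` is read-write although named appears to only read named.conf and the two RPZ master zones from it; appending `:ro` keeps a compromised named from rewriting its own configuration on the host. The service also inherits no `cap_drop`, so named keeps the full root capability set of a host-networked container.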