Feature bind
parent
43482b3c1a
commit
e31a3d8970
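--- /dev/null
+++ b/Dockerfile.bind
@@ -0,0 +1,11 @@
+FROM alpine:latest
+MAINTAINER Team Lixo <lixonet@team.lixo>
+
+RUN apk add bind
+
+EXPOSE 53/udp 53/tcp
+
+VOLUME /var/cache/bind
+VOLUME /etc/bind
+
+CMD [ "sh", "-c", "/usr/sbin/named -f -c /etc/bind/named.conf" ]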
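Review bot: The `CMD` wraps named in `sh -c` without `exec`, so the shell is PID 1 and the SIGTERM from `docker stop` never reaches named, and nothing drops root — there is no `USER` and no `-u`. Exec form with the package's unprivileged account fixes both: `CMD ["/usr/sbin/named", "-f", "-u", "named", "-c", "/etc/bind/named.conf"]` (the Alpine `bind` package is expected to create a `named` user — confirm, and make sure the two mounted volumes are readable by it; named still binds port 53 as root before switching). `FROM alpine:latest` and `RUN apk add bind` are both unpinned, so a base-image or package bump lands silently and the image is not reproducible: `FROM alpine:3.<minor>` and `RUN apk add --no-cache bind=<version>-r<rev>` pin them and keep the apk index out of the layer. `MAINTAINER` is deprecated; `LABEL org.opencontainers.image.authors="Team Lixo <lixonet@team.lixo>"` carries the same information.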
@ -136,6 +136,13 @@ For options we expose here, for information see: https://bird.network.cz/?get_do
|
|||||||
* `bgp_passwd_*`: The password for a specific BGP peer (i.e. `bgp_passwd_denco_mane_lixo`). If not specified, no password is used for the host.
|
* `bgp_passwd_*`: The password for a specific BGP peer (i.e. `bgp_passwd_denco_mane_lixo`). If not specified, no password is used for the host.
|
||||||
* `bgp_routes`: A comma-delimited list of routes to advertise over BGP. If not specified, no routes are propagated.
|
* `bgp_routes`: A comma-delimited list of routes to advertise over BGP. If not specified, no routes are propagated.
|
||||||
|
|
||||||
|
#### BIND options
|
||||||
|
|
||||||
|
These settings are optional, and are already defaulted to general network common practices.
|
||||||
|
|
||||||
|
* `bind_forward_address`: The overridden DNS server IP address to forward all requests for your own domain to. Defaults to the value of `internal_gateway`, which is proper in most if not all cases. Your BIND zone is automatically converted from your `tinc_peer_name` (i.e. `lkwco_mane_lixo` becomes `lkwco.mane.lixo`).
|
||||||
|
* `tld`: The network-wide TLD to use. Defaults to `lixo`.
|
||||||
|
|
||||||
# Setup
|
# Setup
|
||||||
|
|
||||||
#### Prerequisites:
|
#### Prerequisites:
|
||||||
|
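--- /dev/null
+++ b/bind/lixo.rpz
@@ -0,0 +1,11 @@
+$TTL 60
+@ IN SOA localhost. root.localhost. (
+4 ; serial
+3H ; refresh
+1H ; retry
+1W ; expiry
+1H) ; minimum
+
+IN NS localhost.
+
+* CNAME .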
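Review bot: The apex wildcard on the last line is a deny-all rule — every query in the `lixonet` view that the passthrough zone does not match first is rewritten to NXDOMAIN — and nothing in the file says so, so a maintainer adding a record here has no way to see the intent or the dependency on zone order. A header comment would carry it: `; Deny-all RPZ: any name not passed through by lixo.rpz.whitelist is answered NXDOMAIN (CNAME .); this zone must stay listed after the whitelist in response-policy`. Since the zone is a master with no secondaries, the hard-coded serial only matters if that ever changes, which is worth a word next to it as well.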
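--- /dev/null
+++ b/bind/lixo.rpz.whitelist.tmpl
@@ -0,0 +1,12 @@
+\$TTL 60
+@ IN SOA localhost. root.localhost. (
+4 ; serial
+3H ; refresh
+1H ; retry
+1W ; expiry
+1H) ; minimum
+
+IN NS localhost.
+
+${tld:-lixo} CNAME rpz-passthru.
+*.${tld:-lixo} CNAME rpz-passthru.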
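Review bot: The two passthrough records only cover `${tld:-lixo}` and names under it; combined with the catch-all `* CNAME .` in lixo.rpz, anything else — public names and `in-addr.arpa` PTR lookups included — is answered NXDOMAIN inside the `lixonet` view, and the README bullet that introduces `tld` does not say so. If that is the intent, state it in the file: `; Allow-list: only the network TLD passes through; every other name hits the deny-all rule in lixo.rpz`; if reverse lookups are wanted, add `*.in-addr.arpa CNAME rpz-passthru.` here. The `\$TTL` escape and the `${tld:-lixo}` expansion presumably depend on the template pass in build.sh, and named.conf references the rendered `/etc/bind/lixo.rpz.whitelist`, so the build must really remove the `.tmpl` afterwards as its comment claims — worth confirming.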
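--- /dev/null
+++ b/bind/named.conf.tmpl
@@ -0,0 +1,76 @@
+acl "lixonet_global" {
+${network_address}/${global_prefix:-16};
+};
+
+acl "lixonet_local" {
+{{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}{{.}};
+{{ end }}{{ end }}
+};
+
+options {
+directory "/var/cache/bind";
+
+listen-on { ${tinc_peer_address}; };
+
+forward only;
+forwarders { ${bind_forward_address-"${internal_gateway}"}; };
+
+dnssec-enable no;
+dnssec-validation no;
+};
+
+logging {
+channel custom {
+stderr;
+print-time yes;
+print-severity yes;
+print-category yes;
+severity debug 9;
+};
+category default { custom; };
+};
+
+
+
+view "lixonet" {
+recursion yes;
+match-clients { lixonet_global; };
+
+allow-query { any; };
+allow-recursion { any; };
+
+response-policy { zone "rpz.whitelist"; zone "rpz"; };
+
+zone "rpz.whitelist" {
+type master;
+file "/etc/bind/lixo.rpz.whitelist";
+allow-query { none; };
+};
+
+zone "rpz" {
+type master;
+file "/etc/bind/lixo.rpz";
+allow-query { none; };
+};
+
+# Self zone
+zone "{{ "$tinc_peer_name" | replace "_" "." }}" {
+type forward;
+forward only;
+forwarders { ${bind_forward_address-"${internal_gateway}"}; };
+};
+
+# Forwarders
+{{ range files "bind/peers" }} {{ if ne . "${tinc_peer_name}" }}
+zone "{{ . | replace "_" "." }}" {
+type forward;
+forward only;
+{{ include (print "bind/peers/" .) }}
+};{{ end }}{{ end }}
+};
+
+view "default" {
+recursion no;
+match-clients { any; };
+allow-recursion { none; };
+};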
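Review bot: The two `forwarders` lines default with `${bind_forward_address-"${internal_gateway}"}` while the ACL two screens up uses `${global_prefix:-16}`; if the templater follows POSIX semantics, a set-but-empty `bind_forward_address` (easy to get from an env file) expands to `forwarders { ; };` and named refuses to start, so both should read `forwarders { ${bind_forward_address:-"${internal_gateway}"}; };`. `severity debug 9` on the only channel, with `category default` routed to it, means that as soon as the server is put in debugging mode (`-d` or `rndc trace`) it floods the container's stderr with level-9 resolver traces including the names being looked up — a log-volume and query-privacy issue for a production forwarder; `severity info;` is the usual setting. Both policy zones carry only QNAME rules, so `response-policy { zone "rpz.whitelist"; zone "rpz"; qname-wait-recurse no; };` stops named from forwarding every blocked query to the gateway before answering NXDOMAIN (the default on BIND 9.10+ is to recurse first). `{{ include (print "bind/peers/" .) }}` splices peer-supplied text verbatim into named.conf, so whatever produces `bind/peers/*` is trusted configuration — that deserves a comment on the `# Forwarders` line.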
12
build.sh
12
build.sh
@ -40,6 +40,7 @@ do
|
|||||||
# Copy default files
|
# Copy default files
|
||||||
cp -r ../tinc/* tinc/
|
cp -r ../tinc/* tinc/
|
||||||
cp -r ../bird/* bird/
|
cp -r ../bird/* bird/
|
||||||
|
cp -r ../bind/* bind/
|
||||||
|
|
||||||
# Tinc
|
# Tinc
|
||||||
# Remove existing configuration
|
# Remove existing configuration
|
||||||
@ -60,12 +61,21 @@ do
|
|||||||
# Bird
|
# Bird
|
||||||
# Remove existing configuration
|
# Remove existing configuration
|
||||||
rm -v -rf /etc/bird/$netname/*
|
rm -v -rf /etc/bird/$netname/*
|
||||||
# Copy all tinc default files to /etc/(bird)
|
# Copy all bird default files to /etc/(bird)
|
||||||
find bird -type d | sed -e "s@bird@bird/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
|
find bird -type d | sed -e "s@bird@bird/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
|
||||||
find bird -type f | sed -e "s@bird/@@g" | xargs -I '{}' cp --verbose bird/{} /etc/bird/$netname/{}
|
find bird -type f | sed -e "s@bird/@@g" | xargs -I '{}' cp --verbose bird/{} /etc/bird/$netname/{}
|
||||||
# Fill out templates and remove them after
|
# Fill out templates and remove them after
|
||||||
process_templates "/etc/bird/$netname/" "$sigil_vars"
|
process_templates "/etc/bird/$netname/" "$sigil_vars"
|
||||||
|
|
||||||
|
# BIND
|
||||||
|
# Remove existing configuration
|
||||||
|
rm -v -rf /etc/bind/$netname/*
|
||||||
|
# Copy all bind default files to /etc/(bind)
|
||||||
|
find bind -type d | sed -e "s@bind@bind/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
|
||||||
|
find bind -type f | sed -e "s@bind/@@g" | xargs -I '{}' cp --verbose bind/{} /etc/bind/$netname/{}
|
||||||
|
# Fill out templates and remove them after
|
||||||
|
process_templates "/etc/bind/$netname/" "$sigil_vars"
|
||||||
|
|
||||||
echo "COMPOSE_PROJECT_NAME=$netname" > .env
|
echo "COMPOSE_PROJECT_NAME=$netname" > .env
|
||||||
docker-compose -p $netname up -d --build
|
docker-compose -p $netname up -d --build
|
||||||
rm .env
|
rm .env
|
||||||
|
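Review bot: `rm -v -rf /etc/bind/$netname/*` in the new BIND block expands an unquoted `$netname`; if the variable is empty or unset the glob becomes `/etc/bind/*` and the configuration of every network is deleted (the bird block just above has the same shape, so this copies the hazard rather than fixing it). `rm -v -rf "/etc/bind/${netname:?netname must be set}/"*` aborts the script instead. The two `find … | sed … | xargs -I '{}'` pipelines also break on paths containing whitespace, and `cp -r bind/. "/etc/bind/$netname/"` should do the same copy in one line without the `sed` path rewriting — and since the bird and bind blocks are now identical apart from the service name, a small `install_config bird` / `install_config bind` helper would keep them from drifting. The enclosing `do` loop starts and ends outside the hunk.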
@ -30,3 +30,16 @@ services:
|
|||||||
cap_add:
|
cap_add:
|
||||||
- NET_ADMIN
|
- NET_ADMIN
|
||||||
restart: always
|
restart: always
|
||||||
|
bind:
|
||||||
|
network_mode: host
|
||||||
|
depends_on:
|
||||||
|
- tinc
|
||||||
|
build:
|
||||||
|
context: .
|
||||||
|
dockerfile: Dockerfile.bind
|
||||||
|
ports:
|
||||||
|
- "53:53/udp"
|
||||||
|
- "53:53/tcp"
|
||||||
|
volumes:
|
||||||
|
- /etc/bind/${COMPOSE_PROJECT_NAME}/:/etc/bind/
|
||||||
|
restart: always
|
||||||
|
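Review bot: The `bind` service sets `network_mode: host` and also publishes `ports:`; with host networking Compose discards port mappings (it warns rather than fails), so the two `53:53` entries are dead configuration and misleading — drop them, the socket is bound by named's `listen-on` directly in the host namespace. Host networking also means `listen-on { ${tinc_peer_address}; }` in named.conf.tmpl binds the tinc interface address on the host, and `depends_on: - tinc` only orders container start, it does not wait for that interface to exist, so the first start may fail to bind and lean on `restart: always` — presumably acceptable, but worth a comment: `# host networking: named binds the tinc address itself; restart covers the tinc-interface race`. The config mount is read-write although named's `directory` is /var/cache/bind; if nothing under /etc/bind is written at runtime, `- /etc/bind/${COMPOSE_PROJECT_NAME}/:/etc/bind/:ro` closes a trivial persistence path.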