initial commit

This commit is contained in:
surtur 2022-08-26 02:52:21 +02:00
commit c40f918804
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI
8 changed files with 149 additions and 0 deletions

3
.gitattributes vendored Normal file

@ -0,0 +1,3 @@
*.service linguist-language=systemd
*.timer linguist-language=systemd
*.path linguist-language=systemd

14
LICENSE Normal file

@ -0,0 +1,14 @@
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 2, December 2004
Copyright (C) 2022 dotya.ml authors
Everyone is permitted to copy and distribute verbatim or modified copies of
this license document, and changing it is allowed as long as the name is changed.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. You just DO WHAT THE FUCK YOU WANT TO.

17
README.md Normal file

@ -0,0 +1,17 @@
# [`coredns`](https://git.dotya.ml/dotya.ml/coredns)
this repo contains configuration files for [CoreDNS](https://coredns.io/) set
up as a simple [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS)
forwarding resolver, that is relying on a locally running
[`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) instance for any
and all queries.
since the `systemd` service runs under an unprivileged user (here coredns,
which doesn't by default have access to `/etc/letsencrypt`), certs need to be
supplied to `coredns` another way: `copycerts_coredns.{path,service,timer}`.
### TO DO
- [ ] automated deployment (preferably using `ansible` + `drone`)
### LICENSE
WTFPLv2, see [LICENSE](LICENSE) for details

23
etc/coredns/Corefile Normal file

@ -0,0 +1,23 @@
tls://.:853 {
reload
errors
# certs need to be either copied or mounted here.
tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem {
client_auth verify_if_given
}
# local dnscrypt-proxy.
forward . 127.0.0.50:53 ::1 {
health_check 5s
expire 600s
policy sequential
}
cache {
success 2048
denial 2048
}
}
# vim: noexpandtab

@ -0,0 +1,11 @@
[Unit]
Description=Watching for changes to dotya.ml certs and triggering copy service
ConditionPathExists=/etc/letsencrypt/live/dotya.ml
[Path]
PathChanged=/etc/letsencrypt/live/dotya.ml
TriggerLimitIntervalSec=30s
TriggerLimitBurst=30
[Install]
WantedBy=multi-user.target

@ -0,0 +1,15 @@
[Unit]
Description=Copy dotya.ml certs for coredns.service
# technically, the below should have no impact
After=network.target
PartOf=coredns.service
ConditionPathExists=/etc/letsencrypt/live/dotya.ml
[Service]
Type=oneshot
Environment=DOMAIN=dotya.ml
ExecStartPre=bash -c "mkdir -pv /var/lib/coredns/certs"
ExecStart=bash -c "cp -f -v --dereference /etc/letsencrypt/live/${DOMAIN}/* /var/lib/coredns/certs/"
ExecStopPost=bash -c "chown -Rv coredns:root /var/lib/coredns"
SuccessExitStatus=0

@ -0,0 +1,10 @@
[Unit]
Description=Weekly copy of dotya.ml certs for coredns
[Timer]
OnCalendar=weekly
RandomizedDelaySec=30m
Persistent=true
[Install]
WantedBy=timers.target

@ -0,0 +1,56 @@
[Unit]
Description=CoreDNS server
Documentation=https://coredns.io
After=network.target
[Service]
PermissionsStartOnly=true
LimitNOFILE=1048576
LimitNPROC=512
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=
AmbientCapabilities=CAP_NET_BIND_SERVICE
User=coredns
ExecStart=/usr/local/bin/coredns -conf=/etc/coredns/Corefile
ExecReload=/bin/kill -SIGUSR1 $MAINPID
Restart=on-failure
RestartSec=5
WorkingDirectory=/var/lib/coredns
CacheDirectory=coredns
RuntimeDirectory=coredns
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ProtectHome=true
ProtectHostname=true
ProtectClock=true
ProtectProc=invisible
ProcSubset=pid
RemoveIPC=true
SystemCallFilter=~memfd_create @reboot @swap @mount @resources @privileged @cpu-emulation @debug @module @clock @raw-io @obsolete
NoNewPrivileges=true
LockPersonality=true
DeviceAllow=
MemoryDenyWriteExecute=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictRealtime=true
RestrictAddressFamilies=AF_INET AF_INET6
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target