From c40f9188045f3cb6e255c10108a7c5a5e4bb8f32 Mon Sep 17 00:00:00 2001 From: surtur Date: Fri, 26 Aug 2022 02:52:21 +0200 Subject: [PATCH] initial commit --- .gitattributes | 3 ++ LICENSE | 14 +++++++ README.md | 17 ++++++++ etc/coredns/Corefile | 23 ++++++++++ etc/systemd/system/copy_coredns.path | 11 +++++ etc/systemd/system/copy_coredns.service | 15 +++++++ etc/systemd/system/copy_coredns.timer | 10 +++++ etc/systemd/system/coredns.service | 56 +++++++++++++++++++++++++ 8 files changed, 149 insertions(+) create mode 100644 .gitattributes create mode 100644 LICENSE create mode 100644 README.md create mode 100644 etc/coredns/Corefile create mode 100644 etc/systemd/system/copy_coredns.path create mode 100644 etc/systemd/system/copy_coredns.service create mode 100644 etc/systemd/system/copy_coredns.timer create mode 100644 etc/systemd/system/coredns.service
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..86b8c43
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,3 @@
+*.service linguist-language=systemd
+*.timer linguist-language=systemd
+*.path linguist-language=systemd
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..2fc469c
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,14 @@
+DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+
+Version 2, December 2004
+
+Copyright (C) 2022 dotya.ml authors
+
+Everyone is permitted to copy and distribute verbatim or modified copies of
+this license document, and changing it is allowed as long as the name is changed.
+
+DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+
+TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. You just DO WHAT THE FUCK YOU WANT TO.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b6a1327
--- /dev/null
+++ b/README.md
@@ -0,0 +1,17 @@
+# [`coredns`](https://git.dotya.ml/dotya.ml/coredns)
+
+this repo contains configuration files for [CoreDNS](https://coredns.io/) set
+up as a simple [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS)
+forwarding resolver, that is relying on a locally running
+[`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) instance for any
+and all queries.
+
+since the `systemd` service runs under an unprivileged user (here coredns,
+which doesn't by default have access to `/etc/letsencrypt`), certs need to be
+supplied to `coredns` another way: `copycerts_coredns.{path,service,timer}`.
+
+### TO DO
+- [ ] automated deployment (preferably using `ansible` + `drone`)
+
+### LICENSE
+WTFPLv2, see [LICENSE](LICENSE) for details
diff --git a/etc/coredns/Corefile b/etc/coredns/Corefile
new file mode 100644
index 0000000..d2d4877
--- /dev/null
+++ b/etc/coredns/Corefile
@@ -0,0 +1,23 @@
+tls://.:853 {
+ reload
+ errors
+
+ # certs need to be either copied or mounted here.
+ tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem {
+ client_auth verify_if_given
+ }
+
+ # local dnscrypt-proxy.
+ forward . 127.0.0.50:53 ::1 {
+ health_check 5s
+ expire 600s
+ policy sequential
+ }
+
+ cache {
+ success 2048
+ denial 2048
+ }
+}
+
+# vim: noexpandtab
diff --git a/etc/systemd/system/copy_coredns.path b/etc/systemd/system/copy_coredns.path
new file mode 100644
index 0000000..2d9944d
--- /dev/null
+++ b/etc/systemd/system/copy_coredns.path
@@ -0,0 +1,11 @@
+[Unit]
+Description=Watching for changes to dotya.ml certs and triggering copy service
+ConditionPathExists=/etc/letsencrypt/live/dotya.ml
+
+[Path]
+PathChanged=/etc/letsencrypt/live/dotya.ml
+TriggerLimitIntervalSec=30s
+TriggerLimitBurst=30
+
+[Install]
+WantedBy=multi-user.target
diff --git a/etc/systemd/system/copy_coredns.service b/etc/systemd/system/copy_coredns.service
new file mode 100644
index 0000000..49fa094
--- /dev/null
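Review bot: `client_auth verify_if_given` inside the `tls` block is configured without a CA argument on the `tls` line, so as far as the tls plugin's documentation goes any client that does present a certificate is checked against the system CAs while clients presenting none are served anyway; for a public DoT forwarder that adds no access control and only makes clients that happen to send a certificate fail. If client-certificate authentication is not intended, drop the block (the default is `client_auth nocert`); if it is, pass the CA file as the third argument to `tls` and consider `require_and_verify`. The `forward . 127.0.0.50:53 ::1` line also deserves a sentence in the comment above it, since the upstream is plain DNS and that is only acceptable because both addresses are loopback, e.g. `# local dnscrypt-proxy; plaintext is fine only because both upstreams are loopback.`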
+++ b/etc/systemd/system/copy_coredns.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Copy dotya.ml certs for coredns.service
+# technically, the below should have no impact
+After=network.target
+PartOf=coredns.service
+ConditionPathExists=/etc/letsencrypt/live/dotya.ml
+
+[Service]
+Type=oneshot
+Environment=DOMAIN=dotya.ml
+ExecStartPre=bash -c "mkdir -pv /var/lib/coredns/certs"
+ExecStart=bash -c "cp -f -v --dereference /etc/letsencrypt/live/${DOMAIN}/* /var/lib/coredns/certs/"
+ExecStopPost=bash -c "chown -Rv coredns:root /var/lib/coredns"
+
+SuccessExitStatus=0
diff --git a/etc/systemd/system/copy_coredns.timer b/etc/systemd/system/copy_coredns.timer
new file mode 100644
index 0000000..e5d67ba
--- /dev/null
+++ b/etc/systemd/system/copy_coredns.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Weekly copy of dotya.ml certs for coredns
+
+[Timer]
+OnCalendar=weekly
+RandomizedDelaySec=30m
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/etc/systemd/system/coredns.service b/etc/systemd/system/coredns.service
new file mode 100644
index 0000000..4ec6297
--- /dev/null
+++ b/etc/systemd/system/coredns.service
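Review bot: Nothing in this unit makes coredns.service pick up the files it just replaced under `/var/lib/coredns/certs/`; `PartOf=coredns.service` only propagates stop and restart from coredns to this unit, not the other way, so unless CoreDNS re-reads the certificate files on its own (which I would not assume) a renewed certificate is served only after the next unrelated coredns restart. If the coupling is intended, add `ExecStartPost=systemctl try-restart coredns.service` and drop the `PartOf=` line, because with both in place a coredns restart would re-trigger this unit and the two would keep restarting each other. The `# technically, the below should have no impact` comment could then say what the ordering is meant to achieve rather than that it is expected to do nothing. Separately, the README refers to these units as `copycerts_coredns.{path,service,timer}` while the files committed here are named `copy_coredns.*`.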
@@ -0,0 +1,56 @@
+[Unit]
+Description=CoreDNS server
+Documentation=https://coredns.io
+After=network.target
+
+[Service]
+PermissionsStartOnly=true
+LimitNOFILE=1048576
+LimitNPROC=512
+CapabilityBoundingSet=
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+User=coredns
+
+ExecStart=/usr/local/bin/coredns -conf=/etc/coredns/Corefile
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+Restart=on-failure
+RestartSec=5
+
+WorkingDirectory=/var/lib/coredns
+CacheDirectory=coredns
+RuntimeDirectory=coredns
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectProc=invisible
+ProcSubset=pid
+
+RemoveIPC=true
+
+SystemCallFilter=~memfd_create @reboot @swap @mount @resources @privileged @cpu-emulation @debug @module @clock @raw-io @obsolete
+
+NoNewPrivileges=true
+LockPersonality=true
+DeviceAllow=
+MemoryDenyWriteExecute=true
+
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+RestrictAddressFamilies=AF_INET AF_INET6
+
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
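Review bot: `PermissionsStartOnly=true` is deprecated (the per-command `+` Exec prefix replaced it) and buys nothing here: the only command other than `ExecStart=` is `ExecReload=/bin/kill -SIGUSR1 $MAINPID`, which works under `User=coredns` because the signalled process is the service's own, so the line can be dropped and the reload stops running as root. `/var/lib/coredns` is used as `WorkingDirectory=` but, unlike `CacheDirectory=` and `RuntimeDirectory=`, is not declared with `StateDirectory=coredns`; as written, its creation and ownership are left to copy_coredns.service's `mkdir`/`chown`, and the first start fails on chdir if that unit has not run yet. Declaring it lets systemd create and own the directory (it stays read-only for the daemon under `ProtectSystem=strict` except for the state path, which is fine for certificates) and is the natural place for a comment such as `# certs are copied in by copy_coredns.service; the directory must exist before first start`. The denylist on `SystemCallFilter=` runs with the default kill action since no `SystemCallErrorNumber=` is set, which is worth stating in a comment because a filtered call ends the service with SIGSYS rather than an error the Go runtime could tolerate.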