initial commit

.gitattributes

@@ -0,0 +1,3 @@
+*.service	linguist-language=systemd
+*.timer		linguist-language=systemd
+*.path		linguist-language=systemd

LICENSE

@@ -0,0 +1,14 @@
+DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+
+Version 2, December 2004
+
+Copyright (C) 2022 dotya.ml authors
+
+Everyone is permitted to copy and distribute verbatim or modified copies of
+this license document, and changing it is allowed as long as the name is changed.
+
+DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+
+TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+   0. You just DO WHAT THE FUCK YOU WANT TO.

README.md

@@ -0,0 +1,17 @@
+# [`coredns`](https://git.dotya.ml/dotya.ml/coredns)
+
+this repo contains configuration files for [CoreDNS](https://coredns.io/) set
+up as a simple [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS)
+forwarding resolver, that is relying on a locally running
+[`dnscrypt-proxy`](https://github.com/DNSCrypt/dnscrypt-proxy) instance for any
+and all queries.
+
+since the `systemd` service runs under an unprivileged user (here coredns,
+which doesn't by default have access to `/etc/letsencrypt`), certs need to be
+supplied to `coredns` another way: `copycerts_coredns.{path,service,timer}`.
+
+### TO DO
+- [ ] automated deployment (preferably using `ansible` + `drone`)
+
+### LICENSE
+WTFPLv2, see [LICENSE](LICENSE) for details

etc/coredns/Corefile

@@ -0,0 +1,23 @@
+tls://.:853 {
+	reload
+	errors
+
+	# certs need to be either copied or mounted here.
+	tls /var/lib/coredns/certs/fullchain.pem /var/lib/coredns/certs/privkey.pem {
+		client_auth verify_if_given
+	}
+
+	# local dnscrypt-proxy.
+	forward . 127.0.0.50:53 ::1 {
+		health_check 5s
+		expire 600s
+		policy sequential
+	}
+
+	cache {
+		success	2048
+		denial	2048
+	}
+}
+
+# vim: noexpandtab

etc/systemd/system/copy_coredns.path

@@ -0,0 +1,11 @@
+[Unit]
+Description=Watching for changes to dotya.ml certs and triggering copy service
+ConditionPathExists=/etc/letsencrypt/live/dotya.ml
+
+[Path]
+PathChanged=/etc/letsencrypt/live/dotya.ml
+TriggerLimitIntervalSec=30s
+TriggerLimitBurst=30
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/copy_coredns.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Copy dotya.ml certs for coredns.service
+# technically, the below should have no impact
+After=network.target
+PartOf=coredns.service
+ConditionPathExists=/etc/letsencrypt/live/dotya.ml
+
+[Service]
+Type=oneshot
+Environment=DOMAIN=dotya.ml
+ExecStartPre=bash -c "mkdir -pv /var/lib/coredns/certs"
+ExecStart=bash -c "cp -f -v --dereference /etc/letsencrypt/live/${DOMAIN}/* /var/lib/coredns/certs/"
+ExecStopPost=bash -c "chown -Rv coredns:root /var/lib/coredns"
+
+SuccessExitStatus=0

etc/systemd/system/copy_coredns.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Weekly copy of dotya.ml certs for coredns
+
+[Timer]
+OnCalendar=weekly
+RandomizedDelaySec=30m
+Persistent=true
+
+[Install]
+WantedBy=timers.target

etc/systemd/system/coredns.service

@@ -0,0 +1,56 @@
+[Unit]
+Description=CoreDNS server
+Documentation=https://coredns.io
+After=network.target
+
+[Service]
+PermissionsStartOnly=true
+LimitNOFILE=1048576
+LimitNPROC=512
+CapabilityBoundingSet=
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+User=coredns
+
+ExecStart=/usr/local/bin/coredns -conf=/etc/coredns/Corefile
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+Restart=on-failure
+RestartSec=5
+
+WorkingDirectory=/var/lib/coredns
+CacheDirectory=coredns
+RuntimeDirectory=coredns
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectProc=invisible
+ProcSubset=pid
+
+RemoveIPC=true
+
+SystemCallFilter=~memfd_create @reboot @swap @mount @resources @privileged @cpu-emulation @debug @module @clock @raw-io @obsolete
+
+NoNewPrivileges=true
+LockPersonality=true
+DeviceAllow=
+MemoryDenyWriteExecute=true
+
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+RestrictAddressFamilies=AF_INET AF_INET6
+
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target