Move files from cranberrypi.config repository to devices/cranberrypi in sysconfig repository.

2026-03-12 22:08:38 -04:00
parent 1cfaa77dde
commit 2b1a67f751
7 changed files with 183 additions and 0 deletions
--- a/devices/cranberrypi/config/lib/systemd/system/unbound.service
+++ b/devices/cranberrypi/config/lib/systemd/system/unbound.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Unbound DNS server
+Documentation=man:unbound(8)
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+
+[Service]
+Type=exec
+Restart=on-failure
+EnvironmentFile=-/usr/local/etc/unbound/unbound_env
+ExecStart=/usr/local/sbin/unbound -d -p $DAEMON_OPTS
+ExecReload=+/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
+
--- a/devices/cranberrypi/config/usr/local/etc/unbound/root.key
+++ b/devices/cranberrypi/config/usr/local/etc/unbound/root.key
@@ -0,0 +1,10 @@
+; autotrust trust anchor file
+;;id: . 1
+;;last_queried: 1771250359 ;;Mon Feb 16 08:59:19 2026
+;;last_success: 1771250359 ;;Mon Feb 16 08:59:19 2026
+;;next_probe_time: 1771292919 ;;Mon Feb 16 20:48:39 2026
+;;query_failed: 0
+;;query_interval: 43200
+;;retry_time: 8640
+.	86400	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1771031738 ;;Fri Feb 13 20:15:38 2026
+.	86400	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1771031738 ;;Fri Feb 13 20:15:38 2026
--- a/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf
+++ b/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf
@@ -0,0 +1,62 @@
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/objectbrokerss/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+    server:
+    # location of the trust anchor file that enables DNSSEC
+    auto-trust-anchor-file: "/root.key"
+    # send minimal amount of information to upstream servers to enhance privacy
+    qname-minimisation: yes
+    # the interface that is used to connect to the network (this will listen to all interfaces)
+    interface: 0.0.0.0
+    # interface: ::0
+    private-address: 192.168.0.0/16
+    private-address: 100.64.0.0/10
+
+    # addresses from the IP range that are allowed to connect to the resolver
+    access-control: 192.168.88.0/24 allow
+    # explicitly allow localhost access
+    access-control: 127.0.0.0/8 allow
+    # allow Tailnet
+    access-control: 100.64.0.0/10 allow
+    # uncomment the following line to allow Tailnet IPv6
+    # access-control: fd7a:115c:a1e0::/48 allow
+
+    access-control-view: 192.168.88.0/24 lan
+    access-control-view: 100.64.0.0/10 tailnet
+    
+    do-ip4: yes
+    do-ip6: no
+    do-udp: yes
+    do-tcp: yes
+
+view:
+  name: "lan"
+  view-first: yes
+  local-zone: "objectbrokers.com." transparent
+  local-data: "nextcloud.objectbrokers.com. A 192.168.88.231"
+  local-data: "photo.objectbrokers.com. A 192.168.88.231"
+  local-data: "gitea.objectbrokers.com. A 192.168.88.231"
+  local-data: "portainer.objectbrokers.com. A 192.168.88.231"
+  local-data: "vaultwarden.objectbrokers.com. A 192.168.88.231"
+
+view:
+  name: "tailnet"
+  view-first: yes
+  local-zone: "objectbrokers.com." transparent
+  local-data: "nextcloud.objectbrokers.com. A 100.81.165.11"
+  local-data: "photo.objectbrokers.com. A 100.81.165.11"
+  local-data: "gitea.objectbrokers.com. A 100.81.165.11"
+  local-data: "portainer.objectbrokers.com. A 100.81.165.11"
+  local-data: "vaultwarden.objectbrokers.com. A 100.81.165.11"
+
+remote-control:
+  control-enable: yes
+  control-interface: /run/unbound.ctl
+
+
--- a/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.d/remote-control.conf
+++ b/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.d/remote-control.conf
@@ -0,0 +1,5 @@
+remote-control:
+  control-enable: yes
+  # by default the control interface is is 127.0.0.1 and ::1 and port 8953
+  # it is possible to use a unix socket too
+  control-interface: /run/unbound.ctl
--- a/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.txt
+++ b/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.txt
@@ -0,0 +1,62 @@
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/examples/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+    server:
+    # location of the trust anchor file that enables DNSSEC
+    auto-trust-anchor-file: "/root.key"
+    # send minimal amount of information to upstream servers to enhance privacy
+    qname-minimisation: yes
+    # the interface that is used to connect to the network (this will listen to all interfaces)
+    interface: 0.0.0.0
+    # interface: ::0
+    private-address: 192.168.0.0/16
+    private-address: 100.64.0.0/10
+
+    # addresses from the IP range that are allowed to connect to the resolver
+    access-control: 192.168.88.0/24 allow
+    # explicitly allow localhost access
+    access-control: 127.0.0.0/8 allow
+    # allow Tailnet
+    access-control: 100.64.0.0/10 allow
+    # uncomment the following line to allow Tailnet IPv6
+    # access-control: fd7a:115c:a1e0::/48 allow
+
+    access-control-view: 192.168.88.0/24 lan
+    access-control-view: 100.64.0.0/10 tailnet
+    
+    do-ip4: yes
+    do-ip6: no
+    do-udp: yes
+    do-tcp: yes
+
+view:
+  name: "lan"
+  view-first: yes
+  local-zone: "example.com." transparent
+  local-data: "nextcloud.example.com. A 192.168.88.231"
+  local-data: "photo.example.com. A 192.168.88.231"
+  local-data: "gitea.example.com. A 192.168.88.231"
+  local-data: "portainer.example.com. A 192.168.88.231"
+  local-data: "vaultwarden.example.com. A 192.168.88.231"
+
+view:
+  name: "tailnet"
+  view-first: yes
+  local-zone: "example.com." transparent
+  local-data: "nextcloud.example.com. A 100.81.165.11"
+  local-data: "photo.example.com. A 100.81.165.11"
+  local-data: "gitea.example.com. A 100.81.165.11"
+  local-data: "portainer.example.com. A 100.81.165.11"
+  local-data: "vaultwarden.example.com. A 100.81.165.11"
+
+remote-control:
+  control-enable: yes
+  control-interface: /run/unbound.ctl
+
+
--- a/devices/cranberrypi/readme.md
+++ b/devices/cranberrypi/readme.md
@@ -0,0 +1,2 @@
+System configuration files for host cranberrypi.  The directory hierarchy under this repo corresponds to the directory hierarchy under / (root) on the host cranberrypi.
+
--- a/devices/cranberrypi/unbound.md
+++ b/devices/cranberrypi/unbound.md
@@ -0,0 +1,25 @@
+Unbound provides DNS resolution service for the local network.  Unbound was built from source and installed on cranberrypi, bare metal (configure, make, sudo make install).
+
+The configuration file for Unbound is at /usr/local/etc/unbound/unbound.conf, with included configuration files in the directory /usr/local/etc/unbound/unbound.conf.d.
+
+Notes on Unbound configuration
+
+Unbound is configured for Split DNS to provide a different address resolution for services running on the home LAN, depending on whether the requesting client is running on the home LAN, on our Tailnet, or on a system entirely outside our network, on the public Internet.  The Unbound view construct is used to implement this. 
+
+There are two Unbound views defined:  "lan" and "tailnet".  The "lan" view includes local-data records for the available services on our network (mostly, but not exclusively, running on Teal), for example:
+
+  local-data: "nextcloud.objectbrokers.com. A 192.168.88.231"
+
+Each local-data record in the "lan" view points to a physical IP address on the home LAN.
+
+The "tailnet" view includes local-data records for the same set of services on our network as the "lan" view, for example:
+
+  local-data: "nextcloud.objectbrokers.com. A 100.81.165.11"
+
+Each local-data record in the "tailnet" view points to a Tailscale IP address on our Tailnet.
+
+Maintenance
+
+The Unbound configuration must be carefully maintained to enable Unbound to resolve URLs for our services correctly.
+
+Both views must include local-data records for each published service; each view must include the same set of names to be resolved.  The view differ in the IP address referenced for each name, not in the names included in the view.  Thus when a new service is published, a local-data record for that service must be added to both views.  When a service is deleted from the network, its local-data records in both views ("lan" and "tailnet") must be deleted.
				`@@ -0,0 +1,2 @@`
				`System configuration files for host cranberrypi. The directory hierarchy under this repo corresponds to the directory hierarchy under / (root) on the host cranberrypi.`