From 2b1a67f751243e7310004ded4efb0ddc0d0ac29d Mon Sep 17 00:00:00 2001
From: Christopher Jones
Date: Thu, 12 Mar 2026 22:08:38 -0400
Subject: [PATCH] Move files from cranberrypi.config repository to devices/cranberrypi in sysconfig repository.

---
 .../config/lib/systemd/system/unbound.service | 17 +++++
 .../config/usr/local/etc/unbound/root.key | 10 +++
 .../config/usr/local/etc/unbound/unbound.conf | 62 +++++++++++++++++++
 .../unbound.conf.d/remote-control.conf | 5 ++
 .../usr/local/etc/unbound/unbound.conf.txt | 62 +++++++++++++++++++
 devices/cranberrypi/readme.md | 2 +
 devices/cranberrypi/unbound.md | 25 ++++++++
 7 files changed, 183 insertions(+)
 create mode 100644 devices/cranberrypi/config/lib/systemd/system/unbound.service
 create mode 100644 devices/cranberrypi/config/usr/local/etc/unbound/root.key
 create mode 100644 devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf
 create mode 100644 devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.d/remote-control.conf
 create mode 100644 devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.txt
 create mode 100644 devices/cranberrypi/readme.md
 create mode 100644 devices/cranberrypi/unbound.md

diff --git a/devices/cranberrypi/config/lib/systemd/system/unbound.service b/devices/cranberrypi/config/lib/systemd/system/unbound.service
new file mode 100644
index 0000000..a11e193
--- /dev/null
+++ b/devices/cranberrypi/config/lib/systemd/system/unbound.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Unbound DNS server
+Documentation=man:unbound(8)
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+
+[Service]
+Type=exec
+Restart=on-failure
+EnvironmentFile=-/usr/local/etc/unbound/unbound_env
+ExecStart=/usr/local/sbin/unbound -d -p $DAEMON_OPTS
+ExecReload=+/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
+
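Review bot: The [Service] section sets no `User=`, `CapabilityBoundingSet=` or filesystem sandboxing, so the daemon is started as root and the only privilege drop is whatever `username:` and `chroot:` unbound was compiled with; neither directive appears in the unbound.conf shipped in this commit, so the runtime identity of a resolver that binds `interface: 0.0.0.0` cannot be reviewed from the repository. Pinning `username: "unbound"` and `chroot:` explicitly in unbound.conf, or adding sandboxing directives here, would make the posture visible and independent of build-time defaults. `EnvironmentFile=-/usr/local/etc/unbound/unbound_env` also names a file that is not part of this commit; the leading `-` means a missing file is tolerated and `$DAEMON_OPTS` then expands to nothing, which deserves a comment such as `# optional; may define DAEMON_OPTS consumed by ExecStart`.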
diff --git a/devices/cranberrypi/config/usr/local/etc/unbound/root.key b/devices/cranberrypi/config/usr/local/etc/unbound/root.key
new file mode 100644
index 0000000..b92d198
--- /dev/null
+++ b/devices/cranberrypi/config/usr/local/etc/unbound/root.key
@@ -0,0 +1,10 @@
+; autotrust trust anchor file
+;;id: . 1
+;;last_queried: 1771250359 ;;Mon Feb 16 08:59:19 2026
+;;last_success: 1771250359 ;;Mon Feb 16 08:59:19 2026
+;;next_probe_time: 1771292919 ;;Mon Feb 16 20:48:39 2026
+;;query_failed: 0
+;;query_interval: 43200
+;;retry_time: 8640
+. 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1771031738 ;;Fri Feb 13 20:15:38 2026
+. 86400 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1771031738 ;;Fri Feb 13 20:15:38 2026
diff --git a/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf b/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf
new file mode 100644
index 0000000..616ce4f
--- /dev/null
+++ b/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf
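Review bot: This is unbound's RFC 5011 autotrust state file rather than a static anchor: the `;;last_queried`, `;;next_probe_time` and `;;lastchange` fields are rewritten by the daemon as it probes, so the committed copy diverges from the host as soon as unbound runs, and a later deploy from this repository would roll the probe state (and potentially a rolled key) back to this snapshot. Consider versioning only the two DNSKEY records, or the output of `unbound-anchor`, and letting the daemon own the live file. readme.md should also state that `/usr/local/etc/unbound` must be writable by the user unbound runs as, since `auto-trust-anchor-file` cannot update the anchor otherwise.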
@@ -0,0 +1,62 @@
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/objectbrokerss/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+ server:
+ # location of the trust anchor file that enables DNSSEC
+ auto-trust-anchor-file: "/root.key"
+ # send minimal amount of information to upstream servers to enhance privacy
+ qname-minimisation: yes
+ # the interface that is used to connect to the network (this will listen to all interfaces)
+ interface: 0.0.0.0
+ # interface: ::0
+ private-address: 192.168.0.0/16
+ private-address: 100.64.0.0/10
+
+ # addresses from the IP range that are allowed to connect to the resolver
+ access-control: 192.168.88.0/24 allow
+ # explicitly allow localhost access
+ access-control: 127.0.0.0/8 allow
+ # allow Tailnet
+ access-control: 100.64.0.0/10 allow
+ # uncomment the following line to allow Tailnet IPv6
+ # access-control: fd7a:115c:a1e0::/48 allow
+
+ access-control-view: 192.168.88.0/24 lan
+ access-control-view: 100.64.0.0/10 tailnet
+
+ do-ip4: yes
+ do-ip6: no
+ do-udp: yes
+ do-tcp: yes
+
+view:
+ name: "lan"
+ view-first: yes
+ local-zone: "objectbrokers.com." transparent
+ local-data: "nextcloud.objectbrokers.com. A 192.168.88.231"
+ local-data: "photo.objectbrokers.com. A 192.168.88.231"
+ local-data: "gitea.objectbrokers.com. A 192.168.88.231"
+ local-data: "portainer.objectbrokers.com. A 192.168.88.231"
+ local-data: "vaultwarden.objectbrokers.com. A 192.168.88.231"
+
+view:
+ name: "tailnet"
+ view-first: yes
+ local-zone: "objectbrokers.com." transparent
+ local-data: "nextcloud.objectbrokers.com. A 100.81.165.11"
+ local-data: "photo.objectbrokers.com. A 100.81.165.11"
+ local-data: "gitea.objectbrokers.com. A 100.81.165.11"
+ local-data: "portainer.objectbrokers.com. A 100.81.165.11"
+ local-data: "vaultwarden.objectbrokers.com. A 100.81.165.11"
+
+remote-control:
+ control-enable: yes
+ control-interface: /run/unbound.ctl
+
+
diff --git a/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.d/remote-control.conf b/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.d/remote-control.conf
new file mode 100644
index 0000000..6c18bd7
--- /dev/null
+++ b/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.d/remote-control.conf
@@ -0,0 +1,5 @@
+remote-control:
+ control-enable: yes
+ # by default the control interface is is 127.0.0.1 and ::1 and port 8953
+ # it is possible to use a unix socket too
+ control-interface: /run/unbound.ctl
diff --git a/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.txt b/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.txt
new file mode 100644
index 0000000..54a951a
--- /dev/null
+++ b/devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.txt
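Review bot: The header comment says "The following line includes additional configuration files from the /etc/unbound/unbound.conf.d directory", but no `include:` or `include-toplevel:` line follows it, so the `unbound.conf.d/remote-control.conf` added in this commit is never read and the `remote-control:` block at the bottom of this file is the one that takes effect; unbound.conf.txt in this commit has the same gap. Either add `include-toplevel: "/usr/local/etc/unbound/unbound.conf.d/*.conf"` after the comment and drop the duplicate `remote-control:` block here, or reword the comment to say the directory is not included. The path `/usr/share/doc/unbound/objectbrokerss/unbound.conf` in the same header looks like a search-and-replace of "example" that also hit "examples" (unbound.conf.txt still reads `examples`). Separately, `auto-trust-anchor-file: "/root.key"` is an absolute path that only reaches the shipped `/usr/local/etc/unbound/root.key` if unbound's `chroot:` is that directory, so setting `chroot:` explicitly, or spelling out the full path, would remove the dependency on a build-time default.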
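Review bot: Because `control-interface` is a unix socket path, unbound does not apply the TLS/certificate checks it uses for a TCP control port, so who may administer the resolver is decided solely by the owner and mode of `/run/unbound.ctl`; the comment above it only says a socket "is possible" and should state that consequence, e.g. `# unix socket: no TLS, access is governed by the socket file's owner and mode`. The same comment also reads "is is".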
@@ -0,0 +1,62 @@
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/examples/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+ server:
+ # location of the trust anchor file that enables DNSSEC
+ auto-trust-anchor-file: "/root.key"
+ # send minimal amount of information to upstream servers to enhance privacy
+ qname-minimisation: yes
+ # the interface that is used to connect to the network (this will listen to all interfaces)
+ interface: 0.0.0.0
+ # interface: ::0
+ private-address: 192.168.0.0/16
+ private-address: 100.64.0.0/10
+
+ # addresses from the IP range that are allowed to connect to the resolver
+ access-control: 192.168.88.0/24 allow
+ # explicitly allow localhost access
+ access-control: 127.0.0.0/8 allow
+ # allow Tailnet
+ access-control: 100.64.0.0/10 allow
+ # uncomment the following line to allow Tailnet IPv6
+ # access-control: fd7a:115c:a1e0::/48 allow
+
+ access-control-view: 192.168.88.0/24 lan
+ access-control-view: 100.64.0.0/10 tailnet
+
+ do-ip4: yes
+ do-ip6: no
+ do-udp: yes
+ do-tcp: yes
+
+view:
+ name: "lan"
+ view-first: yes
+ local-zone: "example.com." transparent
+ local-data: "nextcloud.example.com. A 192.168.88.231"
+ local-data: "photo.example.com. A 192.168.88.231"
+ local-data: "gitea.example.com. A 192.168.88.231"
+ local-data: "portainer.example.com. A 192.168.88.231"
+ local-data: "vaultwarden.example.com. A 192.168.88.231"
+
+view:
+ name: "tailnet"
+ view-first: yes
+ local-zone: "example.com." transparent
+ local-data: "nextcloud.example.com. A 100.81.165.11"
+ local-data: "photo.example.com. A 100.81.165.11"
+ local-data: "gitea.example.com. A 100.81.165.11"
+ local-data: "portainer.example.com. A 100.81.165.11"
+ local-data: "vaultwarden.example.com. A 100.81.165.11"
+
+remote-control:
+ control-enable: yes
+ control-interface: /run/unbound.ctl
+
+
diff --git a/devices/cranberrypi/readme.md b/devices/cranberrypi/readme.md
new file mode 100644
index 0000000..d400ed3
--- /dev/null
+++ b/devices/cranberrypi/readme.md
@@ -0,0 +1,2 @@
+System configuration files for host cranberrypi. The directory hierarchy under this repo corresponds to the directory hierarchy under / (root) on the host cranberrypi.
+
diff --git a/devices/cranberrypi/unbound.md b/devices/cranberrypi/unbound.md
new file mode 100644
index 0000000..237238d
--- /dev/null
+++ b/devices/cranberrypi/unbound.md
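Review bot: This file is unbound.conf with the domain replaced by example.com, but neither it nor readme.md says which copy is authoritative or why a .txt twin is placed under the host-mirrored /usr/local/etc/unbound tree, so the two will drift (they already differ in the `examples` comment path). A leading comment such as `# Sanitised template of unbound.conf; edit unbound.conf, not this file` would make the intent clear, or the template could live outside the config tree that readme.md says mirrors the host's root.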
@@ -0,0 +1,25 @@
+Unbound provides DNS resolution service for the local network. Unbound was built from source and installed on cranberrypi, bare metal (configure, make, sudo make install).
+
+The configuration file for Unbound is at /usr/local/etc/unbound/unbound.conf, with included configuration files in the directory /usr/local/etc/unbound/unbound.conf.d.
+
+Notes on Unbound configuration
+
+Unbound is configured for Split DNS to provide a different address resolution for services running on the home LAN, depending on whether the requesting client is running on the home LAN, on our Tailnet, or on a system entirely outside our network, on the public Internet. The Unbound view construct is used to implement this.
+
+There are two Unbound views defined: "lan" and "tailnet". The "lan" view includes local-data records for the available services on our network (mostly, but not exclusively, running on Teal), for example:
+
+ local-data: "nextcloud.objectbrokers.com. A 192.168.88.231"
+
+Each local-data record in the "lan" view points to a physical IP address on the home LAN.
+
+The "tailnet" view includes local-data records for the same set of services on our network as the "lan" view, for example:
+
+ local-data: "nextcloud.objectbrokers.com. A 100.81.165.11"
+
+Each local-data record in the "tailnet" view points to a Tailscale IP address on our Tailnet.
+
+Maintenance
+
+The Unbound configuration must be carefully maintained to enable Unbound to resolve URLs for our services correctly.
+
+Both views must include local-data records for each published service; each view must include the same set of names to be resolved. The view differ in the IP address referenced for each name, not in the names included in the view. Thus when a new service is published, a local-data record for that service must be added to both views. When a service is deleted from the network, its local-data records in both views ("lan" and "tailnet") must be deleted.
\ No newline at end of file