Add prefetch and serve-expired to unbound config for cranberrypi

design/readme.md

@@ -0,0 +1,33 @@
+# Requirements
+
+* Internet access
+  * DHCP
+  * DNS
+* Robust backup of files, photos, media, etc
+* Secure, private access to data and services on the LAN from devices on the LAN and on the public internet
+* Audio and video media
+* File sharing (WebDAV)
+* System administration tools for remote access, monitoring, etc
+
+# Design
+
+## Network Infrastructure
+
+The family network is a standard home LAN over Ethernet and WiFi, connected to the public Internet through Verizon FiOS.
+
+Components of the network infrastructure:
+
+* Verizon Optical Network Terminal (ONT).  The ONT is owned and managed by Verizon; further technical detail is unavailable.  The ONT is connected to the main Ethernet router (RB5009) via Ethernet cable.
+* Mikrotik RB5009 Ethernet router
+* Mikrotik hAPax3 WiFi access point
+* Cisco/Linksys WiFi router configured in bridge mode to act as a WiFi access point (in Evan's room)
+* Category 6 Ethernet cabling providing the following Ethernet drops:
+  * Downstairs office
+  * Upstairs office
+  * Evan's room
+  * Living room drop 1:  entertainment stack under the main TV
+  * Living room drop 2:  corner near the fireplace
+* Ethernet switches as needed to provide wired Ethernet connectivity to additional devices
+  * On the main rack in the basement
+  * In Evan's room
+  * Behind the entertainment stack in the living room

devices/RB5009/RB5009Config.rsc

@@ -0,0 +1,108 @@
+# 2026-03-10 22:40:31 by RouterOS 7.19.2
+# software id = CIAZ-SUFT
+#
+# model = RB5009UG+S+
+# serial number = HEE08K82CQV
+/interface bridge
+add name=local port-cost-mode=short
+/interface wireless security-profiles
+set [ find default=yes ] supplicant-identity=MikroTik
+/ip pool
+add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
+add name=dhcp_pool1 ranges=192.168.88.10-192.168.88.254
+/ip dhcp-server
+add address-pool=dhcp_pool1 interface=local lease-time=10m name=dhcp2
+/ip smb users
+add name=cjones
+add name=chris
+/ip smb
+set enabled=yes
+/interface bridge port
+add bridge=local interface=ether2 internal-path-cost=10 path-cost=10
+add bridge=local interface=ether3 internal-path-cost=10 path-cost=10
+add bridge=local interface=ether4 internal-path-cost=10 path-cost=10
+add bridge=local interface=ether5 internal-path-cost=10 path-cost=10
+add bridge=local interface=ether6 internal-path-cost=10 path-cost=10
+add bridge=local interface=ether7 internal-path-cost=10 path-cost=10
+add bridge=local interface=ether8 internal-path-cost=10 path-cost=10
+add bridge=local interface=ether1 internal-path-cost=10 path-cost=10
+/ip firewall connection tracking
+set udp-timeout=10s
+/interface ovpn-server server
+add mac-address=FE:73:F4:5A:2B:60 name=ovpn-server1
+/ip address
+add address=192.168.88.1/24 interface=local network=192.168.88.0
+/ip dhcp-client
+add interface=sfp-sfpplus1
+/ip dhcp-server lease
+add address=192.168.88.239 client-id=1:0:11:32:28:2:98 mac-address=\
+    00:11:32:28:02:98 server=dhcp2
+add address=192.168.88.47 client-id=1:48:a9:8a:c0:95:a mac-address=\
+    48:A9:8A:C0:95:0A server=dhcp2
+add address=192.168.88.232 client-id=1:dc:a6:32:67:1:16 mac-address=\
+    DC:A6:32:67:01:16 server=dhcp2
+add address=192.168.88.231 client-id=1:a8:a1:59:ae:a0:3e mac-address=\
+    A8:A1:59:AE:A0:3E server=dhcp2
+add address=192.168.88.15 client-id=1:dc:cd:2f:b:aa:b1 mac-address=\
+    DC:CD:2F:0B:AA:B1 server=dhcp2
+add address=192.168.88.87 client-id=1:5c:f9:dd:e5:41:eb mac-address=\
+    5C:F9:DD:E5:41:EB server=dhcp2
+add address=192.168.88.26 client-id=1:c8:b2:9b:db:b0:23 mac-address=\
+    C8:B2:9B:DB:B0:23 server=dhcp2
+add address=192.168.88.250 client-id=1:e0:2b:e9:cf:dc:d5 mac-address=\
+    E0:2B:E9:CF:DC:D5 server=dhcp2
+add address=192.168.88.20 client-id=1:dc:21:5c:84:3a:a5 mac-address=\
+    DC:21:5C:84:3A:A5 server=dhcp2
+add address=192.168.88.144 comment="Static IP for Clinitek engine" \
+    mac-address=3E:BE:90:50:0E:47
+add address=192.168.88.138 client-id=\
+    ff:f8:ce:1b:a1:0:2:0:0:ab:11:6f:15:1:e4:34:20:3c:8c mac-address=\
+    A2:53:3A:64:F4:DE server=dhcp2
+add address=192.168.88.25 client-id=1:bc:f8:7e:8f:32:ea mac-address=\
+    BC:F8:7E:8F:32:EA server=dhcp2
+add address=192.168.88.40 client-id=\
+    ff:e4:96:b0:28:0:2:0:0:ab:11:a:d3:57:3f:cd:69:67:6c mac-address=\
+    DC:A6:32:67:01:17 server=dhcp2
+/ip dhcp-server network
+add
+add address=192.168.88.0/24 dns-server=192.168.88.231,192.168.88.40 gateway=\
+    192.168.88.1 wins-server=0.0.0.0
+/ip dns
+set allow-remote-requests=yes servers=8.8.8.8
+/ip firewall filter
+add action=accept chain=input comment="accept established,related" \
+    connection-state=established,related
+add action=drop chain=input connection-state=invalid
+add action=accept chain=input comment="allow ICMP" in-interface=sfp-sfpplus1 \
+    protocol=icmp
+add action=accept chain=input comment="allow Winbox" in-interface=\
+    sfp-sfpplus1 port=8291 protocol=tcp
+add action=accept chain=input comment="allow SSH" in-interface=sfp-sfpplus1 \
+    port=22 protocol=tcp
+add action=drop chain=input comment="block everything else" in-interface=\
+    sfp-sfpplus1
+/ip firewall nat
+add action=masquerade chain=srcnat out-interface=sfp-sfpplus1
+add action=dst-nat chain=dstnat dst-address=173.48.126.187 dst-port=80 \
+    protocol=tcp to-addresses=192.168.88.231 to-ports=80
+add action=dst-nat chain=dstnat dst-address=173.48.126.187 dst-port=8080 \
+    protocol=tcp to-addresses=192.168.88.231 to-ports=8080
+add action=dst-nat chain=dstnat dst-address=173.48.126.187 dst-port=443 \
+    protocol=tcp to-addresses=192.168.88.231 to-ports=443
+add action=dst-nat chain=dstnat dst-address=173.48.126.187 dst-port=8070 \
+    protocol=tcp to-addresses=192.168.88.231 to-ports=8070
+add action=dst-nat chain=dstnat dst-address=173.48.126.187 dst-port=52199 \
+    protocol=tcp to-addresses=192.168.88.231 to-ports=52199
+add action=dst-nat chain=dstnat dst-address=173.48.126.187 dst-port=3389 \
+    protocol=tcp to-addresses=192.168.88.250 to-ports=3389
+add action=dst-nat chain=dstnat dst-address=173.48.126.187 dst-port=443 \
+    protocol=tcp to-addresses=192.168.88.231 to-ports=443
+/ip ipsec profile
+set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
+/ip smb shares
+set [ find default=yes ] directory=/pub disabled=no
+add directory=demoshare name=demoshare
+/system clock
+set time-zone-name=America/New_York
+/system identity
+set name=RB5009

devices/cranberrypi/config/etc/systemd/resolved.conf

@@ -0,0 +1,36 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it under the
+#  terms of the GNU Lesser General Public License as published by the Free
+#  Software Foundation; either version 2.1 of the License, or (at your option)
+#  any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file (or a copy of it placed in
+# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
+# the /etc/systemd/resolved.conf.d/ directory. The latter is generally
+# recommended. Defaults can be restored by simply deleting the main
+# configuration file and all drop-ins located in /etc/.
+#
+# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
+#
+# See resolved.conf(5) for details.
+
+[Resolve]
+# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
+# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
+# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
+# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+DNS=192.168.88.231 192.168.88.40
+Domains=~objectbrokers.com
+#DNSSEC=no
+#DNSOverTLS=no
+#MulticastDNS=no
+#LLMNR=no
+#Cache=no-negative
+#CacheFromLocalhost=no
+DNSStubListener=no
+#DNSStubListenerExtra=
+#ReadEtcHosts=yes
+#ResolveUnicastSingleLabel=no
+#StaleRetentionSec=0

devices/cranberrypi/config/lib/systemd/system/unbound.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Unbound DNS server
+Documentation=man:unbound(8)
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+
+[Service]
+Type=exec
+Restart=on-failure
+EnvironmentFile=-/usr/local/etc/unbound/unbound_env
+ExecStart=/usr/local/sbin/unbound -d -p $DAEMON_OPTS
+ExecReload=+/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
+

devices/cranberrypi/config/usr/local/etc/unbound/root.key

@@ -0,0 +1,10 @@
+; autotrust trust anchor file
+;;id: . 1
+;;last_queried: 1771250359 ;;Mon Feb 16 08:59:19 2026
+;;last_success: 1771250359 ;;Mon Feb 16 08:59:19 2026
+;;next_probe_time: 1771292919 ;;Mon Feb 16 20:48:39 2026
+;;query_failed: 0
+;;query_interval: 43200
+;;retry_time: 8640
+.	86400	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1771031738 ;;Fri Feb 13 20:15:38 2026
+.	86400	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1771031738 ;;Fri Feb 13 20:15:38 2026

devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf

@@ -0,0 +1,72 @@
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/objectbrokerss/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+    server:
+    # location of the trust anchor file that enables DNSSEC
+    auto-trust-anchor-file: "/root.key"
+    # send minimal amount of information to upstream servers to enhance privacy
+    qname-minimisation: yes
+    prefetch: yes
+    serve-expired: yes
+    # the interface that is used to connect to the network (this will listen to all interfaces)
+    interface: 0.0.0.0
+    # interface: ::0
+    private-address: 192.168.0.0/16
+    private-address: 100.64.0.0/10
+
+    # addresses from the IP range that are allowed to connect to the resolver
+    access-control: 192.168.88.0/24 allow
+    # explicitly allow localhost access
+    access-control: 127.0.0.0/8 allow
+    # allow Tailnet
+    access-control: 100.64.0.0/10 allow
+    # uncomment the following line to allow Tailnet IPv6
+    # access-control: fd7a:115c:a1e0::/48 allow
+
+    access-control-view: 192.168.88.0/24 lan
+    access-control-view: 100.64.0.0/10 tailnet
+    
+    do-ip4: yes
+    do-ip6: no
+    do-udp: yes
+    do-tcp: yes
+
+    forward-zone:
+      name: "ts.net."
+      forward-addr: 100.100.100.100
+
+    forward-zone:
+      name: "100.in-addr.arpa."
+      forward-addr: 100.100.100.100
+
+view:
+  name: "lan"
+  view-first: yes
+  local-zone: "objectbrokers.com." transparent
+  local-data: "nextcloud.objectbrokers.com. A 192.168.88.231"
+  local-data: "photo.objectbrokers.com. A 192.168.88.231"
+  local-data: "gitea.objectbrokers.com. A 192.168.88.231"
+  local-data: "portainer.objectbrokers.com. A 192.168.88.231"
+  local-data: "vaultwarden.objectbrokers.com. A 192.168.88.231"
+
+view:
+  name: "tailnet"
+  view-first: yes
+  local-zone: "objectbrokers.com." transparent
+  local-data: "nextcloud.objectbrokers.com. A 100.81.165.11"
+  local-data: "photo.objectbrokers.com. A 100.81.165.11"
+  local-data: "gitea.objectbrokers.com. A 100.81.165.11"
+  local-data: "portainer.objectbrokers.com. A 100.81.165.11"
+  local-data: "vaultwarden.objectbrokers.com. A 100.81.165.11"
+
+remote-control:
+  control-enable: yes
+  control-interface: /run/unbound.ctl
+
+

devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.d/remote-control.conf

@@ -0,0 +1,5 @@
+remote-control:
+  control-enable: yes
+  # by default the control interface is is 127.0.0.1 and ::1 and port 8953
+  # it is possible to use a unix socket too
+  control-interface: /run/unbound.ctl

devices/cranberrypi/config/usr/local/etc/unbound/unbound.conf.txt

@@ -0,0 +1,62 @@
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/examples/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+    server:
+    # location of the trust anchor file that enables DNSSEC
+    auto-trust-anchor-file: "/root.key"
+    # send minimal amount of information to upstream servers to enhance privacy
+    qname-minimisation: yes
+    # the interface that is used to connect to the network (this will listen to all interfaces)
+    interface: 0.0.0.0
+    # interface: ::0
+    private-address: 192.168.0.0/16
+    private-address: 100.64.0.0/10
+
+    # addresses from the IP range that are allowed to connect to the resolver
+    access-control: 192.168.88.0/24 allow
+    # explicitly allow localhost access
+    access-control: 127.0.0.0/8 allow
+    # allow Tailnet
+    access-control: 100.64.0.0/10 allow
+    # uncomment the following line to allow Tailnet IPv6
+    # access-control: fd7a:115c:a1e0::/48 allow
+
+    access-control-view: 192.168.88.0/24 lan
+    access-control-view: 100.64.0.0/10 tailnet
+    
+    do-ip4: yes
+    do-ip6: no
+    do-udp: yes
+    do-tcp: yes
+
+view:
+  name: "lan"
+  view-first: yes
+  local-zone: "example.com." transparent
+  local-data: "nextcloud.example.com. A 192.168.88.231"
+  local-data: "photo.example.com. A 192.168.88.231"
+  local-data: "gitea.example.com. A 192.168.88.231"
+  local-data: "portainer.example.com. A 192.168.88.231"
+  local-data: "vaultwarden.example.com. A 192.168.88.231"
+
+view:
+  name: "tailnet"
+  view-first: yes
+  local-zone: "example.com." transparent
+  local-data: "nextcloud.example.com. A 100.81.165.11"
+  local-data: "photo.example.com. A 100.81.165.11"
+  local-data: "gitea.example.com. A 100.81.165.11"
+  local-data: "portainer.example.com. A 100.81.165.11"
+  local-data: "vaultwarden.example.com. A 100.81.165.11"
+
+remote-control:
+  control-enable: yes
+  control-interface: /run/unbound.ctl
+
+

devices/cranberrypi/readme.md

@@ -0,0 +1,2 @@
+System configuration files for host cranberrypi.  The directory hierarchy under this repo corresponds to the directory hierarchy under / (root) on the host cranberrypi.
+

devices/cranberrypi/unbound.md

@@ -0,0 +1,25 @@
+Unbound provides DNS resolution service for the local network.  Unbound was built from source and installed on cranberrypi, bare metal (configure, make, sudo make install).
+
+The configuration file for Unbound is at /usr/local/etc/unbound/unbound.conf, with included configuration files in the directory /usr/local/etc/unbound/unbound.conf.d.
+
+Notes on Unbound configuration
+
+Unbound is configured for Split DNS to provide a different address resolution for services running on the home LAN, depending on whether the requesting client is running on the home LAN, on our Tailnet, or on a system entirely outside our network, on the public Internet.  The Unbound view construct is used to implement this. 
+
+There are two Unbound views defined:  "lan" and "tailnet".  The "lan" view includes local-data records for the available services on our network (mostly, but not exclusively, running on Teal), for example:
+
+  local-data: "nextcloud.objectbrokers.com. A 192.168.88.231"
+
+Each local-data record in the "lan" view points to a physical IP address on the home LAN.
+
+The "tailnet" view includes local-data records for the same set of services on our network as the "lan" view, for example:
+
+  local-data: "nextcloud.objectbrokers.com. A 100.81.165.11"
+
+Each local-data record in the "tailnet" view points to a Tailscale IP address on our Tailnet.
+
+Maintenance
+
+The Unbound configuration must be carefully maintained to enable Unbound to resolve URLs for our services correctly.
+
+Both views must include local-data records for each published service; each view must include the same set of names to be resolved.  The view differ in the IP address referenced for each name, not in the names included in the view.  Thus when a new service is published, a local-data record for that service must be added to both views.  When a service is deleted from the network, its local-data records in both views ("lan" and "tailnet") must be deleted.

devices/teal/README.md

@@ -1,17 +1,12 @@
 Principal storage server and host for most services.
 
-
 # Services
 
 ## SystemD Services
 
 * caddy
-* cockpit
-* docker
 * restic-backup
-* restic-check
 * rustdesk
-* samba
 * sanoid
 * tailscale
 * unbound
@@ -23,11 +18,11 @@ Most applications hosted on teal run in Docker containers.  For details of the D
 
 Bound data volumes for Docker-hosted applications are generally found in the ZFS pool in subdirectories of /mnt/storage/appdata.
 
-* Bookstack
-* Gitea
-* Immich
-* Jellyfin
-* JRiver Media Center
-* Nextcloud
-* Portainer
-* Vaultwarden
+* [Bookstack](../../services/bookstack/readme.md)
+* [Gitea](../../services/gitea/readme.md)
+* [Immich](../../services/immich/readme.md)
+* [Jellyfin](../../services/jellyfin/readme.md)
+* [JRiver Media Center](../../services/mc/readme.md)
+* [Nextcloud](../../services/nextcloud/readme.md)
+* [Portainer](../../services/portainer/readme.md)
+* [Vaultwarden](../../services/vaultwarden/readme.md)

devices/teal/config/etc/systemd/resolved.conf

@@ -0,0 +1,36 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it under the
+#  terms of the GNU Lesser General Public License as published by the Free
+#  Software Foundation; either version 2.1 of the License, or (at your option)
+#  any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file (or a copy of it placed in
+# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
+# the /etc/systemd/resolved.conf.d/ directory. The latter is generally
+# recommended. Defaults can be restored by simply deleting the main
+# configuration file and all drop-ins located in /etc/.
+#
+# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
+#
+# See resolved.conf(5) for details.
+
+[Resolve]
+# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
+# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
+# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
+# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+DNS=192.168.88.231 192.168.88.40
+Domains=~objectbrokers.com
+#DNSSEC=no
+#DNSOverTLS=no
+#MulticastDNS=no
+#LLMNR=no
+#Cache=no-negative
+#CacheFromLocalhost=no
+DNSStubListener=no
+#DNSStubListenerExtra=
+#ReadEtcHosts=yes
+#ResolveUnicastSingleLabel=no
+#StaleRetentionSec=0

devices/teal/config/lib/systemd/system/unbound.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Unbound DNS server
+Documentation=man:unbound(8)
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+
+[Service]
+Type=exec
+Restart=on-failure
+EnvironmentFile=-/usr/local/etc/unbound/unbound_env
+ExecStart=/usr/local/sbin/unbound -d -p $DAEMON_OPTS
+ExecReload=+/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
+

devices/teal/config/usr/local/etc/unbound/root.key

@@ -0,0 +1,10 @@
+; autotrust trust anchor file
+;;id: . 1
+;;last_queried: 1773367002 ;;Thu Mar 12 21:56:42 2026
+;;last_success: 1773367002 ;;Thu Mar 12 21:56:42 2026
+;;next_probe_time: 1773409029 ;;Fri Mar 13 09:37:09 2026
+;;query_failed: 0
+;;query_interval: 43200
+;;retry_time: 8640
+.	86400	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1771031738 ;;Fri Feb 13 20:15:38 2026
+.	86400	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1771031738 ;;Fri Feb 13 20:15:38 2026

devices/teal/config/usr/local/etc/unbound/unbound.conf

@@ -0,0 +1,72 @@
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/objectbrokerss/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+    server:
+    # location of the trust anchor file that enables DNSSEC
+    auto-trust-anchor-file: "/root.key"
+    # send minimal amount of information to upstream servers to enhance privacy
+    qname-minimisation: yes
+    prefetch: yes
+    serve-expired: yes
+    # the interface that is used to connect to the network (this will listen to all interfaces)
+    interface: 0.0.0.0
+    # interface: ::0
+    private-address: 192.168.0.0/16
+    private-address: 100.64.0.0/10
+
+    # addresses from the IP range that are allowed to connect to the resolver
+    access-control: 192.168.88.0/24 allow
+    # explicitly allow localhost access
+    access-control: 127.0.0.0/8 allow
+    # allow Tailnet
+    access-control: 100.64.0.0/10 allow
+    # uncomment the following line to allow Tailnet IPv6
+    # access-control: fd7a:115c:a1e0::/48 allow
+
+    access-control-view: 192.168.88.0/24 lan
+    access-control-view: 100.64.0.0/10 tailnet
+    
+    do-ip4: yes
+    do-ip6: no
+    do-udp: yes
+    do-tcp: yes
+
+    forward-zone:
+      name: "ts.net."
+      forward-addr: 100.100.100.100
+
+    forward-zone:
+      name: "100.in-addr.arpa."
+      forward-addr: 100.100.100.100
+
+view:
+  name: "lan"
+  view-first: yes
+  local-zone: "objectbrokers.com." transparent
+  local-data: "nextcloud.objectbrokers.com. A 192.168.88.231"
+  local-data: "photo.objectbrokers.com. A 192.168.88.231"
+  local-data: "gitea.objectbrokers.com. A 192.168.88.231"
+  local-data: "portainer.objectbrokers.com. A 192.168.88.231"
+  local-data: "vaultwarden.objectbrokers.com. A 192.168.88.231"
+
+view:
+  name: "tailnet"
+  view-first: yes
+  local-zone: "objectbrokers.com." transparent
+  local-data: "nextcloud.objectbrokers.com. A 100.81.165.11"
+  local-data: "photo.objectbrokers.com. A 100.81.165.11"
+  local-data: "gitea.objectbrokers.com. A 100.81.165.11"
+  local-data: "portainer.objectbrokers.com. A 100.81.165.11"
+  local-data: "vaultwarden.objectbrokers.com. A 100.81.165.11"
+
+remote-control:
+  control-enable: yes
+  control-interface: /run/unbound.ctl
+
+

devices/teal/config/usr/local/etc/unbound/unbound.conf.d/remote-control.conf

@@ -0,0 +1,5 @@
+remote-control:
+  control-enable: yes
+  # by default the control interface is is 127.0.0.1 and ::1 and port 8953
+  # it is possible to use a unix socket too
+  control-interface: /run/unbound.ctl

services/bookstack/readme.md

@@ -1 +1 @@
-Bookstack provides a self-hosted wiki.  For general information on Bookstack, see [](https://www.bookstackapp.com/)
+Bookstack provides a self-hosted wiki.  For general information on Bookstack, see [bookstackapp.com](https://www.bookstackapp.com/)

services/caddy/readme.md

@@ -0,0 +1,9 @@
+caddy is a reverse proxy server providing secure access to https-based applications on teal.  Configuration
+
+of the reverse proxy is found in the file /etc/caddy/Caddyfile.
+
+For general information on caddy see [caddy reverse proxy quick start](https://caddyserver.com/docs/quick-starts/reverse-proxy).
+
+```
+
+```

services/gitea/readme.md

@@ -0,0 +1 @@
+Gitea is the Git source control server for the network.  For general information on Gitea, see [Gitea Official Website](https://about.gitea.com/)

services/immich/readme.md

@@ -0,0 +1 @@
+Immich is a photo backup solution.  For general information on Immich, see [Immich.app](https://immich.app//)

services/jellyfin/readme.md

@@ -0,0 +1 @@
+Jellyfin is the home network's media server.  For general information on Jellyfin, see [jellyfin.org](https://jellyfin.org/)

services/mc/readme.md

@@ -0,0 +1 @@
+mc provides a Docker-hosted implementation of the JRiver Media Center application.

services/portainer/readme.md

@@ -0,0 +1 @@
+Portainer is a web-based management application for Docker containers.  For general information on Portainer, see [Portainer](https://www.portainer.io/)

services/restic-backup/readme.md

@@ -0,0 +1,3 @@
+restic-backup is a systemd service to invoke restic to back up selected directories on teal to cygnus (our Synology NAS).  It is based on [restic-automic-backup-scheduler](https://github.com/erikw/restic-automatic-backup-scheduler).
+
+The systemd unit invokes the script /bin/restic_backup.sh.  The specifics of the backup source and target are defined in scripts at /etc/restic.

services/rustdesk/readme.md

@@ -0,0 +1 @@
+systemd service to enable RustDesk for remote access to teal's Gnome desktop.  Installed with the RustDesk package; configuration (if any) is done through the RustDesk UI.

services/sanoid/readme.md

@@ -0,0 +1,3 @@
+Sanoid is a policy-driven snapshot management tool for ZFS filesystems.  It is configured using the TOML file at /etc/sanoid/sanoid.conf.
+
+The sanoid service is currently configured to manage snapshots for the ZFS filesystem at /mnt/storage.

services/tailscale/readme.md

@@ -0,0 +1,3 @@
+The tailscaled service runs the Tailscale Node Agent, which enables the Tailscale VPN.
+
+Configuration of Tailscale is done either through the Tailscale Admin Console or the Tailscale CLI.