Compare commits


4 Commits

8 changed files with 1487 additions and 24 deletions


@@ -1,4 +0,0 @@
server:
# The following line will configure unbound to perform cryptographic
# DNSSEC validation using the root trust anchor.
auto-trust-anchor-file: "/var/lib/unbound/root.key"
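Review bot: deleting this fragment removes the other auto-trust-anchor-file declaration (the one pointing at /var/lib/unbound/root.key), which is correct now that unbound.conf itself declares the anchor, but nothing in this range migrates the existing RFC 5011 state file at /var/lib/unbound/root.key to the new location. Two anchor files for "." would give Unbound two independent trust anchors for the root, so confirm that no remaining fragment under unbound.conf.d still names /var/lib/unbound/root.key, and either keep the anchor where it was or copy the current state file to the new path before restarting the daemon.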


@@ -1,3 +0,0 @@
auth-zone:
name: objectbrokers.com
zonefile: /etc/unbound/zones/objectbrokers.zone
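Review bot: removing the auth-zone changes how objectbrokers.com is answered, not only where the answers come from. An authoritative zone answers every name under objectbrokers.com from /etc/unbound/zones/objectbrokers.zone, whereas the replacement in this range (view local-data under a transparent local-zone) answers only the names listed in each view and sends everything else to public recursion. Before merging, confirm that every record in objectbrokers.zone that still matters is present as local-data in both views, and delete the orphaned zonefile so it is not mistaken for live configuration.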


@@ -1,2 +1,9 @@
System configuration files for host teal. The directory hierarchy under this repo corresponds to the directory hierarchy under / (root) on the host teal.
# DEPRECATED
This repository is deprecated. The system configuration of the host teal, going forward, is documented in the sysconfig repository, under the directory devices/teal.
The files in this repository reflect the configuration of host teal as of March 12, 2026.
System configuration files for host teal. The directory hierarchy under this repo corresponds to the directory hierarchy under / (root) on the host teal.
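Review bot: the deprecation notice says this repository reflects host teal as of March 12, 2026, yet the same compare range adds unbound.md and the root trust anchor file and rewrites the Unbound views. The notice should state whether those changes are also carried in the sysconfig repository under devices/teal; otherwise a reader cannot tell which copy of the Unbound configuration is authoritative.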

unbound.md (new file, 25 lines)

@@ -0,0 +1,25 @@
Unbound provides DNS resolution service for the local network. Unbound was built from source and installed on Teal, bare metal (configure, make, sudo make install).
The configuration file for Unbound is at /usr/local/etc/unbound/unbound.conf, with included configuration files in the directory /usr/local/etc/unbound/unbound.conf.d.
Notes on Unbound configuration
Unbound is configured for Split DNS to provide a different address resolution for services running on the home LAN, depending on whether the requesting client is running on the home LAN, on our Tailnet, or on a system entirely outside our network, on the public Internet. The Unbound view construct is used to implement this.
There are two Unbound views defined: "lan" and "tailnet". The "lan" view includes local-data records for the available services on our network (mostly, but not exclusively, running on Teal), for example:
local-data: "nextcloud.objectbrokers.com. A 192.168.88.231"
Each local-data record in the "lan" view points to a physical IP address on the home LAN.
The "tailnet" view includes local-data records for the same set of services on our network as the "lan" view, for example:
local-data: "nextcloud.objectbrokers.com. A 100.81.165.11"
Each local-data record in the "tailnet" view points to a Tailscale IP address on our Tailnet.
Maintenance
The Unbound configuration must be carefully maintained to enable Unbound to resolve URLs for our services correctly.
Both views must include local-data records for each published service; each view must include the same set of names to be resolved. The view differ in the IP address referenced for each name, not in the names included in the view. Thus when a new service is published, a local-data record for that service must be added to both views. When a service is deleted from the network, its local-data records in both views ("lan" and "tailnet") must be deleted.
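Review bot: the configuration path given here contradicts the configuration in this same range. unbound.md says the config is at /usr/local/etc/unbound/unbound.conf with fragments in /usr/local/etc/unbound/unbound.conf.d, but unbound.conf includes "/etc/unbound/unbound.conf.d/*.conf", and the deleted auth-zone fragment pointed at /etc/unbound/zones. Pick one location and make the document and the config agree: the source-build default prefix (/usr/local) and the distribution path (/etc/unbound) are different directories, and a fragment dropped into the wrong one is silently ignored. Two smaller points. First, the opening paragraph promises three cases (home LAN, Tailnet, public Internet) but only the "lan" and "tailnet" views are described; add a sentence on how clients are mapped to views and what a client outside both receives (with a transparent local-zone, names not in a view fall through to public resolution). Second, under Maintenance, "resolve URLs" should read "resolve names"; Unbound resolves hostnames, not URLs. The rule that both views carry the same set of names is easier to check than to remember: after a change, run unbound-checkconf, then compare the output of unbound-control view_list_local_data lan with unbound-control view_list_local_data tailnet, which should differ only in the address column.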

File diff suppressed because it is too large.


@@ -0,0 +1,10 @@
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1771250359 ;;Mon Feb 16 08:59:19 2026
;;last_success: 1771250359 ;;Mon Feb 16 08:59:19 2026
;;next_probe_time: 1771292919 ;;Mon Feb 16 20:48:39 2026
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1771031738 ;;Fri Feb 13 20:15:38 2026
. 86400 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1771031738 ;;Fri Feb 13 20:15:38 2026
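Review bot: this file is runtime state, not configuration. The ;;last_queried, ;;next_probe_time and ;;lastchange fields are rewritten by Unbound on every RFC 5011 probe (every 43200 seconds per ;;query_interval), so the committed copy is stale within a day and every probe dirties the working tree. If this is also the file unbound.conf now names as auto-trust-anchor-file: "/root.key", the Unbound runtime user needs write access to a file at the filesystem root, an odd place for a daemon-writable file. Version the bootstrap anchor (or let unbound-anchor fetch it) and let the daemon own the live copy under its state directory. The content itself is fine: both root KSKs, 20326 and 38696, are present and marked VALID.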


@@ -2,16 +2,14 @@
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# See /usr/share/doc/unbound/objectbrokerss/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
server:
# location of the trust anchor file that enables DNSSEC
# auto-trust-anchor-file: "/var/lib/unbound/root.key"
auto-trust-anchor-file: "/root.key"
# send minimal amount of information to upstream servers to enhance privacy
qname-minimisation: yes
# the interface that is used to connect to the network (this will listen to all interfaces)
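Review bot: auto-trust-anchor-file: "/root.key" moves the RFC 5011 anchor to the filesystem root. Unbound must rewrite this file to record probe state, so the daemon's runtime user needs write access to a file in /, and if chroot is in use the path is resolved inside the chroot. The commented-out line above it and the fragment deleted elsewhere in this range both used /var/lib/unbound/root.key, and unbound.md says the configuration lives under /usr/local/etc/unbound, so three locations are now in play; keep the anchor in a daemon-owned state directory and make the path match the documentation. Separately, the comment "See /usr/share/doc/unbound/objectbrokerss/unbound.conf" is collateral damage from a search-and-replace of "example" with "objectbrokers"; restore "examples".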
@@ -40,19 +38,25 @@ include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
view:
name: "lan"
view-first: yes
local-zone: "example.com." transparent
local-data: "nextcloud.example.com. A 192.168.88.231"
local-data: "photo.example.com. A 192.168.88.231"
local-data: "gitea.example.com. A 192.168.88.231"
local-data: "portainer.example.com. A 192.168.88.231"
local-data: "vaultwarden.example.com. A 192.168.88.231"
local-zone: "objectbrokers.com." transparent
local-data: "nextcloud.objectbrokers.com. A 192.168.88.231"
local-data: "photo.objectbrokers.com. A 192.168.88.231"
local-data: "gitea.objectbrokers.com. A 192.168.88.231"
local-data: "portainer.objectbrokers.com. A 192.168.88.231"
local-data: "vaultwarden.objectbrokers.com. A 192.168.88.231"
view:
name: "tailnet"
view-first: yes
local-zone: "example.com." transparent
local-data: "nextcloud.example.com. A 100.81.165.11"
local-data: "photo.example.com. A 100.81.165.11"
local-data: "gitea.example.com. A 100.81.165.11"
local-data: "portainer.example.com. A 100.81.165.11"
local-data: "vaultwarden.example.com. A 100.81.165.11"
local-zone: "objectbrokers.com." transparent
local-data: "nextcloud.objectbrokers.com. A 100.81.165.11"
local-data: "photo.objectbrokers.com. A 100.81.165.11"
local-data: "gitea.objectbrokers.com. A 100.81.165.11"
local-data: "portainer.objectbrokers.com. A 100.81.165.11"
local-data: "vaultwarden.objectbrokers.com. A 100.81.165.11"
remote-control:
control-enable: yes
control-interface: /run/unbound.ctl
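Review bot: the two views stay in step (the same five names, LAN addresses in "lan", Tailnet addresses in "tailnet"), as unbound.md requires, but the hunk does not show what assigns a client to a view. Because local-zone "objectbrokers.com." is transparent, a client that matches neither view, and any name not listed in a view, now falls through to public recursion, which matters more now that the auth-zone for objectbrokers.com is removed in this same range. Include the access-control-view mapping (or a pointer to where it lives) so the split is reviewable, and wire the consistency check from the maintenance notes into whatever step deploys this file, for example diffing unbound-control view_list_local_data lan against unbound-control view_list_local_data tailnet after unbound-checkconf passes.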