From 6b159b1e0eda5e00b97736e24690af3e5f48443d Mon Sep 17 00:00:00 2001 
From: dubo-dubon-duponey Date: Thu, 22 Feb 2024 20:43:29 -0800 Subject: [PATCH] Conf cleanup --- Dockerfile | 4 +- README.md | 2 + context/runtime/boot/entrypoint.sh | 17 +++++-- .../runtime/config/coredns-forward+mdns.conf | 18 +++++++ .../runtime/config/coredns-forward+tls.conf | 24 ++++++++++ context/runtime/config/coredns-forward.conf | 16 +++++++ .../config/coredns-no-tls-forward-mdns.conf | 30 ------------ .../config/coredns-no-tls-forward.conf | 25 ---------- .../config/coredns-no-tls-recursive.conf | 22 --------- .../runtime/config/coredns-recursive+tls.conf | 24 ++++++++++ context/runtime/config/coredns-recursive.conf | 15 ++++++ .../runtime/config/coredns-tls-forward.conf | 48 ------------------- .../runtime/config/coredns-tls-recursive.conf | 42 ---------------- context/runtime/config/snips/cache.conf | 2 + context/runtime/config/snips/forward.conf | 5 ++ context/runtime/config/snips/hosts.conf | 4 ++ context/runtime/config/snips/mdns.conf | 4 ++ context/runtime/config/snips/monitor.conf | 13 +++++ context/runtime/config/snips/recursive.conf | 2 + context/runtime/config/{ => snips}/todo.conf | 15 ++---- 20 files changed, 148 insertions(+), 184 deletions(-) create mode 100644 context/runtime/config/coredns-forward+mdns.conf create mode 100644 context/runtime/config/coredns-forward+tls.conf create mode 100644 context/runtime/config/coredns-forward.conf delete mode 100644 context/runtime/config/coredns-no-tls-forward-mdns.conf delete mode 100644 context/runtime/config/coredns-no-tls-forward.conf delete mode 100644 context/runtime/config/coredns-no-tls-recursive.conf create mode 100644 context/runtime/config/coredns-recursive+tls.conf create mode 100644 context/runtime/config/coredns-recursive.conf delete mode 100644 context/runtime/config/coredns-tls-forward.conf delete mode 100644 context/runtime/config/coredns-tls-recursive.conf create mode 100644 context/runtime/config/snips/cache.conf create mode 100644 context/runtime/config/snips/forward.conf create 
mode 100644 context/runtime/config/snips/hosts.conf create mode 100644 context/runtime/config/snips/mdns.conf create mode 100644 context/runtime/config/snips/monitor.conf create mode 100644 context/runtime/config/snips/recursive.conf rename context/runtime/config/{ => snips}/todo.conf (66%)
diff --git a/Dockerfile b/Dockerfile
index 8612f6f..03b4280 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -199,7 +199,7 @@ ENV DNS_FORWARD_UPSTREAM_IP_1="tls://1.1.1.1"
 ENV DNS_FORWARD_UPSTREAM_IP_2="tls://1.0.0.1"
 ENV DNS_PORT=53
-ENV DNS_OVER_GRPC_PORT=553
+# ENV DNS_OVER_GRPC_PORT=553
 ENV DNS_STUFF_MDNS=false
 ENV METRICS_PORT=9253
@@ -209,7 +209,7 @@ ENV METRICS_PORT=9253
 EXPOSE $DNS_PORT/udp
 EXPOSE $DNS_OVER_TLS_PORT/tcp
 EXPOSE $DNS_OVER_TLS_LEGO_PORT/tcp
-EXPOSE $DNS_OVER_GRPC_PORT/tcp
+#EXPOSE $DNS_OVER_GRPC_PORT/tcp
 EXPOSE $METRICS_PORT/tcp
 # Lego just needs /certs to work
diff --git a/README.md b/README.md
index d5547f2..cd2d3eb 100644
--- a/README.md
+++ b/README.md
@@ -171,7 +171,9 @@ For forwarding: You can also tweak the following: * DNS_PORT (default to 53) + * DNS_STUFF_MDNS: convenient little trick to respond for certain mDNS queries over traditional DNS * METRICS_PORT for Prometheuse (default to 9253)
diff --git a/context/runtime/boot/entrypoint.sh b/context/runtime/boot/entrypoint.sh
index b5e3f1f..bf2d93b 100755
--- a/context/runtime/boot/entrypoint.sh
+++ b/context/runtime/boot/entrypoint.sh
@@ -8,6 +8,8 @@ source "$root/helpers.sh"
 helpers::dir::writable /certs
+LOG_LEVEL=${LOG_LEVEL:-}
+
 # DNS over tls settings
 DNS_OVER_TLS_ENABLED="${DNS_OVER_TLS_ENABLED:-}"
 DNS_OVER_TLS_DOMAIN="${DNS_OVER_TLS_DOMAIN:-}"
@@ -24,7 +26,7 @@ DNS_FORWARD_UPSTREAM_IP_2="${DNS_FORWARD_UPSTREAM_IP_2:-}"
 # Other DNS settings
 DNS_PORT="${DNS_PORT:-}"
-DNS_OVER_GRPC_PORT="${DNS_OVER_GRPC_PORT:-}"
+# DNS_OVER_GRPC_PORT="${DNS_OVER_GRPC_PORT:-}"
 DNS_STUFF_MDNS="${DNS_STUFF_MDNS:-}"
 # Metrics settings
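Review bot: `LOG_LEVEL=${LOG_LEVEL:-}` introduces a new user-facing setting (it selects `-quiet` further down in the same file) that nothing in this commit documents — the README hunk on this page adds only DNS_STUFF_MDNS. A line in the README's tweakable-settings list such as `* LOG_LEVEL: set to error or warning to start coredns with -quiet (suppresses initialization output only)` would cover it. As a point of style, this is also the only assignment in the block without the double quotes its neighbours use (`DNS_OVER_TLS_ENABLED="${DNS_OVER_TLS_ENABLED:-}"`); `LOG_LEVEL="${LOG_LEVEL:-}"` keeps the file consistent.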
@@ -66,10 +68,10 @@ loop(){
 done
 }
-no_tls=-no
+with_tls=
 # If we have a domain, get certificates for that, and the appropriate config
 if [ "$DNS_OVER_TLS_ENABLED" == true ]; then
- no_tls=
+ with_tls="+tls"
 # Initial registration, blocking
 certs::renew "$DNS_OVER_TLS_DOMAIN" "$DNS_OVER_TLS_LEGO_EMAIL" "$DNS_OVER_TLS_PORT" "$DNS_OVER_TLS_LE_USE_STAGING"
@@ -80,7 +82,12 @@ fi
 # Choose config based on environment values
 [ "$DNS_FORWARD_ENABLED" == true ] && mode=forward || mode=recursive
-[ "$DNS_STUFF_MDNS" == true ] && mod=-mdns || mod=
+[ "$DNS_STUFF_MDNS" == true ] && with_mdns=+mdns || with_mdns=
+
+args=(-conf "/config/coredns-${mode}${with_tls}${with_mdns}.conf")
+
+normalized_log_level="$(printf "%s" "$LOG_LEVEL" | tr '[:upper:]' '[:lower:]')"
+[ "$normalized_log_level" != "error" ] && [ "$normalized_log_level" != "warning" ] || args+=(-quiet)
 # Get coredns started
-exec coredns -conf /config/coredns${no_tls}-tls-${mode}${mod}.conf "$@"
+exec coredns "${args[@]}" "$@"
diff --git a/context/runtime/config/coredns-forward+mdns.conf b/context/runtime/config/coredns-forward+mdns.conf
new file mode 100644
index 0000000..b3a8351
--- /dev/null
+++ b/context/runtime/config/coredns-forward+mdns.conf
@@ -0,0 +1,18 @@
+import snips/mdns.conf
+
+# Classic DNS on 53, forwarding to an upstream
+.:{$DNS_PORT} {
+ import snips/hosts.conf
+ import snips/forward.conf
+ import snips/cache.conf
+ import snips/monitor.conf
+}
+
+{$HEALTHCHECK_QUESTION}:{$DNS_PORT} {
+ import snips/forward.conf
+}
+
+whoami:{$DNS_PORT} {
+ # https://coredns.io/plugins/whoami/
+ whoami
+}
diff --git a/context/runtime/config/coredns-forward+tls.conf b/context/runtime/config/coredns-forward+tls.conf
new file mode 100644
index 0000000..f9f721f
--- /dev/null
+++ b/context/runtime/config/coredns-forward+tls.conf
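Review bot: The path built in `args=(-conf "/config/coredns-${mode}${with_tls}${with_mdns}.conf")` admits combinations this commit ships no file for — DNS_OVER_TLS_ENABLED=true together with DNS_STUFF_MDNS=true resolves to coredns-forward+tls+mdns.conf, and recursive mode with mDNS to coredns-recursive+mdns.conf, while only forward, forward+mdns, forward+tls, recursive and recursive+tls are created. The exec then dies with a CoreDNS file-not-found error instead of saying which flags conflict; a guard before the exec, `conf="/config/coredns-${mode}${with_tls}${with_mdns}.conf"` then `[ -f "$conf" ] || { echo "unsupported option combination: $conf does not exist" >&2; exit 1; }`, makes the failure explicit (the old naming scheme had the same gap for tls+mdns, so this may be a known limitation worth a comment). Separately, `-quiet` only suppresses CoreDNS's initialization output; per-query logging from the `log` plugin in snips/monitor.conf is unaffected, so LOG_LEVEL=error still logs every query, which the variable's name suggests otherwise.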
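Review bot: The new `{$HEALTHCHECK_QUESTION}:{$DNS_PORT}` server block depends on an environment variable that nothing on this page sets, defaults or documents — the entrypoint hunks default every other knob with `${VAR:-}` but never mention HEALTHCHECK_QUESTION, and the Dockerfile hunk adds no ENV for it. If it is unset, the block header expands to `:{$DNS_PORT}`, which presumably collides with the `.:{$DNS_PORT}` root-zone block on the same port and stops the Corefile from loading. The same block is repeated in coredns-forward+tls.conf, coredns-forward.conf, coredns-recursive+tls.conf and coredns-recursive.conf; defaulting it in entrypoint.sh with a non-empty check, or documenting it as required, closes the gap. A one-line comment above the block, `# Dedicated zone answered for the container health probe; HEALTHCHECK_QUESTION must be set`, would also tell the next reader what it is for.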
@@ -0,0 +1,24 @@
+tls://.:{$DNS_OVER_TLS_PORT} {
+ tls /certs/certificates/{$DOMAIN}.crt /certs/certificates/{$DOMAIN}.key /certs/certificates/{$DOMAIN}.issuer.crt
+
+ import snips/hosts.conf
+ import snips/forward.conf
+ import snips/cache.conf
+ import snips/monitor.conf
+}
+
+.:{$DNS_PORT} {
+ import snips/hosts.conf
+ import snips/forward.conf
+ import snips/cache.conf
+ import snips/monitor.conf
+}
+
+{$HEALTHCHECK_QUESTION}:{$DNS_PORT} {
+ import snips/forward.conf
+}
+
+whoami:{$DNS_PORT} {
+ # https://coredns.io/plugins/whoami/
+ whoami
+}
diff --git a/context/runtime/config/coredns-forward.conf b/context/runtime/config/coredns-forward.conf
new file mode 100644
index 0000000..fa3fb03
--- /dev/null
+++ b/context/runtime/config/coredns-forward.conf
@@ -0,0 +1,16 @@
+# Classic DNS on 53, forwarding to an upstream
+.:{$DNS_PORT} {
+ import snips/hosts.conf
+ import snips/forward.conf
+ import snips/cache.conf
+ import snips/monitor.conf
+}
+
+{$HEALTHCHECK_QUESTION}:{$DNS_PORT} {
+ import snips/forward.conf
+}
+
+whoami:{$DNS_PORT} {
+ # https://coredns.io/plugins/whoami/
+ whoami
+}
diff --git a/context/runtime/config/coredns-no-tls-forward-mdns.conf b/context/runtime/config/coredns-no-tls-forward-mdns.conf
deleted file mode 100644
index e5624ce..0000000
--- a/context/runtime/config/coredns-no-tls-forward-mdns.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# experimental: suck up mdns names in
-local {
- mdns local 1
-}
-
-# Classic DNS on 53, forwarding to an upstream
-.:{$DNS_PORT} {
- hosts {
- fallthrough
- }
-
- prometheus :{$METRICS_PORT}
-
- forward . {$DNS_FORWARD_UPSTREAM_IP_1} {$DNS_FORWARD_UPSTREAM_IP_2} {
- tls_servername {$DNS_FORWARD_UPSTREAM_NAME}
- health_check 5s
- }
-
- cache 3600
-
- log
- errors
-
- reload
-}
-
-# GRPC healthcheck endpoint
-grpc://.:{$DNS_OVER_GRPC_PORT} {
- whoami
-}
diff --git a/context/runtime/config/coredns-no-tls-forward.conf b/context/runtime/config/coredns-no-tls-forward.conf
deleted file mode 100644
index f9de036..0000000
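Review bot: The `tls` directive in the new tls://.:{$DNS_OVER_TLS_PORT} block builds its certificate paths from `{$DOMAIN}`, whereas the sibling coredns-recursive+tls.conf uses `{$DNS_OVER_TLS_DOMAIN}` for the same three paths, and DNS_OVER_TLS_DOMAIN is the variable entrypoint.sh reads and hands to certs::renew. Unless DOMAIN is exported somewhere not on this page, the DoT listener in forward+tls mode points at `/certs/certificates/.crt` and CoreDNS cannot start; the deleted coredns-tls-forward.conf carried the same `{$DOMAIN}` reference, so this is inherited rather than introduced, but the rewrite is the moment to fix it. Changing the line to `tls /certs/certificates/{$DNS_OVER_TLS_DOMAIN}.crt /certs/certificates/{$DNS_OVER_TLS_DOMAIN}.key /certs/certificates/{$DNS_OVER_TLS_DOMAIN}.issuer.crt` aligns it with the recursive variant.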
--- a/context/runtime/config/coredns-no-tls-forward.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# Classic DNS on 53, forwarding to an upstream
-.:{$DNS_PORT} {
- hosts {
- fallthrough
- }
-
- prometheus :{$METRICS_PORT}
-
- forward . {$DNS_FORWARD_UPSTREAM_IP_1} {$DNS_FORWARD_UPSTREAM_IP_2} {
- tls_servername {$DNS_FORWARD_UPSTREAM_NAME}
- health_check 5s
- }
-
- cache 3600
-
- log
- errors
-
- reload
-}
-
-# GRPC healthcheck endpoint
-grpc://.:{$DNS_OVER_GRPC_PORT} {
- whoami
-}
diff --git a/context/runtime/config/coredns-no-tls-recursive.conf b/context/runtime/config/coredns-no-tls-recursive.conf
deleted file mode 100644
index c0f39de..0000000
--- a/context/runtime/config/coredns-no-tls-recursive.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Classic DNS on 53, forwarding to an upstream
-.:{$DNS_PORT} {
- hosts {
- fallthrough
- }
-
- prometheus :{$METRICS_PORT}
-
- unbound
-
- cache 3600
-
- log
- errors
-
- reload
-}
-
-# GRPC healthcheck endpoint
-grpc://.:{$DNS_OVER_GRPC_PORT} {
- whoami
-}
diff --git a/context/runtime/config/coredns-recursive+tls.conf b/context/runtime/config/coredns-recursive+tls.conf
new file mode 100644
index 0000000..1ad19e8
--- /dev/null
+++ b/context/runtime/config/coredns-recursive+tls.conf
@@ -0,0 +1,24 @@
+tls://.:{$DNS_OVER_TLS_PORT} {
+ tls /certs/certificates/{$DNS_OVER_TLS_DOMAIN}.crt /certs/certificates/{$DNS_OVER_TLS_DOMAIN}.key /certs/certificates/{$DNS_OVER_TLS_DOMAIN}.issuer.crt
+
+ import snips/hosts.conf
+ import snips/recursive.conf
+ import snips/cache.conf
+ import snips/monitor.conf
+}
+
+.:{$DNS_PORT} {
+ import snips/hosts.conf
+ import snips/recursive.conf
+ import snips/cache.conf
+ import snips/monitor.conf
+}
+
+{$HEALTHCHECK_QUESTION}:{$DNS_PORT} {
+ import snips/forward.conf
+}
+
+whoami:{$DNS_PORT} {
+ # https://coredns.io/plugins/whoami/
+ whoami
+}
diff --git a/context/runtime/config/coredns-recursive.conf b/context/runtime/config/coredns-recursive.conf
new file mode 100644
index 0000000..d11fdd4
--- /dev/null
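Review bot: In coredns-recursive+tls.conf (and likewise coredns-recursive.conf in the next hunk) the `{$HEALTHCHECK_QUESTION}:{$DNS_PORT}` block imports `snips/forward.conf`, so in recursive mode the health probe is answered by forwarding to DNS_FORWARD_UPSTREAM_IP_1/2 instead of by `unbound`. The probe therefore never exercises the resolver path the container actually serves, and it quietly makes a recursive deployment depend on the forwarders (and on DNS_FORWARD_UPSTREAM_NAME for `tls_servername`) that an operator running recursive mode may believe are unused. Importing `snips/recursive.conf` in that block instead would keep the probe on the same path as real queries; if forwarding the probe is deliberate, a comment such as `# health probe is forwarded upstream on purpose, not resolved by unbound` in both files would spare the next reader the same question.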
+++ b/context/runtime/config/coredns-recursive.conf
@@ -0,0 +1,15 @@
+.:{$DNS_PORT} {
+ import snips/hosts.conf
+ import snips/recursive.conf
+ import snips/cache.conf
+ import snips/monitor.conf
+}
+
+{$HEALTHCHECK_QUESTION}:{$DNS_PORT} {
+ import snips/forward.conf
+}
+
+whoami:{$DNS_PORT} {
+ # https://coredns.io/plugins/whoami/
+ whoami
+}
diff --git a/context/runtime/config/coredns-tls-forward.conf b/context/runtime/config/coredns-tls-forward.conf
deleted file mode 100644
index 462f5b0..0000000
--- a/context/runtime/config/coredns-tls-forward.conf
+++ /dev/null
@@ -1,48 +0,0 @@
-# Classic DNS on 53, forwarding to an upstream
-.:{$DNS_PORT} {
- hosts {
- fallthrough
- }
-
- prometheus :{$METRICS_PORT}
-
- forward . {$DNS_FORWARD_UPSTREAM_IP_1} {$DNS_FORWARD_UPSTREAM_IP_2} {
- tls_servername {$DNS_FORWARD_UPSTREAM_NAME}
- health_check 5s
- }
-
- cache 3600
-
- log
- errors
-
- reload
-}
-
-# DoT on 853, forwarding to an upstream
-tls://.:{$DNS_OVER_TLS_PORT} {
- tls /certs/certificates/{$DOMAIN}.crt /certs/certificates/{$DOMAIN}.key /certs/certificates/{$DOMAIN}.issuer.crt
-
- hosts {
- fallthrough
- }
-
- prometheus :{$METRICS_PORT}
-
- forward . {$DNS_FORWARD_UPSTREAM_IP_1} {$DNS_FORWARD_UPSTREAM_IP_2} {
- tls_servername {$DNS_FORWARD_UPSTREAM_NAME}
- health_check 5s
- }
-
- cache 3600
-
- log
- errors
-
- reload
-}
-
-# GRPC healthcheck endpoint
-grpc://.:{$DNS_OVER_GRPC_PORT} {
- whoami
-}
diff --git a/context/runtime/config/coredns-tls-recursive.conf b/context/runtime/config/coredns-tls-recursive.conf
deleted file mode 100644
index 4d029fc..0000000
--- a/context/runtime/config/coredns-tls-recursive.conf
+++ /dev/null
@@ -1,42 +0,0 @@
-# Classic DNS on 53, forwarding to an upstream
-.:{$DNS_PORT} {
- hosts {
- fallthrough
- }
-
- prometheus :{$METRICS_PORT}
-
- unbound
-
- cache 3600
-
- log
- errors
-
- reload
-}
-
-# DoT on 853, forwarding to an upstream
-tls://.:{$DNS_OVER_TLS_PORT} {
- tls /certs/certificates/{$DNS_OVER_TLS_DOMAIN}.crt /certs/certificates/{$DNS_OVER_TLS_DOMAIN}.key /certs/certificates/{$DNS_OVER_TLS_DOMAIN}.issuer.crt
-
- hosts {
- fallthrough
- }
-
- prometheus :{$METRICS_PORT}
-
- unbound
-
- cache 3600
-
- log
- errors
-
- reload
-}
-
-# GRPC healthcheck endpoint
-grpc://.:{$DNS_OVER_GRPC_PORT} {
- whoami
-}
diff --git a/context/runtime/config/snips/cache.conf b/context/runtime/config/snips/cache.conf
new file mode 100644
index 0000000..926dfcf
--- /dev/null
+++ b/context/runtime/config/snips/cache.conf
@@ -0,0 +1,2 @@
+# https://coredns.io/plugins/cache/
+cache 3600
diff --git a/context/runtime/config/snips/forward.conf b/context/runtime/config/snips/forward.conf
new file mode 100644
index 0000000..de2ed72
--- /dev/null
+++ b/context/runtime/config/snips/forward.conf
@@ -0,0 +1,5 @@
+# https://coredns.io/plugins/forward/
+forward . {$DNS_FORWARD_UPSTREAM_IP_1} {$DNS_FORWARD_UPSTREAM_IP_2} {
+ tls_servername {$DNS_FORWARD_UPSTREAM_NAME}
+ health_check 5s
+}
diff --git a/context/runtime/config/snips/hosts.conf b/context/runtime/config/snips/hosts.conf
new file mode 100644
index 0000000..4695ac9
--- /dev/null
+++ b/context/runtime/config/snips/hosts.conf
@@ -0,0 +1,4 @@
+# https://coredns.io/plugins/hosts/
+hosts {
+ fallthrough
+}
diff --git a/context/runtime/config/snips/mdns.conf b/context/runtime/config/snips/mdns.conf
new file mode 100644
index 0000000..d0fa748
--- /dev/null
+++ b/context/runtime/config/snips/mdns.conf
@@ -0,0 +1,4 @@
+local {
+ # https://coredns.io/explugins/mdns/
+ mdns local 1
+}
diff --git a/context/runtime/config/snips/monitor.conf b/context/runtime/config/snips/monitor.conf
new file mode 100644
index 0000000..fa53ed4
--- /dev/null
+++ b/context/runtime/config/snips/monitor.conf
@@ -0,0 +1,13 @@
+# https://coredns.io/plugins/health/
+health localhost:8091
+# https://coredns.io/plugins/pprof/
+pprof localhost:6053
+# https://coredns.io/plugins/metrics/
+prometheus :{$METRICS_PORT}
+# https://coredns.io/plugins/log/
+log
+# {combined}
+# https://coredns.io/plugins/errors/
+errors
+# https://coredns.io/plugins/reload/
+reload
diff --git a/context/runtime/config/snips/recursive.conf b/context/runtime/config/snips/recursive.conf
new file mode 100644
index 0000000..b25d3fd
--- /dev/null
+++ b/context/runtime/config/snips/recursive.conf
@@ -0,0 +1,2 @@
+# https://coredns.io/explugins/unbound/
+unbound
diff --git a/context/runtime/config/todo.conf b/context/runtime/config/snips/todo.conf
similarity index 66%
rename from context/runtime/config/todo.conf
rename to context/runtime/config/snips/todo.conf
index 9c31649..862dd4b 100644
--- a/context/runtime/config/todo.conf
+++ b/context/runtime/config/snips/todo.conf
@@ -6,19 +6,14 @@ dnssec [ZONES... ] {
 cache_capacity CAPACITY
 }
-# https://coredns.io/plugins/health/
-health [ADDRESS] {
- lameduck DURATION
-}
-
-# https://coredns.io/plugins/pprof/
-pprof [ADDRESS] {
- block [RATE]
-}
-
 # https://coredns.io/plugins/trace/
 trace [ENDPOINT-TYPE] [ENDPOINT] {
 every AMOUNT
 service NAME
 client_server
 }
+
+# GRPC healthcheck endpoint
+#grpc://.:{$DNS_OVER_GRPC_PORT} {
+# whoami
+#}
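Review bot: `pprof localhost:6053` switches on Go's profiling endpoint in every server block that imports this snippet, with no way to turn it off; it is bound to loopback, so only processes inside the container's network namespace can reach it, but it is a debug facility and does not belong in a default production Corefile. Moving it to a separate snippet that the top-level configs import only when a debug flag is set (the entrypoint already selects files by environment) would keep the default surface minimal. The `# {combined}` line under `log` reads as a leftover of a commented-out format argument; either drop it or turn it into a real comment, e.g. `# append {combined} to log for the Apache combined format`. A `log` with no class argument records every query, which is a privacy and disk-volume consideration worth a one-line comment here, since the new LOG_LEVEL setting in entrypoint.sh does not affect it.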