Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2024-12-22 13:45:02 -05:00
Code Issues Packages Projects Releases Wiki Activity

add authenticated DNS-over-TLS to nameservers

Browse Source
This commit is contained in:
Daniel Micay 2023-11-04 22:16:56 -04:00
parent 3a92693611
commit 38bb002a01
10 changed files with 59 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
certbot/0.ns2.grapheneos.org Normal file
View File

@ -0,0 +1,19 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name ns2.grapheneos.org \
-d ns2.attestation.app \
-d ns2.grapheneos.app \
-d ns2.grapheneos.ca \
-d ns2.grapheneos.com \
-d ns2.grapheneos.dev \
-d ns2.grapheneos.info \
-d ns2.grapheneos.net \
-d ns2.grapheneos.network \
-d ns2.grapheneos.online \
-d ns2.grapheneos.org \
-d ns2.grapheneos.ovh \
-d ns2.grapheneos.page \
-d ns2.grapheneos.social \
-d ns2.seamlessupdate.app \
-d ns2.vanadium.app

19
certbot/ns1.grapheneos.org Normal file
View File

@ -0,0 +1,19 @@
certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
--cert-name ns1.grapheneos.org \
-d ns1.attestation.app \
-d ns1.grapheneos.app \
-d ns1.grapheneos.ca \
-d ns1.grapheneos.com \
-d ns1.grapheneos.dev \
-d ns1.grapheneos.info \
-d ns1.grapheneos.net \
-d ns1.grapheneos.network \
-d ns1.grapheneos.online \
-d ns1.grapheneos.org \
-d ns1.grapheneos.ovh \
-d ns1.grapheneos.page \
-d ns1.grapheneos.social \
-d ns1.seamlessupdate.app \
-d ns1.vanadium.app

5
hosts.sh
View File

@ -120,6 +120,9 @@ readonly hosts_staging=(
)
readonly hosts_certbot=(
ns1.staging.grapheneos.org
ns1.grapheneos.org
0.ns2.grapheneos.org
mail.grapheneos.org
staging.grapheneos.org
0.grapheneos.org
@ -151,6 +154,7 @@ readonly hosts_attestation=(
)
readonly hosts_web=(
"${hosts_dns[@]}"
mail.grapheneos.org
"${hosts_grapheneos[@]}"
"${hosts_network[@]}"
@ -162,7 +166,6 @@ readonly hosts_web=(
)
readonly hosts_all=(
"${hosts_dns[@]}"
"${hosts_web[@]}"
)

8
nftables-ns1.conf
View File

@ -28,8 +28,8 @@ table inet filter {
iif lo accept
udp dport 53 ip daddr {{ipv4_address}} accept
udp dport 53 ip6 daddr {{ipv6_address}} accept
tcp dport {22, 53} ip daddr {{ipv4_address}} accept
tcp dport {22, 53} ip6 daddr {{ipv6_address}} accept
tcp dport {22, 53, 80, 443, 853} ip daddr {{ipv4_address}} accept
tcp dport {22, 53, 80, 443, 853} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept }
@ -48,12 +48,12 @@ table inet filter {
type filter hook output priority filter
oif lo goto output-internal
skuid != {root, systemd-network, unbound, chrony, powerdns, geoipupdate} counter goto output-reject
skuid != {root, systemd-network, unbound, chrony, http, powerdns, geoipupdate} counter goto output-reject
}
chain output-internal {
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
skuid {chrony, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
skuid {chrony, http, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept

10
nftables-ns2.conf
View File

@ -29,9 +29,9 @@ table inet filter {
udp dport 53 ip daddr {{ipv4_address}} accept
udp dport 53 ip daddr 198.251.90.93 accept
udp dport 53 ip6 daddr {{ipv6_address}} accept
tcp dport {22, 53} ip daddr {{ipv4_address}} accept
tcp dport 53 ip daddr 198.251.90.93 accept
tcp dport {22, 53} ip6 daddr {{ipv6_address}} accept
tcp dport {22, 53, 80, 443, 853} ip daddr {{ipv4_address}} accept
tcp dport {53, 80, 443, 853} ip daddr 198.251.90.93 accept
tcp dport {22, 53, 80, 443, 853} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept }
@ -50,12 +50,12 @@ table inet filter {
type filter hook output priority filter
oif lo goto output-internal
skuid != {root, systemd-network, unbound, chrony, powerdns, geoipupdate} counter goto output-reject
skuid != {root, systemd-network, unbound, chrony, http, powerdns, geoipupdate} counter goto output-reject
}
chain output-internal {
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
skuid {chrony, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
skuid {chrony, http, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept

2
packages/0.ns2.grapheneos.org
View File

@ -1,5 +1,6 @@
base
bash-completion
certbot
chrony
cloud-guest-utils
conntrack-tools
@ -16,6 +17,7 @@ man-db
moreutils
mtr
nftables
nginx
openssh
pacman-contrib
pacutils

1
packages/1.ns2.grapheneos.org
View File

@ -16,6 +16,7 @@ man-db
moreutils
mtr
nftables
nginx
openssh
pacman-contrib
pacutils

1
packages/2.ns2.grapheneos.org
View File

@ -16,6 +16,7 @@ man-db
moreutils
mtr
nftables
nginx
openssh
pacman-contrib
pacutils

2
packages/ns1.grapheneos.org
View File

@ -1,5 +1,6 @@
base
bash-completion
certbot
chrony
cloud-guest-utils
conntrack-tools
@ -16,6 +17,7 @@ man-db
moreutils
mtr
nftables
nginx
openssh
pacman-contrib
pacutils

2
packages/ns1.staging.grapheneos.org
View File

@ -1,5 +1,6 @@
base
bash-completion
certbot
chrony
cloud-guest-utils
conntrack-tools
@ -16,6 +17,7 @@ man-db
moreutils
mtr
nftables
nginx
openssh
pacman-contrib
pacutils