add authenticated DNS-over-TLS to nameservers
This commit is contained in:
parent
3a92693611
commit
38bb002a01
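--- /dev/null
+++ b/certbot/0.ns2.grapheneos.org
@@ -0,0 +1,19 @@
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
+--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
+--cert-name ns2.grapheneos.org \
+-d ns2.attestation.app \
+-d ns2.grapheneos.app \
+-d ns2.grapheneos.ca \
+-d ns2.grapheneos.com \
+-d ns2.grapheneos.dev \
+-d ns2.grapheneos.info \
+-d ns2.grapheneos.net \
+-d ns2.grapheneos.network \
+-d ns2.grapheneos.online \
+-d ns2.grapheneos.org \
+-d ns2.grapheneos.ovh \
+-d ns2.grapheneos.page \
+-d ns2.grapheneos.social \
+-d ns2.seamlessupdate.app \
+-d ns2.vanadium.app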
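Review bot: `--must-staple` on the `--key-type ecdsa` line commits every relying DoT client to refusing the handshake unless a fresh OCSP response is stapled, and the only post-issuance action in this file is the `--deploy-hook` that writes the response into `/var/cache/certbot-ocsp-fetcher`; nothing here reloads the TLS terminator with the renewed certificate or the refreshed staple, so unless that is wired up elsewhere a renewal leaves clients on the stale chain until the next restart. The terminator appears to be nginx (the `nginx` package and the `http` uid being allowed to reach port 53 on loopback in this commit's nftables changes suggest it proxies 853 to the DNS server — confirm), in which case chaining the reload into the hook, `--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher && systemctl reload nginx"`, closes the gap. Separately, Let's Encrypt has announced it is winding down OCSP, after which `--must-staple` certificates can no longer be renewed; this flag needs a tracking note.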
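--- /dev/null
+++ b/certbot/ns1.grapheneos.org
@@ -0,0 +1,19 @@
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+--key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
+--deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
+--cert-name ns1.grapheneos.org \
+-d ns1.attestation.app \
+-d ns1.grapheneos.app \
+-d ns1.grapheneos.ca \
+-d ns1.grapheneos.com \
+-d ns1.grapheneos.dev \
+-d ns1.grapheneos.info \
+-d ns1.grapheneos.net \
+-d ns1.grapheneos.network \
+-d ns1.grapheneos.online \
+-d ns1.grapheneos.org \
+-d ns1.grapheneos.ovh \
+-d ns1.grapheneos.page \
+-d ns1.grapheneos.social \
+-d ns1.seamlessupdate.app \
+-d ns1.vanadium.app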
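Review bot: `--reuse-key` on the second line keeps the same ECDSA private key across every renewal, so a key compromised on this public-facing nameserver is never rotated by the normal renewal cycle. That is the right choice only if the key is deliberately pinned somewhere, such as a TLSA/DANE record for port 853 or SPKI pins in DoT clients; if it is not, drop `--reuse-key` so each renewal generates a fresh key, or record the pinning reason in a comment above the command, e.g. `# --reuse-key: SPKI is pinned by DoT clients, rotate the pin before changing this`. The same applies to `certbot/0.ns2.grapheneos.org` in this commit.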
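--- a/hosts.sh
+++ b/hosts.sh
@@ -120,6 +120,9 @@ readonly hosts_staging=(
 )
 
 readonly hosts_certbot=(
+ns1.staging.grapheneos.org
+ns1.grapheneos.org
+0.ns2.grapheneos.org
 mail.grapheneos.org
 staging.grapheneos.org
 0.grapheneos.org
@@ -151,6 +154,7 @@ readonly hosts_attestation=(
 )
 
 readonly hosts_web=(
+"${hosts_dns[@]}"
 mail.grapheneos.org
 "${hosts_grapheneos[@]}"
 "${hosts_network[@]}"
@@ -162,7 +166,6 @@ readonly hosts_web=(
 )
 
 readonly hosts_all=(
-"${hosts_dns[@]}"
 "${hosts_web[@]}"
 )
 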
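Review bot: `hosts_certbot` gains `ns1.staging.grapheneos.org` as the first added line of the first hunk, but this commit only adds `certbot/0.ns2.grapheneos.org` and `certbot/ns1.grapheneos.org`; unless a `certbot/ns1.staging.grapheneos.org` command file already exists or this listing is incomplete, whatever consumes `hosts_certbot` presumably has no certificate definition for the staging nameserver. Either add the matching file in the same commit or leave the staging host out of the array until it exists. Moving `"${hosts_dns[@]}"` from `hosts_all` into `hosts_web` stays consistent as long as `hosts_all` still expands `hosts_web`, which the third hunk shows; the contents of `hosts_dns` are outside the hunks.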
@ -28,8 +28,8 @@ table inet filter {
|
|||||||
iif lo accept
|
iif lo accept
|
||||||
udp dport 53 ip daddr {{ipv4_address}} accept
|
udp dport 53 ip daddr {{ipv4_address}} accept
|
||||||
udp dport 53 ip6 daddr {{ipv6_address}} accept
|
udp dport 53 ip6 daddr {{ipv6_address}} accept
|
||||||
tcp dport {22, 53} ip daddr {{ipv4_address}} accept
|
tcp dport {22, 53, 80, 443, 853} ip daddr {{ipv4_address}} accept
|
||||||
tcp dport {22, 53} ip6 daddr {{ipv6_address}} accept
|
tcp dport {22, 53, 80, 443, 853} ip6 daddr {{ipv6_address}} accept
|
||||||
meta l4proto {icmp, ipv6-icmp} accept
|
meta l4proto {icmp, ipv6-icmp} accept
|
||||||
|
|
||||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||||
@ -48,12 +48,12 @@ table inet filter {
|
|||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
oif lo goto output-internal
|
oif lo goto output-internal
|
||||||
skuid != {root, systemd-network, unbound, chrony, powerdns, geoipupdate} counter goto output-reject
|
skuid != {root, systemd-network, unbound, chrony, http, powerdns, geoipupdate} counter goto output-reject
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output-internal {
|
chain output-internal {
|
||||||
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
|
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
|
||||||
skuid {chrony, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
|
skuid {chrony, http, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
|
||||||
|
|
||||||
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
|
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
|
||||||
|
|
||||||
|
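Review bot: The input rules now accept 443 alongside 80 and 853 on both address families, yet the only services this commit introduces are the HTTP-01 challenge webroot on 80 and DNS-over-TLS on 853; if nothing listens on 443, drop it from both `tcp dport {22, 53, 80, 443, 853}` sets, otherwise a short comment above them stating what nginx serves there would save the next reader the question. In the output hook, adding `http` to the `skuid != {...} counter goto output-reject` exemption lets the nginx worker uid past the reject; the rules that follow in the `output` chain are outside the hunk, so whether this grants general egress rather than only the loopback-to-53 path added in `output-internal` cannot be verified here — worth confirming the http uid can reach nothing beyond loopback.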
@ -29,9 +29,9 @@ table inet filter {
|
|||||||
udp dport 53 ip daddr {{ipv4_address}} accept
|
udp dport 53 ip daddr {{ipv4_address}} accept
|
||||||
udp dport 53 ip daddr 198.251.90.93 accept
|
udp dport 53 ip daddr 198.251.90.93 accept
|
||||||
udp dport 53 ip6 daddr {{ipv6_address}} accept
|
udp dport 53 ip6 daddr {{ipv6_address}} accept
|
||||||
tcp dport {22, 53} ip daddr {{ipv4_address}} accept
|
tcp dport {22, 53, 80, 443, 853} ip daddr {{ipv4_address}} accept
|
||||||
tcp dport 53 ip daddr 198.251.90.93 accept
|
tcp dport {53, 80, 443, 853} ip daddr 198.251.90.93 accept
|
||||||
tcp dport {22, 53} ip6 daddr {{ipv6_address}} accept
|
tcp dport {22, 53, 80, 443, 853} ip6 daddr {{ipv6_address}} accept
|
||||||
meta l4proto {icmp, ipv6-icmp} accept
|
meta l4proto {icmp, ipv6-icmp} accept
|
||||||
|
|
||||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||||
@ -50,12 +50,12 @@ table inet filter {
|
|||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
oif lo goto output-internal
|
oif lo goto output-internal
|
||||||
skuid != {root, systemd-network, unbound, chrony, powerdns, geoipupdate} counter goto output-reject
|
skuid != {root, systemd-network, unbound, chrony, http, powerdns, geoipupdate} counter goto output-reject
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output-internal {
|
chain output-internal {
|
||||||
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
|
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
|
||||||
skuid {chrony, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
|
skuid {chrony, http, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
|
||||||
|
|
||||||
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
|
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
|
||||||
|
|
||||||
|
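Review bot: The added `tcp dport {53, 80, 443, 853} ip daddr 198.251.90.93 accept` line exposes the ACME webroot and the DoT listener on the secondary address as well as on `{{ipv4_address}}`, while the UDP rule for 198.251.90.93 stays at 53 only, which is correct since DoT is TCP-only. Whether HTTP-01 validation needs 80 on the secondary address depends on which address the `-d` names in the certbot files resolve to; if they resolve only to `{{ipv4_address}}`, 80 and 443 can stay closed on 198.251.90.93 and that line reduces to `tcp dport {53, 853} ip daddr 198.251.90.93 accept`, keeping the second address DNS-only. The `http` uid exemption in the output hook mirrors the other template; the remainder of the `output` chain is outside the hunk.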
@ -1,5 +1,6 @@
|
|||||||
base
|
base
|
||||||
bash-completion
|
bash-completion
|
||||||
|
certbot
|
||||||
chrony
|
chrony
|
||||||
cloud-guest-utils
|
cloud-guest-utils
|
||||||
conntrack-tools
|
conntrack-tools
|
||||||
@ -16,6 +17,7 @@ man-db
|
|||||||
moreutils
|
moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
|
nginx
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
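Review bot: The new `certbot` entry covers the `certbot certonly` command files added in this commit, but those files also invoke `certbot-ocsp-fetcher` as the `--deploy-hook`, and no package providing it appears in this list (it is a separate project, not part of `certbot`); unless it is installed by another step of the deployment, the hook would fail on every issuance and renewal and the `--must-staple` certificate would be served without a staple. Add the package or script that provides `certbot-ocsp-fetcher` next to `certbot`, or note in the commit where it comes from.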
@ -16,6 +16,7 @@ man-db
|
|||||||
moreutils
|
moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
|
nginx
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
@ -16,6 +16,7 @@ man-db
|
|||||||
moreutils
|
moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
|
nginx
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
@ -1,5 +1,6 @@
|
|||||||
base
|
base
|
||||||
bash-completion
|
bash-completion
|
||||||
|
certbot
|
||||||
chrony
|
chrony
|
||||||
cloud-guest-utils
|
cloud-guest-utils
|
||||||
conntrack-tools
|
conntrack-tools
|
||||||
@ -16,6 +17,7 @@ man-db
|
|||||||
moreutils
|
moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
|
nginx
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|
@ -1,5 +1,6 @@
|
|||||||
base
|
base
|
||||||
bash-completion
|
bash-completion
|
||||||
|
certbot
|
||||||
chrony
|
chrony
|
||||||
cloud-guest-utils
|
cloud-guest-utils
|
||||||
conntrack-tools
|
conntrack-tools
|
||||||
@ -16,6 +17,7 @@ man-db
|
|||||||
moreutils
|
moreutils
|
||||||
mtr
|
mtr
|
||||||
nftables
|
nftables
|
||||||
|
nginx
|
||||||
openssh
|
openssh
|
||||||
pacman-contrib
|
pacman-contrib
|
||||||
pacutils
|
pacutils
|
||||||
|