Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-07-22 22:40:35 -04:00
Code Issues Projects Releases Packages Wiki Activity

replace nginx with dnsdist for DNS-over-TLS

Browse source
This commit is contained in:
Daniel Micay 2025-05-13 19:37:34 -04:00
parent 27fe524af6
commit e75172d57c
10 changed files with 14 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

6
etc/nftables/nftables-ns1.conf
View file

@ -119,7 +119,7 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo goto output-raw-loopback oif lo goto output-raw-loopback
skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, geoipupdate, zerotier-one, bird } counter goto graceful-reject skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate, zerotier-one, bird } counter goto graceful-reject
udp sport 53 notrack accept udp sport 53 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -128,8 +128,8 @@ table inet filter {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
skuid { alpm, chrony, geoipupdate, zerotier-one } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept skuid { alpm, chrony, geoipupdate, zerotier-one } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept skuid powerdns meta l4proto { tcp, udp } th sport 54 th dport >= 1024 notrack accept
skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept skuid dnsdist meta l4proto { tcp, udp } th sport >= 1024 th dport 54 notrack accept
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept

6
etc/nftables/nftables-ns2.conf
View file

@ -117,7 +117,7 @@ table inet filter {
type filter hook output priority raw type filter hook output priority raw
oif lo goto output-raw-loopback oif lo goto output-raw-loopback
skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, geoipupdate } counter goto graceful-reject skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, dnsdist, geoipupdate } counter goto graceful-reject
udp sport 53 notrack accept udp sport 53 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept meta l4proto { icmp, ipv6-icmp } notrack accept
} }
@ -126,8 +126,8 @@ table inet filter {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
skuid { alpm, chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept skuid { alpm, chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept skuid powerdns meta l4proto { tcp, udp } th sport 54 th dport >= 1024 notrack accept
skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept skuid dnsdist meta l4proto { tcp, udp } th sport >= 1024 th dport 54 notrack accept
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept

2
packages/0.ns1.grapheneos.org
View file

@ -4,6 +4,7 @@ certbot
chrony chrony
cloud-guest-utils cloud-guest-utils
conntrack-tools conntrack-tools
dnsdist
fish fish
geoip geoip
geoipupdate geoipupdate
@ -21,7 +22,6 @@ mtr
neovim neovim
nftables nftables
nginx nginx
nginx-mod-stream
nmap nmap
openssh openssh
pacman-contrib pacman-contrib

2
packages/0.ns2.grapheneos.org
View file

@ -3,6 +3,7 @@ certbot
chrony chrony
cloud-guest-utils cloud-guest-utils
conntrack-tools conntrack-tools
dnsdist
fish fish
geoip geoip
geoipupdate geoipupdate
@ -20,7 +21,6 @@ mtr
neovim neovim
nftables nftables
nginx nginx
nginx-mod-stream
nmap nmap
openssh openssh
pacman-contrib pacman-contrib

2
packages/1.ns1.grapheneos.org
View file

@ -3,6 +3,7 @@ bird
chrony chrony
cloud-guest-utils cloud-guest-utils
conntrack-tools conntrack-tools
dnsdist
fish fish
geoip geoip
geoipupdate geoipupdate
@ -20,7 +21,6 @@ mtr
neovim neovim
nftables nftables
nginx nginx
nginx-mod-stream
nmap nmap
openssh openssh
pacman-contrib pacman-contrib

2
packages/1.ns2.grapheneos.org
View file

@ -2,6 +2,7 @@ base
chrony chrony
cloud-guest-utils cloud-guest-utils
conntrack-tools conntrack-tools
dnsdist
fish fish
geoip geoip
geoipupdate geoipupdate
@ -19,7 +20,6 @@ mtr
neovim neovim
nftables nftables
nginx nginx
nginx-mod-stream
nmap nmap
openssh openssh
pacman-contrib pacman-contrib

2
packages/2.ns1.grapheneos.org
View file

@ -3,6 +3,7 @@ bird
chrony chrony
cloud-guest-utils cloud-guest-utils
conntrack-tools conntrack-tools
dnsdist
fish fish
geoip geoip
geoipupdate geoipupdate
@ -20,7 +21,6 @@ mtr
neovim neovim
nftables nftables
nginx nginx
nginx-mod-stream
nmap nmap
openssh openssh
pacman-contrib pacman-contrib

2
packages/2.ns2.grapheneos.org
View file

@ -2,6 +2,7 @@ base
chrony chrony
cloud-guest-utils cloud-guest-utils
conntrack-tools conntrack-tools
dnsdist
fish fish
geoip geoip
geoipupdate geoipupdate
@ -19,7 +20,6 @@ mtr
neovim neovim
nftables nftables
nginx nginx
nginx-mod-stream
nmap nmap
openssh openssh
pacman-contrib pacman-contrib

2
packages/3.ns1.grapheneos.org
View file

@ -3,6 +3,7 @@ bird
chrony chrony
cloud-guest-utils cloud-guest-utils
conntrack-tools conntrack-tools
dnsdist
fish fish
geoip geoip
geoipupdate geoipupdate
@ -20,7 +21,6 @@ mtr
neovim neovim
nftables nftables
nginx nginx
nginx-mod-stream
nmap nmap
openssh openssh
pacman-contrib pacman-contrib

2
packages/ns1.staging.grapheneos.org
View file

@ -4,6 +4,7 @@ certbot
chrony chrony
cloud-guest-utils cloud-guest-utils
conntrack-tools conntrack-tools
dnsdist
fish fish
geoip geoip
geoipupdate geoipupdate
@ -21,7 +22,6 @@ mtr
neovim neovim
nftables nftables
nginx nginx
nginx-mod-stream
nmap nmap
openssh openssh
pacman-contrib pacman-contrib