DNSCrypt - set networking and firewall.

Add README
2025-04-15 05:03:13 -04:00 · 2025-03-20 12:06:44 +00:00 · 2025-03-20 12:06:44 +00:00 · de5ade5c20
commit de5ade5c20
parent 9e840fc763
7 changed files with 135 additions and 0 deletions
--- a/dnscrypt/README.md
+++ b/dnscrypt/README.md
@ -0,0 +1,56 @@
+# Introduction
+These files create a template, with dnscrypt-proxy installed.
+An AppVM named sys-dnscrypt, is created from that template.
+
+## Template
+The template, template-dnscrypt, is cloned from the debian-12-minimal template.
+If the debian-12-minimal template is not present, it will be downloaded
+and installed - this may take some time depending on your net connection.
+
+## Usage
+sys-dnscrypt is created with `provides_network` set, so you can attach qubes to it, setting it as netvm.
+
+As with all Debian templates, services are masked in the template.
+This is done in `create.sls`
+
+By default sys-dnscrypt has sys-net as netvm, but you can change this if you wish.
+
+## Installation
+Copy the dnscrypt folder to /srv/salt.
+```
+qubesctl state.apply dnscrypt.clone
+qubesctl --skip-dom0 --targets=template-dnscrypt state.apply dnscrypt.install
+qubesctl state.apply dnscrypt.create
+qubesctl --skip-dom0 --targets=sys-dnscrypt state.apply dnscrypt.configure
+```
+### Template creation
+Clone the debian-12-minimal template - note the use of `qvm.template_installed` which will install the template if it is not already present
+```
+sudo qubesctl state.apply dnscrypt.clone
+```
+
+### Installation
+```
+sudo qubesctl --skip-dom0 --targets=template-dnscrypt state.apply dnscrypt.install
+```
+This state uses `archive.extracted` to extract the tarfile to `/etc/skel`.
+This ensures that the dnscrypt-proxy application will be available in /home/user in all qubes created from the template.
+Note that `archive.extracted` can take the source file specified using `salt://` to target files on the host.
+
+The service is installed with all files in a single source directory, and uses default parameters.
+
+### Qube creation
+`create.sls` is a standard way of creating `sys-dnscrypt` - qvm.present is used to create the qube, and preferences and features are set.
+
+
+### Configuration
+`configure.sls` sets the firewall rules to drop forwarded DNS traffic, to dnat incoming DNS traffic to the service on sys-dnscrypt, and to allow that traffic to reach the server.
+DNAT rules are also set in /rw/config/network-hooks.d to ensure they are not overwritten, and to keep traffic from vif* interfaces set on localnet.
+
+## Notes
+The service is installed from a release tarball, not from a system package.
+This means that updating requires some manual intervention.
+
+The service is to be manually started on sys-dnscrypt, as preferred by the developers.
+The application has not been set to run as a service.
+This could be done with use of `bind-dirs`.
--- a/dnscrypt/configure.sls
+++ b/dnscrypt/configure.sls
@ -13,5 +13,49 @@ dnscrypt_update_rc.local:
        cp /etc/resolv.conf /etc/resolv.conf.backup
        cp /rw/config/resolv.conf /etc/resolv.conf
  
+/rw/config/qubes-firewall.d/update_nft.sh:
+  file.managed:
+    - source:
+      - salt://dnscrypt/update_nft.sh
+    - user: root
+    - group: root
+    - makedirs: True
+    - mode: 755
+
+/rw/config/qubes-firewall.d/update_nft.nft:
+  file.managed:
+    - source:
+      - salt://dnscrypt/update_nft.nft
+    - user: root
+    - group: root
+    - makedirs: True
+    - mode: 755
+
+/rw/config/network-hooks.d/update_nft.sh:
+  file.managed:
+    - source:
+      - salt://dnscrypt/update_nft.sh
+    - user: root
+    - group: root
+    - makedirs: True
+    - mode: 755
+
+/rw/config/network-hooks.d/internalise.sh:
+  file.managed:
+    - source:
+      - salt://dnscrypt/internalise.sh
+    - user: root
+    - group: root
+    - makedirs: True
+    - mode: 755
+
+dnscrypt-set-localnet:
+  cmd.run:
+    - name: /usr/sbin/sysctl -w net.ipv4.conf.all.route_localnet=1
+
+dnscrypt-configure:
+  file.copy:
+    - name:  /home/user/linux-x86_64/dnscrypt-proxy.toml
+    - source: /home/user/linux-x86_64/example-dnscrypt-proxy.toml

 {% endif %}
--- a/dnscrypt/install.sls
+++ b/dnscrypt/install.sls
@ -44,6 +44,20 @@ dnscrypt_extract:
    - user: user
    - group: user

+/etc/resolv.conf.backup:
+  file.copy:
+    - source: /etc/resolv.conf
+
+remove_resolv.conf:
+  file.absent:
+    - name: /etc/resolv.conf
+
+new_resolv.conf:
+  file.managed:
+    - name: /etc/resolv.conf
+    - source: salt://dnscrypt/resolv.conf
+
+
 {% endif %}
 {% endif %}
 {% endif %}
--- a/dnscrypt/internalise.sh
+++ b/dnscrypt/internalise.sh
@ -0,0 +1,2 @@
+#!/bin/sh
+find /proc/sys/net/ipv4/conf -name "vif*" -exec bash -c 'echo 1 | sudo tee {}/route_localnet' \;
--- a/dnscrypt/resolv.conf
+++ b/dnscrypt/resolv.conf
@ -0,0 +1,2 @@
+nameserver 127.0.0.1
+options edns0
--- a/dnscrypt/update_nft.nft
+++ b/dnscrypt/update_nft.nft
@ -0,0 +1,14 @@
+#!/usr/sbin/nft -f
+flush chain qubes dnat-dns
+
+flush chain qubes custom-forward
+insert rule qubes custom-forward tcp dport 53 drop
+insert rule qubes custom-forward udp dport 53 drop
+
+flush chain qubes custom-input
+insert rule qubes custom-input tcp dport 53 accept
+insert rule qubes custom-input udp dport 53 accept
+
+flush chain qubes dnat-dns
+insert rule qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
--- a/dnscrypt/update_nft.sh
+++ b/dnscrypt/update_nft.sh
@ -0,0 +1,3 @@
+#!/bin/sh
+nft -f /rw/config/qubes-firewall.d/update_nft.nft
+