
DNS working. DHCP working. WEB working. ROUNDCUBE working. IMAP/S working.

Signed-off-by: James Ketrenos <james_git@ketrenos.com>
This commit is contained in:
James Ketr 2023-10-10 11:45:38 -07:00
parent 97a73102bf
commit 2ca43b8a1a
209 changed files with 2217 additions and 1820 deletions


@ -1,2 +1,2 @@
www
keys


@ -5,10 +5,35 @@
nginx and apache2
monitors keys from ./config/letsencrypt and restarts nginx and apache if changed
apache2 is only being used for mailman, which is currently offline
## ketreweb-roundcube
default container for roundcube
## ketreweb-cron
Runs letsencrypt via cron
Runs letsencrypt via cron once per day
Runs email-check via cron once per day
## ketreweb-mail
uses LDAP to 192.168.1.78
dovecot
postfix
## ketrenet-dns
Runs dhcp and bind
Host needs to have following in /etc/systemd/resolved.conf:
```bash
[Resolve]
DNSStubListener=no
DNSStubListenerExtra=1053
```
```bash
sudo systemctl restart systemd-resolved
```


@ -1 +0,0 @@
c0c022ea6b8a51ecc8f1003d0a04af6c3f2bc1c3ce506b3c2dfc1f11ef931082


@ -1 +0,0 @@
4b16fec2bcbcd8a2f3296d886f17f9953ffdcc0af54582452ca1e52f5f776f16


@ -1 +0,0 @@
9ba6429597aeed2d8617a7705b56e96d044f64b07971659382e426675105654b


@ -1,89 +0,0 @@
##
## Log destination.
##
# Log file to use for error messages. "syslog" logs to syslog,
# /dev/stderr logs to stderr.
#log_path = syslog
# Log file to use for informational messages. Defaults to log_path.
#info_log_path =
# Log file to use for debug messages. Defaults to info_log_path.
#debug_log_path =
# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use "mail", you'll use local0..local7. Also other standard
# facilities are supported.
#syslog_facility = mail
##
## Logging verbosity and debugging.
##
# Log unsuccessful authentication attempts and the reasons why they failed.
#auth_verbose = no
# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
#auth_verbose_passwords = no
# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
#auth_debug = no
# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
#auth_debug_passwords = no
# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
#mail_debug = no
# Show protocol level SSL errors.
#verbose_ssl = no
# mail_log plugin provides more event logging for mail processes.
plugin {
# Events to log. Also available: flag_change append
#mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
# Available fields: uid, box, msgid, from, subject, size, vsize, flags
# size and vsize are available only for expunge and copy events.
#mail_log_fields = uid box msgid size
}
##
## Log formatting.
##
# Prefix for each line written to log file. % codes are in strftime(3)
# format.
#log_timestamp = "%b %d %H:%M:%S "
# Space-separated list of elements we want to log. The elements which have
# a non-empty variable value are joined together to form a comma-separated
# string.
#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
# Login log format. %s contains login_log_format_elements string, %$ contains
# the data we want to log.
#login_log_format = %$: %s
# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
# possible variables you can use.
#mail_log_prefix = "%s(%u): "
# Format to use for logging mail deliveries:
# %$ - Delivery status message (e.g. "saved to INBOX")
# %m / %{msgid} - Message-ID
# %s / %{subject} - Subject
# %f / %{from} - From address
# %p / %{size} - Physical size
# %w / %{vsize} - Virtual size
# %e / %{from_envelope} - MAIL FROM envelope
# %{to_envelope} - RCPT TO envelope
# %{delivery_time} - How many milliseconds it took to deliver the mail
# %{session_time} - How long LMTP session took, not including delivery_time
# %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename
#deliver_log_format = msgid=%m: %$


@ -1,83 +0,0 @@
##
## Log destination.
##
# Log file to use for error messages. "syslog" logs to syslog,
# /dev/stderr logs to stderr.
#log_path = syslog
# Log file to use for informational messages. Defaults to log_path.
#info_log_path =
# Log file to use for debug messages. Defaults to info_log_path.
#debug_log_path =
# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use "mail", you'll use local0..local7. Also other standard
# facilities are supported.
#syslog_facility = mail
##
## Logging verbosity and debugging.
##
# Log unsuccessful authentication attempts and the reasons why they failed.
#auth_verbose = no
# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
#auth_verbose_passwords = no
# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
#auth_debug = no
# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
auth_debug_passwords = yes
# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
#mail_debug = no
# Show protocol level SSL errors.
#verbose_ssl = no
# mail_log plugin provides more event logging for mail processes.
plugin {
# Events to log. Also available: flag_change append
#mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
# Available fields: uid, box, msgid, from, subject, size, vsize, flags
# size and vsize are available only for expunge and copy events.
#mail_log_fields = uid box msgid size
}
##
## Log formatting.
##
# Prefix for each line written to log file. % codes are in strftime(3)
# format.
#log_timestamp = "%b %d %H:%M:%S "
# Space-separated list of elements we want to log. The elements which have
# a non-empty variable value are joined together to form a comma-separated
# string.
#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
# Login log format. %$ contains login_log_format_elements string, %s contains
# the data we want to log.
#login_log_format = %$: %s
# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
# possible variables you can use.
#mail_log_prefix = "%s(%u): "
# Format to use for logging mail deliveries. You can use variables:
# %$ - Delivery status message (e.g. "saved to INBOX")
# %m - Message-ID
# %s - Subject
# %f - From address
# %p - Physical size
# %w - Virtual size
#deliver_log_format = msgid=%m: %$


@ -1,119 +0,0 @@
#default_process_limit = 100
#default_client_limit = 1000
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
service imap-login {
inet_listener imap {
#port = 143
}
inet_listener imaps {
#port = 993
#ssl = yes
}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = $default_vsz_limit
}
service pop3-login {
inet_listener pop3 {
#port = 110
}
inet_listener pop3s {
#port = 995
#ssl = yes
}
}
service lmtp {
unix_listener lmtp {
#mode = 0666
}
# Create inet listener only if you can't use the above UNIX socket
#inet_listener lmtp {
# Avoid making LMTP visible for the entire internet
#address =
#port =
#}
}
service imap {
# Most of the memory goes to mmap()ing files. You may need to increase this
# limit if you have huge mailboxes.
#vsz_limit = $default_vsz_limit
# Max. number of IMAP processes (connections)
#process_limit = 1024
}
service pop3 {
# Max. number of POP3 processes (connections)
#process_limit = 1024
}
service auth {
# auth_socket_path points to this userdb socket by default. It's typically
# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
# full permissions to this socket are able to get a list of all usernames and
# get the results of everyone's userdb lookups.
#
# The default 0666 mode allows anyone to connect to the socket, but the
# userdb lookups will succeed only if the userdb returns an "uid" field that
# matches the caller process's UID. Also if caller's uid or gid matches the
# socket's uid or gid the lookup succeeds. Anything else causes a failure.
#
# To give the caller full permissions to lookup all users, set the mode to
# something else than 0666 and Dovecot lets the kernel enforce the
# permissions (e.g. 0777 allows everyone full permissions).
unix_listener auth-userdb {
#mode = 0666
#user =
#group =
}
# Postfix smtp-auth
#unix_listener /var/spool/postfix/private/auth {
# mode = 0666
#}
# Auth process is run as this user.
#user = $default_internal_user
}
service auth-worker {
# Auth worker process is run as root by default, so that it can access
# /etc/shadow. If this isn't necessary, the user should be changed to
# $default_internal_user.
#user = root
}
service dict {
# If dict proxy is used, mail processes should have access to its socket.
# For example: mode=0660, group=vmail and global mail_access_groups=vmail
unix_listener dict {
#mode = 0600
#user =
#group =
}
}


@ -1,58 +0,0 @@
##
## SSL settings
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
#ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# DH parameters length to use.
#ssl_dh_parameters_length = 1024
# SSL protocols to use
#ssl_protocols = !SSLv2
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =


@ -1,102 +0,0 @@
## Dovecot configuration file
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot
# Greeting message for clients.
#login_greeting = Dovecot ready.
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes
# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server
# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ
##
## Dictionary server settings
##
# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf



@ -1 +0,0 @@
/etc/ssl/certs/dovecot.pem


@ -9,7 +9,7 @@ RUN apt-get -q update \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log}
COPY /Dockerfile.letsencrypt /Dockerfile.letsencrypt
COPY /letsencrypt.sh /letsencrypt.sh
COPY /Dockerfile.cron /Dockerfile
COPY /entrypoint.sh /entrypoint.sh
ENTRYPOINT [ "/letsencrypt.sh" ]
ENTRYPOINT [ "/entrypoint.sh" ]

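--- a/cron/entrypoint.sh
+++ b/cron/entrypoint.sh
@@ -0,0 +1,137 @@
+#!/bin/bash
+CMD=$1
+email_check() {
+FILE=$1
+FILE=${FILE:=mail.log}
+NOFILTER=$2
+function filterDate {
+if [[ "${NOFILTER}" == "" ]]; then
+DATE="$*"
+else
+DATE=""
+fi
+EXP1="s#^${DATE}"'.*pam\(([^,]*),([^)]*).*((auth_username_chars)|(password mismatch)).*#\1 \2#p'
+EXP2="s#^${DATE}"'.*plain\(\?,([^,)]*)\).*disallowed by auth_username_chars.*username: ([^)]*).*#\2 \1#p'
+sed -En \
+-e "${EXP1}" \
+-e "${EXP2}" \
+"/var/log/${FILE}" |
+sed -E 's,@ketrenos\.com,,g' |
+sort |
+uniq -f 1 --group=prepend |
+sort |
+uniq -c |
+tail -n +2
+}
+mapfile -t data < <(
+if [[ "${NOFILTER}" == "" ]]; then
+filterDate "$(date --date yesterday +"%b %e")"
+else
+filterDate "$(date +"%b %e")"
+fi)
+declare -a ip_address=()
+threshold=3
+echo "IPs with >= ${threshold} hits"
+printf "%6s %-17s %s\n" "Count" "IP"
+declare -A ips
+for line in "${data[@]}"; do
+parts=(${line})
+count=${parts[0]}
+address=${parts[1]}
+ip=${parts[2]}
+if [[ "${ip}" == "" ]]; then
+echo "Bad line: $line"
+continue
+fi
+if [[ ! " ${ip} " =~ " ${ip_addresses[*]} " ]]; then
+ip_addresses+=("${ip}")
+fi
+if [[ "${ips[${ip}]}" == "" ]]; then
+ips[${ip}]=1
+else
+ips[${ip}]=$((ips[${ip}]+1))
+fi
+done
+for key in "${!ips[@]}"; do
+if (( ips[${key}] >= threshold )); then
+printf "%6d %s\n" "${ips[${key}]}" "${key}"
+fi
+done | sort -n -r
+echo "Addresses attempted to be breached"
+printf "%6s %-17s %s\n" "Count" "IP" "Address"
+for line in "${data[@]}"; do
+parts=(${line})
+count=${parts[0]}
+address=${parts[1]}
+ip=${parts[2]}
+printf "%6s %-17s %s\n" "${count}" "${ip}" "${address}"
+done
+echo -e "\nIn progress netmask determination..."
+# Call the Python routine with the IP addresses as arguments
+python - "${ip_addresses[@]}" << END
+import sys
+import socket
+import collections
+import os
+from collections import defaultdict
+def validate_ip_addresses(ip_addresses):
+for ip in ip_addresses:
+try:
+socket.inet_aton(ip)
+except socket.error:
+print("Invalid IP address:", ip)
+sys.exit(1)
+def calculate_netmask(ip_addresses):
+binary_ips = [bin(int(socket.inet_aton(ip).encode('hex'), 16))[2:].zfill(32) for ip in ip_addresses]
+common_prefix = os.path.commonprefix(binary_ips)
+netmask = common_prefix + '0'*(32-len(common_prefix))
+return '.'.join([str(int(netmask[i:i+8], 2)) for i in range(0, 32, 8)])
+def count_netmasks(ip_addresses):
+netmask_counts = defaultdict(int)
+for ip in ip_addresses:
+ip_octets = ip.split('.')
+binary_ip = ''.join([bin(int(octet))[2:].zfill(8) for octet in ip_octets])
+netmask = '1' * binary_ip.count('1') + '0' * (32 - binary_ip.count('1'))
+netmask_counts[netmask] += 1
+return netmask_counts
+def to_bytes(n, length, byteorder='big'):
+h = '%x' % n
+s = ('0'*(len(h) % 2) + h).zfill(length*2).decode('hex')
+return s if byteorder == 'big' else s[::-1]
+ip_addresses = sys.argv[1:]
+validate_ip_addresses(ip_addresses)
+netmask_counts = count_netmasks(ip_addresses)
+# find_greatest_common_netmask(ip_addresses)
+sorted_netmask_counts = sorted(netmask_counts.items(), key=lambda x: x[1], reverse=True)
+for netmask, count in sorted_netmask_counts:
+netmask_str = socket.inet_ntoa(to_bytes(int(str(netmask), 2), 4, byteorder='big'))
+print(str(count) + ' ' + netmask_str + '/' + str(32-len(netmask)))
+END
+}
+case "${CMD}" in
+email-check)
+email_check dovecot.log
+;;
+*)
+while true; do
+cron -f
+echo "cron died: $?"
+sleep 5
+done
+;;
+esac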
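Review bot: The de-duplication test `if [[ ! " ${ip} " =~ " ${ip_addresses[*]} " ]]` is inverted — the joined list is used as the regex and the single IP as the subject — so it only matches while the list holds one entry, and `ip_addresses` is not the `declare -a ip_address=()` a few lines above it (the script keeps running only because `set -u` is not in effect). `ips` is already keyed by IP, so drop both and set `ip_addresses=("${!ips[@]}")` after the counting loop. The embedded Python relies on the Python 2-only `.encode('hex')` / `.decode('hex')` codecs, so under Python 3 `to_bytes` raises before the netmask loop prints anything; on Python 3 `socket.inet_ntoa(int(netmask, 2).to_bytes(4, 'big'))` replaces the helper, and quoting the delimiter as `<<'END'` keeps the shell from expanding anything inside the heredoc. `parts=(${line})` also glob-expands the log-derived username field against the working directory; `read -r count address ip <<<"${line}"` splits the line without globbing.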


@ -0,0 +1 @@
0 6 * * * /cron.sh email-check
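Review bot: The job runs `/cron.sh email-check`, but the Dockerfile hunk in this commit copies `/entrypoint.sh` (whose `email-check` case is what this job is meant to reach) and nothing shown copies a `/cron.sh`; unless Dockerfile.cron or another layer provides it, the daily check will fail inside cron with no visible error. `0 6 * * * /entrypoint.sh email-check` matches the entrypoint shipped here. Since cron's output otherwise goes to local mail, consider appending `>/proc/1/fd/1 2>&1` so the report shows up in the container logs.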

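--- a/dns.sh
+++ b/dns.sh
@@ -1,14 +0,0 @@
-#!/bin/bash
-services=(
-"/usr/sbin/named -f"
-"/usr/sbin/dhcpd -f"
-)
-for service in "${services[@]}"; do
-while true; do
-${service}
-echo "${service%% *} died: $?"
-sleep 5
-done &
-done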


@ -8,4 +8,7 @@ RUN apt-get -q update \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log}
ENTRYPOINT [ "/dns.sh" ]
COPY ./Dockerfile.dns /Dockerfile
COPY ./entrypoint.sh /entrypoint.sh
ENTRYPOINT [ "/entrypoint.sh" ]

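--- a/dns/entrypoint.sh
+++ b/dns/entrypoint.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+dirs=(
+/var/lib/dhcp
+/var/log/bind
+)
+if [[ -e "/var/run/dhcpd.pid" ]]; then
+rm /var/run/dhcpd.pid
+fi
+for dir in "${dirs[@]}"; do
+mkdir -p "${dir}"
+chmod a+rwX "${dir}"
+done
+services=(
+"/usr/sbin/named -g"
+"/usr/sbin/dhcpd -f"
+)
+for service in "${services[@]}"; do
+while true; do
+${service}
+echo "${service%% *} died: $?"
+sleep 5
+done &
+done
+while true; do
+sleep 3600
+done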
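Review bot: `chmod a+rwX "${dir}"` makes /var/lib/dhcp and /var/log/bind world-writable, so any uid in the container can tamper with the lease database or truncate the name server's logs; `chown` them to the accounts the daemons run as instead (`dhcpd` and `bind` on Debian-based images, which the apt-get layer in the DNS Dockerfile suggests this is), e.g. `chown dhcpd: /var/lib/dhcp` and `chown bind: /var/log/bind`. The supervisor loops are backgrounded and PID 1 then sleeps forever without trapping signals, so a `docker stop` most likely ends in SIGKILL for named and dhcpd; `trap 'kill 0' TERM INT` before the loops and `wait` in place of the sleep loop lets them exit cleanly. `${service}` is left unquoted on purpose so the flag splits off the binary; a `# intentional word-splitting` comment would stop the next ShellCheck pass from quoting it.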


@ -0,0 +1 @@
ketrenos.com. IN KEY 0 3 165 zBzAY0WAb2DeOeAQHq8Pg8J61zCFKOE/tcaUhIcLtEF0ajujHFrieSSZ irCNm7ifq1csO1lipc7Ad52MJb8j6w==
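Review bot: This record has the shape of a `dnssec-keygen`-generated HMAC-SHA512 key (algorithm 165, flags 0, protocol 3), i.e. a TSIG shared secret rather than a public key, and committing it means anyone with read access to the repository can authenticate dynamic updates or zone transfers for the zone if the server's named.conf references it. Treat the key as exposed: generate a replacement outside the tree, mount it into the container at runtime, and keep its path under the `keys` entry that the two-line file at the top of this commit appears to add to .gitignore. The hunk does not show which named.conf statements consume the key, so the exact impact is inferred.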

dns/etc/bind/bind.keys Normal file

@ -0,0 +1,69 @@
/* $Id: bind.keys,v 1.7 2011/01/03 23:45:07 each Exp $ */
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options. To use the built-in DLV key, set
# "dnssec-lookaside auto;". Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of Feburary 2017. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
#
# NOTE: The ISC DLV zone is being phased out as of February 2017;
# the key will remain in place but the zone will be otherwise empty.
# Configuring "dnssec-lookaside auto;" to activate this key is
# harmless, but is no longer useful and is not recommended.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
#
# These keys are activated by setting "dnssec-validation auto;"
# in named.conf.
#
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
# the root zone.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
# This key (20326) is to be published in the root zone in 2017.
# Servers which were already using the old key should roll to the
# new # one seamlessly. Servers being set up for the first time
# can use either of the keys in this file to verify the root keys
# for the first time; thereafter the keys in the zone will be
# trusted and maintained automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};

dns/etc/bind/db.0 Normal file

@ -0,0 +1,12 @@
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.

dns/etc/bind/db.127 Normal file

@ -0,0 +1,13 @@
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
1.0.0 IN PTR localhost.

dns/etc/bind/db.255 Normal file

@ -0,0 +1,12 @@
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.

dns/etc/bind/db.empty Normal file

@ -0,0 +1,14 @@
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS localhost.

dns/etc/bind/db.local Normal file

@ -0,0 +1,14 @@
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1

dns/etc/bind/db.named.ca Normal file

@ -0,0 +1,80 @@
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jan 29, 2004
; related version of root zone: 2004012900
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File


@ -0,0 +1,9 @@
@ IN SOA localhost. root.localhost. (
1997022700 ; serial
28800 ; refresh
14400 ; retry
3600000 ; expire
86400 ; default_ttl
)
@ IN NS localhost.
1 IN PTR localhost.

dns/etc/bind/db.root Normal file

@ -0,0 +1,90 @@
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: February 17, 2016
; related version of root zone: 2016021701
;
; formerly NS.INTERNIC.NET
;
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
; End of file


@ -0,0 +1,80 @@
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jan 29, 2004
; related version of root zone: 2004012900
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File

12
dns/etc/bind/named.conf Normal file

@ -0,0 +1,12 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
//include "/etc/bind/named.conf.logging";


@ -0,0 +1,232 @@
view "parent" {
match-clients { parent; };
recursion yes;
forwarders {
// Google servers
8.8.8.8;
// Frontier DNS servers
184.16.4.22;
184.16.33.54;
};
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
zone "1.168.192.in-addr.arpa" {
type slave;
masters { 192.168.1.78 key internal-key; };
file "/var/lib/bind/db.1.168.192-parent";
allow-transfer { any; };
allow-notify { 192.168.1.78; key parent-key; };//any; };
# allow-update { any; };
};
zone "0.10.10.in-addr.arpa" {
type slave;
masters { 192.168.1.78 key internal-key; };
file "/var/lib/bind/db.0.10.10";
allow-transfer { any; };
allow-notify { 192.168.1.78; key parent-key; };//any; };
# allow-update { any; };
};
# 50.39.247.22
# 85.126.50
zone "85.126.50.in-addr.arpa" IN {
type master;
file "/var/lib/bind/85.126.50.in-addr.arpa";
allow-update { none; };
};
zone ketrenos.com {
type master;
file "/var/lib/bind/db.ketrenos.com-internal";
allow-update { key ketrenos.com.; };
};
zone "sketchitect.com" {
type master;
file "/var/lib/bind/db.sketchitect.com-internal";
notify no;
};
zone "portland-werewolf.com" {
type master;
file "/var/lib/bind/db.portland-werewolf.com-internal";
notify no;
};
zone "kiaoramassage.com" {
type master;
file "/var/lib/bind/db.kiaoramassage.com-internal";
notify no;
};
};
view "internal" {
match-clients { ketrenos; };
recursion yes;
# 50.39.247.22
# 85.126.50
zone "85.126.50.in-addr.arpa" IN {
type master;
file "/var/lib/bind/85.126.50.in-addr.arpa";
allow-update { none; };
};
forwarders {
// Cleanbrowsing DNS server
185.228.168.10;
};
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
zone ketrenos.com {
in-view "parent";
};
zone "sketchitect.com" {
type master;
file "/var/lib/bind/db.sketchitect.com-internal";
notify no;
};
zone "portland-werewolf.com" {
type master;
file "/var/lib/bind/db.portland-werewolf.com-internal";
notify no;
};
zone "kiaoramassage.com" {
type master;
file "/var/lib/bind/db.kiaoramassage.com-internal";
notify no;
};
zone "1.168.192.in-addr.arpa"{
type master;
file "/var/lib/bind/db.192.168.1";
allow-update { key ketrenos.com.; };
allow-query { 192.168.0.0/16; 127.0.0.1; };
//also-notify { 192.168.1.78 key parent-key; };
notify yes;
};
zone "0.10.10.in-addr.arpa" {
type master;
file "/var/lib/bind/db.10.10.0";
allow-update { key ketrenos.com.; };
allow-query { 10.10.0.0/24; 127.0.0.1; };
//also-notify { 192.168.1.78 key parent-key; };
notify yes;
};
};
view "internet" {
match-clients { "any"; };
recursion no;
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "0.0.127.in-addr.arpa"{
type master;
file "/etc/bind/db.127";
};
# zone "85.126.50.in-addr.arpa"{
# type master;
# file "/var/lib/bind/db.50.39.247";
# notify yes;
# };
# 50.39.247.22
# 85.126.50
zone "85.126.50.in-addr.arpa" IN {
type master;
file "/var/lib/bind/85.126.50.in-addr.arpa";
allow-update { none; };
};
zone ketrenos.com {
type master;
file "/var/lib/bind/db.ketrenos.com";
notify yes;
};
zone "sketchitect.com" {
type master;
file "/var/lib/bind/db.sketchitect.com";
notify yes;
};
zone "portland-werewolf.com" {
type master;
file "/var/lib/bind/db.portland-werewolf.com";
notify yes;
};
zone "kiaoramassage.com" {
type master;
file "/var/lib/bind/db.kiaoramassage.com";
notify yes;
};
};
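Review bot: `allow-transfer { any; };` on the two slave reverse zones in view "parent" overrides the global `allow-transfer { none; };` in named.conf.options, so any client that lands in that view can AXFR the complete 192.168.1.0/24 and 10.10.0.0/24 host inventory. Nothing downstream is shown pulling from this server, so tighten it to `allow-transfer { 192.168.1.78; key internal-key; };` (or `{ none; }`) on both zones. Separately, this server is master for `1.168.192.in-addr.arpa` and `0.10.10.in-addr.arpa` in view "internal" but slaves the same names from 192.168.1.78 in view "parent" with `also-notify` commented out; if 192.168.1.78 is no longer being updated (dhcpd.conf in this commit sends DDNS to `primary 127.0.0.1`), the "parent" copies will serve stale data until they expire. Consider referencing the internal master with `in-view` the way `ketrenos.com` already does, remembering that `in-view` can only name a view defined earlier in the file.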


@ -0,0 +1,9 @@
//
// Do any local configuration here
//
include "/etc/ddns.key";
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


@ -0,0 +1,34 @@
logging {
category lame-servers { null; };
channel security_info {
file "/var/log/named-auth.log";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category notify { default_log; };
category update { default_debug; };
category security { security_info; };
category queries { queries_log; };
category config { security_info; };
category default { default_log; };
channel default_log {
file "/var/log/named.log";
severity info;
//severity debug;
print-time yes;
};
channel queries_log {
file "/var/log/named-queries.log";
// severity info;
severity debug;
print-time yes;
};
};


@ -0,0 +1,51 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
logging {
category lame-servers { null; };
channel update_debug {
file "/var/log/named-update.log";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel security_info {
file "/var/log/named-auth.log";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category update { update_debug; };
category security { security_info; };
category queries { queries_log; };
category config { security_info; };
category default { default_log; };
channel default_log {
file "/var/log/named.log";
severity info;
print-time yes;
};
channel queries_log {
file "/var/log/named-queries.log";
severity info;
print-time yes;
};
};


@ -0,0 +1,47 @@
#empty-zones-enable no;
key parent-key {
algorithm HMAC-MD5;
secret "aW50ZXJuYWwtc2VjcmV0ZQo=";
};
key internal-key {
algorithm HMAC-MD5;
secret "cGFyZW50LXNlY3JldGUK";
};
acl parent {
!key internal-key;
192.168.1.184; # dg1 laptop
# 192.168.1.154; # unknown
192.168.1.152; # nuc
192.168.1.134; # vr
192.168.1.245; # cell
192.168.1.78; # azurite (tinyproxy)
# 192.168.1.101; # unknown
# 192.168.1.70; # unknown
# 192.168.1.96; # unknown
};
acl ketrenos {
!key parent-key;
192.168.0.0/16;
10.10.0.0/16;
localhost;
};
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
listen-on { any; }; //50.39.247.22; 192.168.1.1; 127.0.0.1; };
allow-query { any; };
notify explicit;
allow-transfer { none; };
};
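Review bot: Both TSIG keys are `HMAC-MD5` with secrets that are simply base64 of the words "internal-secrete" and "parent-secrete" (swapped relative to the key names), so they provide no real authentication for the `masters { 192.168.1.78 key internal-key; }` transfers and the `allow-notify` rules that rely on them, and they are committed to the repository in the clear. Generate real keys with `tsig-keygen -a hmac-sha256 internal-key` (BIND documents HMAC-MD5 as deprecated) and load them from the git-ignored `keys/` tree via `include`, the way `/etc/ddns.key` is already handled in named.conf.local. Because `acl parent` and `acl ketrenos` use `!key …` negation, a guessed key also lets a client steer itself into the other view. `listen-on { any; }` with `allow-query { any; }` is only safe because the "internet" view sets `recursion no`; a comment here stating that dependency would stop a future edit from turning this into an open resolver.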


@ -0,0 +1,59 @@
acl parent {
192.168.1.152/32;
192.168.1.101/32;
}
acl ketrenos {
192.168.0.0/16;
10.0.0.0/24;
localhost;
};
// Options added based on Gentoo configuration
key DHCP_UPDATER {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret N6LHZWHvV7AVTEZECW18Pw==;
};
options {
dnssec-enable yes;
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
listen-on { 50.39.247.22; 192.168.1.1; 127.0.0.1; };
allow-query { any; };
};
view "ketrenos" {
match-clients {
ketrenos;
};
forwarders {
// Cleanbrowsing DNS server
185.228.168.10;
// OpenDNS filtered DNS servers
// 208.67.222.222;
// 208.67.220.220;
// 208.67.222.123;
// 208.67.220.123;
};
};
view "ketrenos" {
match-clients {
parent;
}
forwarders {
// Google servers
8.8.8.8;
// Frontier DNS servers
184.16.4.22;
184.16.33.54;
};
};
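Review bot: This file cannot be loaded by named as written: the `acl parent { ... }` block lacks its trailing `;`, `match-clients { parent; }` in the second view does too, both views are named "ketrenos" (view names must be unique), and `dnssec-enable` is deprecated/removed in current BIND releases. It looks like a leftover of the pre-container `etc/named` layout (docker-compose in this commit no longer mounts that path); if so it should be deleted rather than committed, especially since it embeds the `DHCP_UPDATER` HMAC-MD5 secret in the clear. If it is meant to be live, fix the syntax and move the key to an `include` from the git-ignored `keys/` tree. Either way, rotate that secret now that it is in git history.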


@ -0,0 +1,20 @@
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

4
dns/etc/dhcp/ddns.key Normal file

@ -0,0 +1,4 @@
key ketrenos.com. {
algorithm HMAC-SHA512;
secret "zBzAY0WAb2DeOeAQHq8Pg8J61zCFKOE/tcaUhIcLtEF0ajujHFrieSSZirCNm7ifq1csO1lipc7Ad52MJb8j6w==";
};
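Review bot: This is the live TSIG secret for key `ketrenos.com.`, the key that every `allow-update { key ketrenos.com.; }` zone in named.conf.default-zones trusts, and it is committed in the clear under `dns/etc/dhcp/`, which docker-compose bind-mounts into the container; anyone who can read the repository can forge A/PTR updates for ketrenos.com and the LAN reverse zones. The bind side already loads its copy from the git-ignored `keys/` tree (`./keys/dns/ddns.key:/etc/ddns.key:ro`), so do the same for dhcpd: move this file to `keys/dns/` and mount it with `- ./keys/dns/ddns.key:/etc/dhcp/ddns.key:ro`. Then regenerate the secret (`tsig-keygen -a hmac-sha512 ketrenos.com.`) and update both sides, since the current value must be treated as compromised regardless of whether history is rewritten.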

38
dns/etc/dhcp/debug Normal file

@ -0,0 +1,38 @@
#
# The purpose of this script is just to show the variables that are
# available to all the scripts in this directory. All these scripts are
# called from dhclient-script, which exports all the variables shown
# before. If you want to debug a problem with your DHCP setup you can
# enable this script and take a look at /tmp/dhclient-script.debug.
# To enable this script set the following variable to "yes"
RUN="no"
if [ "$RUN" = "yes" ]; then
echo "$(date): entering ${1%/*}, dumping variables." \
>> /tmp/dhclient-script.debug
# loop over the 4 possible prefixes: (empty), cur_, new_, old_
for prefix in '' 'cur_' 'new_' 'old_'; do
# loop over the DHCP variables passed to dhclient-script
for basevar in reason interface medium alias_ip_address \
ip_address host_name network_number subnet_mask \
broadcast_address routers static_routes \
rfc3442_classless_static_routes \
domain_name domain_search domain_name_servers \
netbios_name_servers netbios_scope \
ntp_servers \
ip6_address ip6_prefix ip6_prefixlen \
dhcp6_domain_search dhcp6_name_servers ; do
var="${prefix}${basevar}"
eval "content=\$$var"
# show only variables with values set
if [ -n "${content}" ]; then
echo "$var='${content}'" >> /tmp/dhclient-script.debug
fi
done
done
echo '--------------------------' >> /tmp/dhclient-script.debug
fi


@ -0,0 +1 @@
../debug


@ -0,0 +1,81 @@
#
# Script fragment to make dhclient supply nameserver information to resolvconf
#
# Tips:
# * Be careful about changing the environment since this is sourced
# * This script fragment uses bash features
# * As of isc-dhcp-client 4.2 the "reason" (for running the script) can be one of the following.
# (Listed on man page:) MEDIUM(0) PREINIT(0) BOUND(M) RENEW(M) REBIND(M) REBOOT(M) EXPIRE(D) FAIL(D) RELEASE(D) STOP(D) NBI(-) TIMEOUT(M)
# (Also used in master script:) ARPCHECK(0), ARPSEND(0)
# (Also used in master script:) PREINIT6(0) BOUND6(M) RENEW6(M) REBIND6(M) DEPREF6(0) EXPIRE6(D) RELEASE6(D) STOP6(D)
# (0) = master script does not run make_resolv_conf
# (M) = master script runs make_resolv_conf
# (D) = master script downs interface
# (-) = master script does nothing with this
if [ -x /sbin/resolvconf ] ; then
# For safety, first undefine the nasty default make_resolv_conf()
make_resolv_conf() { : ; }
case "$reason" in
BOUND|RENEW|REBIND|REBOOT|TIMEOUT)
# Define a resolvconf-compatible m_r_c() function
# It gets run later (or, in the TIMEOUT case, MAY get run later)
make_resolv_conf() {
local R
local N
R=""
if [ "$new_domain_name_servers" ] && [ "$new_domain_name" ] ; then
R="${R}domain $new_domain_name
"
fi
if [ "$new_domain_name_servers" ] && [ "$new_domain_search" ] ; then
R="${R}search $new_domain_search
"
fi
for N in $new_domain_name_servers ; do
R="${R}nameserver $N
"
done
[ ! "$interface" ] || echo -n "$R" | /sbin/resolvconf -a "${interface}.dhclient"
}
;;
BOUND6|RENEW6|REBIND6)
# Define a resolvconf-compatible m_r_c() function
# It gets run later (or, in the TIMEOUT case, MAY get run later)
make_resolv_conf() {
local R
local N
local N_LOW
local ZONE_ID
R=""
if [ "$new_dhcp6_name_servers" ] && [ "$new_dhcp6_domain_search" ] ; then
R="${R}search $new_dhcp6_domain_search
"
fi
for N in $new_dhcp6_name_servers ; do
# If the nameserver has a link-local address
# then add a zone ID (interface name) to it.
N_LOW="$(echo "$N" | tr '[:upper:]' '[:lower:]')"
if expr "$N_LOW" : ^fe80:: >/dev/null ; then
ZONE_ID="%$interface"
else
ZONE_ID=""
fi
R="${R}nameserver $N$ZONE_ID
"
done
[ ! "$interface" ] || echo -n "$R" | /sbin/resolvconf -a "${interface}.ip6.dhclient"
}
;;
EXPIRE|FAIL|RELEASE|STOP)
# Delete resolv.conf info
[ ! "$interface" ] || /sbin/resolvconf -d "${interface}.dhclient"
;;
EXPIRE6|RELEASE6|STOP6)
# Delete resolv.conf info
[ ! "$interface" ] || /sbin/resolvconf -d "${interface}.ip6.dhclient"
;;
esac
fi


@ -0,0 +1 @@
../debug


@ -0,0 +1,45 @@
NTPDATE_CONF=/etc/default/ntpdate
NTPDATE_DHCP_CONF=/var/lib/ntpdate/default.dhcp
ntp_servers_setup_remove() {
rm -f $NTPDATE_DHCP_CONF
}
ntp_servers_setup_add() {
if [ -e $NTPDATE_DHCP_CONF ] && [ "$new_ntp_servers" = "$old_ntp_servers" ]; then
return
fi
if [ -z "$new_ntp_servers" ]; then
ntp_servers_setup_remove
return
fi
tmp=$(mktemp "$NTPDATE_DHCP_CONF.XXXXXX") || return
chmod --reference=$NTPDATE_CONF $tmp
chown --reference=$NTPDATE_CONF $tmp
(
echo "# NTP server entries received from DHCP server"
echo "NTPSERVERS='$new_ntp_servers'"
) >>$tmp
mv $tmp $NTPDATE_DHCP_CONF
}
ntp_servers_setup() {
case $reason in
BOUND|RENEW|REBIND|REBOOT)
ntp_servers_setup_add
;;
EXPIRE|FAIL|RELEASE|STOP)
ntp_servers_setup_remove
;;
esac
}
ntp_servers_setup


@ -0,0 +1,78 @@
# set classless routes based on the format specified in RFC3442
# e.g.:
# new_rfc3442_classless_static_routes='24 192 168 10 192 168 1 1 8 10 10 17 66 41'
# specifies the routes:
# 192.168.10.0/24 via 192.168.1.1
# 10.0.0.0/8 via 10.10.17.66.41
RUN="yes"
if [ "$RUN" = "yes" ]; then
if [ -n "$new_rfc3442_classless_static_routes" ]; then
if [ "$reason" = "BOUND" ] || [ "$reason" = "REBOOT" ]; then
set -- $new_rfc3442_classless_static_routes
while [ $# -gt 0 ]; do
net_length=$1
via_arg=''
case $net_length in
32|31|30|29|28|27|26|25)
if [ $# -lt 9 ]; then
return 1
fi
net_address="${2}.${3}.${4}.${5}"
gateway="${6}.${7}.${8}.${9}"
shift 9
;;
24|23|22|21|20|19|18|17)
if [ $# -lt 8 ]; then
return 1
fi
net_address="${2}.${3}.${4}.0"
gateway="${5}.${6}.${7}.${8}"
shift 8
;;
16|15|14|13|12|11|10|9)
if [ $# -lt 7 ]; then
return 1
fi
net_address="${2}.${3}.0.0"
gateway="${4}.${5}.${6}.${7}"
shift 7
;;
8|7|6|5|4|3|2|1)
if [ $# -lt 6 ]; then
return 1
fi
net_address="${2}.0.0.0"
gateway="${3}.${4}.${5}.${6}"
shift 6
;;
0) # default route
if [ $# -lt 5 ]; then
return 1
fi
net_address="0.0.0.0"
gateway="${2}.${3}.${4}.${5}"
shift 5
;;
*) # error
return 1
;;
esac
# take care of link-local routes
if [ "${gateway}" != '0.0.0.0' ]; then
via_arg="via ${gateway}"
fi
# set route (ip detects host routes automatically)
ip -4 route add "${net_address}/${net_length}" \
${via_arg} dev "${interface}" >/dev/null 2>&1
done
fi
fi
fi


@ -0,0 +1,42 @@
TIMESYNCD_CONF=/run/systemd/timesyncd.conf.d/01-dhclient.conf
timesyncd_servers_setup_remove() {
if [ -e $TIMESYNCD_CONF ]; then
rm -f $TIMESYNCD_CONF
systemctl try-restart systemd-timesyncd.service || true
fi
}
timesyncd_servers_setup_add() {
if [ ! -d /run/systemd/system ]; then
return
fi
if [ -e $TIMESYNCD_CONF ] && [ "$new_ntp_servers" = "$old_ntp_servers" ]; then
return
fi
if [ -z "$new_ntp_servers" ]; then
timesyncd_servers_setup_remove
return
fi
mkdir -p $(dirname $TIMESYNCD_CONF)
cat <<EOF > ${TIMESYNCD_CONF}.new
# NTP server entries received from DHCP server
[Time]
NTP=$new_ntp_servers
EOF
mv ${TIMESYNCD_CONF}.new ${TIMESYNCD_CONF}
systemctl try-restart systemd-timesyncd.service || true
}
case $reason in
BOUND|RENEW|REBIND|REBOOT)
timesyncd_servers_setup_add
;;
EXPIRE|FAIL|RELEASE|STOP)
timesyncd_servers_setup_remove
;;
esac


@ -0,0 +1,54 @@
# Configuration file for /sbin/dhclient.
#
# This is a sample configuration file for dhclient. See dhclient.conf's
# man page for more information about the syntax of this file
# and a more comprehensive list of the parameters understood by
# dhclient.
#
# Normally, if the DHCP server provides reasonable information and does
# not leave anything out (like the domain name, for example), then
# few changes must be made to this file, if any.
#
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, domain-search, host-name,
dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
netbios-name-servers, netbios-scope, interface-mtu,
rfc3442-classless-static-routes, ntp-servers;
#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
#send dhcp-lease-time 3600;
#supersede domain-name "fugue.com home.vix.com";
#prepend domain-name-servers 127.0.0.1;
#require subnet-mask, domain-name-servers;
timeout 300;
#retry 60;
#reboot 10;
#select-timeout 5;
#initial-interval 2;
#script "/sbin/dhclient-script";
#media "-link0 -link1 -link2", "link0 link1";
#reject 192.33.137.209;
#alias {
# interface "eth0";
# fixed-address 192.5.5.213;
# option subnet-mask 255.255.255.255;
#}
#lease {
# interface "eth0";
# fixed-address 192.33.137.200;
# medium "link0 link1";
# option host-name "andare.swiftmedia.com";
# option subnet-mask 255.255.255.0;
# option broadcast-address 192.33.137.255;
# option routers 192.33.137.250;
# option domain-name-servers 127.0.0.1;
# renew 2 2000/1/12 00:00:01;
# rebind 2 2000/1/12 00:00:01;
# expire 2 2000/1/12 00:00:01;
#}


@ -0,0 +1,56 @@
# Configuration file for /sbin/dhclient, which is included in Debian's
# dhcp3-client package.
#
# This is a sample configuration file for dhclient. See dhclient.conf's
# man page for more information about the syntax of this file
# and a more comprehensive list of the parameters understood by
# dhclient.
#
# Normally, if the DHCP server provides reasonable information and does
# not leave anything out (like the domain name, for example), then
# few changes must be made to this file, if any.
#
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
send host-name "<hostname>";
#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
#send dhcp-lease-time 3600;
#supersede domain-name "fugue.com home.vix.com";
#prepend domain-name-servers 127.0.0.1;
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, domain-search, host-name,
netbios-name-servers, netbios-scope, interface-mtu,
rfc3442-classless-static-routes, ntp-servers;
#,
# dhcp6.domain-search, dhcp6.fqdn,
# dhcp6.name-servers, dhcp6.sntp-servers;
#require subnet-mask, domain-name-servers;
#timeout 60;
#retry 60;
#reboot 10;
#select-timeout 5;
#initial-interval 2;
#script "/etc/dhcp3/dhclient-script";
#media "-link0 -link1 -link2", "link0 link1";
#reject 192.33.137.209;
#alias {
# interface "eth0";
# fixed-address 192.5.5.213;
# option subnet-mask 255.255.255.255;
#}
#lease {
# interface "eth0";
# fixed-address 192.33.137.200;
# medium "link0 link1";
# option host-name "andare.swiftmedia.com";
# option subnet-mask 255.255.255.0;
# option broadcast-address 192.33.137.255;
# option routers 192.33.137.250;
# option domain-name-servers 127.0.0.1;
# renew 2 2000/1/12 00:00:01;
# rebind 2 2000/1/12 00:00:01;
# expire 2 2000/1/12 00:00:01;
#}

121
dns/etc/dhcp/dhcpd.conf Normal file

@ -0,0 +1,121 @@
# dhcpd.conf
ddns-update-style interim;
ddns-domainname "ketrenos.com.";
ddns-updates on;
#ignore-client-updates;
update-optimization off;
# option definitions common to all supported networks...
option domain-name "ketrenos.com";
# ketrenos.com";
option domain-name-servers 192.168.1.78;
default-lease-time 21600;
max-lease-time 43200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
include "/etc/dhcp/ddns.key";
subnet 192.168.3.0 netmask 255.255.255.0 {
}
# Ignore docker interface
subnet 172.26.0.0 netmask 255.255.0.0 {
}
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.64 192.168.1.254;
option routers 192.168.1.10;
option broadcast-address 192.168.1.255;
default-lease-time 7200;
max-lease-time 7200;
zone ketrenos.com. {
primary 127.0.0.1;
key ketrenos.com.;
}
zone ketrenos.net. {
primary 127.0.0.1;
key ketrenos.com.;
}
zone 1.168.192.in-addr.arpa. {
primary 127.0.0.1;
key ketrenos.com.;
}
}
group {
host azurite {
hardware ethernet 00:a0:c9:ca:30:71;
ddns-hostname azurite;
fixed-address 192.168.1.78;
}
host virtualxp {
hardware ethernet 00:50:56:40:7f:b5;
ddns-hostname virtualxp;
fixed-address 192.168.1.20;
}
host gamemaster {
hardware ethernet 00:25:64:e8:e9:ed;
ddns-hostname gamemaster;
fixed-address 192.168.1.134;
}
host webserver {
hardware ethernet 52:54:00:25:99:97;
ddns-hostname webserver;
fixed-address 192.168.1.50;
}
host email {
hardware ethernet 52:54:00:8c:e1:41;
ddns-hostname email;
fixed-address 192.168.1.51;
}
host nuc {
hardware ethernet b8:ae:ed:71:0f:69;
ddns-hostname nuc;
fixed-address 192.168.1.152;
}
host marmot {
hardware ethernet 04:6C:59:38:23:2C;
ddns-hostname marmot;
fixed-address 192.168.1.184;
}
host dmz {
hardware ethernet 52:54:00:e1:18:0e;
ddns-hostname dmz;
fixed-address 192.168.1.1;
}
zone ketrenos.com. {
primary 127.0.0.1;
key ketrenos.com.;
}
zone ketrenos.net. {
primary 127.0.0.1;
key ketrenos.com.;
}
zone 1.168.192.in-addr.arpa. {
primary 127.0.0.1;
key ketrenos.com.;
}
update-static-leases on;
}
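Review bot: `include "/etc/dhcp/ddns.key";` reads the `ketrenos.com.` TSIG secret from the `dns/etc/dhcp` tree that this commit checks into git and bind-mounts read-only, so the key authorizing every dynamic update to the zones declared below lives in the repository; load it from the git-ignored `keys/` directory instead, as the bind side does with `/etc/ddns.key`. `ddns-update-style interim;` is the older style; newer ISC DHCP releases document `ddns-update-style standard;` as the preferred one and it accepts the same `zone`/`key` statements, so nothing else needs to change. `option domain-name-servers 192.168.1.78;` still hands clients azurite as their resolver while updates go to `primary 127.0.0.1`; if the bind instance in this container is meant to be the LAN resolver, this option presumably needs to point at it (the container's address is not visible in this hunk). The three `zone` blocks are declared identically in both the subnet and the group; declaring them once at global scope removes the duplication.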


@ -0,0 +1,111 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option subnet-mask 255.255.255.224;
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}


@ -5,30 +5,31 @@ services:
container_name: ketrenet-web
hostname: webserver
build:
context: .
context: web
dockerfile: Dockerfile.web
restart: always
volumes:
- ./config/web/etc/nginx/sites-enabled:/etc/nginx/sites-enabled:ro
- ./config/web/etc/nginx/sites-available:/etc/nginx/sites-available:ro
- ./config/web/etc/apache2/envvars:/etc/apache2/envvars:ro
- ./config/web/etc/apache2/ports.conf:/etc/apache2/ports.conf:ro
- ./config/web/etc/apache2/sites-enabled:/etc/apache2/sites-enabled:ro
- ./config/web/etc/apache2/sites-available:/etc/apache2/sites-available:ro
- ./config/letsencrypt/etc/letsencrypt/live:/etc/letsencrypt/live:ro
- ./config/letsencrypt/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
- ./web.sh:/web.sh:ro
- ./web/etc/nginx/sites-enabled:/etc/nginx/sites-enabled:ro
- ./web/etc/nginx/sites-available:/etc/nginx/sites-available:ro
- ./web/etc/apache2/envvars:/etc/apache2/envvars:ro
- ./web/etc/apache2/ports.conf:/etc/apache2/ports.conf:ro
- ./web/etc/apache2/sites-enabled:/etc/apache2/sites-enabled:ro
- ./web/etc/apache2/sites-available:/etc/apache2/sites-available:ro
- ./keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
- ./keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
- ./web/entrypoint.sh:/entrypoint.sh:ro
- ./data/log:/var/log:rw
- ./www:/var/www:ro
ports:
- 80:80
- 443:443
ketrenet-mail:
image: ketrenet-mail
container_name: ketrenet-mail
hostname: email
build:
context: .
context: mail
dockerfile: Dockerfile.mail
restart: always
ports:
@ -38,67 +39,90 @@ services:
- 465:465 # postfix smtps
- 587:587 # postfix submission
volumes:
- ./config/letsencrypt/etc/letsencrypt/live:/etc/letsencrypt/live:ro
- ./config/letsencrypt/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
- ./config/mail/etc/mailname:/etc/mailname:ro
- ./config/mail/etc/dovecot:/etc/dovecot:ro
- ./config/mail/etc/amavis:/etc/amavis:ro
- ./config/mail/etc/clamav:/etc/clamav:ro
- ./config/mail/etc/hostname:/etc/hostname:ro
- ./config/mail/etc/dkimkeys:/etc/dkimkeys:ro
- ./config/mail/etc/opendkim.conf:/etc/opendkim.conf:ro
- ./config/mail/etc/opendkim:/etc/opendkim:ro
- ./config/mail/etc/postfix:/etc/postfix:ro
- ./config/mail/etc/postfix-policyd-spf-python:/etc/postfix-policyd-spf-python:ro
- ./config/mail/etc/postgrey:/etc/postgrey:ro
- ./mail.sh:/mail.sh:ro
- ./keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:ro
- ./keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
- ./mail/etc/mailname:/etc/mailname:ro
- ./mail/etc/dovecot:/etc/dovecot:ro
- ./mail/etc/amavis:/etc/amavis:ro
- ./mail/etc/clamav:/etc/clamav:ro
- ./mail/etc/hostname:/etc/hostname:ro
- ./mail/etc/opendkim.conf:/etc/opendkim.conf:ro
- ./mail/etc/opendkim:/etc/opendkim:ro
- ./mail/etc/postfix:/etc/postfix:ro
- ./mail/etc/postfix-policyd-spf-python:/etc/postfix-policyd-spf-python:ro
- ./mail/etc/postgrey:/etc/postgrey:ro
- ./mail/entrypoint.sh:/entrypoint.sh:ro
- ./data/log:/var/log:rw
- ./data/mail/var/mail:/var/mail:rw
- ./data/mail/var/spool/mail:/var/spool/mail:rw
- /home:/home:rw
- ./www:/var/www:ro
- ./data/mail/var/lib/clamav:/var/lib/clamav:rw
# Keys
- ./keys/mail/etc/dkimkeys:/etc/dkimkeys:ro
- ./keys/mail/etc/spamassasin/sa-update-keys/:/etc/spamassasin/sa-update-keys:rw
- ./keys/mail/etc/dovecot/private:/etc/dovecot/private:ro
# Authentication of dovecot users via pam
#
#- /etc/passwd:/etc/systempasswd:ro
#- /etc/group:/etc/systemgroup:ro
#- /etc/shadow:/etc/systemshadow:ro
#- /etc/gshadow:/etc/systemgshadow:ro
# etc directories with permissions locked down
ketrenet-roundcube:
image: roundcube/roundcubemail
image: ketrenet-roundcube
container_name: ketrenet-roundcube
user: root
hostname: roundcube
build:
context: roundcube
dockerfile: Dockerfile.roundcube
restart: always
environment:
- ROUNDCUBEMAIL_DEFAULT_HOST=tls://ketrenos.com
- ROUNDCUBEMAIL_SMTP_SERVER=tls://ketrenos.com
- ROUNDCUBEMAIL_SMTP_PORT=587
ports:
- 8124:80
restart: always
volumes:
- ./config/roundcube/var/roundcube:/var/roundcube/config:ro
- ./roundcube/var/roundcube:/var/roundcube/config:ro
- ./data/roundcube/db:/var/roundcube/db:rw
- ./data/roundcube/html:/var/www/html:rw
ketrenet-letsencrypt:
image: ketrenet-letsencrypt
container_name: ketrenet-letsencrypt
ketrenet-cron:
image: ketrenet-cron
container_name: ketrenet-cron
build:
context: .
dockerfile: Dockerfile.letsencrypt
context: cron
dockerfile: Dockerfile.cron
restart: always
volumes:
- ./config/letsencrypt/etc/letsencrypt/etc/letsencrypt:/etc/letsencrypt:rw
- ./config/letsencrypt/etc/letsencrypt/etc/cron.d:/etc/cron.d:ro
- ./cron/etc/letsencrypt:/etc/letsencrypt:rw
- ./keys/cron/etc/letsencrypt/live:/etc/letsencrypt/live:rw
- ./keys/cron/etc/letsencrypt/archive:/etc/letsencrypt/archive:rw
- ./cron/etc/cron.d:/etc/cron.d:ro
- ./data/log:/var/log:rw
- ./keys:/keys:ro
- ./keys/letsencrypt/:/keys:ro
- ./www:/var/www:rw
- ./letsencrypt.sh:/letsencrypt.sh:ro
- ./cron/entrypoint.sh:/entrypoint.sh:ro
ketrenet-dns:
image: ketrenet-dns
container_name: ketrenet-dns
hostname: email
build:
context: .
context: dns
dockerfile: Dockerfile.dns
restart: always
ports:
- 53:53 # named
- 68:67/udp # dhcp
- 53:53 # bind
- 67:67/udp # dhcp
- 68:68/udp # dhcp
volumes:
- ./config/dns/etc/named:/etc/named:ro
- ./config/dns/etc/bind:/etc/bind:ro
- ./dns.sh:/dns.sh:ro
- ./keys/dns/ddns.key:/etc/ddns.key:ro
- ./dns/etc/dhcp:/etc/dhcp:ro
- ./dns/etc/bind:/etc/bind:ro
- ./dns/entrypoint.sh:/entrypoint.sh:ro
- ./data/log:/var/log:rw
- ./data/dns/var/lib/:/var/lib:rw
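Review bot: `- 53:53 # bind` publishes TCP only — Docker port mappings default to TCP — so UDP/53, which carries nearly all DNS traffic, is unreachable from the LAN unless the dns service runs with host networking (not visible in this hunk); add `- 53:53/udp`. The dns service also carries `hostname: email`, copied from the mail service, and should be `hostname: dns` since bind and dhcpd identify themselves by it in logs. The web, mail, cron and dns services all bind-mount the same `./data/log` read-write into `/var/log`, so a compromise of the web container can tamper with or truncate the mail and DNS logs; give each service its own subdirectory. The mail service mounts `/home:/home:rw` and the roundcube service runs as `user: root`, both of which widen the blast radius of a compromise in those containers and deserve a comment explaining why they are required.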


@ -1,7 +0,0 @@
#!/bin/bash
while true; do
cron -f
echo "cron died: $?"
sleep 5
done


@ -9,6 +9,13 @@ RUN apt-get -q update \
dovecot-core \
dovecot-managesieved \
dovecot-sieve \
dovecot-imapd \
dovecot-pop3d \
dovecot-ldap \
ldap-auth-client \
ldap-auth-config \
libnss-ldap \
libpam-ldap \
inotify-tools \
milter-greylist \
opendkim \
@ -20,7 +27,7 @@ RUN apt-get -q update \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log}
COPY /Dockerfile.mail /Dockerfile.mail
COPY /mail.sh /mail.sh
COPY ./Dockerfile.mail /Dockerfile
COPY ./entrypoint.sh /entrypoint.sh
ENTRYPOINT [ "/mail.sh" ]
ENTRYPOINT [ "/entrypoint.sh" ]


@ -5,12 +5,41 @@ dirs=(
/var/log/clamav
/var/log/opendkim
/var/spool/postfix/opendkim
/var/lib/clamav
)
for dir in "${dirs[@]}"; do
mkdir -p "${dir}"
chmod a+rwX "${dir}"
if [[ ! -d "${dir}" ]]; then
mkdir -p "${dir}"
fi
chmod a+rwX -R "${dir}"
done
if [[ -e /var/run/dovecot/master.pid ]]; then
rm /var/run/dovecot/master.pid
fi
if false; then
# host accounts into the container PAM files
for file in passwd group shadow gshadow; do
cp "/etc/${file}" "/etc/${file}.container"
while IFS= read -r account; do
id="${account%%:*}"
id="${account%%:*}"
if ! grep -q "^${id}:" "/etc/${file}"; then
echo "${account}" >> "/etc/${file}"
fi
done < "/etc/system${file}"
done
sed -i -E 's,(passwd|group|shadow|gshadow):.*files$,\1: files [NOTFOUND=return] system\1: files,g' /etc/nsswitch.conf
else
# use ldap
sed -i -E 's#^base dc=example.*#base dc=ketrenos,dc=net#g' /etc/ldap.conf
sed -i -E 's#^uri ldap.*#uri ldap://192.168.1.78/#g' /etc/ldap.conf
sed -i -E 's#(passwd|group|shadow|gshadow):.*files$#\1: files ldap#g' /etc/nsswitch.conf
fi
while true; do
/usr/sbin/opendkim -x /etc/opendkim.conf -f
echo "opendkim died: $?"
@ -71,4 +100,4 @@ done &
#
while inotifywait -e modify /etc/letsencrypt/archive; do
kill -9 "$(cat /var/run/amavis/amavisd.pid)" "$(cat /var/run/dovecot/master.pid)" "$(cat /var/spool/postfix/pid/master.pid)"
done
done
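Review bot: The LDAP client written at `uri ldap://192.168.1.78/` is a plain ldap:// URI with no TLS directive, and the nsswitch edit right below it sends passwd, shadow and group lookups through that connection, so on the evidence here account data for NSS/PAM lookups would cross the network unencrypted unless the connection is wrapped somewhere outside this script. If the server supports it, change the line to `uri ldaps://192.168.1.78/` (or add `ssl start_tls`) and pair it with `tls_cacertfile <PATH-TO-CA-BUNDLE-PLACEHOLDER>` and `tls_checkpeer yes` so the server identity is verified rather than assumed. The `chmod a+rwX -R "${dir}"` in the loop above now also covers the newly added `/var/lib/clamav`, which leaves the signature database writable by every account in the container; narrowing it to the owning service user with `0750` is the smaller fix. The `if false; then` branch that copies host passwd/shadow files is dead code and should be removed rather than carried in the entrypoint. The `dirs=(` array this loop iterates over and the service loops after the hunk are defined outside the hunk.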

