mirror of
https://github.com/meienberger/runtipi.git
synced 2024-09-21 01:01:31 +03:00
New app: Tailscale
This commit is contained in:
parent
21a871f682
commit
2a003b0cd1
@ -29,15 +29,15 @@
|
|||||||
|
|
||||||
- name: Check if app is already running
|
- name: Check if app is already running
|
||||||
become_user: "{{ username }}"
|
become_user: "{{ username }}"
|
||||||
shell: pm2 list
|
shell: pm2 status system-api
|
||||||
register: pm2_result
|
register: pm2_result
|
||||||
|
|
||||||
- name: Start app
|
- name: Start app
|
||||||
become_user: "{{ username }}"
|
become_user: "{{ username }}"
|
||||||
shell: cd {{ playbook_dir }}/../system-api && pm2 start npm --name "system-api" -- start
|
shell: cd {{ playbook_dir }}/../system-api && pm2 start npm --name "system-api" -- start
|
||||||
when: pm2_result.stdout.find("system-api") == -1
|
when: pm2_result.stdout.find("online") == -1
|
||||||
|
|
||||||
- name: Reload app
|
- name: Reload app
|
||||||
become_user: "{{ username }}"
|
become_user: "{{ username }}"
|
||||||
shell: pm2 reload system-api
|
shell: pm2 reload system-api
|
||||||
when: pm2_result.stdout.find("system-api") != -1
|
when: pm2_result.stdout.find("online") != -1
|
||||||
|
6
apps/pihole/data/unbound/a-records.conf
Normal file
6
apps/pihole/data/unbound/a-records.conf
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
|
||||||
|
# A Record
|
||||||
|
#local-data: "somecomputer.local. A 192.168.1.1"
|
||||||
|
|
||||||
|
# PTR Record
|
||||||
|
#local-data-ptr: "192.168.1.1 somecomputer.local."
|
92
apps/pihole/data/unbound/root.hints
Normal file
92
apps/pihole/data/unbound/root.hints
Normal file
@ -0,0 +1,92 @@
|
|||||||
|
; This file holds the information on root name servers needed to
|
||||||
|
; initialize cache of Internet domain name servers
|
||||||
|
; (e.g. reference this file in the "cache . <file>"
|
||||||
|
; configuration file of BIND domain name servers).
|
||||||
|
;
|
||||||
|
; This file is made available by InterNIC
|
||||||
|
; under anonymous FTP as
|
||||||
|
; file /domain/named.cache
|
||||||
|
; on server FTP.INTERNIC.NET
|
||||||
|
; -OR- RS.INTERNIC.NET
|
||||||
|
;
|
||||||
|
; last update: December 07, 2021
|
||||||
|
; related version of root zone: 2021120701
|
||||||
|
;
|
||||||
|
; FORMERLY NS.INTERNIC.NET
|
||||||
|
;
|
||||||
|
. 3600000 NS A.ROOT-SERVERS.NET.
|
||||||
|
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
|
||||||
|
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
|
||||||
|
;
|
||||||
|
; FORMERLY NS1.ISI.EDU
|
||||||
|
;
|
||||||
|
. 3600000 NS B.ROOT-SERVERS.NET.
|
||||||
|
B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201
|
||||||
|
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b
|
||||||
|
;
|
||||||
|
; FORMERLY C.PSI.NET
|
||||||
|
;
|
||||||
|
. 3600000 NS C.ROOT-SERVERS.NET.
|
||||||
|
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
|
||||||
|
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
|
||||||
|
;
|
||||||
|
; FORMERLY TERP.UMD.EDU
|
||||||
|
;
|
||||||
|
. 3600000 NS D.ROOT-SERVERS.NET.
|
||||||
|
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
|
||||||
|
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
|
||||||
|
;
|
||||||
|
; FORMERLY NS.NASA.GOV
|
||||||
|
;
|
||||||
|
. 3600000 NS E.ROOT-SERVERS.NET.
|
||||||
|
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
|
||||||
|
E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
|
||||||
|
;
|
||||||
|
; FORMERLY NS.ISC.ORG
|
||||||
|
;
|
||||||
|
. 3600000 NS F.ROOT-SERVERS.NET.
|
||||||
|
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
|
||||||
|
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
|
||||||
|
;
|
||||||
|
; FORMERLY NS.NIC.DDN.MIL
|
||||||
|
;
|
||||||
|
. 3600000 NS G.ROOT-SERVERS.NET.
|
||||||
|
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
|
||||||
|
G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
|
||||||
|
;
|
||||||
|
; FORMERLY AOS.ARL.ARMY.MIL
|
||||||
|
;
|
||||||
|
. 3600000 NS H.ROOT-SERVERS.NET.
|
||||||
|
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
|
||||||
|
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
|
||||||
|
;
|
||||||
|
; FORMERLY NIC.NORDU.NET
|
||||||
|
;
|
||||||
|
. 3600000 NS I.ROOT-SERVERS.NET.
|
||||||
|
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
|
||||||
|
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
|
||||||
|
;
|
||||||
|
; OPERATED BY VERISIGN, INC.
|
||||||
|
;
|
||||||
|
. 3600000 NS J.ROOT-SERVERS.NET.
|
||||||
|
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
|
||||||
|
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
|
||||||
|
;
|
||||||
|
; OPERATED BY RIPE NCC
|
||||||
|
;
|
||||||
|
. 3600000 NS K.ROOT-SERVERS.NET.
|
||||||
|
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
|
||||||
|
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
|
||||||
|
;
|
||||||
|
; OPERATED BY ICANN
|
||||||
|
;
|
||||||
|
. 3600000 NS L.ROOT-SERVERS.NET.
|
||||||
|
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
|
||||||
|
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
|
||||||
|
;
|
||||||
|
; OPERATED BY WIDE
|
||||||
|
;
|
||||||
|
. 3600000 NS M.ROOT-SERVERS.NET.
|
||||||
|
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
|
||||||
|
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
|
||||||
|
; End of file
|
9
apps/pihole/data/unbound/root.key
Normal file
9
apps/pihole/data/unbound/root.key
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
; autotrust trust anchor file
|
||||||
|
;;id: . 1
|
||||||
|
;;last_queried: 1650921300 ;;Mon Apr 25 21:15:00 2022
|
||||||
|
;;last_success: 1650921300 ;;Mon Apr 25 21:15:00 2022
|
||||||
|
;;next_probe_time: 1650962281 ;;Tue Apr 26 08:38:01 2022
|
||||||
|
;;query_failed: 0
|
||||||
|
;;query_interval: 43200
|
||||||
|
;;retry_time: 8640
|
||||||
|
. 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1650921210 ;;Mon Apr 25 21:13:30 2022
|
@ -1,315 +1,136 @@
|
|||||||
|
# https://linux.die.net/man/5/unbound.conf
|
||||||
|
# https://docs.pi-hole.net/guides/unbound/
|
||||||
|
|
||||||
server:
|
server:
|
||||||
###########################################################################
|
# Enable or disable whether the unbound server forks into the background
|
||||||
# BASIC SETTINGS
|
# as a daemon. Default is yes.
|
||||||
###########################################################################
|
|
||||||
# Time to live maximum for RRsets and messages in the cache. If the maximum
|
|
||||||
# kicks in, responses to clients still get decrementing TTLs based on the
|
|
||||||
# original (larger) values. When the internal TTL expires, the cache item
|
|
||||||
# has expired. Can be set lower to force the resolver to query for data
|
|
||||||
# often, and not trust (very large) TTL values.
|
|
||||||
cache-max-ttl: 86400
|
|
||||||
|
|
||||||
# Time to live minimum for RRsets and messages in the cache. If the minimum
|
|
||||||
# kicks in, the data is cached for longer than the domain owner intended,
|
|
||||||
# and thus less queries are made to look up the data. Zero makes sure the
|
|
||||||
# data in the cache is as the domain owner intended, higher values,
|
|
||||||
# especially more than an hour or so, can lead to trouble as the data in
|
|
||||||
# the cache does not match up with the actual data any more.
|
|
||||||
cache-min-ttl: 60
|
|
||||||
|
|
||||||
# Set the working directory for the program.
|
|
||||||
directory: "/opt/unbound/etc/unbound"
|
|
||||||
|
|
||||||
# RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer
|
|
||||||
# size. This is the value put into datagrams over UDP towards peers.
|
|
||||||
# 4096 is RFC recommended. 1472 has a reasonable chance to fit within a
|
|
||||||
# single Ethernet frame, thus lessing the chance of fragmentation
|
|
||||||
# reassembly problems (usually seen as timeouts). Setting to 512 bypasses
|
|
||||||
# even the most stringent path MTU problems, but is not recommended since
|
|
||||||
# the amount of TCP fallback generated is excessive.
|
|
||||||
edns-buffer-size: 1472
|
|
||||||
|
|
||||||
# Listen to for queries from clients and answer from this network interface
|
|
||||||
# and port.
|
|
||||||
interface: 0.0.0.0@53
|
|
||||||
|
|
||||||
# Rotates RRSet order in response (the pseudo-random number is taken from
|
|
||||||
# the query ID, for speed and thread safety).
|
|
||||||
rrset-roundrobin: yes
|
|
||||||
|
|
||||||
# Drop user privileges after binding the port.
|
|
||||||
username: "_unbound"
|
|
||||||
|
|
||||||
###########################################################################
|
|
||||||
# LOGGING
|
|
||||||
###########################################################################
|
|
||||||
|
|
||||||
# Do not print log lines to inform about local zone actions
|
|
||||||
log-local-actions: no
|
|
||||||
|
|
||||||
# Do not print one line per query to the log
|
|
||||||
log-queries: no
|
|
||||||
|
|
||||||
# Do not print one line per reply to the log
|
|
||||||
log-replies: no
|
|
||||||
|
|
||||||
# Do not print log lines that say why queries return SERVFAIL to clients
|
|
||||||
log-servfail: no
|
|
||||||
|
|
||||||
# Further limit logging
|
|
||||||
logfile: /dev/null
|
|
||||||
|
|
||||||
# Only log errors
|
|
||||||
verbosity: 0
|
|
||||||
|
|
||||||
###########################################################################
|
|
||||||
# PRIVACY SETTINGS
|
|
||||||
###########################################################################
|
|
||||||
|
|
||||||
# RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
|
|
||||||
# denials, using information from previous NXDO-MAINs answers. In other
|
|
||||||
# words, use cached NSEC records to generate negative answers within a
|
|
||||||
# range and positive answers from wildcards. This increases performance,
|
|
||||||
# decreases latency and resource utilization on both authoritative and
|
|
||||||
# recursive servers, and increases privacy. Also, it may help increase
|
|
||||||
# resilience to certain DoS attacks in some circumstances.
|
|
||||||
aggressive-nsec: yes
|
|
||||||
|
|
||||||
# Extra delay for timeouted UDP ports before they are closed, in msec.
|
|
||||||
# This prevents very delayed answer packets from the upstream (recursive)
|
|
||||||
# servers from bouncing against closed ports and setting off all sort of
|
|
||||||
# close-port counters, with eg. 1500 msec. When timeouts happen you need
|
|
||||||
# extra sockets, it checks the ID and remote IP of packets, and unwanted
|
|
||||||
# packets are added to the unwanted packet counter.
|
|
||||||
delay-close: 10000
|
|
||||||
|
|
||||||
# Prevent the unbound server from forking into the background as a daemon
|
|
||||||
do-daemonize: no
|
do-daemonize: no
|
||||||
|
|
||||||
# Add localhost to the do-not-query-address list.
|
# If given, after binding the port the user privileges are dropped.
|
||||||
do-not-query-localhost: no
|
# Default is "unbound". If you give username: "" no user change is performed.
|
||||||
|
username: ""
|
||||||
|
|
||||||
# Number of bytes size of the aggressive negative cache.
|
# No need to chroot as this container has been stripped of all other binaries.
|
||||||
neg-cache-size: 4M
|
chroot: ""
|
||||||
|
|
||||||
# Send minimum amount of information to upstream servers to enhance
|
# If "" is given, logging goes to stderr, or nowhere once daemonized.
|
||||||
# privacy (best privacy).
|
logfile: ""
|
||||||
qname-minimisation: yes
|
|
||||||
|
|
||||||
###########################################################################
|
# The process id is written to the file. Not required since we are running
|
||||||
# SECURITY SETTINGS
|
# in a container with one process.
|
||||||
###########################################################################
|
pidfile: ""
|
||||||
# Only give access to recursion clients from LAN IPs
|
|
||||||
|
# The verbosity number, level 0 means no verbosity, only errors.
|
||||||
|
# Level 1 gives operational information.
|
||||||
|
# Level 2 gives detailed operational information.
|
||||||
|
# Level 3 gives query level information, output per query.
|
||||||
|
# Level 4 gives algorithm level information.
|
||||||
|
# Level 5 logs client identification for cache misses.
|
||||||
|
# Default is level 1. The verbosity can also be increased from the commandline.
|
||||||
|
verbosity: 1
|
||||||
|
|
||||||
|
# Listen on all ipv4 interfaces, answer queries from the local subnet.
|
||||||
|
interface: 0.0.0.0
|
||||||
|
|
||||||
|
# The port number, default 53, on which the server responds to queries.
|
||||||
|
port: 53
|
||||||
|
|
||||||
|
do-ip4: yes
|
||||||
|
do-udp: yes
|
||||||
|
do-tcp: yes
|
||||||
|
do-ip6: no
|
||||||
|
|
||||||
|
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
|
||||||
|
# Terredo tunnels your web browser should favor IPv4 for the same reasons
|
||||||
|
prefer-ip6: no
|
||||||
|
|
||||||
|
# Trust glue only if it is within the server's authority
|
||||||
|
harden-glue: yes
|
||||||
|
|
||||||
|
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
|
||||||
|
harden-dnssec-stripped: yes
|
||||||
|
|
||||||
|
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
|
||||||
|
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
|
||||||
|
use-caps-for-id: no
|
||||||
|
|
||||||
|
# Reduce EDNS reassembly buffer size (see also https://docs.pi-hole.net/guides/dns/unbound/ )
|
||||||
|
# IP fragmentation is unreliable on the Internet today, and can cause
|
||||||
|
# transmission failures when large DNS messages are sent via UDP. Even
|
||||||
|
# when fragmentation does work, it may not be secure; it is theoretically
|
||||||
|
# possible to spoof parts of a fragmented DNS message, without easy
|
||||||
|
# detection at the receiving end. Recently, there was an excellent study
|
||||||
|
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
|
||||||
|
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
|
||||||
|
# in collaboration with NLnet Labs explored DNS using real world data from the
|
||||||
|
# the RIPE Atlas probes and the researchers suggested different values for
|
||||||
|
# IPv4 and IPv6 and in different scenarios. They advise that servers should
|
||||||
|
# be configured to limit DNS messages sent over UDP to a size that will not
|
||||||
|
# trigger fragmentation on typical network links. DNS servers can switch
|
||||||
|
# from UDP to TCP when a DNS response is too big to fit in this limited
|
||||||
|
# buffer size. This value has also been suggested in DNS Flag Day 2020.
|
||||||
|
edns-buffer-size: 1232
|
||||||
|
|
||||||
|
# Perform prefetching of close to expired message cache entries
|
||||||
|
# This only applies to domains that have been frequently queried
|
||||||
|
prefetch: yes
|
||||||
|
|
||||||
|
# One thread should be sufficient, can be increased on beefy machines.
|
||||||
|
# In reality for most users running on small networks or on a single machine,
|
||||||
|
# it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
|
||||||
|
num-threads: 1
|
||||||
|
|
||||||
|
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
|
||||||
|
# (requires CAP_NET_ADMIN or privileged)
|
||||||
|
# so-rcvbuf: 1m
|
||||||
|
|
||||||
|
# The netblock is given as an IP4 or IP6 address with /size appended for a
|
||||||
|
# classless network block. The action can be deny, refuse, allow or allow_snoop.
|
||||||
access-control: 127.0.0.1/32 allow
|
access-control: 127.0.0.1/32 allow
|
||||||
access-control: 192.168.0.0/16 allow
|
access-control: 192.168.0.0/16 allow
|
||||||
access-control: 172.16.0.0/12 allow
|
access-control: 172.16.0.0/12 allow
|
||||||
access-control: 10.0.0.0/8 allow
|
access-control: 10.0.0.0/8 allow
|
||||||
# access-control: fc00::/7 allow
|
access-control: 100.64.0.0/10 allow
|
||||||
# access-control: ::1/128 allow
|
access-control: 10.21.21.0/24 allow
|
||||||
|
|
||||||
# File with trust anchor for one zone, which is tracked with RFC5011
|
# Ensure privacy of local IP ranges
|
||||||
# probes.
|
|
||||||
auto-trust-anchor-file: "var/root.key"
|
|
||||||
|
|
||||||
# Enable chroot (i.e, change apparent root directory for the current
|
|
||||||
# running process and its children)
|
|
||||||
chroot: "/opt/unbound/etc/unbound"
|
|
||||||
|
|
||||||
# Deny queries of type ANY with an empty response.
|
|
||||||
#deny-any: yes
|
|
||||||
|
|
||||||
# Harden against algorithm downgrade when multiple algorithms are
|
|
||||||
# advertised in the DS record.
|
|
||||||
harden-algo-downgrade: yes
|
|
||||||
|
|
||||||
# RFC 8020. returns nxdomain to queries for a name below another name that
|
|
||||||
# is already known to be nxdomain.
|
|
||||||
harden-below-nxdomain: yes
|
|
||||||
|
|
||||||
# Require DNSSEC data for trust-anchored zones, if such data is absent, the
|
|
||||||
# zone becomes bogus. If turned off you run the risk of a downgrade attack
|
|
||||||
# that disables security for a zone.
|
|
||||||
harden-dnssec-stripped: yes
|
|
||||||
|
|
||||||
# Only trust glue if it is within the servers authority.
|
|
||||||
harden-glue: yes
|
|
||||||
|
|
||||||
# Ignore very large queries.
|
|
||||||
harden-large-queries: yes
|
|
||||||
|
|
||||||
# Perform additional queries for infrastructure data to harden the referral
|
|
||||||
# path. Validates the replies if trust anchors are configured and the zones
|
|
||||||
# are signed. This enforces DNSSEC validation on nameserver NS sets and the
|
|
||||||
# nameserver addresses that are encountered on the referral path to the
|
|
||||||
# answer. Experimental option.
|
|
||||||
harden-referral-path: no
|
|
||||||
|
|
||||||
# Ignore very small EDNS buffer sizes from queries.
|
|
||||||
harden-short-bufsize: yes
|
|
||||||
|
|
||||||
# Refuse id.server and hostname.bind queries
|
|
||||||
hide-identity: yes
|
|
||||||
|
|
||||||
# Refuse version.server and version.bind queries
|
|
||||||
hide-version: yes
|
|
||||||
|
|
||||||
# Report this identity rather than the hostname of the server.
|
|
||||||
identity: "DNS"
|
|
||||||
|
|
||||||
# These private network addresses are not allowed to be returned for public
|
|
||||||
# internet names. Any occurrence of such addresses are removed from DNS
|
|
||||||
# answers. Additionally, the DNSSEC validator may mark the answers bogus.
|
|
||||||
# This protects against DNS Rebinding
|
|
||||||
private-address: 10.0.0.0/8
|
|
||||||
private-address: 172.16.0.0/12
|
|
||||||
private-address: 192.168.0.0/16
|
private-address: 192.168.0.0/16
|
||||||
private-address: 169.254.0.0/16
|
private-address: 169.254.0.0/16
|
||||||
|
private-address: 172.16.0.0/12
|
||||||
|
private-address: 10.0.0.0/8
|
||||||
private-address: fd00::/8
|
private-address: fd00::/8
|
||||||
private-address: fe80::/10
|
private-address: fe80::/10
|
||||||
private-address: ::ffff:0:0/96
|
|
||||||
|
|
||||||
# Enable ratelimiting of queries (per second) sent to nameserver for
|
# Read the root hints from this file. Default is nothing, using built in
|
||||||
# performing recursion. More queries are turned away with an error
|
# hints for the IN class. The file has the format of zone files, with root
|
||||||
# (servfail). This stops recursive floods (e.g., random query names), but
|
# nameserver names and addresses only. The default may become outdated,
|
||||||
# not spoofed reflection floods. Cached responses are not rate limited by
|
# when servers change, therefore it is good practice to use a root-hints
|
||||||
# this setting. Experimental option.
|
# file. get one from https://www.internic.net/domain/named.root
|
||||||
#ratelimit: 1000
|
root-hints: /etc/unbound/root.hints
|
||||||
|
|
||||||
# Use this certificate bundle for authenticating connections made to
|
# File with trust anchor for one zone, which is tracked with RFC5011 probes.
|
||||||
# outside peers (e.g., auth-zone urls, DNS over TLS connections).
|
# The probes are several times per month, thus the machine must be online frequently.
|
||||||
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
# The initial file can be one with contents as described in trust-anchor-file.
|
||||||
|
# The file is written to when the anchor is updated, so the unbound user must
|
||||||
|
# have write permission.
|
||||||
|
auto-trust-anchor-file: /etc/unbound/root.key
|
||||||
|
|
||||||
# Set the total number of unwanted replies to eep track of in every thread.
|
# Number of ports to open. This number of file descriptors can be opened per thread.
|
||||||
# When it reaches the threshold, a defensive action of clearing the rrset
|
# Must be at least 1. Default depends on compile options. Larger numbers need extra
|
||||||
# and message caches is taken, hopefully flushing away any poison.
|
# resources from the operating system. For performance a very large value is best,
|
||||||
# Unbound suggests a value of 10 million.
|
# use libevent to make this possible.
|
||||||
unwanted-reply-threshold: 10000000
|
|
||||||
|
|
||||||
# Use 0x20-encoded random bits in the query to foil spoof attempts. This
|
|
||||||
# perturbs the lowercase and uppercase of query names sent to authority
|
|
||||||
# servers and checks if the reply still has the correct casing.
|
|
||||||
# This feature is an experimental implementation of draft dns-0x20.
|
|
||||||
# Experimental option.
|
|
||||||
#use-caps-for-id: yes
|
|
||||||
|
|
||||||
# Help protect users that rely on this validator for authentication from
|
|
||||||
# potentially bad data in the additional section. Instruct the validator to
|
|
||||||
# remove data from the additional section of secure messages that are not
|
|
||||||
# signed properly. Messages that are insecure, bogus, indeterminate or
|
|
||||||
# unchecked are not affected.
|
|
||||||
val-clean-additional: yes
|
|
||||||
|
|
||||||
###########################################################################
|
|
||||||
# PERFORMANCE SETTINGS
|
|
||||||
###########################################################################
|
|
||||||
# https://nlnetlabs.nl/documentation/unbound/howto-optimise/
|
|
||||||
# https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/
|
|
||||||
|
|
||||||
# Number of slabs in the infrastructure cache. Slabs reduce lock contention
|
|
||||||
# by threads. Must be set to a power of 2.
|
|
||||||
# infra-cache-slabs: 4
|
|
||||||
|
|
||||||
# Number of incoming TCP buffers to allocate per thread. Default
|
|
||||||
# is 10. If set to 0, or if do-tcp is "no", no TCP queries from
|
|
||||||
# clients are accepted. For larger installations increasing this
|
|
||||||
# value is a good idea.
|
|
||||||
# incoming-num-tcp: 10
|
|
||||||
|
|
||||||
# Number of slabs in the key cache. Slabs reduce lock contention by
|
|
||||||
# threads. Must be set to a power of 2. Setting (close) to the number
|
|
||||||
# of cpus is a reasonable guess.
|
|
||||||
# key-cache-slabs: 4
|
|
||||||
|
|
||||||
# Number of bytes size of the message cache.
|
|
||||||
# Unbound recommendation is to Use roughly twice as much rrset cache memory
|
|
||||||
# as you use msg cache memory.
|
|
||||||
msg-cache-size: 260991658
|
|
||||||
|
|
||||||
# Number of slabs in the message cache. Slabs reduce lock contention by
|
|
||||||
# threads. Must be set to a power of 2. Setting (close) to the number of
|
|
||||||
# cpus is a reasonable guess.
|
|
||||||
#msg-cache-slabs: 4
|
|
||||||
|
|
||||||
# The number of queries that every thread will service simultaneously. If
|
|
||||||
# more queries arrive that need servicing, and no queries can be jostled
|
|
||||||
# out (see jostle-timeout), then the queries are dropped.
|
|
||||||
# This is best set at half the number of the outgoing-range.
|
|
||||||
# This Unbound instance was compiled with libevent so it can efficiently
|
|
||||||
# use more than 1024 file descriptors.
|
|
||||||
num-queries-per-thread: 4096
|
|
||||||
|
|
||||||
# The number of threads to create to serve clients.
|
|
||||||
# This is set dynamically at run time to effectively use available CPUs
|
|
||||||
# resources
|
|
||||||
#num-threads: 3
|
|
||||||
|
|
||||||
# Number of ports to open. This number of file descriptors can be opened
|
|
||||||
# per thread.
|
|
||||||
# This Unbound instance was compiled with libevent so it can efficiently
|
|
||||||
# use more than 1024 file descriptors.
|
|
||||||
outgoing-range: 8192
|
outgoing-range: 8192
|
||||||
|
|
||||||
# Number of bytes size of the RRset cache.
|
# The number of queries that every thread will service simultaneously. If more queries
|
||||||
# Use roughly twice as much rrset cache memory as msg cache memory
|
# arrive that need servicing, and no queries can be jostled out (see jostle-timeout),
|
||||||
rrset-cache-size: 260991658
|
# then the queries are dropped. This forces the client to resend after a timeout;
|
||||||
|
# allowing the server time to work on the existing queries. Default depends on
|
||||||
|
# compile options, 512 or 1024.
|
||||||
|
num-queries-per-thread: 4096
|
||||||
|
|
||||||
# Number of slabs in the RRset cache. Slabs reduce lock contention by
|
include: /etc/unbound/a-records.conf
|
||||||
# threads. Must be set to a power of 2.
|
|
||||||
#rrset-cache-slabs: 4
|
|
||||||
|
|
||||||
# Do no insert authority/additional sections into response messages when
|
|
||||||
# those sections are not required. This reduces response size
|
|
||||||
# significantly, and may avoid TCP fallback for some responses. This may
|
|
||||||
# cause a slight speedup.
|
|
||||||
minimal-responses: yes
|
|
||||||
|
|
||||||
# # Fetch the DNSKEYs earlier in the validation process, when a DS record
|
|
||||||
# is encountered. This lowers the latency of requests at the expense of
|
|
||||||
# little more CPU usage.
|
|
||||||
prefetch: yes
|
|
||||||
|
|
||||||
# Fetch the DNSKEYs earlier in the validation process, when a DS record is
|
|
||||||
# encountered. This lowers the latency of requests at the expense of little
|
|
||||||
# more CPU usage.
|
|
||||||
prefetch-key: yes
|
|
||||||
|
|
||||||
# Have unbound attempt to serve old responses from cache with a TTL of 0 in
|
|
||||||
# the response without waiting for the actual resolution to finish. The
|
|
||||||
# actual resolution answer ends up in the cache later on.
|
|
||||||
serve-expired: yes
|
|
||||||
|
|
||||||
# Open dedicated listening sockets for incoming queries for each thread and
|
|
||||||
# try to set the SO_REUSEPORT socket option on each socket. May distribute
|
|
||||||
# incoming queries to threads more evenly.
|
|
||||||
so-reuseport: yes
|
|
||||||
|
|
||||||
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
|
|
||||||
so-rcvbuf: 1m
|
|
||||||
|
|
||||||
###########################################################################
|
|
||||||
# LOCAL ZONE
|
|
||||||
###########################################################################
|
|
||||||
|
|
||||||
# # Include file for local-data and local-data-ptr
|
|
||||||
# include: /opt/unbound/etc/unbound/a-records.conf
|
|
||||||
# include: /opt/unbound/etc/unbound/srv-records.conf
|
|
||||||
|
|
||||||
# ###########################################################################
|
|
||||||
# # FORWARD ZONE
|
|
||||||
# ###########################################################################
|
|
||||||
|
|
||||||
# include: /opt/unbound/etc/unbound/forward-records.conf
|
|
||||||
|
|
||||||
# OPTIONAL:
|
|
||||||
# Forward Secure DNS to upstream provider Cloudflare DNS
|
|
||||||
|
|
||||||
# forward-zone:
|
# forward-zone:
|
||||||
# name: "."
|
# name: "."
|
||||||
# forward-addr: 1.1.1.1@853#cloudflare-dns.com
|
# forward-addr: 194.242.2.3@853 # Mullvad primary
|
||||||
# forward-addr: 1.0.0.1@853#cloudflare-dns.com
|
# forward-addr: 193.19.108.3@853 # Mullvad secondary
|
||||||
# forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
|
|
||||||
# forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
|
|
||||||
# forward-tls-upstream: yes
|
|
||||||
|
|
||||||
remote-control:
|
|
||||||
control-enable: no
|
|
||||||
|
@ -2,12 +2,11 @@ version: "3.7"
|
|||||||
|
|
||||||
services:
|
services:
|
||||||
unbound:
|
unbound:
|
||||||
image: "klutchell/unbound:1.15.0"
|
image: "klutchell/unbound"
|
||||||
container_name: unbound
|
container_name: unbound
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
hostname: "unbound"
|
|
||||||
volumes:
|
volumes:
|
||||||
- "${APP_DATA_DIR}/data/unbound:/opt/unbound/etc/unbound/"
|
- "${APP_DATA_DIR}/data/unbound:/etc/unbound"
|
||||||
networks:
|
networks:
|
||||||
tipi_main_network:
|
tipi_main_network:
|
||||||
ipv4_address: 10.21.21.200
|
ipv4_address: 10.21.21.200
|
||||||
|
12
apps/tailscale/config.json
Normal file
12
apps/tailscale/config.json
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
{
|
||||||
|
"name": "Tailscale",
|
||||||
|
"port": 8093,
|
||||||
|
"id": "tailscale",
|
||||||
|
"description": "",
|
||||||
|
"short_desc": "",
|
||||||
|
"author": "",
|
||||||
|
"source": "https://github.com/tailscale/tailscale",
|
||||||
|
"website": "https://tailscale.com/",
|
||||||
|
"image": "https://avatars.githubusercontent.com/u/48932923?s=200&v=4",
|
||||||
|
"form_fields": {}
|
||||||
|
}
|
14
apps/tailscale/docker-compose.yml
Normal file
14
apps/tailscale/docker-compose.yml
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
version: "2"
|
||||||
|
|
||||||
|
services:
|
||||||
|
tailscale:
|
||||||
|
container_name: tailscale
|
||||||
|
network_mode: "host" # TODO: Find a way to remove this
|
||||||
|
image: tailscale/tailscale:v1.24.0
|
||||||
|
privileged: true
|
||||||
|
restart: on-failure
|
||||||
|
stop_grace_period: 1m
|
||||||
|
command: "sh -c 'tailscale web --listen 0.0.0.0:${APP_PORT} & exec tailscaled --tun=userspace-networking'"
|
||||||
|
volumes:
|
||||||
|
- /var/lib:/var/lib
|
||||||
|
- /dev/net/tun:/dev/net/tun
|
@ -59,6 +59,9 @@ services:
|
|||||||
networks:
|
networks:
|
||||||
tipi_main_network:
|
tipi_main_network:
|
||||||
driver: bridge
|
driver: bridge
|
||||||
|
driver_opts:
|
||||||
|
com.docker.network.bridge.enable_ip_masquerade: "true"
|
||||||
|
com.docker.network.bridge.enable_icc: "true"
|
||||||
ipam:
|
ipam:
|
||||||
driver: default
|
driver: default
|
||||||
config:
|
config:
|
||||||
|
@ -1 +1 @@
|
|||||||
export const appNames = ['nextcloud', 'freshrss', 'anonaddy', 'filerun', 'wg-easy', 'radarr', 'transmission', 'jellyfin', 'pihole', 'busybox'];
|
export const appNames = ['nextcloud', 'freshrss', 'anonaddy', 'filerun', 'wg-easy', 'radarr', 'transmission', 'jellyfin', 'pihole', 'tailscale'];
|
||||||
|
Loading…
Reference in New Issue
Block a user