10h30/wirehole-ui
1
0
Fork 0
mirror of https://github.com/10h30/wirehole-ui.git synced 2026-06-05 15:09:48 +09:00
Code Issues Packages Projects Releases Wiki Activity

initial

Browse Source
This commit is contained in:
Ubuntu
2020-09-03 05:02:51 +00:00
commit a1d9781944
3 changed files with 449 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitignore
View File
docker-compose.yml
+81
View File
@@ -0,0 +1,81 @@
version: "3"
networks:
piguard:
ipam:
driver: default
config:
- subnet: 10.1.0.0/24
services:
wireguard:
depends_on: [unbound]
privileged: false
image: linuxserver/wireguard
container_name: wireguard
cap_add:
- NET_ADMIN
- SYS_MODULE
environment:
- PUID=1000
- PGID=1000
- TZ=America/Los_Angeles
# - SERVERURL=wireguard.domain.com #optional
- SERVERPORT=5555 #optional
- PEERS=1 #optional
- PEERDNS=10.1.0.100 # Set it to point to pihole
- INTERNAL_SUBNET=10.6.0.0 #optional
volumes:
- ./wireguard:/config
- /lib/modules:/lib/modules
ports:
- 5555:51820/udp
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
restart: unless-stopped
networks:
piguard:
ipv4_address: 10.1.0.3
unbound:
container_name: unbound
privileged: false
volumes:
- "./unbound:/opt/unbound/etc/unbound/"
# ports:
# - "53:53/tcp"
# - "53:53/udp"
restart: unless-stopped
image: "mvance/unbound:latest"
networks:
piguard:
ipv4_address: 10.1.0.200
pihole:
depends_on: [unbound]
container_name: pihole
image: pihole/pihole:latest
privileged: false
ports:
- "53:53/tcp"
- "53:53/udp"
# - "67:67/udp" # Uncomment for pihole dhcp
- "80:80/tcp"
- "443:443/tcp"
environment:
TZ: "America/Los_Angeles"
WEBPASSWORD: ''
ServerIP: 10.1.0.100
DNS1: 10.1.0.200
DNS2: 10.1.0.200
# Volumes store your data between container upgrades
volumes:
- "./etc-pihole/:/etc/pihole/"
- "./etc-dnsmasq.d/:/etc/dnsmasq.d/"
# Recommended but not required (DHCP needs NET_ADMIN)
# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
cap_add:
- NET_ADMIN
restart: unless-stopped
networks:
piguard:
ipv4_address: 10.1.0.100
unbound/unbound.conf
+368
View File
@@ -0,0 +1,368 @@
# server:
# ###########################################################################
# # BASIC SETTINGS
# ###########################################################################
# # Time to live maximum for RRsets and messages in the cache. If the maximum
# # kicks in, responses to clients still get decrementing TTLs based on the
# # original (larger) values. When the internal TTL expires, the cache item
# # has expired. Can be set lower to force the resolver to query for data
# # often, and not trust (very large) TTL values.
# cache-max-ttl: 86400
# # Time to live minimum for RRsets and messages in the cache. If the minimum
# # kicks in, the data is cached for longer than the domain owner intended,
# # and thus less queries are made to look up the data. Zero makes sure the
# # data in the cache is as the domain owner intended, higher values,
# # especially more than an hour or so, can lead to trouble as the data in
# # the cache does not match up with the actual data any more.
# cache-min-ttl: 300
# # Set the working directory for the program.
# directory: "/opt/unbound/etc/unbound"
# # RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer
# # size. This is the value put into datagrams over UDP towards peers.
# # 4096 is RFC recommended. 1472 has a reasonable chance to fit within a
# # single Ethernet frame, thus lessing the chance of fragmentation
# # reassembly problems (usually seen as timeouts). Setting to 512 bypasses
# # even the most stringent path MTU problems, but is not recommended since
# # the amount of TCP fallback generated is excessive.
# edns-buffer-size: 1472
# # Listen to for queries from clients and answer from this network interface
# # and port.
# interface: 0.0.0.0@53
# # Rotates RRSet order in response (the pseudo-random number is taken from
# # the query ID, for speed and thread safety).
# rrset-roundrobin: yes
# # Drop user privileges after binding the port.
# username: "_unbound"
# ###########################################################################
# # LOGGING
# ###########################################################################
# # Do not print log lines to inform about local zone actions
# log-local-actions: no
# # Do not print one line per query to the log
# log-queries: no
# # Do not print one line per reply to the log
# log-replies: no
# # Do not print log lines that say why queries return SERVFAIL to clients
# log-servfail: no
# # Further limit logging
# logfile: /dev/null
# # Only log errors
# verbosity: 5
# ###########################################################################
# # PRIVACY SETTINGS
# ###########################################################################
# # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
# # denials, using information from previous NXDO-MAINs answers. In other
# # words, use cached NSEC records to generate negative answers within a
# # range and positive answers from wildcards. This increases performance,
# # decreases latency and resource utilization on both authoritative and
# # recursive servers, and increases privacy. Also, it may help increase
# # resilience to certain DoS attacks in some circumstances.
# aggressive-nsec: yes
# # Extra delay for timeouted UDP ports before they are closed, in msec.
# # This prevents very delayed answer packets from the upstream (recursive)
# # servers from bouncing against closed ports and setting off all sort of
# # close-port counters, with eg. 1500 msec. When timeouts happen you need
# # extra sockets, it checks the ID and remote IP of packets, and unwanted
# # packets are added to the unwanted packet counter.
# delay-close: 10000
# # Prevent the unbound server from forking into the background as a daemon
# do-daemonize: no
# # Add localhost to the do-not-query-address list.
# do-not-query-localhost: no
# # Number of bytes size of the aggressive negative cache.
# neg-cache-size: 4M
# # Send minimum amount of information to upstream servers to enhance
# # privacy (best privacy).
# qname-minimisation: yes
# ###########################################################################
# # SECURITY SETTINGS
# ###########################################################################
# # Only give access to recursion clients from LAN IPs
# access-control: 127.0.0.1/32 allow
# access-control: 192.168.0.0/16 allow
# access-control: 172.16.0.0/12 allow
# access-control: 10.0.0.0/8 allow
# # access-control: fc00::/7 allow
# # access-control: ::1/128 allow
# # File with trust anchor for one zone, which is tracked with RFC5011
# # probes.
# auto-trust-anchor-file: "var/root.key"
# # Enable chroot (i.e, change apparent root directory for the current
# # running process and its children)
# chroot: "/opt/unbound/etc/unbound"
# # Deny queries of type ANY with an empty response.
# deny-any: yes
# # Harden against algorithm downgrade when multiple algorithms are
# # advertised in the DS record.
# harden-algo-downgrade: yes
# # RFC 8020. returns nxdomain to queries for a name below another name that
# # is already known to be nxdomain.
# harden-below-nxdomain: yes
# # Require DNSSEC data for trust-anchored zones, if such data is absent, the
# # zone becomes bogus. If turned off you run the risk of a downgrade attack
# # that disables security for a zone.
# harden-dnssec-stripped: yes
# # Only trust glue if it is within the servers authority.
# harden-glue: yes
# # Ignore very large queries.
# harden-large-queries: yes
# # Perform additional queries for infrastructure data to harden the referral
# # path. Validates the replies if trust anchors are configured and the zones
# # are signed. This enforces DNSSEC validation on nameserver NS sets and the
# # nameserver addresses that are encountered on the referral path to the
# # answer. Experimental option.
# harden-referral-path: no
# # Ignore very small EDNS buffer sizes from queries.
# harden-short-bufsize: yes
# # Refuse id.server and hostname.bind queries
# hide-identity: yes
# # Refuse version.server and version.bind queries
# hide-version: yes
# # Report this identity rather than the hostname of the server.
# identity: "DNS"
# # These private network addresses are not allowed to be returned for public
# # internet names. Any occurrence of such addresses are removed from DNS
# # answers. Additionally, the DNSSEC validator may mark the answers bogus.
# # This protects against DNS Rebinding
# private-address: 10.0.0.0/8
# private-address: 172.16.0.0/12
# private-address: 192.168.0.0/16
# private-address: 169.254.0.0/16
# # private-address: fd00::/8
# # private-address: fe80::/10
# # private-address: ::ffff:0:0/96
# # Enable ratelimiting of queries (per second) sent to nameserver for
# # performing recursion. More queries are turned away with an error
# # (servfail). This stops recursive floods (e.g., random query names), but
# # not spoofed reflection floods. Cached responses are not rate limited by
# # this setting. Experimental option.
# ratelimit: 1000
# # Use this certificate bundle for authenticating connections made to
# # outside peers (e.g., auth-zone urls, DNS over TLS connections).
# tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
# # Set the total number of unwanted replies to eep track of in every thread.
# # When it reaches the threshold, a defensive action of clearing the rrset
# # and message caches is taken, hopefully flushing away any poison.
# # Unbound suggests a value of 10 million.
# unwanted-reply-threshold: 10000
# # Use 0x20-encoded random bits in the query to foil spoof attempts. This
# # perturbs the lowercase and uppercase of query names sent to authority
# # servers and checks if the reply still has the correct casing.
# # This feature is an experimental implementation of draft dns-0x20.
# # Experimental option.
# use-caps-for-id: yes
# # Help protect users that rely on this validator for authentication from
# # potentially bad data in the additional section. Instruct the validator to
# # remove data from the additional section of secure messages that are not
# # signed properly. Messages that are insecure, bogus, indeterminate or
# # unchecked are not affected.
# val-clean-additional: yes
# ###########################################################################
# # PERFORMANCE SETTINGS
# ###########################################################################
# # https://nlnetlabs.nl/documentation/unbound/howto-optimise/
# # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/
# # Number of slabs in the infrastructure cache. Slabs reduce lock contention
# # by threads. Must be set to a power of 2.
# infra-cache-slabs: 4
# # Number of incoming TCP buffers to allocate per thread. Default
# # is 10. If set to 0, or if do-tcp is "no", no TCP queries from
# # clients are accepted. For larger installations increasing this
# # value is a good idea.
# incoming-num-tcp: 10
# # Number of slabs in the key cache. Slabs reduce lock contention by
# # threads. Must be set to a power of 2. Setting (close) to the number
# # of cpus is a reasonable guess.
# key-cache-slabs: 4
# # Number of bytes size of the message cache.
# # Unbound recommendation is to Use roughly twice as much rrset cache memory
# # as you use msg cache memory.
# msg-cache-size: 855658496
# # Number of slabs in the message cache. Slabs reduce lock contention by
# # threads. Must be set to a power of 2. Setting (close) to the number of
# # cpus is a reasonable guess.
# msg-cache-slabs: 4
# # The number of queries that every thread will service simultaneously. If
# # more queries arrive that need servicing, and no queries can be jostled
# # out (see jostle-timeout), then the queries are dropped.
# # This is best set at half the number of the outgoing-range.
# # This Unbound instance was compiled with libevent so it can efficiently
# # use more than 1024 file descriptors.
# num-queries-per-thread: 4096
# # The number of threads to create to serve clients.
# # This is set dynamically at run time to effectively use available CPUs
# # resources
# num-threads: 2
# # Number of ports to open. This number of file descriptors can be opened
# # per thread.
# # This Unbound instance was compiled with libevent so it can efficiently
# # use more than 1024 file descriptors.
# outgoing-range: 8192
# # Number of bytes size of the RRset cache.
# # Use roughly twice as much rrset cache memory as msg cache memory
# rrset-cache-size: 1711316992
# # Number of slabs in the RRset cache. Slabs reduce lock contention by
# # threads. Must be set to a power of 2.
# rrset-cache-slabs: 4
# # Do no insert authority/additional sections into response messages when
# # those sections are not required. This reduces response size
# # significantly, and may avoid TCP fallback for some responses. This may
# # cause a slight speedup.
# minimal-responses: yes
# # # Fetch the DNSKEYs earlier in the validation process, when a DS record
# # is encountered. This lowers the latency of requests at the expense of
# # little more CPU usage.
# prefetch: yes
# # Fetch the DNSKEYs earlier in the validation process, when a DS record is
# # encountered. This lowers the latency of requests at the expense of little
# # more CPU usage.
# prefetch-key: yes
# # Have unbound attempt to serve old responses from cache with a TTL of 0 in
# # the response without waiting for the actual resolution to finish. The
# # actual resolution answer ends up in the cache later on.
# serve-expired: yes
# # Open dedicated listening sockets for incoming queries for each thread and
# # try to set the SO_REUSEPORT socket option on each socket. May distribute
# # incoming queries to threads more evenly.
# so-reuseport: yes
# ###########################################################################
# # LOCAL ZONE
# ###########################################################################
# # # Include file for local-data and local-data-ptr
# # include: /opt/unbound/etc/unbound/a-records.conf
# # include: /opt/unbound/etc/unbound/srv-records.conf
# # ###########################################################################
# # # FORWARD ZONE
# # ###########################################################################
# # include: /opt/unbound/etc/unbound/forward-records.conf
# remote-control:
# control-enable: no
server:
verbosity: 1
num-threads: 3
interface: 0.0.0.0@53
so-reuseport: yes
edns-buffer-size: 1472
delay-close: 10000
cache-min-ttl: 60
cache-max-ttl: 86400
do-daemonize: no
username: "_unbound"
log-queries: no
hide-version: yes
hide-identity: yes
identity: "DNS"
harden-algo-downgrade: yes
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: no
do-not-query-localhost: no
prefetch: yes
prefetch-key: yes
qname-minimisation: yes
aggressive-nsec: yes
ratelimit: 1000
rrset-roundrobin: yes
minimal-responses: yes
chroot: "/opt/unbound/etc/unbound"
directory: "/opt/unbound/etc/unbound"
auto-trust-anchor-file: "var/root.key"
num-queries-per-thread: 4096
outgoing-range: 8192
msg-cache-size: 260991658
rrset-cache-size: 260991658
neg-cache-size: 4M
serve-expired: yes
unwanted-reply-threshold: 10000
use-caps-for-id: yes
val-clean-additional: yes
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: ::ffff:0:0/96
access-control: 127.0.0.1/32 allow
access-control: 192.168.1.1/24 allow
access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/8 allow
logfile: /var/log/unbound.log
#include: /opt/unbound/etc/unbound/a-records.conf
forward-zone:
name: "."
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
forward-tls-upstream: yes
remote-control:
control-enable: no