fickit: add DNS server

2019-01-17 08:10:47 +01:00 · 2019-01-17 08:10:47 +01:00 · 5e9e45da03
parent 5516dfc3f5
commit 5e9e45da03
1 changed files with 18 additions and 10 deletions
--- a/fickit-frontend.yml
+++ b/fickit-frontend.yml
@ -197,16 +197,11 @@ services:
    pid: new
    ipc: new
    uts: new
-#  - name: dns-server
-#    image: sapcc/unbound
-#    binds:
-#      - /etc/unbound/unbound.conf:/etc/unbound/unbound.conf:ro
-#    capabilities:
-#     - CAP_NET_BIND_SERVICE
-#    net: /run/netns/nginx
-#    pid: new
-#    ipc: new
-#    uts: new
+  - name: dns-server
+    image: nemunaire/unbound
+    binds:
+      - /etc/unbound/unbound.d:/etc/unbound/unbound.d:ro
+    net: /run/netns/nginx


 files:
@ -410,6 +405,16 @@ files:
      # wait for ipv4 address
      waitip 4
    mode: "0440"
+  - path: etc/unbound/unbound.d/access-control.conf
+    contents: |
+        access-control: 172.23.0.0/16 allow
+    mode: "0440"
+  - path: etc/unbound/unbound.d/local-zone.conf
+    contents: |
+      local-zone: "srs.epita.fr" typetransparent
+      local-data: "fic.srs.epita.fr A 172.23.42.1"
+      local-data-ptr: "172.23.42.1 fic.srs.epita.fr"
+    mode: "0440"
  - path: etc/iptables/rules.v6
    contents: |
      *filter
@ -456,7 +461,9 @@ files:
      [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
      [0:0] -A INPUT -p icmp --icmp-type 8 -j ACCEPT
      [0:0] -A INPUT -p icmp --icmp-type 0 -j ACCEPT
+      [0:0] -A INPUT -i bond-frontal -p udp -m udp --dport domain -j ACCEPT
      [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+      [0:0] -A INPUT -i bond-frontal -p tcp -m conntrack --ctstate NEW -m tcp --dport domain -j ACCEPT
      [0:0] -A INPUT -i bond-frontal -p tcp -m conntrack --ctstate NEW -m tcp --dport http -j ACCEPT
      [0:0] -A INPUT -i bond-frontal -p tcp -m conntrack --ctstate NEW -m tcp --dport https -j ACCEPT
      [0:0] -A INPUT -j LOG
@ -464,6 +471,7 @@ files:
      [0:0] -A OUTPUT -o lo -j ACCEPT
      [0:0] -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
      [0:0] -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
+      [0:0] -A OUTPUT -o bond-frontal -p udp -m udp --sport domain -j ACCEPT
      [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      [0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.3 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
      [0:0] -A OUTPUT -o internet -j ACCEPT