diff --git a/config-backups/README.md b/config-backups/README.md
new file mode 100644
index 00000000..56dc3a73
--- /dev/null
+++ b/config-backups/README.md
@@ -0,0 +1,33 @@
+# SecuBox Configuration Backups
+
+Runtime configuration backups from the SecuBox router for version control.
+
+## Structure
+
+```
+config-backups/
+├── bind/
+│ ├── named.conf # Main BIND configuration
+│ ├── named.conf.zones # Zone declarations
+│ └── zones/ # Zone files
+│ ├── maegia.tv.zone
+│ ├── ganimed.fr.zone
+│ ├── secubox.in.zone
+│ └── ...
+```
+
+## Sync from Router
+
+```bash
+# Sync all BIND config
+ssh root@192.168.255.1 "cat /etc/bind/named.conf.zones" > config-backups/bind/named.conf.zones
+ssh root@192.168.255.1 "cat /etc/bind/zones/*.zone" # per-file
+
+# Sync to router (restore)
+scp config-backups/bind/zones/*.zone root@192.168.255.1:/etc/bind/zones/
+ssh root@192.168.255.1 "/etc/init.d/named restart"
+```
+
+## Local Gitea Mirror
+
+Private config repo: `git.maegia.tv:gandalf/secubox-configs`
diff --git a/config-backups/bind/named.conf b/config-backups/bind/named.conf
new file mode 100644
index 00000000..629613bf
--- /dev/null
+++ b/config-backups/bind/named.conf
@@ -0,0 +1,47 @@
+options {
+ directory "/var/cache/bind";
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { any; };
+ allow-query { any; };
+
+ // Enable recursion for LAN clients
+ recursion yes;
+ allow-recursion { 127.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; 10.0.0.0/8; };
+
+ // Forward external queries to upstream DNS
+ forwarders {
+ 9.9.9.9; // Quad9 (threat-blocking)
+ 149.112.112.112; // Quad9 secondary
+ 1.1.1.1; // Cloudflare
+ };
+ forward only;
+
+ allow-transfer { none; };
+ pid-file "/var/run/named/named.pid";
+
+ // Security
+ dnssec-validation auto;
+
+ // Rate limiting (DDoS protection)
+ rate-limit {
+ responses-per-second 10;
+ window 5;
+ };
+ response-policy { zone "rpz.vortex"; };
+};
+
+// Authoritative zone - secubox.in
+
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.logging";
+// Authoritative zone - secubox.in
+zone "secubox.in" {
+ type master;
+ file "/etc/bind/zones/secubox.in.zone";
+ allow-query { any; };
+ allow-transfer { 217.70.177.40; }; // ns6.gandi.net
+ also-notify { 217.70.177.40; };
+ notify yes;
+};
+include "/etc/bind/named.conf.vortex";
+include "/etc/bind/named.conf.zones";
diff --git a/config-backups/bind/named.conf.zones b/config-backups/bind/named.conf.zones
new file mode 100644
index 00000000..b0c11a9d
--- /dev/null
+++ b/config-backups/bind/named.conf.zones
@@ -0,0 +1,23 @@
+
+// SecuBox Mesh local domain
+zone "sblocal" {
+ type master;
+ file "/etc/bind/zones/sblocal.zone";
+ allow-update { none; };
+};
+
+// maegia.tv - authoritative master zone
+zone "maegia.tv" {
+ type master;
+ file "/etc/bind/zones/maegia.tv.zone";
+ allow-query { any; };
+ allow-transfer { none; };
+};
+
+// ganimed.fr - authoritative master zone
+zone "ganimed.fr" {
+ type master;
+ file "/etc/bind/zones/ganimed.fr.zone";
+ allow-query { any; };
+ allow-transfer { none; };
+};
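Review bot: The secubox.in zone authorizes AXFR by source address alone (`allow-transfer { 217.70.177.40; }; // ns6.gandi.net`), which the options-level `allow-transfer { none; }` does not cover; if the Gandi secondary supports TSIG, pin the transfer to a key instead, e.g. `key "gandi-xfr" { algorithm hmac-sha256; secret "<PLACEHOLDER-base64-secret>"; };` plus `allow-transfer { key gandi-xfr; };`, and keep the secret itself out of this backup repo (an `include` of an untracked key file). The comment `// Authoritative zone - secubox.in` appears twice, the first copy orphaned above the `include` lines — drop the first one. `response-policy { zone "rpz.vortex"; };` references a zone that is not declared in this file; presumably it lives in `named.conf.vortex`, and a comment on that line saying so would spare the next reader a search.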
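Review bot: `zone "sblocal"` sets no `allow-query`, so it inherits the options-level `allow-query { any; }` and, with `listen-on port 53 { any; }`, answers its 192.168.255.x records to any host that reaches port 53 on the router; restrict it with `allow-query { localhost; localnets; };` (or the same prefix list used for `allow-recursion`). The maegia.tv and ganimed.fr zones are served as `type master` with `allow-query { any; }` although their zone files (the ganimed.fr.zone and maegia.tv.zone hunks) carry Gandi SOA and NS data captured from an external query, so this server keeps answering the snapshot after the upstream zone changes; a comment such as `// local snapshot of the Gandi-hosted zone - re-sync with vortexctl before editing` above each would make that explicit.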
diff --git a/config-backups/bind/zones/ganimed.fr.zone b/config-backups/bind/zones/ganimed.fr.zone
new file mode 100644
index 00000000..ea395090
--- /dev/null
+++ b/config-backups/bind/zones/ganimed.fr.zone
@@ -0,0 +1,32 @@
+$ORIGIN ganimed.fr.
+$TTL 3600
+
+; Zone file for ganimed.fr
+; Generated by vortexctl on 2026-03-08T10:10:04+01:00
+; Source: External DNS query
+
+@ IN SOA ns1.gandi.net. hostmaster.gandi.net. (
+ 2026030801 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 10800 ) ; minimum (3 hours)
+
+; NS records
+@ IN NS ns-17-c.gandi.net.
+@ IN NS ns-111-b.gandi.net.
+@ IN NS ns-195-a.gandi.net.
+
+; MX records
+@ IN MX 10 spool.mail.gandi.net.
+@ IN MX 50 fb.mail.gandi.net.
+
+; TXT records
+@ IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
+
+; A records
+@ IN A 217.70.184.55
+
+; Subdomains (from HAProxy vhosts)
+lldh IN A 82.67.100.75
+oracle IN A 82.67.100.75
diff --git a/config-backups/bind/zones/maegia.tv.zone b/config-backups/bind/zones/maegia.tv.zone
new file mode 100644
index 00000000..36c0a408
--- /dev/null
+++ b/config-backups/bind/zones/maegia.tv.zone
@@ -0,0 +1,56 @@
+$ORIGIN maegia.tv.
+$TTL 3600
+
+; Zone file for maegia.tv
+; Generated by vortexctl on 2026-03-08T08:44:35+01:00
+; Source: External DNS query
+
+@ IN SOA ns1.gandi.net. hostmaster.gandi.net. (
+ 2026030820 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 10800 ) ; minimum (3 hours)
+
+; NS records
+@ IN NS ns-150-c.gandi.net.
+@ IN NS ns-57-a.gandi.net.
+@ IN NS ns-250-b.gandi.net.
+
+; MX records
+@ IN MX 50 fb.mail.gandi.net.
+@ IN MX 10 spool.mail.gandi.net.
+
+; TXT records
+@ IN TXT "v=spf1 include:_mailcust.gandi.net ?all"
+
+; A records
+@ IN A 82.67.100.75
+
+; Subdomains (from HAProxy vhosts)
+bw IN A 82.67.100.75
+c3box IN A 82.67.100.75
+coin IN A 82.67.100.75
+crt IN A 82.67.100.75
+cyberzine IN A 82.67.100.75
+devel IN A 82.67.100.75
+diyegg IN A 82.67.100.75
+feed IN A 82.67.100.75
+gandalf IN A 82.67.100.75
+git IN A 82.67.100.75
+gk2 IN A 82.67.100.75
+glances IN A 82.67.100.75
+halt IN A 82.67.100.75
+home IN A 82.67.100.75
+how2 IN A 82.67.100.75
+live IN A 82.67.100.75
+lldh360 IN A 82.67.100.75
+media IN A 82.67.100.75
+meet IN A 82.67.100.75
+play IN A 82.67.100.75
+secubox IN A 82.67.100.75
+shroom IN A 82.67.100.75
+sliders IN A 82.67.100.75
+slides IN A 82.67.100.75
+status IN A 82.67.100.75
+umemox IN A 82.67.100.75
diff --git a/config-backups/bind/zones/sb.local.zone b/config-backups/bind/zones/sb.local.zone
new file mode 100644
index 00000000..3454da5a
--- /dev/null
+++ b/config-backups/bind/zones/sb.local.zone
@@ -0,0 +1,16 @@
+$TTL 300
+@ IN SOA ns1.sb.local. admin.sb.local. (
+ 2026020601 ; Serial
+ 3600 ; Refresh
+ 900 ; Retry
+ 604800 ; Expire
+ 300 ) ; Negative Cache TTL
+
+ IN NS ns1.sb.local.
+
+; Wildcard for *.gk2.sb.local
+*.gk2 IN A 192.168.255.1
+gk2 IN A 192.168.255.1
+
+; Direct records
+ns1 IN A 192.168.255.1
diff --git a/config-backups/bind/zones/sblocal.zone b/config-backups/bind/zones/sblocal.zone
new file mode 100644
index 00000000..f685ef8d
--- /dev/null
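Review bot: sb.local.zone is committed but no `zone "sb.local"` declaration appears in named.conf or named.conf.zones, which only declare `sblocal`; if the file is obsolete it should not be in the backup, otherwise the declaration that loads it is missing from the synced config. `.local` is also the mDNS domain (RFC 6762), so stub resolvers on hosts running Avahi or systemd-resolved will not send `*.sb.local` queries to this server at all, which may be why `sblocal` exists. If that is the history, a header line `; DEPRECATED: superseded by sblocal.zone (.local is reserved for mDNS)` would record it.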
+++ b/config-backups/bind/zones/sblocal.zone
@@ -0,0 +1,17 @@
+$TTL 86400
+@ IN SOA ns1.sblocal. admin.sblocal. (
+ 2026021101 ; Serial
+ 3600 ; Refresh
+ 1800 ; Retry
+ 604800 ; Expire
+ 86400 ) ; Minimum TTL
+
+ IN NS ns1.sblocal.
+
+; SecuBox Mesh nodes
+ns1 IN A 192.168.255.1
+c3box IN A 192.168.255.1
+@ IN A 192.168.255.1
+
+; Wildcard for services
+* IN A 192.168.255.1
diff --git a/config-backups/bind/zones/secubox.in.internal.zone b/config-backups/bind/zones/secubox.in.internal.zone
new file mode 100644
index 00000000..d34ac41d
--- /dev/null
+++ b/config-backups/bind/zones/secubox.in.internal.zone
@@ -0,0 +1,24 @@
+$TTL 3600
+@ IN SOA ns0.secubox.in. admin.secubox.in. (
+ 2026030301 ; Serial
+ 3600 ; Refresh
+ 1800 ; Retry
+ 604800 ; Expire
+ 3600 ) ; Negative Cache TTL
+
+; Nameservers
+@ IN NS ns0.secubox.in.
+
+; Internal IPs for LAN access
+@ IN A 192.168.255.1
+* IN A 192.168.255.1
+gk2 IN A 192.168.255.1
+*.gk2 IN A 192.168.255.1
+
+; Mail goes to mail container
+mail IN A 192.168.255.30
+mail.gk2 IN A 192.168.255.30
+
+; Jellyfin
+jellyfin IN A 192.168.255.31
+jellyfin.gk2 IN A 192.168.255.31
diff --git a/config-backups/bind/zones/secubox.in.zone b/config-backups/bind/zones/secubox.in.zone
new file mode 100644
index 00000000..198bcd9d
--- /dev/null
+++ b/config-backups/bind/zones/secubox.in.zone
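Review bot: The internal copy of secubox.in carries none of the MX, SPF/DMARC TXT, CAA, autoconfig or SRV records of secubox.in.zone, so any LAN client that resolves through it (no view or zone declaration for this file is visible in the diff, so how it is served is inferred) sees no MX for secubox.in and no `_dmarc` policy, and mail discovery behaves differently inside and outside the LAN. Either mirror those records here with the internal addresses, or state the omission in the file, e.g. `; split-horizon copy: MX/TXT/SRV records deliberately omitted - LAN mail clients rely on the public view`. Its serial (2026030301) is also ahead of the public zone's (2026021704); fine on its own, but worth bumping both together when they are edited as a pair.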
@@ -0,0 +1,78 @@
+$TTL 300
+@ IN SOA ns0.secubox.in. admin.secubox.in. (
+ 2026021704 ; Serial (updated)
+ 3600 ; Refresh
+ 600 ; Retry
+ 604800 ; Expire
+ 300 ) ; Negative TTL
+
+; Nameservers
+@ IN NS ns0.secubox.in.
+@ IN NS ns1.secubox.in.
+@ IN NS ns6.gandi.net.
+
+; CAA records for Let's Encrypt
+@ IN CAA 0 issue "letsencrypt.org"
+@ IN CAA 0 issuewild "letsencrypt.org"
+
+; A records - PUBLIC IP for external access
+@ IN A 82.67.100.75
+ns0 IN A 82.67.100.75
+ns1 IN A 82.67.100.75
+mail IN A 82.67.100.75
+localai IN A 82.67.100.75
+gk2 IN A 82.67.100.75
+
+; Wildcard for all subdomains - PUBLIC IP
+* IN A 82.67.100.75
+*.gk2 IN A 82.67.100.75
+
+; MX record
+@ IN MX 10 mail.secubox.in.
+
+; SPF record
+@ IN TXT "v=spf1 mx a ip4:82.67.100.75 ~all"
+
+; DMARC record
+_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@secubox.in"
+
+; ACME challenges
+_acme-challenge IN TXT "zIRC4aGfihUuFO1XhahHT8NvuC7a3Oi2fDzt1bXEmOA"
+_acme-challenge IN TXT "G0iJO-MiKDmYTJtjLdJoW3oWGA2l5d9moQ2H3DQLxyA"
+
+; IPv6 AAAA records
+@ IN AAAA 2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+ns0 IN AAAA 2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+ns1 IN AAAA 2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+mail IN AAAA 2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+* IN AAAA 2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+
+; Mail client autoconfig/autodiscover
+autoconfig IN A 82.67.100.75
+autoconfig IN AAAA 2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+autodiscover IN A 82.67.100.75
+autodiscover IN AAAA 2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+autoconfig.gk2 IN A 82.67.100.75
+autoconfig.gk2 IN AAAA 2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+autodiscover.gk2 IN A 82.67.100.75
+autodiscover.gk2 IN AAAA 2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+
+; SRV records for mail services (RFC 6186)
+_autodiscover._tcp IN SRV 0 0 443 autodiscover.secubox.in.
+_autodiscover._tcp.gk2 IN SRV 0 0 443 autodiscover.gk2.secubox.in.
+
+; IMAP/IMAPS service discovery
+_imap._tcp IN SRV 0 0 143 mail.secubox.in.
+_imaps._tcp IN SRV 0 0 993 mail.secubox.in.
+_imap._tcp.gk2 IN SRV 0 0 143 mail.gk2.secubox.in.
+_imaps._tcp.gk2 IN SRV 0 0 993 mail.gk2.secubox.in.
+
+; SMTP submission service discovery
+_submission._tcp IN SRV 0 0 587 mail.secubox.in.
+_submissions._tcp IN SRV 0 0 465 mail.secubox.in.
+_submission._tcp.gk2 IN SRV 0 0 587 mail.gk2.secubox.in.
+_submissions._tcp.gk2 IN SRV 0 0 465 mail.gk2.secubox.in.
+
+; POP3 (optional, for legacy clients)
+_pop3s._tcp IN SRV 0 0 995 mail.secubox.in.
+_pop3s._tcp.gk2 IN SRV 0 0 995 mail.gk2.secubox.in.
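Review bot: The two `_acme-challenge` TXT records are leftover DNS-01 validation tokens; they protect nothing once the certificate is issued, accumulate with each renewal, and collide with an ACME client that expects to own that name, so remove them after issuance or mark them `; stale validation tokens - safe to delete after issuance`. The heading `; SRV records for mail services (RFC 6186)` sits over the `_autodiscover._tcp` records, but RFC 6186 defines the `_imap`/`_imaps`/`_submission` SRV records further down; `_autodiscover` is the Outlook/Exchange convention, so the RFC reference belongs on the IMAP block. The zone publishes SPF and a `p=quarantine` DMARC policy but no `*._domainkey` TXT record is visible; if outbound mail is DKIM-signed the selector record belongs here too, otherwise DMARC alignment rests on SPF alone and forwarded mail will fail it.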