feat(config-backups): Add BIND DNS configuration backups

- Add named.conf and named.conf.zones from router - Add all zone files (maegia.tv, ganimed.fr, secubox.in, etc.) - Include README with sync instructions - Fixed zone path in named.conf.zones for LuCI DNS Master compatibility - Added ganimed.fr zone declaration to BIND config Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-09 11:20:51 +01:00 · 2026-03-09 11:20:51 +01:00 · ff8f4944ea
commit ff8f4944ea
parent d7524d6300
9 changed files with 326 additions and 0 deletions
--- a/config-backups/README.md
+++ b/config-backups/README.md
@ -0,0 +1,33 @@
+# SecuBox Configuration Backups
+
+Runtime configuration backups from the SecuBox router for version control.
+
+## Structure
+
+```
+config-backups/
+├── bind/
+│   ├── named.conf           # Main BIND configuration
+│   ├── named.conf.zones     # Zone declarations
+│   └── zones/               # Zone files
+│       ├── maegia.tv.zone
+│       ├── ganimed.fr.zone
+│       ├── secubox.in.zone
+│       └── ...
+```
+
+## Sync from Router
+
+```bash
+# Sync all BIND config
+ssh root@192.168.255.1 "cat /etc/bind/named.conf.zones" > config-backups/bind/named.conf.zones
+ssh root@192.168.255.1 "cat /etc/bind/zones/*.zone" # per-file
+
+# Sync to router (restore)
+scp config-backups/bind/zones/*.zone root@192.168.255.1:/etc/bind/zones/
+ssh root@192.168.255.1 "/etc/init.d/named restart"
+```
+
+## Local Gitea Mirror
+
+Private config repo: `git.maegia.tv:gandalf/secubox-configs`
--- a/config-backups/bind/named.conf
+++ b/config-backups/bind/named.conf
@ -0,0 +1,47 @@
+options {
+    directory "/var/cache/bind";
+    listen-on port 53 { any; };
+    listen-on-v6 port 53 { any; };
+    allow-query { any; };
+    
+    // Enable recursion for LAN clients
+    recursion yes;
+    allow-recursion { 127.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; 10.0.0.0/8; };
+    
+    // Forward external queries to upstream DNS
+    forwarders {
+        9.9.9.9;        // Quad9 (threat-blocking)
+        149.112.112.112; // Quad9 secondary
+        1.1.1.1;        // Cloudflare
+    };
+    forward only;
+    
+    allow-transfer { none; };
+    pid-file "/var/run/named/named.pid";
+    
+    // Security
+    dnssec-validation auto;
+    
+    // Rate limiting (DDoS protection)
+    rate-limit {
+        responses-per-second 10;
+        window 5;
+    };
+    response-policy { zone "rpz.vortex"; };
+};
+
+// Authoritative zone - secubox.in
+
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.logging";
+// Authoritative zone - secubox.in
+zone "secubox.in" {
+    type master;
+    file "/etc/bind/zones/secubox.in.zone";
+    allow-query { any; };
+    allow-transfer { 217.70.177.40; };  // ns6.gandi.net
+    also-notify { 217.70.177.40; };
+    notify yes;
+};
+include "/etc/bind/named.conf.vortex";
+include "/etc/bind/named.conf.zones";
--- a/config-backups/bind/named.conf.zones
+++ b/config-backups/bind/named.conf.zones
@ -0,0 +1,23 @@
+
+// SecuBox Mesh local domain
+zone "sblocal" {
+    type master;
+    file "/etc/bind/zones/sblocal.zone";
+    allow-update { none; };
+};
+
+// maegia.tv - authoritative master zone
+zone "maegia.tv" {
+    type master;
+    file "/etc/bind/zones/maegia.tv.zone";
+    allow-query { any; };
+    allow-transfer { none; };
+};
+
+// ganimed.fr - authoritative master zone
+zone "ganimed.fr" {
+    type master;
+    file "/etc/bind/zones/ganimed.fr.zone";
+    allow-query { any; };
+    allow-transfer { none; };
+};
--- a/config-backups/bind/zones/ganimed.fr.zone
+++ b/config-backups/bind/zones/ganimed.fr.zone
@ -0,0 +1,32 @@
+$ORIGIN ganimed.fr.
+$TTL 3600
+
+; Zone file for ganimed.fr
+; Generated by vortexctl on 2026-03-08T10:10:04+01:00
+; Source: External DNS query
+
+@    IN SOA ns1.gandi.net. hostmaster.gandi.net. (
+              2026030801 ; serial
+              10800     ; refresh (3 hours)
+              3600      ; retry (1 hour)
+              604800    ; expire (1 week)
+              10800 )   ; minimum (3 hours)
+
+; NS records
+@    IN NS   ns-17-c.gandi.net.
+@    IN NS   ns-111-b.gandi.net.
+@    IN NS   ns-195-a.gandi.net.
+
+; MX records
+@    IN MX   10 spool.mail.gandi.net.
+@    IN MX   50 fb.mail.gandi.net.
+
+; TXT records
+@    IN TXT  "v=spf1 include:_mailcust.gandi.net ?all"
+
+; A records
+@    IN A    217.70.184.55
+
+; Subdomains (from HAProxy vhosts)
+lldh                 IN A    82.67.100.75
+oracle               IN A    82.67.100.75
--- a/config-backups/bind/zones/maegia.tv.zone
+++ b/config-backups/bind/zones/maegia.tv.zone
@ -0,0 +1,56 @@
+$ORIGIN maegia.tv.
+$TTL 3600
+
+; Zone file for maegia.tv
+; Generated by vortexctl on 2026-03-08T08:44:35+01:00
+; Source: External DNS query
+
+@    IN SOA ns1.gandi.net. hostmaster.gandi.net. (
+              2026030820 ; serial
+              10800     ; refresh (3 hours)
+              3600      ; retry (1 hour)
+              604800    ; expire (1 week)
+              10800 )   ; minimum (3 hours)
+
+; NS records
+@    IN NS   ns-150-c.gandi.net.
+@    IN NS   ns-57-a.gandi.net.
+@    IN NS   ns-250-b.gandi.net.
+
+; MX records
+@    IN MX   50 fb.mail.gandi.net.
+@    IN MX   10 spool.mail.gandi.net.
+
+; TXT records
+@    IN TXT  "v=spf1 include:_mailcust.gandi.net ?all"
+
+; A records
+@    IN A    82.67.100.75
+
+; Subdomains (from HAProxy vhosts)
+bw                   IN A    82.67.100.75
+c3box                IN A    82.67.100.75
+coin                 IN A    82.67.100.75
+crt                  IN A    82.67.100.75
+cyberzine            IN A    82.67.100.75
+devel                IN A    82.67.100.75
+diyegg               IN A    82.67.100.75
+feed                 IN A    82.67.100.75
+gandalf              IN A    82.67.100.75
+git                  IN A    82.67.100.75
+gk2                  IN A    82.67.100.75
+glances              IN A    82.67.100.75
+halt                 IN A    82.67.100.75
+home                 IN A    82.67.100.75
+how2                 IN A    82.67.100.75
+live                 IN A    82.67.100.75
+lldh360              IN A    82.67.100.75
+media                IN A    82.67.100.75
+meet                 IN A    82.67.100.75
+play                 IN A    82.67.100.75
+secubox              IN A    82.67.100.75
+shroom               IN A    82.67.100.75
+sliders              IN A    82.67.100.75
+slides               IN A    82.67.100.75
+status               IN A    82.67.100.75
+umemox               IN A    82.67.100.75
--- a/config-backups/bind/zones/sb.local.zone
+++ b/config-backups/bind/zones/sb.local.zone
@ -0,0 +1,16 @@
+$TTL 300
+@       IN      SOA     ns1.sb.local. admin.sb.local. (
+                        2026020601      ; Serial
+                        3600            ; Refresh
+                        900             ; Retry
+                        604800          ; Expire
+                        300 )           ; Negative Cache TTL
+
+        IN      NS      ns1.sb.local.
+
+; Wildcard for *.gk2.sb.local
+*.gk2   IN      A       192.168.255.1
+gk2     IN      A       192.168.255.1
+
+; Direct records
+ns1     IN      A       192.168.255.1
--- a/config-backups/bind/zones/sblocal.zone
+++ b/config-backups/bind/zones/sblocal.zone
@ -0,0 +1,17 @@
+$TTL 86400
+@   IN  SOA     ns1.sblocal. admin.sblocal. (
+        2026021101  ; Serial
+        3600        ; Refresh
+        1800        ; Retry
+        604800      ; Expire
+        86400 )     ; Minimum TTL
+
+    IN  NS      ns1.sblocal.
+
+; SecuBox Mesh nodes
+ns1         IN  A   192.168.255.1
+c3box       IN  A   192.168.255.1
+@           IN  A   192.168.255.1
+
+; Wildcard for services
+*           IN  A   192.168.255.1
--- a/config-backups/bind/zones/secubox.in.internal.zone
+++ b/config-backups/bind/zones/secubox.in.internal.zone
@ -0,0 +1,24 @@
+$TTL 3600
+@       IN      SOA     ns0.secubox.in. admin.secubox.in. (
+                        2026030301      ; Serial
+                        3600            ; Refresh
+                        1800            ; Retry
+                        604800          ; Expire
+                        3600 )          ; Negative Cache TTL
+
+; Nameservers
+@       IN      NS      ns0.secubox.in.
+
+; Internal IPs for LAN access
+@       IN      A       192.168.255.1
+*       IN      A       192.168.255.1
+gk2     IN      A       192.168.255.1
+*.gk2   IN      A       192.168.255.1
+
+; Mail goes to mail container
+mail    IN      A       192.168.255.30
+mail.gk2 IN     A       192.168.255.30
+
+; Jellyfin
+jellyfin IN     A       192.168.255.31
+jellyfin.gk2 IN A       192.168.255.31
--- a/config-backups/bind/zones/secubox.in.zone
+++ b/config-backups/bind/zones/secubox.in.zone
@ -0,0 +1,78 @@
+$TTL 300
+@       IN      SOA     ns0.secubox.in. admin.secubox.in. (
+                        2026021704      ; Serial (updated)
+                        3600            ; Refresh
+                        600             ; Retry
+                        604800          ; Expire
+                        300 )           ; Negative TTL
+
+; Nameservers
+@       IN      NS      ns0.secubox.in.
+@       IN      NS      ns1.secubox.in.
+@       IN      NS      ns6.gandi.net.
+
+; CAA records for Let's Encrypt
+@       IN      CAA     0 issue "letsencrypt.org"
+@       IN      CAA     0 issuewild "letsencrypt.org"
+
+; A records - PUBLIC IP for external access
+@       IN      A       82.67.100.75
+ns0     IN      A       82.67.100.75
+ns1     IN      A       82.67.100.75
+mail    IN      A       82.67.100.75
+localai IN      A       82.67.100.75
+gk2     IN      A       82.67.100.75
+
+; Wildcard for all subdomains - PUBLIC IP
+*       IN      A       82.67.100.75
+*.gk2   IN      A       82.67.100.75
+
+; MX record
+@       IN      MX      10 mail.secubox.in.
+
+; SPF record
+@       IN      TXT     "v=spf1 mx a ip4:82.67.100.75 ~all"
+
+; DMARC record
+_dmarc  IN      TXT     "v=DMARC1; p=quarantine; rua=mailto:postmaster@secubox.in"
+
+; ACME challenges
+_acme-challenge IN TXT "zIRC4aGfihUuFO1XhahHT8NvuC7a3Oi2fDzt1bXEmOA"
+_acme-challenge IN TXT "G0iJO-MiKDmYTJtjLdJoW3oWGA2l5d9moQ2H3DQLxyA"
+
+; IPv6 AAAA records
+@       IN      AAAA    2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+ns0     IN      AAAA    2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+ns1     IN      AAAA    2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+mail    IN      AAAA    2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+*       IN      AAAA    2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+
+; Mail client autoconfig/autodiscover
+autoconfig      IN      A       82.67.100.75
+autoconfig      IN      AAAA    2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+autodiscover    IN      A       82.67.100.75
+autodiscover    IN      AAAA    2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+autoconfig.gk2  IN      A       82.67.100.75
+autoconfig.gk2  IN      AAAA    2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+autodiscover.gk2 IN     A       82.67.100.75
+autodiscover.gk2 IN     AAAA    2a01:e0a:dec:c4e0:250:43ff:fe84:fb2f
+
+; SRV records for mail services (RFC 6186)
+_autodiscover._tcp      IN      SRV     0 0 443 autodiscover.secubox.in.
+_autodiscover._tcp.gk2  IN      SRV     0 0 443 autodiscover.gk2.secubox.in.
+
+; IMAP/IMAPS service discovery
+_imap._tcp              IN      SRV     0 0 143 mail.secubox.in.
+_imaps._tcp             IN      SRV     0 0 993 mail.secubox.in.
+_imap._tcp.gk2          IN      SRV     0 0 143 mail.gk2.secubox.in.
+_imaps._tcp.gk2         IN      SRV     0 0 993 mail.gk2.secubox.in.
+
+; SMTP submission service discovery
+_submission._tcp        IN      SRV     0 0 587 mail.secubox.in.
+_submissions._tcp       IN      SRV     0 0 465 mail.secubox.in.
+_submission._tcp.gk2    IN      SRV     0 0 587 mail.gk2.secubox.in.
+_submissions._tcp.gk2   IN      SRV     0 0 465 mail.gk2.secubox.in.
+
+; POP3 (optional, for legacy clients)
+_pop3s._tcp             IN      SRV     0 0 995 mail.secubox.in.
+_pop3s._tcp.gk2         IN      SRV     0 0 995 mail.gk2.secubox.in.