pivpn update and working with doh

2024-07-20 01:49:58 -04:00
parent 697e08ed78
commit fd1fde499d
8 changed files with 130 additions and 35 deletions


@@ -1,18 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: nginx@ducoterra.net
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt
# Enable the HTTP-01 challenge provider
solvers:
- http01:
ingress:
class: nginx
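Review bot: this ClusterIssuer manifest holds no secret material (only a contact email and the name of the `privateKeySecretRef`), so it did not need to leave the versioned `certmanager/` directory; removing it here while the replacement issuer is only ever generated ad hoc into `secrets/` means the cluster's issuer configuration is no longer tracked in the repo. Consider keeping a committed `certmanager/letsencrypt-issuer.yaml` with the new solver and leaving only the Route53 credentials in a Secret.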


@@ -276,7 +276,49 @@ helm upgrade --install \
Create the let's encrypt issuer (Route53 DNS) Create the let's encrypt issuer (Route53 DNS)
```bash ```bash
kubectl apply -f certmanager/letsencrypt-issuer.yaml export LE_ACCESS_KEY_ID=
export LE_SECRET_KEY=
cat <<EOF > secrets/cert-manager-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: prod-route53-credentials-cert-manager
data:
access-key-id: $(echo $LE_ACCESS_KEY_ID | base64)
secret-access-key: $(echo $LE_SECRET_KEY | base64)
EOF
kubectl apply -f secrets/cert-manager-secret.yaml
```
```bash
cat <<EOF > secrets/route53-cluster-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: nginx@ducoterra.net
privateKeySecretRef:
name: letsencrypt
solvers:
- selector:
dnsZones:
- "reeseapps.com"
dns01:
route53:
region: us-east-1
hostedZoneID: Z012820733346FJ0U4FUF
accessKeyID: ${LE_ACCESS_KEY_ID}
secretAccessKeySecretRef:
name: prod-route53-credentials-cert-manager
key: secret-access-key
EOF
kubectl apply -f secrets/route53-cluster-issuer.yaml
``` ```
You can test if your ingress is working with: You can test if your ingress is working with:
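Review bot: the generated Secret has no `namespace:`, but a ClusterIssuer resolves `secretAccessKeySecretRef` in cert-manager's cluster resource namespace (`cert-manager` by default), so `kubectl apply -f secrets/cert-manager-secret.yaml` will create it in whatever namespace the current context points at and the issuer will fail to find it; add `namespace: cert-manager` under `metadata`. The encoding is also off: `echo $LE_SECRET_KEY | base64` encodes a trailing newline into the value, so use `printf '%s' "$LE_SECRET_KEY" | base64 -w0` (or put the raw values under `stringData:` and let the API server encode them). Finally, `accessKeyID: ${LE_ACCESS_KEY_ID}` writes the key id in plaintext into `secrets/route53-cluster-issuer.yaml`; make sure that directory is gitignored, and scope the IAM credentials to `route53:ChangeResourceRecordSets` on the one hosted zone as cert-manager's Route53 docs recommend.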


@@ -21,7 +21,7 @@ podman-compose push
helm upgrade --install \ helm upgrade --install \
--namespace pihole \ --namespace pihole \
--create-namespace \ --create-namespace \
blocklist ./helm/blocklist blocklist ./pihole_blocklist/helm
``` ```
## Notes ## Notes
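Review bot: the chart path changes from `./helm/blocklist` to `./pihole_blocklist/helm`, but the directory move itself is not visible in this hunk; confirm the rename is part of the same commit so the README does not point at a path that does not exist yet.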


@@ -52,10 +52,10 @@ metadata:
name: {{ .Release.Name }} name: {{ .Release.Name }}
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt cert-manager.io/cluster-issuer: letsencrypt
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.org/client-max-body-size: "0" nginx.org/client-max-body-size: "0"
spec: spec:
ingressClassName: nginx
rules: rules:
- host: {{ .Values.domain }} - host: {{ .Values.domain }}
http: http:
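Review bot: replacing the deprecated `kubernetes.io/ingress.class` annotation with `spec.ingressClassName: nginx` is the right fix, but the remaining annotations target two different controllers: `nginx.ingress.kubernetes.io/*` is read by kubernetes/ingress-nginx while `nginx.org/*` is read by NGINX Inc's controller, so with a single class only one of them is honoured and the other should be dropped. Also, `"0"` removes the request body size limit entirely; if that is intentional for large uploads, say so in a template comment so it is not mistaken for a default.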


@@ -1,25 +1,96 @@
# VPN # VPN
## Raspberry Pi Setup
You'll need to configure systemd-networkd to not use ipv6 privacy extensions
/etc/systemd/network/05-end0.conf
```conf
[Match]
Name=end0
[Network]
DHCP=yes
IPv6PrivacyExtensions=false
IPv6AcceptRA=true
```
## Pihole
<https://github.com/pi-hole/pi-hole/#one-step-automated-install>
If you install pihole first pivpn will discover it automatically.
```bash
curl -sSL https://install.pi-hole.net | bash
```
## PiVPN ## PiVPN
<https://www.pivpn.io/> <https://www.pivpn.io/>
1. You'll need to configure systemd-networkd to not use ipv6 privacy extensions ```bash
curl -L https://install.pivpn.io | bash
/etc/systemd/network/05-end0.conf # PiVPN can sometimes have issues after install. Run debug to fix them:
pivpn -d
```
```conf ## Cloudflared (DOH)
[Match]
Name=end0
[Network] <https://docs.pi-hole.net/guides/dns/cloudflared/>
DHCP=yes
IPv6PrivacyExtensions=false
IPv6AcceptRA=true
```
2. Install pivpn ```bash
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
sudo mv -f ./cloudflared-linux-arm64 /usr/local/bin/cloudflared
sudo chmod +x /usr/local/bin/cloudflared
cloudflared -v
```bash sudo useradd -s /usr/sbin/nologin -r -M cloudflared
curl -L https://install.pivpn.io | bash sudo vim /etc/default/cloudflared
```
# Commandline args for cloudflared, using Cloudflare DNS
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
sudo chown cloudflared:cloudflared /etc/default/cloudflared
sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared
sudo vim /etc/systemd/system/cloudflared.service
[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target
[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process
[Install]
WantedBy=multi-user.target
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared
dig @127.0.0.1 -p 5053 google.com
```
Finally, configure Pi-hole to use the local cloudflared service as the upstream DNS server by
specifying 127.0.0.1#5053 as the Custom DNS (IPv4)
```bash
sudo vim /etc/cron.weekly/cloudflared-updater
#!/bin/bash
cloudflared update
systemctl restart cloudflared
sudo chmod +x /etc/cron.weekly/cloudflared-updater
sudo chown root:root /etc/cron.weekly/cloudflared-updater
```
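Review bot: `sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared` and the same chown on `/etc/default/cloudflared` give the unprivileged service account write access to its own binary and its own command line, which inverts the point of running it as a dedicated `nologin` user: a compromised proxy could then replace the executable that the weekly root cron job later restarts. Keep both files owned by `root:root` (the service only needs read and execute), and consider adding `NoNewPrivileges=true` and `ProtectSystem=strict` to the `[Service]` section. The download also fetches `releases/latest` over HTTPS with no checksum or signature check; pinning a version and verifying it, or installing from Cloudflare's package repository, would make the install reproducible. Lastly, "Run debug to fix them: `pivpn -d`" is vague about what actually fails; the README would be clearer with the symptom it addresses, and the cloudflared block mixes shell commands with the contents of `/etc/default/cloudflared` and the unit file in one `bash` fence, so it cannot be pasted as written; split the file contents into their own fences or write them with heredocs as the Route53 section already does.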