pivpn update and working with doh

2024-07-20 01:49:58 -04:00
parent 697e08ed78
commit fd1fde499d
8 changed files with 130 additions and 35 deletions
--- a/certmanager/letsencrypt-issuer.yaml
+++ b/certmanager/letsencrypt-issuer.yaml
@@ -1,18 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt
-spec:
-  acme:
-    # The ACME server URL
-    server: https://acme-v02.api.letsencrypt.org/directory
-    # Email address used for ACME registration
-    email: nginx@ducoterra.net
-    # Name of a secret used to store the ACME account private key
-    privateKeySecretRef:
-      name: letsencrypt
-    # Enable the HTTP-01 challenge provider
-    solvers:
-    - http01:
-        ingress:
-          class: nginx
--- a/k3s/README.md
+++ b/k3s/README.md
@@ -276,7 +276,49 @@ helm upgrade --install \
 Create the let's encrypt issuer (Route53 DNS)

 ```bash
-kubectl apply -f certmanager/letsencrypt-issuer.yaml
+export LE_ACCESS_KEY_ID=
+export LE_SECRET_KEY=
+
+cat <<EOF > secrets/cert-manager-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: prod-route53-credentials-cert-manager
+data:
+  access-key-id: $(echo $LE_ACCESS_KEY_ID | base64)
+  secret-access-key: $(echo $LE_SECRET_KEY | base64)
+EOF
+
+kubectl apply -f secrets/cert-manager-secret.yaml
+```
+
+```bash
+cat <<EOF > secrets/route53-cluster-issuer.yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: nginx@ducoterra.net
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+    - selector:
+        dnsZones:
+          - "reeseapps.com"
+      dns01:
+        route53:
+          region: us-east-1
+          hostedZoneID: Z012820733346FJ0U4FUF
+          accessKeyID: ${LE_ACCESS_KEY_ID}
+          secretAccessKeySecretRef:
+            name: prod-route53-credentials-cert-manager
+            key: secret-access-key
+EOF
+
+kubectl apply -f secrets/route53-cluster-issuer.yaml
 ```

 You can test if your ingress is working with:
--- a/pihole_blocklist/README.md
+++ b/pihole_blocklist/README.md
@@ -21,7 +21,7 @@ podman-compose push
 helm upgrade --install \
    --namespace pihole \
    --create-namespace \
-    blocklist ./helm/blocklist
+    blocklist ./pihole_blocklist/helm
 ```

 ## Notes
--- a/pihole_blocklist/helm/blocklist/.helmignore
+++ b/pihole_blocklist/helm/blocklist/.helmignore
--- a/pihole_blocklist/helm/blocklist/Chart.yaml
+++ b/pihole_blocklist/helm/blocklist/Chart.yaml
--- a/pihole_blocklist/helm/blocklist/templates/blocklist.yaml
+++ b/pihole_blocklist/helm/blocklist/templates/blocklist.yaml
@@ -52,10 +52,10 @@ metadata:
  name: {{ .Release.Name }}
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
-    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.org/client-max-body-size: "0"
 spec:
+  ingressClassName: nginx
  rules:
  - host: {{ .Values.domain }}
    http:
--- a/pihole_blocklist/helm/blocklist/values.yaml
+++ b/pihole_blocklist/helm/blocklist/values.yaml
--- a/vpn/README.md
+++ b/vpn/README.md
@@ -1,25 +1,96 @@
 # VPN

+## Raspberry Pi Setup
+
+You'll need to configure systemd-networkd to not use ipv6 privacy extensions
+
+/etc/systemd/network/05-end0.conf
+
+```conf
+[Match]
+Name=end0
+
+[Network]
+DHCP=yes
+IPv6PrivacyExtensions=false
+IPv6AcceptRA=true
+```
+
+## Pihole
+
+<https://github.com/pi-hole/pi-hole/#one-step-automated-install>
+
+If you install pihole first pivpn will discover it automatically.
+
+```bash
+curl -sSL https://install.pi-hole.net | bash
+```
+
 ## PiVPN

 <https://www.pivpn.io/>

-1. You'll need to configure systemd-networkd to not use ipv6 privacy extensions
+```bash
+curl -L https://install.pivpn.io | bash

-    /etc/systemd/network/05-end0.conf
+# PiVPN can sometimes have issues after install. Run debug to fix them:
+pivpn -d
+```

-    ```conf
-    [Match]
-    Name=end0
+## Cloudflared (DOH)

-    [Network]
-    DHCP=yes
-    IPv6PrivacyExtensions=false
-    IPv6AcceptRA=true
-    ```
+<https://docs.pi-hole.net/guides/dns/cloudflared/>

-2. Install pivpn
+```bash
+wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
+sudo mv -f ./cloudflared-linux-arm64 /usr/local/bin/cloudflared
+sudo chmod +x /usr/local/bin/cloudflared
+cloudflared -v

-    ```bash
-    curl -L https://install.pivpn.io | bash
-    ```
+sudo useradd -s /usr/sbin/nologin -r -M cloudflared
+sudo vim /etc/default/cloudflared
+
+# Commandline args for cloudflared, using Cloudflare DNS
+CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
+
+sudo chown cloudflared:cloudflared /etc/default/cloudflared
+sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared
+
+sudo vim /etc/systemd/system/cloudflared.service
+
+[Unit]
+Description=cloudflared DNS over HTTPS proxy
+After=syslog.target network-online.target
+
+[Service]
+Type=simple
+User=cloudflared
+EnvironmentFile=/etc/default/cloudflared
+ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
+Restart=on-failure
+RestartSec=10
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
+
+sudo systemctl enable cloudflared
+sudo systemctl start cloudflared
+sudo systemctl status cloudflared
+
+dig @127.0.0.1 -p 5053 google.com
+```
+
+Finally, configure Pi-hole to use the local cloudflared service as the upstream DNS server by
+specifying 127.0.0.1#5053 as the Custom DNS (IPv4)
+
+```bash
+sudo vim /etc/cron.weekly/cloudflared-updater
+
+#!/bin/bash
+cloudflared update
+systemctl restart cloudflared
+
+sudo chmod +x /etc/cron.weekly/cloudflared-updater
+sudo chown root:root /etc/cron.weekly/cloudflared-updater
+```