FreedomBox

nik/FreedomBox

Fork 0

mirror of https://github.com/freedombox/FreedomBox.git synced 2026-01-28 08:03:36 +00:00

Commit Graph

Author	SHA1	Message	Date
Sunil Mohan Adapa	0817e7af45	names: Use systemd-resolved for DNS resolution - Disable mDNS resolution. While we can migrate our DNS-SD service definition files to systemd-resolved and switch from using avahi to systemd-resolved, many programs still solely depend on avahi-daemon. Examples include cups and GNOME. It is not clear if they will work any mDNS daemon or if they interact with avahi-daemon in other ways that the mDNS protocol. So, for now, disable mDNS in systemd-resolved and continue to use avahi-daemon for it. This is also Fedora's default. - Re-introduce Fallback DNS servers with the value same as the upstream systemd project. Debian removes the default fallback DNS servers likely because they could be considered a privacy violation. However, when systemd-resolved package is first installed, the post install script recommends a reboot instead of feeding the currently configured nameservers from /etc/resolve.conf into systemd-resolved. Immediately, this causes the system not be able to connect to any external servers. While this may be acceptable solution for interactive systems and pre-built images, FreedomBox has to a) be available for remote access b) perform upgrades without user intervention (and without reboot until a day). To mitigate privacy concerns, an option to disable these fallback servers will be provided in the UI. - systemd-resolved's stub resolver runs on 127.0.0.53%lo:53 and 127.0.0.54. This does not conflict either with shared connections which listen on 10.42.x.1 or with bind which listens on 127.0.0.1 (and other IP addresses). This MR does not address the existing conflict between bind and shared network connections. However, it does not cause any further conflicts. Tests: * mDNS - Avahi diagnostics works. daemon is running. mdns port is exposed in the firewall. - systemd-resolved does not listen on mDNS ports. - Running avahi-browse shows freedombox on local network. - Running avahi-browse shows the services ssh, sftp-ssh, http and ejabberd. - Machine can be discovered in Gnome Files. * NetworkManager shared connections - After install/upgrade to systemd-resolved, 'shared' connections can be created. - With a 'shared' connection configured and active, it is possible to upgrade to using systemd-resolved. - Resolving domains from a machine on shared network goes via systemd-resolved on FreedomBox. * Bind - Installing, running tests on bind works. - Programs connecting from outside network can connect to bind as expected. - Programs connecting from local machine can connect to bind as expected. * Upgrading works - Upgrading to new FreedomBox package works - systemd-resolved is installed and running. 'resolvectl' shows a proper name server (or fallback nameserver like 1.1.1.1). - libnss-resolve is installed and configured in /etc/nsswitch.conf - /etc/resolv.conf has proper link to /run/systemd/resolve/stub-resolv.conf. - Programs using /etc/resolv.conf directly work. Install python3-pycares. python3 -m pycares freedombox.org. - NetworkManager has passed on proper DNS entries. In logs dns=systemd-resolved, rc-manager=unmanaged, plugin=systemd-resolved - DNS resolution works after first setup. Installing packages works. - 'resolvectl query' resolution works. - Programs using glibc API resolution such as 'ping' work. * Fresh image - Building an image with new freedombox package works without error. - Booting from fresh images works. - systemd-resolved is installed and running. 'resolvectl' show proper name server. - libnss-resolve is installed and configured in /etc/nsswitch.conf - /etc/resolv.conf has proper link to /run/systemd/resolve/stub-resolv.conf - Programs using /etc/resolv.conf directly work. Install python3-pycares. python3 -m pycares wikipedia.org - NetworkManager has passed on proper DNS entries. In logs dns=systemd-resolved, rc-manager=unmanaged, plugin=systemd-resolved - DNS resolution works after first setup. Installing packages works. * Installing package on Debian - Installing new freedombox package in Debian machine works. - systemd-resolved is installed and running. - libnss-resolve is installed and configured. - /etc/resolv.conf has proper link to /run - NetworkManager has passed on proper DNS entries to systemd-resolved using 'nmcli reload dns-rc'. - Resolution works with fallback DNS servers when network interfaces are configured with /etc/network/interfaces * OpenVPNs works - As a server, we don't push DNS servers to the client. So, a client continues to use its old DNS servers. With systemd-resolved running on server, the client is able to connect to OpenVPN server, route traffic to the internet, and resolve DNS queries. * WireGuard works - As a server, we can't push DNS servers to the client. So, a client continues to use its old DNS servers. With systemd-resolved running on server, the client is able to connect to WireGuard server, route traffic to the internet, and resolve DNS queries. - As a client, server does not push DNS servers to the client. So, a client continues to use its old DNS servers. With systemd-resolved running on the client, the client is able to connect to WireGuard server, route traffic to the internet, and resolve DNS queries. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: Veiko Aasa <veiko17@disroot.org>	2024-09-04 10:28:47 +03:00
Sunil Mohan Adapa	40eecb6446	*: Move modules-enabled files to /usr/share - This will leave /etc/{plinth,freedombox} empty by default making service more robust to run across various environments and situations. See systemd's explanation for more details. - Use Debian maintainer scripts remove all the existing files in /etc/plinth/modules-enabled. - Read from /usr/share/freedombox/modules-enabled then from /etc/plinth/modules-enabled and finally from /etc/freedombox/modules-enabled. Later read ones override previously read files. Any file pointing to /dev/null will mean the module must be ignored. Tests: - Clean up /etc/plinth, /etc/freedombox and /usr/share/freedombox/modules-enabled. Run service and notice that files are getting loaded from development folder using a debug message. - Run setup.py and notice that files get installed in /usr/share/freedombox/modules-enabled/ and in the next run they get loaded from there. - Create a override file in /etc/plinth/modules-enabled/transmission and notice that overriden file gets priority over the one in /usr/share/freedombox/modules-enabled. - Link the file /etc/plinth/modules-enabled/transmission to /dev/null and notice that is not loaded. - Create another file in /etc/freedombox/modules-enabled/transmission and notice that it overrides the previous two files. - All affected modules are loaded. - Build a new Debian package and ensure that upgrading 23.8 to new version removes are all configuration files. - Build developer documentation and test that Tutorial -> Full Code and Tutorial -> Skeleton sections have been updated with references to -.../modules-enabled/... paths. - Install quassel and notice that certificates were copied to /var/lib/quassel directory. Change domain to another domain and notice that certificates were copied again to that directory. Reviewed-by: James Valleroy <jvalleroy@mailbox.org>	2023-05-13 07:08:43 -04:00
Sunil Mohan Adapa	fdcbd46513	setup: Move app enabling files to respective apps Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>	2019-03-17 16:20:54 -04:00

Author

SHA1

Message

Date

Sunil Mohan Adapa

0817e7af45

names: Use systemd-resolved for DNS resolution

- Disable mDNS resolution. While we can migrate our DNS-SD service definition
files to systemd-resolved and switch from using avahi to systemd-resolved, many
programs still solely depend on avahi-daemon. Examples include cups and GNOME.
It is not clear if they will work any mDNS daemon or if they interact with
avahi-daemon in other ways that the mDNS protocol. So, for now, disable mDNS in
systemd-resolved and continue to use avahi-daemon for it. This is also Fedora's
default.

- Re-introduce Fallback DNS servers with the value same as the upstream systemd
project. Debian removes the default fallback DNS servers likely because they
could be considered a privacy violation. However, when systemd-resolved package
is first installed, the post install script recommends a reboot instead of
feeding the currently configured nameservers from /etc/resolve.conf into
systemd-resolved. Immediately, this causes the system not be able to connect to
any external servers. While this may be acceptable solution for interactive
systems and pre-built images, FreedomBox has to a) be available for remote
access b) perform upgrades without user intervention (and without reboot until a
day). To mitigate privacy concerns, an option to disable these fallback servers
will be provided in the UI.

- systemd-resolved's stub resolver runs on 127.0.0.53%lo:53 and 127.0.0.54. This
does not conflict either with shared connections which listen on 10.42.x.1 or
with bind which listens on 127.0.0.1 (and other IP addresses). This MR does not
address the existing conflict between bind and shared network connections.
However, it does not cause any further conflicts.

Tests:

* mDNS

- Avahi diagnostics works. daemon is running. mdns port is exposed in the
firewall.

- systemd-resolved does not listen on mDNS ports.

- Running avahi-browse shows freedombox on local network.

- Running avahi-browse shows the services ssh, sftp-ssh, http and ejabberd.

- Machine can be discovered in Gnome Files.

* NetworkManager shared connections

- After install/upgrade to systemd-resolved, 'shared' connections can be
created.

- With a 'shared' connection configured and active, it is possible to upgrade to
using systemd-resolved.

- Resolving domains from a machine on shared network goes via systemd-resolved
on FreedomBox.

* Bind

- Installing, running tests on bind works.

- Programs connecting from outside network can connect to bind as expected.

- Programs connecting from local machine can connect to bind as expected.

* Upgrading works

- Upgrading to new FreedomBox package works

- systemd-resolved is installed and running. 'resolvectl' shows a proper name
server (or fallback nameserver like 1.1.1.1).

- libnss-resolve is installed and configured in /etc/nsswitch.conf

- /etc/resolv.conf has proper link to /run/systemd/resolve/stub-resolv.conf.

- Programs using /etc/resolv.conf directly work. Install python3-pycares.
python3 -m pycares freedombox.org.

- NetworkManager has passed on proper DNS entries. In logs dns=systemd-resolved,
rc-manager=unmanaged, plugin=systemd-resolved

- DNS resolution works after first setup. Installing packages works.

- 'resolvectl query' resolution works.

- Programs using glibc API resolution such as 'ping' work.

* Fresh image

- Building an image with new freedombox package works without error.

- Booting from fresh images works.

- systemd-resolved is installed and running. 'resolvectl' show proper name
server.

- libnss-resolve is installed and configured in /etc/nsswitch.conf

- /etc/resolv.conf has proper link to /run/systemd/resolve/stub-resolv.conf

- Programs using /etc/resolv.conf directly work. Install python3-pycares.
python3 -m pycares wikipedia.org

- NetworkManager has passed on proper DNS entries. In logs dns=systemd-resolved,
rc-manager=unmanaged, plugin=systemd-resolved

- DNS resolution works after first setup. Installing packages works.

* Installing package on Debian

- Installing new freedombox package in Debian machine works.

- systemd-resolved is installed and running.

- libnss-resolve is installed and configured.

- /etc/resolv.conf has proper link to /run

- NetworkManager has passed on proper DNS entries to systemd-resolved using
'nmcli reload dns-rc'.

- Resolution works with fallback DNS servers when network interfaces are
configured with /etc/network/interfaces

* OpenVPNs works

- As a server, we don't push DNS servers to the client. So, a client continues
to use its old DNS servers. With systemd-resolved running on server, the client
is able to connect to OpenVPN server, route traffic to the internet, and resolve
DNS queries.

* WireGuard works

- As a server, we can't push DNS servers to the client. So, a client continues
to use its old DNS servers. With systemd-resolved running on server, the client
is able to connect to WireGuard server, route traffic to the internet, and
resolve DNS queries.

- As a client, server does not push DNS servers to the client. So, a client
continues to use its old DNS servers. With systemd-resolved running on the
client, the client is able to connect to WireGuard server, route traffic to the
internet, and resolve DNS queries.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>

2024-09-04 10:28:47 +03:00

Sunil Mohan Adapa

40eecb6446

*: Move modules-enabled files to /usr/share

- This will leave /etc/{plinth,freedombox} empty by default making service more
robust to run across various environments and situations. See systemd's
explanation for more details.

- Use Debian maintainer scripts remove all the existing files in
/etc/plinth/modules-enabled.

- Read from /usr/share/freedombox/modules-enabled then from
/etc/plinth/modules-enabled and finally from /etc/freedombox/modules-enabled.
Later read ones override previously read files. Any file pointing to /dev/null
will mean the module must be ignored.

Tests:

- Clean up /etc/plinth, /etc/freedombox and
/usr/share/freedombox/modules-enabled. Run service and notice that files are
getting loaded from development folder using a debug message.

- Run setup.py and notice that files get installed in
/usr/share/freedombox/modules-enabled/ and in the next run they get loaded from
there.

- Create a override file in /etc/plinth/modules-enabled/transmission and notice
that overriden file gets priority over the one in
/usr/share/freedombox/modules-enabled.

- Link the file /etc/plinth/modules-enabled/transmission to /dev/null and notice
that is not loaded.

- Create another file in /etc/freedombox/modules-enabled/transmission and notice
that it overrides the previous two files.

- All affected modules are loaded.

- Build a new Debian package and ensure that upgrading 23.8 to new version
removes are all configuration files.

- Build developer documentation and test that Tutorial -> Full Code and Tutorial
-> Skeleton sections have been updated with references to
-.../modules-enabled/... paths.

- Install quassel and notice that certificates were copied to /var/lib/quassel
directory. Change domain to another domain and notice that certificates were
copied again to that directory.

Reviewed-by: James Valleroy <jvalleroy@mailbox.org>

2023-05-13 07:08:43 -04:00

Sunil Mohan Adapa

fdcbd46513

setup: Move app enabling files to respective apps

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>

2019-03-17 16:20:54 -04:00

3 Commits