Development
This commit is contained in:
parent a4652866c3
commit 27eaea3d73
19 changed files with 602 additions and 427 deletions
README.md (16 changes)
@ -20,19 +20,18 @@ These scripts do not run continuously in the background. They install and facili
## Capabilities
The suite is organized into three independent but complementary scripts, each managing one layer of the stack:
The suite is organized into independent but complementary scripts, each managing one layer of the stack:
### Core: DHCP, DNS, Blocklists, Firewall, RADIUS, mDNS, and WireGuard VPN (`core.py`)
### Core: DHCP, DNS, Firewall, RADIUS, mDNS, and WireGuard VPN (`core.py`)
- Configures VLAN sub-interfaces via `systemd-networkd`
- Assigns static or dynamic DHCP reservations by MAC address and hostname
- Defines dynamic IP pools per VLAN
- Manages per-VLAN gateway, DNS, and NTP settings derived from `server_identities`
- Runs one `dnsmasq` instance per VLAN, each bound exclusively to its gateway IP, giving true per-VLAN DNS filtering
- Downloads and merges blocklists from upstream providers you choose (e.g. OISD, Hagezi)
- Applies per-VLAN content filtering - VLANs with different blocklist sets each get their own merged blocklist
- Applies per-VLAN content filtering - VLANs with different blocklist sets each get their own merged blocklist (blocklists are downloaded and merged by `dns-blocklists.py`)
- Supports local hostname overrides (split DNS for DDNS hostnames)
- Installs a daily `systemd` timer to refresh blocklists
- Installs a daily `systemd` timer that runs `dns-blocklists.py` to refresh blocklists
- Tracks lifetime DNS metrics (queries forwarded, cache hits, authoritative, TCP peaks, pool usage)
- Builds `nftables` tables atomically - safe to re-apply without service disruption
- Handles port forwarding (DNAT/SNAT) for externally accessible services
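Review bot: with the download moved out of `core.py`, the new bullet "Applies per-VLAN content filtering ... (blocklists are downloaded and merged by `dns-blocklists.py`)" leaves the first-apply case undocumented. `core.py --apply` installs the daily timer that runs `dns-blocklists.py`, so on a fresh host the merged blocklist conf files that the per-VLAN `dnsmasq` instances load do not exist until that timer, or a manual run, has completed. The README should say what `core.py` does in that window: write an empty placeholder conf so every instance still starts, omit the include, or fail the apply. Since the two scripts now call each other (the timer runs `dns-blocklists.py`, which in turn runs `core.py --apply`), it is also worth stating that the apply triggered from the timer only reloads the `dnsmasq` instances and does not re-install or restart the timer unit.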
@ -50,6 +49,13 @@ The suite is organized into three independent but complementary scripts, each ma
- Supports any number of WireGuard VPN interfaces (`is_vpn: true` VLANs); generates the server keypair on first apply, writes the server conf to `/etc/wireguard/`, and brings the interface up with `wg-quick`; subsequent applies sync peer changes live without restarting the interface
- Supports per-peer split-tunnel (VPN subnet only) or full-tunnel (all traffic) routing; peer data is stored directly in `core.json`
### Optional: DNS Blocklists (`dns-blocklists.py`)
- Downloads blocklists from upstream providers you choose (e.g. OISD, Hagezi)
- Merges them per unique VLAN combination into conf files loaded by `dnsmasq`
- Runs `core.py --apply` after a successful download to reload all instances
- Invoked by the daily `systemd` timer installed by `core.py --apply`
### Optional: DDNS (`ddns.py`)
- Detects the current public IP by rotating through multiple IP-check services
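Review bot: "Runs `core.py --apply` after a successful download to reload all instances" should define what counts as successful, because the reload pushes the merged conf into every per-VLAN `dnsmasq` instance at once: a truncated transfer, or an upstream that answers with an HTML error page, would otherwise take down DNS on all VLANs in a single step. Suggest the section document (and the script enforce, if it does not already) that each list is fetched over HTTPS, checked to be non-empty and parseable, written to a temporary file and renamed into place, and that the resulting conf passes `dnsmasq --test` before `core.py --apply` is invoked, keeping the previous merged conf when any step fails. Separately, the heading says Optional while the Core section states that `core.py --apply` installs the daily timer that runs this script; clarify whether the timer is only installed when a VLAN actually references a blocklist.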