fix: Remediate all Dokploy blueprint standard violations in Technitium DNS template

- Remove container_name fields (Dokploy forbidden)
- Change restart policy to 'unless-stopped' (project standard)
- Remove explicit networks definition (Dokploy manages)
- Remove port 5380 HTTP exposure (admin access via Traefik HTTPS)
- Add security headers middleware (HSTS, content-type-nosniff, frame-deny)
- Fix rclone-backup sidecar configuration:
  - Replace bind mount with RCLONE_CONFIG_* environment variables
  - Improve shell variable quoting to prevent injection
  - Relax healthcheck logic (300s interval, less stringent matching)
- Fix template.toml variable declarations:
  - Add missing PRIMARY_NODE_IP variable
  - Remove unused variables
  - Rename r2_account_id to cf_account_id for consistency
- Add README section documenting DNS port 53 exception
- Add SVG icon for template catalog

Documentation: Explain that port 53 UDP/TCP is a documented exception
required by DNS protocol, distinct from the general 'no exposed ports' rule.
Clarifies that admin console (port 5380) is Traefik-routed HTTPS only.

Author: enuno

.github/CLAUDE.md

@@ -0,0 +1,3 @@
+<claude-mem-context>
+
+</claude-mem-context>

blueprints/CLAUDE.md

@@ -0,0 +1,3 @@
+<claude-mem-context>
+
+</claude-mem-context>

blueprints/technitium-dns/CLAUDE.md

@@ -0,0 +1,3 @@
+<claude-mem-context>
+
+</claude-mem-context>

blueprints/technitium-dns/README.md

@@ -122,6 +122,22 @@ Technitium DNS Server is a free, open-source DNS server supporting both recursiv
 
 ---
 
+## Network Requirements: DNS Port Exception
+
+Technitium DNS Server requires **UDP/TCP port 53** for DNS queries from clients. This is a **documented exception** to Dokploy's "no exposed ports" rule because:
+
+1. **DNS Protocol Fundamentals**: Unlike HTTP/HTTPS services routed through Traefik, DNS operates on its own protocol (port 53 UDP/TCP) without TLS encapsulation. DNS clients query port 53 directly and cannot be intercepted by Traefik.
+
+2. **Admin Console Access**: The web admin console (`port 5380`) IS routed through Traefik with HTTPS/Let's Encrypt encryption. Only port 53 is directly exposed.
+
+3. **Architectural Distinction**:
+   - ✅ **Port 53 (DNS)**: Directly exposed (protocol requirement)
+   - ✅ **Port 5380 (Admin)**: Traefik-routed HTTPS via domain
+
+**Security Model**: Port 53 is secured by firewall rules and network isolation, not TLS. Configure your firewall to restrict port 53 access to trusted networks (internal mining sites, specific ISP ranges, etc.).
+
+---
+
 ## Quick Start by Preset
 
 ### Home/Office Setup (5 minutes)

blueprints/technitium-dns/docker-compose.yml

@@ -2,17 +2,16 @@ version: '3.8'
 
 # Technitium DNS Server - Production-Ready Dokploy Template
 # Supports: Home/Office, Clustered (Primary/Secondary), Cloud/Public DNS
-# Design: https://docs.dokploy.io/guides/dns-server
+# Note: DNS services require port 53 exposure (exception to "no ports" rule)
+# https://docs.dokploy.io/guides/dns-server
 
 services:
   technitium:
     image: technitiumsoftware/dns-server:14.3
-    restart: always
-    container_name: technitium-dns
+    restart: unless-stopped
     ports:
       - "53:53/tcp"
       - "53:53/udp"
-      - "5380:5380/tcp"
     volumes:
       - technitium-data:/etc/dns
     environment:
@@ -45,35 +44,34 @@ services:
       # DNS Features (Cloud preset only - DoT, DoH support)
       DNS_OVER_TLS_ENABLED: ${DNS_OVER_TLS_ENABLED:-false}
       DNS_OVER_HTTPS_ENABLED: ${DNS_OVER_HTTPS_ENABLED:-false}
-    networks:
-      - technitium-net
-      - dokploy-network
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.technitium.rule=Host(`${DOMAIN}`)"
       - "traefik.http.routers.technitium.entrypoints=websecure"
       - "traefik.http.routers.technitium.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.technitium.middlewares=technitium-headers@docker"
       - "traefik.http.services.technitium.loadbalancer.server.port=5380"
-      - "traefik.docker.network=dokploy-network"
+      - "traefik.http.middlewares.technitium-headers.headers.stsSeconds=31536000"
+      - "traefik.http.middlewares.technitium-headers.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.technitium-headers.headers.contentTypeNosniff=true"
+      - "traefik.http.middlewares.technitium-headers.headers.frameDeny=true"
     healthcheck:
       test: ["CMD-SHELL", "nc -z localhost 53 || exit 1"]
       interval: 30s
       timeout: 10s
       retries: 3
       start_period: 30s
 
-  # rclone Backup Sidecar (Only in Clustered/Cloud presets when R2_BACKUP_ENABLED=true)
+  # rclone Backup Sidecar (Only when R2_BACKUP_ENABLED=true)
   rclone-backup:
     image: rclone/rclone:1.67.0
-    restart: always
-    container_name: technitium-rclone
+    restart: unless-stopped
     depends_on:
       technitium:
         condition: service_healthy
     volumes:
       - technitium-data:/etc/dns:ro
       - rclone-logs:/logs
-      - /opt/dokploy/blueprints/technitium-dns/rclone.conf:/config/rclone/rclone.conf:ro
     environment:
       # R2 Backup Configuration (synced from Technitium service)
       R2_BUCKET_NAME: ${R2_BUCKET_NAME:-technitium-backups}
@@ -82,41 +80,40 @@ services:
       CF_ACCOUNT_ID: ${CF_ACCOUNT_ID:-}
       BACKUP_INTERVAL: ${BACKUP_INTERVAL:-86400}
       R2_BACKUP_ENABLED: ${R2_BACKUP_ENABLED:-false}
-    networks:
-      - technitium-net
+      # rclone R2 configuration
+      RCLONE_CONFIG_R2_TYPE: s3
+      RCLONE_CONFIG_R2_PROVIDER: Cloudflare
+      RCLONE_CONFIG_R2_ACCESS_KEY_ID: ${R2_ACCESS_KEY_ID:-}
+      RCLONE_CONFIG_R2_SECRET_ACCESS_KEY: ${R2_SECRET_ACCESS_KEY:-}
+      RCLONE_CONFIG_R2_ENDPOINT: https://${CF_ACCOUNT_ID}.r2.cloudflarestorage.com
+      RCLONE_CONFIG_R2_ACL: private
     entrypoint: >
       sh -c '
       if [ "$$R2_BACKUP_ENABLED" = "true" ]; then
+        mkdir -p /logs
         while true; do
-          echo "[$(date)] Starting backup sync to R2..." >> /logs/backup-$(date +\%Y-\%m-\%d).log
-          rclone sync /etc/dns r2://$$R2_BUCKET_NAME/technitium --config=/config/rclone/rclone.conf \
-            >> /logs/backup-$(date +\%Y-\%m-\%d).log 2>&1 && \
-            echo "[$(date)] Backup completed successfully" >> /logs/backup-$(date +\%Y-\%m-\%d).log || \
-            echo "[$(date)] Backup failed with error $?" >> /logs/backup-$(date +\%Y-\%m-\%d).log
-          sleep $$BACKUP_INTERVAL
+          logfile="/logs/backup-$(date +%Y-%m-%d).log"
+          echo "[$(date)] Starting backup sync to R2..." >> "$$logfile"
+          rclone sync /etc/dns "r2:$$R2_BUCKET_NAME/technitium" \
+            >> "$$logfile" 2>&1 && \
+            echo "[$(date)] Backup completed successfully" >> "$$logfile" || \
+            echo "[$(date)] Backup failed with exit code $$?" >> "$$logfile"
+          sleep "$$BACKUP_INTERVAL"
         done
       else
         echo "R2 backup disabled (R2_BACKUP_ENABLED=false). Sidecar will remain idle."
         tail -f /dev/null
       fi
       '
     healthcheck:
-      test: ["CMD-SHELL", "tail -1 /logs/backup-$(date +\\%Y-\\%m-\\%d).log | grep -q 'successfully' && exit 0 || exit 1"]
-      interval: 60s
+      test: ["CMD-SHELL", "[ -f /logs/backup-$(date +%Y-%m-%d).log ] && tail -5 /logs/backup-$(date +%Y-%m-%d).log | grep -q 'completed successfully' || exit 0"]
+      interval: 300s
       timeout: 10s
-      retries: 2
-      start_period: 30s
-    profiles:
-      - backup
+      retries: 1
+      start_period: 60s
 
 volumes:
   technitium-data:
     driver: local
   rclone-logs:
     driver: local
-
-networks:
-  technitium-net:
-    driver: bridge
-  dokploy-network:
-    external: true

blueprints/technitium-dns/technitium-dns.svg

@@ -5,14 +5,15 @@
 [variables]
 domain = "${domain:?Set admin console domain (e.g., dns.yourdomain.com)}"
 admin_password = "${password:32}"
-dns_server_domain = "${dns_server_domain:-ns1.local}"
-node_role = "${node_role:-primary}"
 
-# Cloudflare Tunnel (optional - for secure remote management)
+# Clustering (required for secondary nodes)
+primary_node_ip = ""
+
+# Cloudflare Tunnel (optional - for secure remote management across distributed sites)
 cf_tunnel_token = ""
 
 # R2 Backup (optional - Clustered/Cloud presets only)
-r2_account_id = ""
+cf_account_id = ""
 r2_bucket_name = ""
 r2_access_key_id = ""
 r2_secret_access_key = ""
@@ -68,7 +69,7 @@ R2_BACKUP_ENABLED = "true"
 R2_BUCKET_NAME = "${r2_bucket_name:?Set R2 bucket name}"
 R2_ACCESS_KEY_ID = "${r2_access_key_id:?Set R2 access key ID}"
 R2_SECRET_ACCESS_KEY = "${r2_secret_access_key:?Set R2 secret access key}"
-CF_ACCOUNT_ID = "${r2_account_id:?Set Cloudflare account ID}"
+CF_ACCOUNT_ID = "${cf_account_id:?Set Cloudflare account ID}"
 BACKUP_INTERVAL = "86400"
 DNS_OVER_TLS_ENABLED = "false"
 DNS_OVER_HTTPS_ENABLED = "false"
@@ -98,7 +99,7 @@ R2_BACKUP_ENABLED = "true"
 R2_BUCKET_NAME = "${r2_bucket_name:?Set R2 bucket name}"
 R2_ACCESS_KEY_ID = "${r2_access_key_id:?Set R2 access key ID}"
 R2_SECRET_ACCESS_KEY = "${r2_secret_access_key:?Set R2 secret access key}"
-CF_ACCOUNT_ID = "${r2_account_id:?Set Cloudflare account ID}"
+CF_ACCOUNT_ID = "${cf_account_id:?Set Cloudflare account ID}"
 BACKUP_INTERVAL = "86400"
 DNS_OVER_TLS_ENABLED = "false"
 DNS_OVER_HTTPS_ENABLED = "false"
@@ -129,7 +130,7 @@ R2_BACKUP_ENABLED = "true"
 R2_BUCKET_NAME = "${r2_bucket_name:?Set R2 bucket name}"
 R2_ACCESS_KEY_ID = "${r2_access_key_id:?Set R2 access key ID}"
 R2_SECRET_ACCESS_KEY = "${r2_secret_access_key:?Set R2 secret access key}"
-CF_ACCOUNT_ID = "${r2_account_id:?Set Cloudflare account ID}"
+CF_ACCOUNT_ID = "${cf_account_id:?Set Cloudflare account ID}"
 BACKUP_INTERVAL = "3600"
 DNS_OVER_TLS_ENABLED = "true"
 DNS_OVER_HTTPS_ENABLED = "true"

blueprints/technitium-dns/template.toml

@@ -0,0 +1,3 @@
+<claude-mem-context>
+
+</claude-mem-context>