
Installation Guide (Ubuntu 22.04/Ubuntu 24.04/Debian 12)

NB! The API server must be installed on a server that is already running BIND9 as a master or slave DNS.

1. Install the required packages:

apt install -y curl software-properties-common ufw
add-apt-repository ppa:ondrej/php
apt install -y bzip2 composer git net-tools php8.3 php8.3-bz2 php8.3-cli php8.3-common php8.3-curl php8.3-fpm php8.3-gd php8.3-gmp php8.3-imagick php8.3-intl php8.3-mbstring php8.3-opcache php8.3-readline php8.3-soap php8.3-swoole php8.3-xml unzip wget php8.3-sqlite3 sqlite3

Configure PHP Settings:

  1. Open the PHP-FPM configuration file:
nano /etc/php/8.3/fpm/php.ini

Add or uncomment the following session security settings:

session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = "Strict"
  2. Open the OPCache configuration file:
nano /etc/php/8.3/mods-available/opcache.ini

Verify or add the following OPCache and JIT settings:

opcache.enable=1
opcache.enable_cli=1
opcache.jit=1255
opcache.jit_buffer_size=100M
  3. Restart PHP-FPM to apply the changes:
systemctl restart php8.3-fpm

2. Install and Configure Caddy:

  1. Execute the following commands:
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' -o caddy-stable.gpg.key
gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg caddy-stable.gpg.key
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
apt update
apt install -y caddy
  2. Edit /etc/caddy/Caddyfile and place the following content:
api.example.com {
    bind YOUR_IPV4_ADDRESS YOUR_IPV6_ADDRESS
    reverse_proxy localhost:7650
    encode gzip
    file_server
    tls your-email@example.com
    header -Server
    header * {
        Referrer-Policy "no-referrer"
        Strict-Transport-Security max-age=31536000;
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        X-XSS-Protection "1; mode=block"
        Content-Security-Policy "default-src 'none'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; img-src https:; font-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'none'; form-action 'self'; worker-src 'none'; frame-src 'none';"
        Feature-Policy "accelerometer 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'self'; usb 'none';"
        Permissions-Policy "accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=()"
    }
}

Activate and reload Caddy:

systemctl enable caddy
systemctl restart caddy

3. Set File Permissions:

chown www-data:www-data /etc/bind/named.conf.local
chmod 640 /etc/bind/named.conf.local
chown -R www-data:www-data /etc/bind/zones
find /etc/bind/zones -type d -exec chmod 750 {} +
find /etc/bind/zones -type f -exec chmod 640 {} +

(Directories keep the execute bit so they stay traversable; zone files get 640. Use chown -R root:bind /etc/bind/zones if running as root.)

4. Edit the sudoers file:

sudo visudo

Add the following line (replace www-data with the appropriate user):

www-data ALL=NOPASSWD: /usr/sbin/rndc reload

5. Download BIND9 API:

First, clone the project repository into the /opt/bind9_api directory:

git clone https://github.com/getnamingo/bind9-api-server-sqlite /opt/bind9_api

Next, create the directory for logs. This directory will be used to store log files generated by the API server:

mkdir -p /var/log/plexdns
chown -R www-data:www-data /var/log/plexdns

6. Import Database:

sqlite3 /opt/bind9_api/bind9_api.sqlite < /opt/bind9_api/database/bind9_api.sql
chown www-data:www-data /opt/bind9_api/bind9_api.sqlite
chmod 660 /opt/bind9_api/bind9_api.sqlite

7. Setup API Service:

cd /opt/bind9_api
composer install
mv env-sample .env

Edit the .env with the appropriate preferences as required.

Open create_user.php, set the username and password the API will use, run the script, then delete it after confirming it works.

Copy bind9_api.service to /etc/systemd/system/. Change only User and Group lines to your user and group.

systemctl daemon-reload
systemctl start bind9_api.service
systemctl enable bind9_api.service

After that you can manage the BIND9 API via systemctl like any other service. Finally, restart the Caddy server:

systemctl restart caddy
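A post-install check for the hardening done in steps 1, 3, 4 and 6, added here as an example and not part of the bind9-api-server project. It assumes the paths used in this guide, GNU stat, and that it is run as root so that sudo -l can list another user's rules.

```bash
#!/usr/bin/env bash
# Added example: verify the file modes, owners, php.ini values and sudoers rule
# this guide sets. Each check_*/ini_* function returns 0 on match, 1 otherwise.

# check_mode PATH OCTAL: permission bits must equal OCTAL (e.g. 640, 660).
check_mode() {
  local have
  have=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  [ "$have" = "$2" ]
}

# check_owner PATH USER:GROUP
check_owner() {
  local have
  have=$(stat -c '%U:%G' "$1" 2>/dev/null) || return 1
  [ "$have" = "$2" ]
}

# ini_setting FILE KEY VALUE: an uncommented "KEY = VALUE" line must be present.
# Lines commented out with ';' do not count; quotes around VALUE are ignored and
# the last definition wins, as PHP itself does.
ini_setting() {
  local key want have
  key=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # escape dots for the regex
  want=${3#\"}; want=${want%\"}
  have=$(sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"?([^\";[:space:]]*).*/\1/p" "$1" | tail -n 1)
  [ -n "$have" ] && [ "$have" = "$want" ]
}

# run_checks: the state the guide configures (paths as in steps 1, 3, 4 and 6).
run_checks() {
  local ini=/etc/php/8.3/fpm/php.ini rc=0
  ini_setting "$ini" session.cookie_secure 1        || { echo "php.ini: session.cookie_secure != 1"; rc=1; }
  ini_setting "$ini" session.cookie_httponly 1      || { echo "php.ini: session.cookie_httponly != 1"; rc=1; }
  ini_setting "$ini" session.cookie_samesite Strict || { echo "php.ini: session.cookie_samesite != Strict"; rc=1; }
  check_mode /etc/bind/named.conf.local 640         || { echo "named.conf.local: mode should be 640"; rc=1; }
  check_owner /opt/bind9_api/bind9_api.sqlite www-data:www-data || { echo "bind9_api.sqlite: owner should be www-data"; rc=1; }
  check_mode /opt/bind9_api/bind9_api.sqlite 660    || { echo "bind9_api.sqlite: mode should be 660"; rc=1; }
  # Step 4: only the single rndc reload command should run without a password.
  sudo -n -l -U www-data 2>/dev/null | grep -q 'NOPASSWD: /usr/sbin/rndc reload' \
    || { echo "sudoers: rndc reload rule for www-data missing"; rc=1; }
  return "$rc"
}

# Run against the live server with: bash check_install.sh --live
if [ "${1:-}" = "--live" ]; then run_checks; exit $?; fi
```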

(Optional) 8. Install BIND9:

If needed, here is how to install BIND9.

8.1. Setting your hostname

hostnamectl set-hostname your.hostname.com

Edit the file and add your IP and hostname as in the example below:

nano /etc/hosts
192.0.2.10   your.hostname.com bind

8.2. Install BIND9

Install BIND9 and related utilities:

apt install bind9 bind9utils bind9-doc dnsutils -y

It's good practice to back up the original BIND9 configuration files before making changes.

cp /etc/bind/named.conf.options /etc/bind/named.conf.options.backup
cp /etc/bind/named.conf.local /etc/bind/named.conf.local.backup

Edit the named.conf.options file to set up general options.

nano /etc/bind/named.conf.options

Replace its contents with the following:

options {
    directory "/var/cache/bind";

    // Allow queries from any IP
    allow-query { any; };

    // Listen on all interfaces
    listen-on { any; };
    listen-on-v6 { any; };

    // Enable DNSSEC validation
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on port 53 { any; };
};

Create the zones directory if it doesn't exist:

mkdir -p /etc/bind/zones

Before restarting BIND9, verify the configuration:

sudo named-checkconf

If you are using UFW (Uncomplicated Firewall), execute the following commands:

ufw allow 53/tcp
ufw allow 53/udp

Enable BIND9 to start on boot and start the service:

systemctl enable bind9
systemctl start bind9