Upgrade to UniFiOS 3.x

.justfile

@@ -7,12 +7,6 @@ SSH_HOST := 'root@192.168.16.1'
 default $FZF_DEFAULT_OPTS='--preview-window hidden':
     @just --choose
 
-update:
-    curl -L https://raw.githubusercontent.com/unifi-utilities/unifios-utilities/main/cni-plugins/05-install-cni-plugins.sh -o ./on_boot.d/05-install-cni-plugins.sh
-    curl -L https://raw.githubusercontent.com/unifi-utilities/unifios-utilities/main/dns-common/on_boot.d/10-dns.sh -o ./on_boot.d/10-dns.sh
-    curl -L https://raw.githubusercontent.com/pedropombeiro/udm-utilities/master/run-pihole/custom_pihole_dote.sh -o ./scripts/upd_pihole_dote.sh
-    chmod +x ./on_boot.d/*.sh ./scripts/*.sh
-
 _ssh cmd:
     ssh {{ SSH_FLAGS }} {{ SSH_HOST }} '{{ cmd }}'
 
@@ -35,10 +29,10 @@ dns_config_cmd := '''
     just _rsync --delete ./pihole/ {{ SSH_HOST }}:/data/
     just _rsync ./etc-pihole/ {{ SSH_HOST }}:/data/
     just _ssh '{{ dns_config_cmd }}'
-    just unbound-reload
+    # just unbound-reload
 
 prepare_data_dir_cmd := '''
-    mkdir -p {{ REMOTE_ON_BOOT_D }} /data/scripts /data/podman
+    mkdir -p {{ REMOTE_ON_BOOT_D }} /data/scripts
     rm -rf {{ REMOTE_ON_BOOT_D }}/*.sh /data/scripts/*.sh
 '''
 
@@ -56,11 +50,12 @@ push-config:
     @just _ssh '{{ prepare_data_dir_cmd }}'
     chmod +x ./on_boot.d/*.sh
     @just _rsync --delete ./on_boot.d/ {{ SSH_HOST }}:/data/
-    @just _rsync ./cronjobs/ ./etc-ddns-updater/ ./podman/cni/ ./scripts/ ./settings/ ./system/ {{ SSH_HOST }}:/data/
+    @just _rsync ./cronjobs/ ./custom ./etc-ddns-updater/ ./opt/ ./scripts/ ./settings/ ./system/ {{ SSH_HOST }}:/data/
+    @just _rsync --no-relative ./etc-systemd/ {{ SSH_HOST }}:/etc/systemd/
     just push-dns-config
     @just _ssh '{{ REMOTE_ON_BOOT_D }}/25-add-cron-jobs.sh'
 
-push: push-config (_ssh '/data/scripts/upd_pihole_unbound.sh')
+push: push-config
 
 install-tools: (_ssh '/data/scripts/download-tools.sh')
 

README.md

@@ -15,3 +15,48 @@ The customizations built on top of the utilities provide the following services:
 - Unbound exporter: exporter on TCP port 9167 allowing the Prometheus server on the NAS to retrieve metrics about
   Unbound on TCP port 8953;
 - Pi-hole: Ad-blocking recursive caching DNS provider which delegates the DNS queries to Unbound on UDP port 5335.
+
+### Create VM for Pi-hole/Unbound
+
+SSH into the UDM Pro, and follow the instructions in
+https://github.com/unifi-utilities/unifios-utilities/tree/main/nspawn-container (including the MACVLAN steps).
+
+Install the Prometheus Node Exporter:
+
+```shell
+apt install -y prometheus-node-exporter
+```
+
+Inside the debian-dns container:
+
+```shell
+echo 'pihole' > /etc/hostname
+```
+
+### Unbound
+
+Inside the debian-dns container (`machinectl shell debian-dns`):
+
+```shell
+echo 'pihole' > /etc/hostname
+
+apt -y install curl
+curl -sSL https://install.pi-hole.net | PIHOLE_SKIP_OS_CHECK=true bash
+
+# https://docs.pi-hole.net/guides/dns/unbound/#setting-up-pi-hole-as-a-recursive-dns-server-solution
+
+apt-get install unbound unbound-anchor
+chown -R unbound:unbound /var/lib/unbound
+curl -s https://www.internic.net/domain/named.root | sudo -h pihole -u unbound tee /var/lib/unbound/root.hints
+sudo -h pihole -u unbound unbound-control-setup
+
+# Generate root trust anchor for DNSSEC validation
+sudo -h pihole -u unbound unbound-anchor -a "/var/lib/unbound/root.key"
+
+sudo -h pihole service unbound restart
+
+systemctl enable unbound-exporter
+systemctl start unbound-exporter
+```
+
+At the end, run `apt clean` to remove caches from installed packages.

custom/machines/debian-dns/etc/systemd/network/mv-br6.network

@@ -0,0 +1,7 @@
+[Match]
+Name=mv-br6
+
+[Network]
+IPForward=yes
+Address=192.168.6.254/24
+Gateway=192.168.6.1

custom/machines/debian-dns/etc/systemd/system/unbound-exporter.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Unbound Exporter
+After=network-online.target
+
+[Service]
+ExecStart=/opt/unbound/bin/unbound-exporter
+
+[Install]
+WantedBy=multi-user.target

etc-pihole/setupVars.conf

@@ -14,7 +14,7 @@ IPV4_ADDRESS=192.168.6.254
 LIGHTTPD_ENABLED=true
 PIHOLE_DNS_1=127.0.0.1#5335
 PIHOLE_DOMAIN=dns.pombei.ro
-PIHOLE_INTERFACE=eth0
+PIHOLE_INTERFACE=mv-br6
 QUERY_LOGGING=true
 TEMPERATUREUNIT=C
 WEBPASSWORD=772bdb792293cf2b309fee7d7d10b53cf491ced74ebfcbbaac4bf2c3e20bfadd

etc-systemd/nspawn/debian-dns.nspawn

@@ -0,0 +1,15 @@
+[Exec]
+Boot=on
+ResolvConf=off
+Capability=CAP_SYS_NICE
+
+[Network]
+MACVLAN=br6
+
+[Files]
+Bind=/data/etc-pihole:/etc/pihole
+Bind=/data/pihole/etc-dnsmasq.d/03-user.conf:/etc/dnsmasq.d/03-user.conf
+BindReadOnly=/data/pihole/hosts:/etc/hosts
+
+Bind=/data/unbound/etc/:/etc/unbound/
+Bind=/data/unbound/lib/:/var/lib/unbound/

etc-systemd/system/ddns-updater.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=DDNS Updater
+After=network-online.target
+
+[Service]
+ExecStart=/data/opt/ddns-updater
+Environment=LISTENING_PORT=8001
+Environment=PUBLICIP_DNS_PROVIDERS=cloudflare
+Environment=LOG_LEVEL=info
+Environment=LOG_CALLER=short
+Environment=TZ=Europe/Zurich
+Environment=BACKUP_PERIOD=0
+Environment=BACKUP_DIRECTORY=/data/etc-ddns-updater
+Environment=DATADIR=/data/etc-ddns-updater
+Environment=PERIOD=5m
+Environment=UPDATE_COOLDOWN_PERIOD=5m
+Environment=PUBLICIP_FETCHERS=all
+Environment=PUBLICIP_HTTP_PROVIDERS=all
+Environment=PUBLICIPV4_HTTP_PROVIDERS=all
+Environment=PUBLICIPV6_HTTP_PROVIDERS=all
+Environment=PUBLICIP_DNS_PROVIDERS=all
+Environment=PUBLICIP_DNS_TIMEOUT=3s
+Environment=HTTP_TIMEOUT=10s
+
+[Install]
+WantedBy=multi-user.target

etc-systemd/system/multicast-relay.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Multicast Relay
+After=network-online.target
+
+[Service]
+ExecStart=/usr/bin/python3 /tmp/sonosnet.py --noSonosDiscovery --interfaces eth8 br46 br56 br76 br96
+ExecStartPre=/usr/bin/curl -o /tmp/sonosnet.py \
+https://raw.githubusercontent.com/alsmith/multicast-relay/master/multicast-relay.py
+ExecStop=/bin/kill $(/usr/bin/pgrep -d " " -f " /tmp/sonosnet\.py ")
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

etc-systemd/system/on_boot.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Run On Startup UDM 3.x
+Wants=network-online.target
+After=network-online.target
+StartLimitIntervalSec=500
+StartLimitBurst=5
+
+[Service]
+Restart=on-failure
+RestartSec=5s
+ExecStart=bash -c 'mkdir -p /data/on_boot.d && find -L /data/on_boot.d -mindepth 1 -maxdepth 1 -type f -print0 | sort -z | xargs -0 -r -n 1 -- bash -c \'if test -x "$0"; then echo "%n: running $0"; "$0"; else case "$0" in *.sh) echo "%n: sourcing $0"; . "$0";; *) echo "%n: ignoring $0";; esac; fi\''
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target

on_boot.d/00-setup-system.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+# This script installs systemd-container if it's not installed.
+# Also links any containers from /data/custom/machines to /var/lib/machines.
+
+if ! dpkg -l systemd-container | grep ii >/dev/null; then
+    if ! apt -y install systemd-container debootstrap; then
+        yes | dpkg -i /data/custom/dpkg/*.deb
+    fi
+fi
+
+mkdir -p /var/lib/machines
+for machine in $(ls /data/custom/machines/); do
+	if [ ! -e "/var/lib/machines/$machine" ]; then
+		ln -s "/data/custom/machines/$machine" "/var/lib/machines/"
+		machinectl enable "$machine"
+		machinectl start "$machine"
+	fi
+done