Hairpin Nat workaround

infrastructure/docker/containers/bind9/bind9.tf

@@ -44,6 +44,7 @@ resource "docker_container" "bind9" {
   upload {
     file = "/etc/bind/named.conf.local"
     content = templatefile("${path.module}/named.conf.local", {
+      public_domain = var.public_domain
     })
   }
 
@@ -52,13 +53,26 @@ resource "docker_container" "bind9" {
     container_path = "/var/lib/bind"
     host_path = "/opt/containers/bind9/zones/"
   }
+
+  volumes {
+    container_path = "/var/log"
+    host_path = "/opt/containers/bind9/logs/"
+  }
 
   upload {
     file = "/var/lib/bind/db.home"
     content = templatefile("${path.module}/db.home", {
       server_ip = var.server_ip
     })
   }
+
+  upload {
+    file = "/var/lib/bind/db.public"
+    content = templatefile("${path.module}/db.public", {
+      server_ip = var.server_ip
+      public_domain = var.public_domain
+    })
+  }
 
   upload {
     file = "/etc/bind/home.key"
@@ -67,4 +81,4 @@ resource "docker_container" "bind9" {
       secret = base64encode(random_password.password.result)
     })
   }
-}
+}

infrastructure/docker/containers/bind9/db.public

@@ -0,0 +1,30 @@
+; base zone file for example.com
+$TTL 1h    ; default TTL for zone
+
+$ORIGIN ${public_domain}. ; base domain-name
+
+; Start of Authority RR defining the key characteristics of the zone (domain)
+
+@         IN      SOA   ns1.${public_domain}. hostmaster.${public_domain}. (
+
+                                1 ; serial number
+
+                                12h        ; refresh
+
+                                15m        ; update retry
+
+                                3w         ; expiry
+
+                                2h         ; minimum
+
+                                )
+
+; name server RR for the domain
+
+           IN      NS      ns1.${public_domain}.
+
+; domain hosts includes NS and MX records defined above
+
+; plus any others required
+
+ns1        IN      A       ${server_ip}

infrastructure/docker/containers/bind9/named.conf.local

@@ -12,6 +12,14 @@ zone "home." {
         allow-update { key home; };
 };
 
+zone "${public_domain}." {
+        type primary;
+        file "/var/lib/bind/db.public";
+        notify explicit;
+
+        allow-update { key home; };
+};
+
 // Consider adding the 1918 zones here, if they are not used in your
 // organization
-include "/etc/bind/zones.rfc1918";
+include "/etc/bind/zones.rfc1918";

infrastructure/docker/containers/bind9/named.conf.options

@@ -32,4 +32,29 @@ options {
     allow-update {
             none;
     };
-};
+};
+
+
+logging {
+	channel bind_log {
+		file "/var/log/bind.log" versions 1 size 100M;
+		severity info;
+		print-time yes;
+		print-severity yes;
+		print-category yes;
+	};
+	category resolver {bind_log;};
+	category default {bind_log;};
+	category queries {bind_log;};
+	category client {bind_log;};
+	category config {bind_log;};
+	category notify {bind_log;};
+	category unmatched {bind_log;};
+	category dispatch {bind_log;};
+	category dnssec {bind_log;};
+	category database {bind_log;};
+	category security {bind_log;};
+	category network {bind_log;};
+	category rate-limit {bind_log;};
+	category lame-servers {bind_log;};	
+};

infrastructure/docker/containers/bind9/variables.tf

@@ -9,4 +9,8 @@ variable "wan_network_name" {
 
 variable "server_ip" {
   type        = string
-}
+}
+
+variable "public_domain" {
+  type        = string
+}

infrastructure/docker/dns_internal.tf

@@ -8,6 +8,7 @@ module "bind9" {
 
   source = "./containers/bind9"
   server_ip = var.docker_web_host
+  public_domain = var.base_domain
 }
 
 
@@ -20,6 +21,8 @@ provider "dns" {
   }
 }
 
+# Internal DNS
+
 resource "dns_a_record_set" "nas" {
   zone = "home."
   name    = "nas"
@@ -62,3 +65,27 @@ resource "dns_a_record_set" "dns_internal" {
   ]
   ttl = 300
 }
+
+# Split Head DNS because Speedport doesn't support hairpin nat (and I want to be able to access these services without internet!)
+
+resource "dns_a_record_set" "dns_web_loopback" {
+  for_each = module.web.hostnames
+
+  zone    = "${var.base_domain}."
+  name    = trimsuffix(each.value.url, ".${var.base_domain}")
+  addresses = [
+    var.docker_web_host
+  ]
+  ttl = 300
+}
+
+# TODO Remove once not used by services anymore...
+resource "dns_a_record_set" "dns_media_nat_hairpin" {
+  for_each = module.media.hostnames
+
+  zone    = "${var.base_domain}."
+  name    = trimsuffix(each.value, ".${var.base_domain}")
+  addresses = [
+    var.docker_media_host
+  ]
+}

infrastructure/docker/internal/internal.tf

@@ -67,7 +67,7 @@ module "archivebox" {
 }
 
 module "addons" {
-  source = "git::ssh://[email protected]/flx5/homelab-addons.git//internal?ref=cec935d"
+  source = "git::ssh://[email protected]/flx5/homelab-addons.git//internal?ref=4c5d5d1"
   traefik_network = docker_network.traefik_intern.name
   base_domain = var.base_domain
 }

infrastructure/docker/media/media.tf

@@ -35,7 +35,7 @@ module "jellyfin" {
 }
 
 module "addons" {
-   source = "git::ssh://[email protected]/flx5/homelab-addons.git//media?ref=cec935d"
+   source = "git::ssh://[email protected]/flx5/homelab-addons.git//media?ref=4c5d5d1"
    traefik_network = docker_network.traefik_intern.name
    base_domain = var.base_domain
 }

infrastructure/docker/web/web.tf

@@ -111,6 +111,7 @@ module "traefik_intern" {
    }
 
    hostname = local.traefik_name_internal
+   port_offset = 10
 
    acme_email = var.acme_email
    homelab_ca = var.homelab_ca
@@ -127,7 +128,7 @@ module "traefik_public" {
       calibre = module.calibre.traefik_config
    }
 
-   port_offset = 1
+   port_offset = 0
    hostname = local.traefik_name_public
 
    additional_entrypoints = {