diff --git a/README.md b/README.md index 730daca..65747ef 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ AdGuard Home is a network-wide software for blocking ads & tracking. After you s It operates as a DNS server that re-routes tracking domains to a "black hole", thus preventing your devices from connecting to those servers. It's based on software we use for our public AdGuard DNS servers -- both share a lot of common code. -**Shipped version:** 0.107.2~ynh1 +**Shipped version:** 0.107.2~ynh2 diff --git a/README_fr.md b/README_fr.md index a2fd540..0b55e1e 100644 --- a/README_fr.md +++ b/README_fr.md @@ -16,7 +16,7 @@ AdGuard Home est un logiciel à l'échelle du réseau pour bloquer les publicit Il fonctionne comme un serveur DNS qui redirige les domaines de pistage vers un "trou noir", empêchant ainsi vos appareils de se connecter à ces serveurs. Il est basé sur un logiciel que nous utilisons pour nos serveurs DNS publics AdGuard - les deux partagent beaucoup de code commun. -**Version incluse :** 0.107.2~ynh1 +**Version incluse :** 0.107.2~ynh2 diff --git a/check_process b/check_process index 7d97801..f04e942 100644 --- a/check_process +++ b/check_process @@ -3,17 +3,17 @@ domain="domain.tld" path="/path" admin="john" - is_public=1 password="1Strong-Password" + dns_over_https=1 ; Checks pkg_linter=1 - setup_sub_dir=0 + setup_sub_dir=1 setup_root=1 setup_nourl=0 setup_private=1 setup_public=1 upgrade=1 - #upgrade=1 from_commit=CommitHash + upgrade=1 from_commit=c57900238fe703377b39d2dc54027e4b5303e9e6 backup_restore=1 multi_instance=0 change_url=1 @@ -21,6 +21,6 @@ Email= Notification=none ;;; Upgrade options - ; commit=CommitHash - name=Name and date of the commit. - manifest_arg=domain=DOMAIN&path=PATH&admin=USER&language=fr&is_public=1&password=pass&port=666& + ; commit=c57900238fe703377b39d2dc54027e4b5303e9e6 + name=0.107.2, 5 JAN 22 + manifest_arg=domain=DOMAIN&path=PATH&admin=USER&is_public=1&password=pass& \ No newline at end of file 
diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml index 9e1fdd9..d0d4c6e 100644 --- a/conf/AdGuardHome.yaml +++ b/conf/AdGuardHome.yaml @@ -80,7 +80,7 @@ tls: port_dns_over_quic: 784 port_dnscrypt: 0 dnscrypt_config_file: "" - allow_unencrypted_doh: false + allow_unencrypted_doh: __DNS_OVER_HTTPS__ strict_sni_check: false certificate_chain: "" private_key: "" diff --git a/conf/nginx.conf b/conf/nginx.conf index c8cd24c..3a3bff2 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,7 +1,8 @@ location __PATH__/ { - proxy_pass http://127.0.0.1:__PORT__; - proxy_redirect off; + proxy_pass http://127.0.0.1:__PORT__/; + proxy_redirect / __PATH__/; + proxy_cookie_path / __PATH__/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; @@ -16,8 +17,13 @@ location __PATH__/ { include conf.d/yunohost_panel.conf.inc; } -#location ~ .*.(gif|jpg|jpeg|png|bmp|swf|css|js)$ { -# proxy_pass http://127.0.0.1:__PORT__; -# proxy_set_header Host $host; -# proxy_set_header X-Forwarded-For $remote_addr; -# } +location /dns-query { + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_redirect off; + proxy_buffering on; + proxy_http_version 1.1; + proxy_read_timeout 6s; + proxy_connect_timeout 6s; + proxy_pass http://127.0.0.1:__PORT__/dns-query; +} diff --git a/config_panel.toml b/config_panel.toml new file mode 100644 index 0000000..f57cd51 --- /dev/null +++ b/config_panel.toml @@ -0,0 +1,15 @@ +version = "1.0" + +[main] +name = "Adguard configuration" + + [main.options] + name = "Enable some features" + + [main.options.dns_over_https] + ask = "Enable DNS-over-HTTPS" + type = "boolean" + yes = "true" + no = "false" + bind = "allow_unencrypted_doh:__FINALPATH__/AdGuardHome.yaml" + services = [ '__APP__' ] \ No newline at end of file diff --git a/manifest.json b/manifest.json index 5bf735d..199d8b2 100644 --- a/manifest.json +++ b/manifest.json 
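Review bot: `allow_unencrypted_doh` is not a DoH on/off switch but the option that lets AdGuard Home answer DoH over plain HTTP, so templating it from `__DNS_OVER_HTTPS__` is only safe while the web listener is reachable solely through the local nginx proxy. The listener's bind address is not visible in this hunk, so that should be confirmed. I would add a comment above the line, e.g. `# true = accept DoH over plain HTTP from the local nginx proxy only; TLS is terminated by nginx`, and make sure the placeholder is always rendered as `true` or `false`.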
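Review bot: In the new `location /dns-query` block, `$proxy_add_x_forwarded_for` passes along whatever `X-Forwarded-For` value the client sent and only appends the real address, so the upstream may attribute queries to a caller-chosen IP if it reads the first entry (how AdGuard Home treats the header is not visible here). Since this endpoint is opened to visitors, I would forward only the address nginx saw: `proxy_set_header X-Forwarded-For $remote_addr;` plus `proxy_set_header X-Real-IP $remote_addr;`, matching the first location block. The block is also emitted when DoH is disabled and has no request limiting, so a short comment stating that the endpoint is intentionally unauthenticated would help the next reader.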
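Review bot: The `dns_over_https` option is labelled "Enable DNS-over-HTTPS" but its `bind` writes `allow_unencrypted_doh` straight into AdGuardHome.yaml, and nothing in the entry tells the admin that enabling it makes `/dns-query` answer unauthenticated visitors. I would add a `help` line saying so, for example `help = "Exposes https://<domain>/dns-query to anyone without login"`. Because the value is bound to the file, the `dns_over_https` app setting read by scripts/upgrade and reset_default_config is presumably not updated by the panel, so a later re-render of the config could revert the admin's choice; worth confirming.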
@@ -6,7 +6,7 @@ "en": "Network-wide ads & trackers blocking DNS server", "fr": "Serveur DNS, bloqueur de publicités et trackers" }, - "version": "0.107.2~ynh1", + "version": "0.107.2~ynh2", "url": "https://adguard.com/adguard-home.html", "upstream": { "license": "GPL-3.0", @@ -28,14 +28,15 @@ "nginx" ], "arguments": { - "install": [{ + "install": [ + { "name": "domain", "type": "domain" }, { - "name": "is_public", - "type": "boolean", - "default": true + "name": "path", + "type": "path", + "default": "/adguard" }, { "name": "admin", @@ -44,6 +45,14 @@ { "name": "password", "type": "password" + }, + { + "name": "dns_over_https", + "type": "boolean", + "ask": { + "en": "Should DNS-over-HTTPS be enabled? (If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query)" + }, + "default": true } ] } diff --git a/scripts/actions/reset_default_config b/scripts/actions/reset_default_config index 612e13b..c8d6bff 100644 --- a/scripts/actions/reset_default_config +++ b/scripts/actions/reset_default_config @@ -27,9 +27,10 @@ password=$(ynh_app_setting_get --app=$app --key=password) final_path=$(ynh_app_setting_get --app=$app --key=final_path) port=$(ynh_app_setting_get --app=$app --key=port) adguard_port=$(ynh_app_setting_get --app=$app --key=adguard_port) +dns_over_https=$(ynh_app_setting_get --app=$app --key=dns_over_https) -ipv4_route_output=$(ip -4 route get 1.2.3.4 | head -n1) -ipv6_route_output=$(ip -6 route get ::1.2.3.4 | head -n1) +ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1) +ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) ipv4_addr="" for i in $(seq "$(echo $ipv4_route_output | wc -w)" -1 1); do diff --git a/scripts/change_url b/scripts/change_url index fd8eea8..eca2bc2 100644 --- a/scripts/change_url +++ b/scripts/change_url 
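Review bot: The new `dns_over_https` install argument defaults to `true`, and its own question text says anyone who knows the address can then send DoH requests, so a default install ships a publicly usable resolver endpoint. I would make the exposure opt-in with `"default": false`. The `ask` text also has a typo in the example URL (`adguardomain.tld`) and only an `en` entry, while the description above carries `fr` as well.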
@@ -28,6 +28,7 @@ ynh_script_progression --message="Loading installation settings..." --weight=1 # Needed for helper "ynh_add_nginx_config" final_path=$(ynh_app_setting_get --app=$app --key=final_path) +port=$(ynh_app_setting_get --app=$app --key=port) #================================================= # BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP @@ -56,9 +57,10 @@ then change_domain=1 fi -if [ "$old_path" != "$new_path" ] || [ "$new_path" != "/" ] +change_path=0 +if [ "$old_path" != "$new_path" ] then - ynh_die --message="You must use a root domain" + change_path=1 fi #================================================= @@ -77,6 +79,18 @@ ynh_script_progression --message="Updating NGINX web server configuration..." -- nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf +# Change the path in the NGINX config file +if [ $change_path -eq 1 ] +then + # Make a backup of the original NGINX config file if modified + ynh_backup_if_checksum_is_different --file="$nginx_conf_path" + # Set global variables for NGINX helper + domain="$old_domain" + path_url="$new_path" + # Create a dedicated NGINX config + ynh_add_nginx_config +fi + # Change the domain for NGINX if [ $change_domain -eq 1 ] then @@ -87,10 +101,6 @@ then ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" fi -#================================================= -# SPECIFIC MODIFICATIONS -#================================================= - #================================================= # GENERIC FINALISATION #================================================= diff --git a/scripts/install b/scripts/install index d9efa49..2fc400f 100644 --- a/scripts/install +++ b/scripts/install @@ -22,10 +22,10 @@ ynh_abort_if_errors # Retrieve arguments domain=$YNH_APP_ARG_DOMAIN -path_url="/" -is_public=$YNH_APP_ARG_IS_PUBLIC +path_url=$YNH_APP_ARG_PATH admin=$YNH_APP_ARG_ADMIN password=$YNH_APP_ARG_PASSWORD +dns_over_https=$YNH_APP_ARG_DNS_OVER_HTTPS architecture=$YNH_ARCH app=$YNH_APP_INSTANCE_NAME 
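Review bot: Neither the new `change_path` branch nor the existing `change_domain` branch touches the `api` permission, which scripts/install registers as `re:$domain/dns-query`. After a domain change the SSO rule would presumably still name the old domain, so `/dns-query` on the new domain ends up behind the portal while the old pattern stays public. If nothing outside these hunks handles it, add something like `ynh_permission_url --permission="api" --url="re:$new_domain/dns-query"` inside the `change_domain` branch, with a comment explaining why the permission follows the domain and not the path.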
@@ -50,6 +50,14 @@ ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=admin --value=$admin +if [ "$dns_over_https" == "1" ]; +then + dns_over_https="true" +else + dns_over_https="false" +fi +ynh_app_setting_set --app=$app --key=dns_over_https --value=$dns_over_https + #================================================= # FIND AND OPEN A PORT #================================================= @@ -116,12 +124,23 @@ ynh_add_nginx_config #================================================= ynh_script_progression --message="Modifying a config file..." --weight=1 -ipv4_interface=$(ip route get 1.2.3.4 | grep -oP '(?<=dev )\w+') -ipv6_interface=$(ip -6 route get ::1.2.3.4 | grep -oP '(?<=dev )\w+') +# echo the ip route command to prevent a crash if the server doesn't have any ipv4/6 +ipv4_interface=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+') +ipv6_interface=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+') -if [ "$ipv4_interface" != "$ipv6_interface" ]; then - echo "bind-interfaces +if [ -z "$ipv4_interface" ] && [ -z "$ipv6_interface" ]; then + ynh_die --message="Impossible to find the main network interface, please report this issue." +elif [ "$ipv4_interface" != "$ipv6_interface" ]; then + if [ -z "$ipv4_interface" ]; then + echo "bind-interfaces +except-interface=$ipv6_interface" > "/etc/dnsmasq.d/$app" + elif [ -z "$ipv6_interface" ]; then + echo "bind-interfaces +except-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app" + else + echo "bind-interfaces except-interface=$ipv4_interface, $ipv6_interface" > "/etc/dnsmasq.d/$app" + fi else echo "bind-interfaces except-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app" 
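Review bot: The `grep -oP` at the end of each new `ipv4_interface`/`ipv6_interface` pipeline still returns non-zero when the `ip` output is empty, so the comment's promise of preventing a crash may not hold. If `ynh_abort_if_errors` (visible in the header of the first install hunk) turns on errexit, the script would stop at the assignment on a single-stack host before the new `-z` checks run. Ending the substitution with `|| true`, as in `... | grep -oP '(?<=dev )\w+' || true)`, keeps the empty value and lets the `ynh_die` branch report the real problem. The same two lines are added in scripts/upgrade and need the same change.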
@@ -131,8 +150,8 @@ systemctl restart dnsmasq ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" -ipv4_route_output=$(ip -4 route get 1.2.3.4 | head -n1) -ipv6_route_output=$(ip -6 route get ::1.2.3.4 | head -n1) +ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | head -n1) +ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) ipv4_addr="" for i in $(seq "$(echo $ipv4_route_output | wc -w)" -1 1); do @@ -175,6 +194,13 @@ ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 yunohost service add $app --description="Ads & trackers blocking DNS server" +#================================================= +# SETUP SSOWAT +#================================================= +ynh_script_progression --message="Configuring permissions..." + +ynh_permission_create --permission="api" --label="api" --url="re:$domain/dns-query" --allowed="visitors" --auth_header="false" --show_tile="false" --protected="true" + #================================================= # START SYSTEMD SERVICE #================================================= @@ -183,17 +209,6 @@ ynh_script_progression --message="Starting a systemd service..." --weight=2 # Start a systemd service ynh_systemd_action --service_name=$app --action="restart" --log_path=systemd -#================================================= -# SETUP SSOWAT -#================================================= -ynh_script_progression --message="Configuring permissions..." --weight=1 - -# Make app public if necessary -if [ $is_public -eq 1 ] -then - ynh_permission_update --permission="main" --add="visitors" -fi - #================================================= # RELOAD NGINX #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 7a7e460..c02b552 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
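Review bot: The new `ipv4_route_output` line pipes through `head -n1` twice, while the IPv6 line and the same assignment in scripts/upgrade use it once; drop the duplicate so the two lines stay parallel: `ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1)`. The `2> /dev/null` also hides why a lookup failed, so a one-line comment saying an empty result is expected on single-stack hosts would help. The loop that consumes the value continues outside the hunk.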
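Review bot: The `api` permission is created with `--allowed="visitors"` unconditionally, so `/dns-query` bypasses the SSO even when the installer answered no to `dns_over_https`; the same call is added in scripts/upgrade for existing installs. With `--protected="true"` the admin also cannot remove the visitors group from the web admin afterwards. I would gate the public grant on the setting, e.g. create the permission without `--allowed` and run `ynh_permission_update --permission="api" --add="visitors"` only when `dns_over_https` is `true`, and add a comment saying the endpoint is meant to be reachable without login.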
@@ -23,6 +23,7 @@ password=$(ynh_app_setting_get --app=$app --key=password) final_path=$(ynh_app_setting_get --app=$app --key=final_path) port=$(ynh_app_setting_get --app=$app --key=port) adguard_port=$(ynh_app_setting_get --app=$app --key=adguard_port) +dns_over_https=$(ynh_app_setting_get --app=$app --key=dns_over_https) architecture=$YNH_ARCH #================================================= @@ -37,6 +38,21 @@ if [ "$adguard_port" -ne "53" ]; then ynh_app_setting_set --app=$app --key=adguard_port --value=$adguard_port fi +# Create a permission if needed +if ! ynh_permission_exists --permission="api"; then + ynh_permission_create --permission="api" --label="api" --url="re:$domain/dns-query" --allowed="visitors" --auth_header="false" --show_tile="false" --protected="true" +fi + +if [ -n "$dns_over_https" ] && [ "$dns_over_https" == "1" ]; +then + dns_over_https="true" + ynh_app_setting_set --app=$app --key=dns_over_https --value=$dns_over_https +elif [ -z "$dns_over_https" ] || [ "$dns_over_https" == "0" ]; +then + dns_over_https="false" + ynh_app_setting_set --app=$app --key=dns_over_https --value=$dns_over_https +fi + #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= 
@@ -121,12 +137,22 @@ ynh_install_app_dependencies $pkg_dependencies #================================================= ynh_script_progression --message="Updating a configuration file..." --weight=1 -ipv4_interface=$(ip route get 1.2.3.4 | grep -oP '(?<=dev )\w+') -ipv6_interface=$(ip -6 route get ::1.2.3.4 | grep -oP '(?<=dev )\w+') +ipv4_interface=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+') +ipv6_interface=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+') -if [ "$ipv4_interface" != "$ipv6_interface" ]; then - echo "bind-interfaces +if [ -z "$ipv4_interface" ] && [ -z "$ipv6_interface" ]; then + ynh_die --message="Impossible to find the main network interface, please report this issue." +elif [ "$ipv4_interface" != "$ipv6_interface" ]; then + if [ -z "$ipv4_interface" ]; then + echo "bind-interfaces +except-interface=$ipv6_interface" > "/etc/dnsmasq.d/$app" + elif [ -z "$ipv6_interface" ]; then + echo "bind-interfaces +except-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app" + else + echo "bind-interfaces except-interface=$ipv4_interface, $ipv6_interface" > "/etc/dnsmasq.d/$app" + fi else echo "bind-interfaces except-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app" @@ -136,8 +162,8 @@ systemctl restart dnsmasq ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" -ipv4_route_output=$(ip -4 route get 1.2.3.4 | head -n1) -ipv6_route_output=$(ip -6 route get ::1.2.3.4 | head -n1) +ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1) +ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) ipv4_addr="" for i in $(seq "$(echo $ipv4_route_output | wc -w)" -1 1); do 
@@ -165,7 +191,11 @@ with open(\"$final_path/AdGuardHome.yaml\", 'r') as file: need_file_update = False if \"0.0.0.0\" in conf_file[\"dns\"][\"bind_hosts\"]: - conf_file[\"dns\"][\"bind_hosts\"] = [\"$ipv4_addr\", \"$ipv6_addr\"] + conf_file[\"dns\"][\"bind_hosts\"] = [] + if \"$ipv4_addr\": + conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv4_addr\") + if \"$ipv6_addr\": + conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv6_addr\") need_file_update = True if conf_file[\"dns\"][\"port\"] != $adguard_port:
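Review bot: `bind_hosts` is reset to an empty list and only filled when `$ipv4_addr` or `$ipv6_addr` is non-empty, but nothing in this hunk handles the case where both are empty; the earlier `ynh_die` guard tests interface names, not the parsed addresses. An empty `bind_hosts` would then be written to AdGuardHome.yaml, and what the server listens on in that state is not visible here. I would replace the list only when at least one address was found, e.g. `hosts = [a for a in (\"$ipv4_addr\", \"$ipv6_addr\") if a]` followed by `if hosts: conf_file[\"dns\"][\"bind_hosts\"] = hosts`. The embedded Python block starts and ends outside the hunk.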