mirror of https://github.com/YunoHost-Apps/adguardhome_ynh.git synced 2024-09-03 18:06:23 +02:00

enable DOH/DOQ using Let's Encrypt certs out of the box (#154)

Co-authored-by: yunohost-bot <yunohost@yunohost.org>
Co-authored-by: OniriCorpe <OniriCorpe@users.noreply.github.com>
Co-authored-by: tituspijean <titus+yunohost@pijean.ovh>
OniriCorpe 2024-05-21 18:34:12 +02:00 committed by GitHub
parent a450bfbed3
commit aee1f2aaca
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
27 changed files with 1216 additions and 291 deletions


@ -5,13 +5,15 @@ about: When creating a bug report, please use the following template to provide
--- ---
**How to post a meaningful bug report** **How to post a meaningful bug report**
1. *Read this whole template first.* 1. *Read this whole template first.*
2. *Determine if you are on the right place:* 2. *Determine if you are on the right place:*
- *If you were performing an action on the app from the webadmin or the CLI (install, update, backup, restore, change_url...), you are on the right place!* - *If you were performing an action on the app from the webadmin or the CLI (install, update, backup, restore, change_url...), you are on the right place!*
- *Otherwise, the issue may be due to the app itself. Refer to its documentation or repository for help.* - *Otherwise, the issue may be due to the app itself. Refer to its documentation or repository for help.*
- *When in doubt, post here and we will figure it out together.* - *When in doubt, post here and we will figure it out together.*
3. *Delete the italic comments as you write over them below, and remove this guide.* 3. *Delete the italic comments as you write over them below, and remove this guide.*
---
---
### Describe the bug ### Describe the bug
@ -26,13 +28,16 @@ about: When creating a bug report, please use the following template to provide
- If yes, please explain: - If yes, please explain:
- Using, or trying to install package version/branch: - Using, or trying to install package version/branch:
- If upgrading, current package version: *can be found in the admin, or with `yunohost app info $app_id`* - If upgrading, current package version: *can be found in the admin, or with `yunohost app info $app_id`*
- Is DNS over HTTP or DNS over QUIC activated?: *no / yes*
### Steps to reproduce ### Steps to reproduce
- *If you performed a command from the CLI, the command itself is enough. For example:* - *If you performed a command from the CLI, the command itself is enough. For example:*
```sh ```sh
sudo yunohost app install the_app sudo yunohost app install the_app
``` ```
- *If you used the webadmin, please perform the equivalent command from the CLI first.* - *If you used the webadmin, please perform the equivalent command from the CLI first.*
- *If the error occurs in your browser, explain what you did:* - *If the error occurs in your browser, explain what you did:*
1. *Go to '...'* 1. *Go to '...'*
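Review bot: the new checklist item `- Is DNS over HTTP or DNS over QUIC activated?: *no / yes*` names only two of the three protocols that the config panel toggles together (the option added in config_panel.toml is "Enable DNS-over-HTTPS/TLS/QUIC?"), and "DNS over HTTP" should read "DNS over HTTPS"; suggest `- Is DNS over HTTPS, DNS over TLS or DNS over QUIC activated?: *no / yes*` so the bug template matches the setting it asks about.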
@ -47,6 +52,7 @@ about: When creating a bug report, please use the following template to provide
### Logs ### Logs
*When an operation fails, YunoHost provides a simple way to share the logs.* *When an operation fails, YunoHost provides a simple way to share the logs.*
- *In the webadmin, the error message contains a link to the relevant log page. On that page, you will be able to 'Share with Yunopaste'. If you missed it, the logs of previous operations are also available under Tools > Logs.* - *In the webadmin, the error message contains a link to the relevant log page. On that page, you will be able to 'Share with Yunopaste'. If you missed it, the logs of previous operations are also available under Tools > Logs.*
- *In command line, the command to share the logs is displayed at the end of the operation and looks like `yunohost log display [log name] --share`. If you missed it, you can find the log ID of a previous operation using `yunohost log list`.* - *In command line, the command to share the logs is displayed at the end of the operation and looks like `yunohost log display [log name] --share`. If you missed it, you can find the log ID of a previous operation using `yunohost log list`.*

.shellcheckrc Normal file

@ -0,0 +1,15 @@
# ~/.shellcheckrc
# follow source _common.sh
external-sources=true
# disable common errors with yunohost scripting:
# Not following: (error message here)
disable=SC1091
# foo appears unused. Verify it or export it.
disable=SC2034
# var is referenced but not assigned.
disable=SC2154
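Review bot: `disable=SC2034` and `disable=SC2154` are turned off for the whole repository, which also silences genuinely unused or unassigned variables in the package's own scripts rather than only the ones injected by the YunoHost helpers; since `external-sources=true` already lets ShellCheck follow `source _common.sh`, consider keeping SC2154 enabled globally and adding a per-line `# shellcheck disable=SC2154` only where a helper-provided variable is read.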


@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t
However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*.
**Shipped version:** 0.107.48~ynh2 **Shipped version:** 0.107.48~ynh3
## Screenshots ## Screenshots


@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t
However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*.
**Versión actual:** 0.107.48~ynh2 **Versión actual:** 0.107.48~ynh3
## Capturas ## Capturas


@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t
However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*.
**Paketatutako bertsioa:** 0.107.48~ynh2 **Paketatutako bertsioa:** 0.107.48~ynh3
## Pantaila-argazkiak ## Pantaila-argazkiak


@ -24,7 +24,7 @@ Il fonctionne comme un serveur DNS qui redirige les domaines de pistage vers un
Cependant, Dnsmasq n'est pas désactivé et continuera à fonctionner en tant que *serveur DNS localhost*. Cependant, Dnsmasq n'est pas désactivé et continuera à fonctionner en tant que *serveur DNS localhost*.
**Version incluse:** 0.107.48~ynh2 **Version incluse:** 0.107.48~ynh3
## Captures décran ## Captures décran


@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t
However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*.
**Versión proporcionada:** 0.107.48~ynh2 **Versión proporcionada:** 0.107.48~ynh3
## Capturas de pantalla ## Capturas de pantalla


@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t
However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*.
**分发版本:** 0.107.48~ynh2 **分发版本:** 0.107.48~ynh3
## 截图 ## 截图


@ -1,28 +0,0 @@
;; Test complet
; Manifest
domain="domain.tld"
path="/path"
admin="john"
password="1Strong-Password"
dns_over_https=1
; Checks
pkg_linter=1
setup_sub_dir=1
setup_root=1
setup_nourl=0
setup_private=1
setup_public=1
upgrade=1
upgrade=1 from_commit=c57900238fe703377b39d2dc54027e4b5303e9e6
# 0.107.8~ynh1
upgrade=1 from_commit=66d2a70352aa1337f0f7fcef20a91efaf557b0ec
backup_restore=1
multi_instance=0
change_url=1
;;; Options
Email=
Notification=none
;;; Upgrade options
; commit=c57900238fe703377b39d2dc54027e4b5303e9e6
name=0.107.2, 5 JAN 22
manifest_arg=domain=DOMAIN&path=PATH&admin=USER&is_public=1&password=pass&
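Review bot: deleting check_process also drops the `dns_over_https=1` manifest argument and the two `from_commit` upgrade cases listed here (c57900238fe703377b39d2dc54027e4b5303e9e6 and 66d2a70352aa1337f0f7fcef20a91efaf557b0ec); the CI test definition that replaces this file is not part of this page, so please confirm it still exercises an install with `dns_over_https` enabled and adds a case for the new `expose_port_53` option introduced in config_panel.toml, otherwise the DoH/DoT/DoQ path this commit enables ships untested.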

conf/10-adguardhome.conf Normal file

@ -0,0 +1,5 @@
# This is a configuration file linked to the AdGuardHome YunoHost package
# augment the packet buffer size for DNS over QUIC to work properly
net.core.rmem_max = 2500000
net.core.wmem_max = 2500000
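Review bot: the header comment should say where this file is installed (a sysctl.d drop-in) and where the 2500000-byte `net.core.rmem_max` / `net.core.wmem_max` values come from, and make clear that these are system-wide kernel socket-buffer limits rather than AdGuard Home settings: the remove script must delete the file, and the install script must reload sysctl before the service starts or DNS over QUIC will still run with the old limits until reboot. `# augment the packet buffer size` would read better as `# raise the UDP socket buffer limits so DNS over QUIC works properly`.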


@ -1,109 +1,120 @@
bind_host: 127.0.0.1 http:
bind_port: __PORT__ pprof:
beta_bind_port: 0 port: 6060
enabled: false
address: 127.0.0.1:__PORT__
session_ttl: 720h
users: users:
- name: __ADMIN__ - name: __ADMIN__
password: __PASSWORD__ password: __PASSWORD__
auth_attempts: 5 auth_attempts: 5
block_auth_min: 15 block_auth_min: 15
http_proxy: "" http_proxy: ""
language: "" language: en
rlimit_nofile: 0 theme: auto
debug_pprof: false
web_session_ttl: 720
dns: dns:
bind_hosts: bind_hosts: []
__IPV4_ADDR__
__IPV6_ADDR__
port: 53 port: 53
statistics_interval: 1
querylog_enabled: true
querylog_file_enabled: true
querylog_interval: 90
querylog_size_memory: 1000
anonymize_client_ip: false anonymize_client_ip: false
protection_enabled: true
blocking_mode: default
blocking_ipv4: ""
blocking_ipv6: ""
blocked_response_ttl: 10
parental_block_host: family-block.dns.adguard.com
safebrowsing_block_host: standard-block.dns.adguard.com
ratelimit: 20 ratelimit: 20
ratelimit_subnet_len_ipv4: 24
ratelimit_subnet_len_ipv6: 56
ratelimit_whitelist: [] ratelimit_whitelist: []
refuse_any: true refuse_any: true
upstream_dns: upstream_dns:
- https://dns10.quad9.net/dns-query - https://dns10.quad9.net/dns-query
- https://dns.mullvad.net/dns-query
- https://dns-unfiltered.adguard.com/dns-query
upstream_dns_file: "" upstream_dns_file: ""
bootstrap_dns: bootstrap_dns:
- 9.9.9.10 - 9.9.9.10
- 149.112.112.10 - 149.112.112.10
- 194.242.2.2
- 2620:fe::10 - 2620:fe::10
- 2620:fe::fe:10 - 2620:fe::fe:10
all_servers: false - 2a07:e340::2
fallback_dns: []
all_servers: true
fastest_addr: false fastest_addr: false
fastest_timeout: 1s
allowed_clients: [] allowed_clients: []
disallowed_clients: [] disallowed_clients: []
blocked_hosts: blocked_hosts:
- version.bind - version.bind
- id.server - id.server
- hostname.bind - hostname.bind
cache_size: 4194304 trusted_proxies:
cache_ttl_min: 0 - 127.0.0.0/8
cache_ttl_max: 0 - ::1/128
cache_size: 41943040
cache_ttl_min: 10800
cache_ttl_max: 86400
cache_optimistic: true
bogus_nxdomain: [] bogus_nxdomain: []
aaaa_disabled: false aaaa_disabled: false
enable_dnssec: false enable_dnssec: false
edns_client_subnet: false edns_client_subnet:
custom_ip: ""
enabled: false
use_custom: false
max_goroutines: 300 max_goroutines: 300
handle_ddr: true
ipset: [] ipset: []
filtering_enabled: true ipset_file: ""
filters_update_interval: 24 bootstrap_prefer_ipv6: true
parental_enabled: false upstream_timeout: 10s
safesearch_enabled: false private_networks: []
safebrowsing_enabled: false use_private_ptr_resolvers: false
safebrowsing_cache_size: 1048576
safesearch_cache_size: 1048576
parental_cache_size: 1048576
cache_time: 30
rewrites: []
blocked_services: []
local_domain_name: lan
resolve_clients: true
local_ptr_upstreams: [] local_ptr_upstreams: []
use_dns64: false
dns64_prefixes: []
serve_http3: true
use_http3_upstreams: true
serve_plain_dns: true
tls: tls:
enabled: false enabled: __DNS_OVER_HTTPS__
server_name: "" server_name: "__DOMAIN__"
force_https: false force_https: false
port_https: 443 port_https: 0
port_dns_over_tls: 853 port_dns_over_tls: __PORT_DNS_OVER_TLS__
port_dns_over_quic: 784 port_dns_over_quic: __PORT_DNS_OVER_QUIC__
port_dnscrypt: 0 port_dnscrypt: 0
dnscrypt_config_file: "" dnscrypt_config_file: ""
allow_unencrypted_doh: __DNS_OVER_HTTPS__ allow_unencrypted_doh: true
strict_sni_check: false
certificate_chain: "" certificate_chain: ""
private_key: "" private_key: ""
certificate_path: "" certificate_path: "/etc/yunohost/certs/__DOMAIN__/crt.pem"
private_key_path: "" private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem"
strict_sni_check: false
querylog:
ignored: []
interval: 24h
size_memory: 1000
enabled: true
file_enabled: true
statistics:
ignored: []
interval: 720h
enabled: true
filters: filters:
- enabled: true - enabled: true
url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
name: AdGuard DNS filter name: AdGuard DNS filter
id: 1 id: 1
- enabled: false - enabled: false
url: https://adaway.org/hosts.txt url: https://adaway.org/hosts.txt
name: AdAway Default Blocklist name: AdAway Default Blocklist
id: 2 id: 2
- enabled: false - enabled: false
url: https://www.malwaredomainlist.com/hostslist/hosts.txt url: https://www.malwaredomainlist.com/hostslist/hosts.txt
name: MalwareDomainList.com Hosts List name: MalwareDomainList.com Hosts List
id: 4 id: 3
whitelist_filters: [] whitelist_filters: []
user_rules: [] user_rules: []
dhcp: dhcp:
enabled: false enabled: false
interface_name: "" interface_name: ""
local_domain_name: lan
dhcpv4: dhcpv4:
gateway_ip: "" gateway_ip: ""
subnet_mask: "" subnet_mask: ""
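Review bot: `certificate_path: "/etc/yunohost/certs/__DOMAIN__/crt.pem"` and `private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem"` are read by the service, which this hunk now runs as `os: user: __APP__`; a private key should not be world-readable, and nothing on this page shows how that user gets read access to key.pem or how access is re-applied after certificate renewal, so the install/upgrade scripts and a renewal hook need to cover it or TLS startup fails as soon as `tls: enabled: __DNS_OVER_HTTPS__` is true. Separately, `allow_unencrypted_doh: true` is now unconditional (it was bound to `__DNS_OVER_HTTPS__` before); that is only safe because `/dns-query` is reached through nginx from loopback and the new `trusted_proxies` entry `127.0.0.0/8` covers it, so a comment tying the two together would help, and `strict_sni_check: false` together with `serve_plain_dns: true` deserves a line explaining why they stay permissive.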
@ -117,13 +128,54 @@ dhcp:
lease_duration: 86400 lease_duration: 86400
ra_slaac_only: false ra_slaac_only: false
ra_allow_slaac: false ra_allow_slaac: false
clients: [] filtering:
blocking_ipv4: ""
blocking_ipv6: ""
blocked_services:
schedule:
time_zone: Local
ids: []
protection_disabled_until: null
safe_search:
enabled: false
bing: false
duckduckgo: false
google: false
pixabay: false
yandex: false
youtube: false
blocking_mode: refused
parental_block_host: family-block.dns.adguard.com
safebrowsing_block_host: standard-block.dns.adguard.com
rewrites: []
safebrowsing_cache_size: 1048576
safesearch_cache_size: 1048576
parental_cache_size: 1048576
cache_time: 30
filters_update_interval: 12
blocked_response_ttl: 10
filtering_enabled: true
parental_enabled: false
safebrowsing_enabled: true
protection_enabled: true
clients:
runtime_sources:
whois: true
arp: true
rdns: true
dhcp: true
hosts: true
persistent: []
log: log:
compress: false file: ""
localtime: false
max_backups: 0 max_backups: 0
max_size: 100 max_size: 100
max_age: 3 max_age: 3
file: "" compress: false
verbose: false local_time: false
schema_version: 10 verbose: false
os:
group: "__APP__"
user: "__APP__"
rlimit_nofile: 0
schema_version: 27
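Review bot: this hunk flips `safebrowsing_enabled` from `false` to `true` and `blocking_mode` from `default` to `refused` while migrating the template to `schema_version: 27`; both are behaviour changes unrelated to DoH/DoQ and are not mentioned in the commit message, so users whose AdGuardHome.yaml is regenerated from this template get them silently. Call them out in the commit message and upgrade notes, or keep the previous values and change them in a separate commit.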


@ -22,11 +22,8 @@ location __PATH__/ {
location /dns-query { location /dns-query {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect off; proxy_set_header X-Real-IP $remote_addr;
proxy_buffering on; proxy_bind 127.0.0.1;
proxy_http_version 1.1;
proxy_read_timeout 6s;
proxy_connect_timeout 6s;
proxy_pass http://127.0.0.1:__PORT__/dns-query; proxy_pass http://127.0.0.1:__PORT__/dns-query;
} }
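Review bot: `proxy_bind 127.0.0.1;` is the right counterpart to `trusted_proxies: 127.0.0.0/8` in AdGuardHome.yaml, since it guarantees AdGuard Home sees the proxied `/dns-query` connection arriving from loopback and can trust `X-Real-IP` / `X-Forwarded-For` for its allowlist and query log; but dropping `proxy_read_timeout 6s;` and `proxy_connect_timeout 6s;` falls back to nginx's 60-second defaults, which is long for a DNS exchange and lets slow DoH clients hold connections open on a publicly reachable path, so consider keeping the short timeouts (and `proxy_http_version 1.1;` if keep-alive to the backend was the intent).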


@ -1,12 +1,43 @@
version = "1.0" version = "1.0"
[main] [main]
name = "AdguardHome configuration" name.en = "AdGuard Home configuration"
name.fr = "Configuration de AdGuard Home"
help.en = "If any trouble or question, please refer to the admin documentation right below!"
help.fr = "En cas de problème ou questionnement, référez-vous au guide d'administration en bas de la page !"
services = ["__APP__"] services = ["__APP__"]
[main.options.dns_over_https] [main.options]
ask = "Enable DNS-over-HTTPS" name.en = "Configure AdGuard Home options"
type = "boolean" name.fr = "Options de configuration de AdGuard Home"
yes = "true"
no = "false" [main.options.expose_port_53]
bind = "allow_unencrypted_doh:__INSTALL_DIR__/AdGuardHome.yaml" ask.en = "Bind to public IP addresses?"
ask.fr = "Liaison avec les adresses IP publiques ?"
no = "false"
type = "boolean"
yes = "true"
help.en = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification Please read the admin doc to understand that setting and to secure your server using allowlist."
help.fr = "Si activé, quiconque connaissant l'adresse IP de votre serveur pourra lui faire des requêtes DNS. Il pourrait être utilisé afin de réaliser des attaques par amplification DNS : https://www.malekal.com/attaque-dos-amplification Veuillez lire le guide d'administration pour comprendre ce paramètre et comment sécuriser votre serveur en utilisant la liste blanche."
[main.options.dns_over_https]
ask.en = "Enable DNS-over-HTTPS/TLS/QUIC?"
ask.fr = "Activer le DNS-sur-HTTPS/TLS/QUIC ?"
no = "false"
type = "boolean"
yes = "true"
bind = "tls>enabled:__INSTALL_DIR__/AdGuardHome.yaml"
help.en = "If so, anyone who knows your adguard address can make a DoH request to https://adguardomain.tld/dns-query or using DoT or DoQ. It also may be used to perform amplification attacks. Read the admin doc to secure your server using allowlist."
help.fr = "Si activé, quiconque connaissant l'adresse de votre serveur pourra lui faire des requêtes DoH sur https://adguardomain.tld/dns-query ou en utilisant le DoT ou DoQ. Il pourrait aussi être utilisé afin de réaliser des attaques par amplification DNS. Veuillez lire le guide d'administration pour comprendre ce paramètre et comment sécuriser votre serveur en utilisant la liste blanche."
[main.extra]
name.en = "Extra tools"
name.fr = "Outils"
[main.extra.new_password]
ask.en = "Set a new admin password"
ask.fr = "Changer le mot de passe administrateur"
type = "string"
help.en = "With this tool, you can easily change the password of your AdGuard Home. Just put the desired password in the text input."
help.fr = "À l'aide de cet outil, vous pouvez facilement changer le mot de passe de votre AdGuard Home. Renseignez juste le mot de passe désiré dans le champ de saisie."
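Review bot: `[main.extra.new_password]` uses `type = "string"` for the new admin password; the YunoHost config panel has a `password` question type that masks the input and keeps the value out of the plain settings, so use `type = "password"` here. Also, in `[main.options.expose_port_53]` the `help.en` text runs the Wikipedia URL straight into "Please read the admin doc" with no separator, so the link swallows the next word; add a period or newline after it. The DoH help text's `https://adguardomain.tld/dns-query` reads like an unreplaced placeholder; "your AdGuard Home domain" would be clearer.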


@ -1 +1,124 @@
[Read the apps guide.](https://github.com/YunoHost-Apps/adguardhome_ynh/blob/master/doc/APPS.md) # Admin notebook of YunoHost's AdGuard Home
You want to be sure to understand the config settings? You're at the right place! ^w^
## Bind to public IP addresses?
This setting is **disabled** by default.
When disabled:
- YunoHost **will not** check if the port 53 is accessible on Internet and warns you if not (so no irrelevant warning)
- Public IP adresses **will not** be added to the AdGuard Home configuration
When enabled:
- YunoHost **will** check if the port 53 is accessible on Internet and warns you if not
- ⚠️ You need to **manually open port 53** of your router if you self-host at home!
- Server's public IP adresses **will** be added to the AdGuard Home configuration, so AGH will be able to bind to them and will expose directly the port 53 to the Internet
You need to know that if you expose your DNS server to Internet, anyone who knows your server's IP can make a DNS request to it. It *may be used* to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)!
This risk is greatly minimized by the rate limiting setting, which is set to 20 requests per second per client by default:
`Settings → DNS settings → DNS server configuration → Rate limit`
You can completely or almost completely reduce the risk of unauthorized use with the help of the [Allowlist section](#allowlist) further down in this documentation.
To use AdGuard Home in your home network if your self-hosting at home, you **don't need** to activate this setting.
You simply have to use the private IP adress of your server (like `192.168.0.1` or so) as DNS IP for your IT devices at home.
The right IP addresses to use are shown at the top of the "Setup Guide" page of your AdGuard Home instance.
If you would expose the port 53 on Internet, you'll be able to use the public IP of your server (the same as in your domain name DNS settings) on any device outside your home network.
**Warning:** you should not have public IPs in the config file if the port 53 is **not exposed** on Internet (else: AGH crashes)
**Please note:** they should be automatically removed when upgrading this package or when modifiying this port 53 exposure setting, but it's in the docs just in case.
You can remove them in your config file `/var/www/adguardhome/AdGuardHome.yaml` in the `dns: bind_hosts:` section.
Any IP **that doesn't start** with the folowing are public ones:
- `10.`
- `169.`
- `172.`
- `192.168.`
- `fcxx:` (where the `x` can be any hexadecimal character)
- `fdxx:` (where the `x` can be any hexadecimal character)
**Warning:** IPv6 starting with `fe80:` (IPv6 LLA) CAN'T be used for DNS purposes, if you try to put one in the AGH config, it won't work and crash!
So, any other IP should be a public one.
Restart AdGuard Home after applying the needed edits: `yunohost service restart adguardhome`
## Enable DNS over HTTP, DNS over TLS and DNS over QUIC?
This setting is **disabled** by default.
If enabled, you need to know that anyone who knows your AdGuard Home domain-name can make a DNS request to it. It may be used to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)!
It's really important to use the configuration panel included in the YunoHost Webadmin interface to activate or deactivate this setting, and **NOT** the built-in setting in the AdGuardHome interface.
This is because YunoHost needs to perform actions such as automatically opening or closing the server's ports and refresh the IP to provide to AdGuard Home, which cannot be done without going through the configuration panel.
If you host your machine at home, for using DoT or DoQ, you have to open the following ports on your router by yourself:
- `__PORT_DNS_OVER_TLS__` in TCP & UDP (for DNS over TLS)
- `__PORT_DNS_OVER_QUIC__` in UDP (for DNS over QUIC)
Then you can use the following adresses as a DoH, DoT or DoQ DNS server for your devices:
- DNS over HTTP: `https://__DOMAIN__/dns-query` (or `https://__DOMAIN__/dns-query/your-client-id` with a [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid))
- DNS over TLS: `tls://__DOMAIN__:__PORT_DNS_OVER_TLS__`
- DNS over QUIC: `quic://__DOMAIN__:__PORT_DNS_OVER_QUIC__`
## Allowlist
If your port 53 is exposed on Internet, you can secure your AdGuard Home server using allowlist to prevent unauthorized use.
We've had YunoHost users surprised to see their instance receiving tens of thousands of unknown requests per day, this was due to the public exposure of port 53 on Internet and the lack of securisation of their instance.
In this allowlist, you can put [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid)s in place of IP addresses for the devices that uses DNS over HTTP.
But since since YunoHost can't handle wildcard domain names, you can't use this ClientID functionnality with DNS over TLS and DNS over QUIC, sorry about that.
**Note:** to use DNS over HTTP with a ClientID, you have to use the following URL: `https://__DOMAIN__/dns-query/your-client-id`
The allowlist setting is located in your AdGuard Home interface:
`Settings → DNS settings → Access settings → Allowed clients`
### Local network
If you selfhost at home, you can simply paste this in your allowlist (it will allow any kind of private IP):
```text
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
fc00::/7
fe80::/16
```
**Note:** the slash `/` and the following number after the IP adresses represents the network mask, it's called the CIDR notation. If you want to learn about the CIDR notation, [you can read this article](https://whatismyipaddress.com/cidr).
### Authorize some public IP addresses
Then you can add some authorized public IP addresses.
For example, to authorize the IPv4 of your home internet connexion, open <https://ip.yunohost.org/> and paste the showed IP in the allowlist.
If your ISP has assigned you an IPv6 range (ex. `2a01:d34d:b33f:1312::/64`), you can add it so that any device on your home network using an address in this range will be authorized.
You can add any public IP you know you'll use.
If you want to use your AGH instance on your smartphone without using the [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) feature (only availabe with DoH, check the 'Apps' documentation to find out how to use it on your phone), it gets more complex: you have to allow the IP ranges of your mobile operator.
It's not perfect but it still drastically reduces the chances of unauthorized use, while allowing you to use it with your smartphone.
**Note:** in case of connection on non authorized wifi networks with your smartphone, you will not be able to use your AdGuard Home instance.
Using the connexion to allow, go to <https://ip.guide/> and click on "Autonomous Systems".
**Note:** if you're using an iPhone, make sure that the ["Limit IP tracking" or "iCloud private relay" settings](https://support.apple.com/guide/iphone/iph499d287c2/ios) are disabled (otherwise you must authorize Akamai IP addresses using the same method).
You can now copy all the IP adresses in the "routes" section, remove all quotation marks, commas and spaces, but keep one IP per line, then paste the result into your allowlist.
It should look like the list in the previous section.
You can use the following command to automatically give you a ready-to-use list:
```bash
curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s ".[].network.autonomous_system.asn")" | jq -s ".[].routes" | sed "/v.*:/d;/\],/d" | tr -d " {]\",}"
```
The command asks your IP address to ip.guide, which returns the "Autonomous System" number (ASN) of your access provider, then the commands asks its IP ranges, then display it on your screen.
**Note:** maybe you'll need to do this step multiple times, as some Internet provider have multiple ASN numbers. So if one day your AdGuard Home refuses to reply, it might be because of this.
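Review bot: the "Any IP that doesn't start with the following are public ones" list is inconsistent with the CIDR block given later in the same file: `169.` and `172.` are far broader than the non-public ranges (only 169.254.0.0/16 link-local and 172.16.0.0/12 are non-public, the rest of 169.0.0.0/8 and 172.0.0.0/8 is public), so admins following the prefix list would wrongly keep public addresses out of `bind_hosts`; state the ranges as `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `169.254.0.0/16`, `fc00::/7` and `fe80::/10` instead. In the allowlist example `fe80::/16` should be `fe80::/10` (the IPv6 link-local block), and "DNS over HTTP" should read "DNS over HTTPS" throughout. The `curl | jq` pipeline also depends on `jq` being installed, which the text should say.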

doc/ADMIN_fr.md Normal file

@ -0,0 +1,123 @@
# Guide d'administration de AdGuard Home pour YunoHost
Vous voulez comprendre comment bien configurer les paramètres de AdGuard Home ? Vous êtes au bon endroit ! ^w^
## Liaison avec les adresses IP publiques ?
Ce paramètre est **désactivé** par défaut.
Lorsque désactivé :
- YunoHost **ne va pas** vérifier l'accessibilité du port 53 depuis Internet et vous avertir s'il n'est pas accessible (donc éviter les alertes non pertinentes)
- Les adresses IP publiques **ne seront pas** ajoutées à la configuration de AdGuard Home
Lorsque activé :
- YunoHost **vérifiera** l'accessibilité du port 53 depuis Internet et vous avertira s'il n'est pas accessible
- ⚠️ Vous devrez **ouvrir manuellement le port 53** sur votre routeur si vous vous auto-hébergez à la maison !
- Les adresses IP publiques **seront** ajoutées à la configuration de AdGuard Home, donc AGH se liera à elles, ce qui exposera directement le port 53 sur Internet
Vous devez savoir que lorsque vous exposez votre serveur DNS sur Internet, quiconque connaît son adresse peut l'utiliser. **Il peut être détourné** afin de réaliser des [attaques par amplification DNS](https://www.malekal.com/attaque-dos-amplification) !
Ce risque est grandement limité par le système de limitation du nombre de requêtes (rate limiting), qui est consifuré pr défaut à 20 requêtes par secondes par client :
`Settings → DNS settings → DNS server configuration → Rate limit`
Vous pouvez complètement ou presque complètement ces risques d'usages non autorisés à l'aide de la section [Liste blanche](#liste-blanche) plus loin dans cette documentation.
Pour utiliser AdGuard Home sur votre réseau domestique si vous vous auto-hébergez à la maison, il **n'est pas nécessaire** d'activer ce paramètre.
Vous avez simplement à utiliser l'adresse IP privée de votre serveur (telle que `192.168.0.1` ou similaire) en tant qu'adresse IP du serveur DNS de vos appareils électroniques domestiques.
La bonne adresse à utiliser est indiquée en haut de la page "Setup Guide" de votre instance AdGuard Home.
Si vous voulez exposer le port 53 sur Internet, vous devrez utiliser l'adresse IP publique de votre serveur (la même que celle configurée dans les paramètres DNS de votre nom de domaine) sur les apapreils situés ou pouvant se situer à l'extérieur de votre domicile.
**Avertissement :** vous ne devez pas avoir d'adresse IP publique dans votre configuration AdGuard Home si le port 53 n'est pas exposé sur Internet (sinon AGH crash).
**Veuillez noter :** elles devraient être automatiquement lors de la mise à jour du packge ou en modifiant ce réglage de l'exposition du port 53, mais c'est dans la doc au cas où.
Vous pouvez les retirer dans la configuration située à `/var/www/adguardhome/AdGuardHome.yaml` dans la section `dns: bind_hosts:`.
Si une IP **ne débute pas** par ce qui suit, c'est une IP publique :
- `10.`
- `169.`
- `172.`
- `192.168.`
- `fcxx:` (où le `x` peut être n'importe quel caractère' hexadecimal)
- `fdxx:` (où le `x` peut être n'importe quel caractère' hexadecimal)
**Avertissement :** les IPv6 débutant par `fe80:` (IPv6 LLA) NE peuvent PAS être utilisées pour du DNS, si vous essayez d'en mettre une dans la configuration de AGH, ça ne fonctionnera pas et AGH crashera !
Donc toute autre adresse IP devrait être une adresse IP publique.
Redémarrez AdGuard Home manuellement après avoir modifié sa configuration à la main : `yunohost service restart adguardhome`
## Activer le DNS-sur-HTTPS, DNS-sur-TLS et DNS-sur-QUIC ?
Ce paramètre est **désactivé** par défaut.
Si activé, vous devez savoir que quiconque connaît le nom de domaine de votre AdGuard Home peut l'utiliser. **Il peut être détourné** afin de réaliser des [attaques par amplification DNS](https://www.malekal.com/attaque-dos-amplification) !
Il est vraiment importantd'utuliser le panneau de configuration inclus dans l'interface d'administration Web de YunoHost pour activer ou désactiver ce paramètre, et donc **NE PAS** utiliser le réglage inclus dans AdGuard Home.
Cela en raison de la nécessité que YunoHost réalise des réglages automatisés tels que ouvrir ou fermer des ports et rafraichir la liste des IP dans le fichier de configuration de AGH, qui ne peuvent être réalisés qu'en passant par ce paneau de configuration dédié.
Si vous auto-hébergez votre serveur à la maison, afin de pouvoir utiliser de DoT ou DoQ, vous devez aussi ouvrir vous même les ports suivant dans les réglages de votre routeur :
- `__PORT_DNS_OVER_TLS__` en TCP & UDP (pour le DNS sur TLS)
- `__PORT_DNS_OVER_QUIC__` en UDP (pour le DNS sur QUIC)
Puis vous pourrez utiliser les adresses suivantes en tant que serveur DNS DoH, DoT ou DoQ pour vos appareils électroniques :
- DNS sur HTTP : `https://__DOMAIN__/dns-query` (ou `https://__DOMAIN__/dns-query/votre-client-id` en utilisant un [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid))
- DNS sur TLS : `tls://__DOMAIN__:__PORT_DNS_OVER_TLS__`
- DNS sur QUIC : `quic://__DOMAIN__:__PORT_DNS_OVER_QUIC__`
## Liste blanche
Sir votre prot 53 est exposé sur Internet, vous pouvez sécuriser votre instance AdGuard Home à l'aide de la liste blanche, afin d'empêcher des usages non autorisés.
Nous avons déjà reçu des messages d'utilisateurices de YunoHost interloqué-es en se rendant compte que leur instance AGH recevait des dizaines de milliers de requêtes inconnues par jour, cela étant du à l'exposition publique du port 53 sur Internet et au manque de sécurisation de leur instance.
Dans cette liste blanche, vous pouvez ajouter des [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) en lieu et place des adresses IP de vos appareils utilisant le DNS sur HTTP.
Comme YunoHost ne supporte pas les noms de domaines "wildcard", l'usage de la fonctionnalité des ClientID n'est pas possible avec l'utilisation du DNS sur TLS et le DNS sur QUIC. Nous sommes désolées pour cela.
**Note :** afin d'utiliser le DNS sur HTTP avec un ClientID, vous devez utiliser une adresse telle que : `https://__DOMAIN__/dns-query/votre-client-id`
Les réglages de la liste blanche se situent dans l'interface de AdGuard Home à cet endroit : `Settings → DNS settings → Access settings → Allowed clients`
### Réseau local
Si vous vous autohébergez à la maison, vous pouvez simplement coller la liste d'IP suivantes dans votre liste blanche (cela autorisera n'importe quelle adresse IP privée) :
```text
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
fc00::/7
fe80::/16
```
**Note :** le slash `/` et le numéro le suivant, après une adresse IP, representent le masque de sous réseau, ceci est appelé la notation CIDR. Si vous voulez en savoir plus sur la notation CIDR, [vous pouvez lire cet article](https://whatismyipaddress.com/cidr) (en anglais).
### Authoriser quelques adresses IP publiques
Vous pouvez maintenant aussi autoriser quelques adresses IP publiques.
Par exemple, pour autoriser l'adresse IPv4 de votre connexion Internet domestique, ouvrez <https://ip.yunohost.org/> et collez l'adresse affichée dans votre liste blanche.
Si votre FAI vous a assigné une plage d'adresses IPv6 (par exemple `2a01:d34d:b33f:1312::/64`), vous pouvez l'ajouter pour autoriser n'importe quel appareil de votre réseau utilisant cette plage d'adresses.
Vous pouvez ajouter n'importe quelle adresse IP dont vous avez l'usage.
Si vous voulez utiliser votre instance AGH avec votre smartphone sans utiliser la fonctionnalité [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) (qui est uniquement disponible en utilisant le DoH, lisez la documentation des applications pour savoir comment l'utiliser avec votre smartphone), cela devient plus complexe : vous devrez autoriser les plages IP de votre opérateur mobile.
Ce n'est clairement pas parfait mais cela diminue quand même drastiquement les chances d'utilisations non autorisées, tout en vous permettant un usage avec votre smartphone.
**Note :** en cas de connexion sur des réseaux wifi non préalablement autorisés, vous ne pourrez pas utiliser votre instance AdGuard Home.
En utilisant la connexion à autoriser, rendez-vous sur <https://ip.guide/> et cliquez sur "Autonomous Systems".
**Note :** si vous utilisez un iPhone, vérifiez bien que [les options "Limiter le suivi de l'adresse IP" ou "Relais privé iCloud"](https://support.apple.com/guide/iphone/iph499d287c2/ios) sont désactivées (sinon vous devrez autoriser les adresses IP de Akamai en utilisant la même méthode).
Vous pouvez désormais copier toutes les adresses IP présentes dans la section "routes", retirer tous les guillemets, virgules et espaces en conservant une IP par ligne, puis coller ce résultat dans votre liste blanche.
Cela devrait ressembler à la liste de la section précédente de ce tutoriel.
Vous pouvez utiliser la ligne de commande suivante pour avoir un résultat clé en main :
```bash
curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s ".[].network.autonomous_system.asn")" | jq -s ".[].routes" | sed "/v.*:/d;/\],/d" | tr -d " {]\",}"
```
Cette commande demande votre adresse IP sur ip.guide, et la réponse contient l'identifiant "Autonomous System" (ASN) lié à votre opérateur. Puis la commande demande ses plages IP et les affiche sur votre écran.
**Note :** il est possible que vous deviez réaliser cette opération plusieurs fois, comme certains fournisseurs d'accès possèdent plusieurs numéros ASN. Donc si un jour votre AdGuard Home refuse de répondre, cela peut être la cause.
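Review bot: typos in the added French text: "Sir votre prot 53" should read "Si votre port 53", "Authoriser" should be "Autoriser", "representent" should be "représentent" and "du à" should be "dû à". In the private-range list the IPv6 link-local prefix is fe80::/10 (fe80::/16 still covers every address seen in practice, so it is not wrong, just imprecise). The `curl ... | jq -s ".[].routes" | sed ... | tr` one-liner prints nothing at all when the ip.guide lookup fails or the ASN has no routes, so the reader cannot tell an empty allowlist from an error; since the sed filter implies the `routes` object has `v4` and `v6` arrays, `jq -r '.routes.v4[], .routes.v6[]'` would give one CIDR per line without the sed/tr cleanup and would fail loudly on an unexpected shape.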
@ -1,8 +1,39 @@
# Apps documentation # Apps documentation
## Preamble
To use the DNS-over-HTTPS/TLS/QUIC functionality, you need to enable it from your app's YunoHost configuration panel.
If you're reading this using the YunoHost interface, you should already be in the right page: just click on the [AdGuard Home configuration](#/apps/__APP__/main) option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save".
Else, open The YunoHost Webadmin and follow this path: `Applications → AdGuard Home → AdGuard Home configuration`.
From the command line interface: `yunohost app config set __APP__ main.options.dns_over_https -v 1`
## Android ## Android
To be completed by someone who uses an Android app ### Built-in Private DNS
Android offers a Private DNS feature starting its version 9 and above.
This Private DNS setting will only work for DNS-over-TLS with Adguard Home, since DNS-over-HTTPS is limited to a couple of hardcoded providers.
Make sure to have followed the instructions of the Preamble above.
Android being available under various flavours depending on your phone manufacturer, the location of that setting can vary.
It is generally along the lines of `Settings → Connections → More connection parameters → Private DNS`.
There, select "Hostname of the private DNS provider" and enter your Adguard Home's domain: `__DOMAIN__` (no protocol, no slash, only the domain).
### Intra
Intra by [Jigsaw Operations LLC](https://jigsaw.google.com) can be downloaded from [Google Play](https://play.google.com/store/apps/details?id=app.intra) or [F-Droid](https://f-droid.org/packages/app.intra/).
This free app can connect you to your Adguard Home server through DNS-over-HTTPS.
To configure it, once installed:
- Open its side menu `≡ → Parameters → Select a DNS over HTTPS menu`
- Choose `Custom URL server` and enter your server address:
- `https://__DOMAIN__/dns-query`
- If you want to track your device requests and use some per-device rules, replace [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) in the following URL: `https://__DOMAIN__/dns-query/ClientID`,
- Go back to the main screen of the app, and enable the app with the top-right switch.
Technically, it creates a local VPN connection to enforce the use of your DNS server: a 🔑 icon will appear at the top of your screen once it is enabled.
## Apple devices ## Apple devices
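Review bot: "starting its version 9 and above" is redundant; "from Android 9 onwards" reads better. "Adguard Home" appears three times in this hunk while the rest of the documentation writes "AdGuard Home". The CLI line `yunohost app config set __APP__ main.options.dns_over_https -v 1` hardcodes a panel and section id (`main.options`) that this commit does not otherwise show; double-check it against the config panel definition so the command does not silently target a non-existent question.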
@ -11,7 +42,9 @@ To be completed by someone who uses an Android app
[AdGuard Home Remote](https://apps.apple.com/app/id1543143740) by [RocketScience IT](https://rocketscience-it.nl/) is compatible with Mac, iPhone, iPad and Watch. [AdGuard Home Remote](https://apps.apple.com/app/id1543143740) by [RocketScience IT](https://rocketscience-it.nl/) is compatible with Mac, iPhone, iPad and Watch.
It is free with an in-app purchase of 6€ or US$5 to unlock some features. No ads, no tracking. It is free with an in-app purchase of 6€ or US$5 to unlock some features. No ads, no tracking.
You can easilly configure it: This app is for monitoring or configuring your AGH instance, not to use your AGH as a DNS server on your Apple device. See the section bellow for that!
You can easily configure this app:
- Add Instance - Add Instance
- Choose a display name - Choose a display name
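Review bot: "See the section bellow for that!" should read "below".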
@ -20,4 +53,30 @@ You can easilly configure it:
- Enter your AdGuard Home credentials in the "Authentication" fields - Enter your AdGuard Home credentials in the "Authentication" fields
- Test the connection, if a green check is showed up, you're alright - Test the connection, if a green check is showed up, you're alright
![A screenshot showing the previous instructions completed in the app](screenshots/apps/AGH-remote.PNG) [Your configuration should look like this.](https://raw.githubusercontent.com/YunoHost-Apps/adguardhome_ynh/master/doc/screenshots/apps/AGH-remote.PNG)
### Secure DNS profile
To use your AGH instance as the DNS server on your Apple device, you can generate an Apple 'Secure DNS profile'.
**Note:** as a more tech-savvy alternative to this tutorial, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html).
Make sure you have followed the instructions of the Preamble above, then go to the [Setup Guide](https://__DOMAIN____PATH__#guide) page of your AdGuard Home instance, click the "DNS Privacy" option and scroll to the bottom.
- Hostname: keep it that way
- HTTPS port: same, keep it that way
- Protocol: now you have to made a choice: select either DNS-over-HTTPS or DNS-over-TLS
- If you want to use the [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) option to whitelist your client, you can't choose DNS-over-TLS since YunoHost can't handle wildcard domain names, so mandatory DNS-over-HTTPS for you
- If you don't know which one to choose, here's some help:
- As stated above, pick DNS-over-HTTPS if you want to use the ClientID feature to authenticate your requests
- Pick DNS-over-HTTPS if you are likely to use networks that filter the DNS-over-TLS port, such as companies, schools, etc.
- Else, pick DNS-over-TLS because it's a bit faster, as it uses one less [OSI network layer](https://en.wikipedia.org/wiki/OSI_model)
- ClientID: enter a ClientID, `iphone-123456` as an example
- Don't forget to add the exact same ClientID to your Allowlist in the `Settings → DNS settings → Access settings → Allowed clients`
You can now click on the "Download configuration file" button and accept the download.
Finaly, open the system settings, click on the "Downloaded profile" message and install it by entering your device password and tapping the "Install" button a couple times. Ignore the text indicating that the profile is unsigned.
Your device should now use your AdGuard Home instance as its DNS server. Congrats!
**Note:** Installed DNS profiles can be managed in the Settings under "General" then "VPN and Device Management".
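Review bot: "now you have to made a choice" should be "make a choice" and "Finaly" should be "Finally". The justification "one less OSI network layer" is imprecise: DoT carries DNS directly over TLS while DoH adds HTTP framing on top of TLS, so "skips the HTTP layer" is the accurate wording. "Ignore the text indicating that the profile is unsigned" deserves a one-line reason (the profile is generated on the fly by your own AdGuard Home setup page, not distributed by a vendor who signed it), otherwise the guide trains users to accept unsigned configuration profiles in general, which is exactly what a malicious profile relies on.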
doc/APPS_fr.md Normal file
@ -0,0 +1,80 @@
# Documentation des applications
## Préambule
Pour utiliser la fonctionnalité DNS sur HTTP/TLS/QUIC, vous devez l'activer dans l'interface d'administration de YunoHost.
Si vous lisez ceci via l'interface web de YunoHost, vous devriez déjà être au bon endroit: cliquez simplement sur l'option [AdGuard Home configuration](#/apps/adguardhome/main) au dessus de ce texte, activez "Activate DNS over HTTP/TLS/QUIC?" puis cliquez sur "Save".
Sinon, ouvrez l'interface d'administration Web et suivez ce chemin : `Applications → AdGuard Home → AdGuard Home configuration`
Depuis la ligne de commande: `yunohost app config set __APP__ main.options.dns_over_https -v 1`
## Android
### DNS privé intégré
Android propose une fonctionalité nommée **DNS privé** depuis sa version 9.
Ce paramètre **DNS privé** ne fonctionnera que pour *DNS-over-TLS*, car *DNS-over-HTTPS* n'est limité qu'à une paire de fournisseurs figés dans le code.
Android étant distribuée en de multiples variantes selon les fournisseurs d'appareils, l'emplacement de ce paramètre peut varier.
Il est peu ou prou placé dans `Paramètres → Connexions → Plus de paramètres de connexion → DNS privé`
Là, sélectionnez "Nom d'hôte du fournisseur DNS privé", et encodez le nom de domaine de votre serveur Adguard Home: `__DOMAIN__` (pas de protocole, pas de barre oblique, seulement le domaine).
### Intra
Intra par [Jigsaw Operations LLC](https://jigsaw.google.com) peut-être téléchargée depuis [Google Play](https://play.google.com/store/apps/details?id=app.intra) ou [F-Droid](https://f-droid.org/packages/app.intra/).
Cette application gratuite permet de vous connecter à votre serveur Adguard Home via *DNS-over-HTTPS*.
Pour la configurer, une fois installée :
- Ouvrez son menu latéral `≡ → Paramètres → Sélectionnez un serveur DNS over HTTPS`
- Choisissez `URL de serveur personnaliséer` et encodez votre URL :
- `https://__DOMAIN__/dns-query`
- Si vous souhaitez suivre les requêtes de votre appareil ou utiliser des règles personnalisées, remplacez [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) dans l'URL suivante: `https://__DOMAIN__/dns-query/ClientID`,
- Retournez au menu principal de l'app, et activez-la avec l'interrupteur en haut à droite de l'écran.
Techniquement, elle créé une connexion VPN locale pour imposer l'usage de votre serveur DNS : une icône 🔑 apparaîtra en haut de votre écran, une fois activée.
## Appareils Apple
### AdGuard Home Remote
[AdGuard Home Remote](https://apps.apple.com/app/id1543143740) par [RocketScience IT](https://rocketscience-it.nl/) est compatible avec les Mac, iPhone, iPad et Watch.
Elle est gratuite and un achat in-app de 6 € pour débloquer des fonctionnalités supplémentaires. Aucune publicité ni tracking.
Cette app sert à monitorer ou configurer votre instance AGH, et non pas utiliser cette dernière comme serveur DNS pour votre appareil Apple.
Vous pouvez facilement configurer l'app :
- Ajouter une instance
- Choisir un nom d'affichage
- Écrire le nom de domaine de votre instance AdGuard Home, par exemple `adguard.example.com`
- Choisir `https`, cela va automatiquement remplir le champ du port avec `443`
- Renseigner vos identifiants AdGuard Home dans les champs "Authentification"
- Tester la connexion, si une coche verte apparaît, tout est bon!
[Votre configuration devrait ressemblr à ceci.](https://raw.githubusercontent.com/YunoHost-Apps/adguardhome_ynh/master/doc/screenshots/apps/AGH-remote.PNG)
### Profil DNS sécurisé
Afin d'utiliser votre instance AGH en tant que serveur DNS de votre appareil Apple, vous pouvez générer un "Profil DNS sécurisé".
**Note :** en alternative pour utilisateurice expérimenté•e à ce tutoriel, vous pouvez également utiliser l'outil [Secure DNS profile creator](https://dns.notjakob.com/index.html).
Assurez-vous d'avoir suivi les instructions du Préambule ci-dessus, puis rendez-vous sur la page [Setup Guide](https://__DOMAIN____PATH__#guide) de votre instance AdGuard Home, cliquez sur "DNS privacy" et descendez tout en bas.
- Hostname : laisser comme tel
- HTTPS port : laisser aussi comme tel
- Protocol : vous devez désormais faire un choix entre DNS-over-HTTPS et DNS-over-TLS
- Si vous désirez utiliser la fonctionnalité [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) afin de mettre vos appareils sur liste blanche, vous ne pouvez pas choisir DNS-over-TLS car YunoHost ne peut pas gérer les noms de domaines "wildcard", l'usage du DNS-over-HTTPS sera donc obligatoire pour vous
- Si vous ne savez pas lequel choisir, voici un peu d'aide :
- Comme expliqué ci-dessus, choisissez DNS-over-HTTPS si vous souhaitez utiliser la fonctionnalité ClientID pour authentifier vos requêtes
- Choisissez DNS-over-HTTPS si vous devez fréquemment utiliser des réseaux succeptibles de filtrer le port du DNS-over-TLS, tels que ceux des entreprises, des écoles, etc.
- Sinon, choisissez le DNS-over-TLS pour sa rapidité légèrement supérieure, comme il utilise une [couche réseau OSI](https://fr.wikipedia.org/wiki/Mod%C3%A8le_OSI) de moins
- ClientID : renseigner un ClientID, `iphone-123456` par exemple
- N'oubliez pas d'ajouter un ClientID identique dans votre liste blanche : `Settings → DNS settings → Access settings → Allowed clients`
Vous pouvez maintenant cliquer sur le bouton "Download configuration file" et accepter le téléchargement.
Pour finir, ouvrez les réglages système, cliquez sur le message "Profil téléchargé" et installez-le en entrant le mot de passe de l'appareil et en tapant "Installer" quelques fois.
Votre appareil devrait maintenant utiliser votre instance AdGuard Home en tant que serveur DNS. Super !
**Note :** les profils installés peuvent être gérés dans les Réglages, dans "Général" puis "VPN et gestion de l'appareil".
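Review bot: the webadmin link uses the hardcoded `#/apps/adguardhome/main` whereas the English version uses `#/apps/__APP__/main`; use the placeholder here too so a renamed app id still resolves. Typos: "fonctionalité" should be "fonctionnalité", "personnaliséer" should be "personnalisée", "Elle est gratuite and un achat" mixes in English ("and" should be "avec"), "ressemblr" should be "ressembler", "succeptibles" should be "susceptibles" and "elle créé" should be "elle crée". The French "Profil DNS sécurisé" section also drops the sentence about the profile being unsigned that the English version has, and the "Intra" section drops the "Make sure to have followed the instructions of the Preamble" reminder; keep both language versions in sync.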
@ -0,0 +1,33 @@
⚠️ **Important thing to do before upgrading:**
⚠️ If you enabled the "Enable DNS-over-HTTPS" option in your config panel, please disable it and execute the following command before upgrading, else the upgrade will fail!
```bash
yunohost firewall disallow Both 853 --no-reload && yunohost firewall disallow Both 784
```
---
From this 0.107.48~ynh3 version, some things have changed:
- port 53 is no longer exposed on the Internet by default, it's now a deliberate choice
- it is now possible to use DNS over HTTP, DNS over TLS and DNS over QUIC, with the Let's Encrypt certificates generated by YunoHost, out of the box, but this is also disabled by default for the same reason.
To activate either of these features, please use the config panel in the YunoHost webadmin:
Applications → AdGuard Home → AdGuard Home configuration
- Bind to public IP addresses?
- Enable DNS-over-HTTPS/TLS/QUIC?
It's really important to use the configuration panel to activate or deactivate the DNS-over-HTTPS/QUIC setting, and **NOT** the built-in setting in the AdGuardHome interface.
This is because YunoHost needs to perform actions such as automatically opening or closing the server's ports and refresh the IP to provide to AdGuard Home, which cannot be done without going through the configuration panel.
Also, a new password tool has been added in the config panel too, to make it easier to change the administration password of AdGuard Home! ^w^
The "Apps" documentation also has been updated to add a tutoral explaining how to configure your AdGuard Home instance as the DNS server on Apple devices.
You can read this "Apps" doc on the AdGuard Home page in your YunoHost Webadmin interface, just next to the "Admin" doc.
This update is at risk of crashing AdGuard Home, so:
- If you're already using DoH, DoT or DoQ with your AdGuard Home instance: the configuration of your devices may need to be redone, I'm sorry for that.
- If any trouble or question, please refer to [the package's admin docs](https://github.com/YunoHost-Apps/adguardhome_ynh/blob/master/doc/ADMIN.md)! In any case, we recommend reading it! ^w^
- If needed and a similar issue does not already exist, please [open an issue on the GitHub's package page](https://github.com/YunoHost-Apps/adguardhome_ynh/issues)!
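Review bot: the pre-upgrade command runs `yunohost firewall disallow Both 784`, but the manifest declares the DoQ port as `exposed = "UDP"` and `scripts/config` closes it with `disallow UDP`; use `yunohost firewall disallow Both 853 --no-reload && yunohost firewall disallow UDP 784` so the rule being removed matches the rule that was added. "tutoral" should be "tutorial". The notice only says "else the upgrade will fail"; stating in one sentence why (what the upgrade cannot do while those two ports are still allowed) would let admins judge the step instead of following it blindly.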
@ -1,3 +1,5 @@
#:schema https://raw.githubusercontent.com/YunoHost/apps/master/schemas/manifest.v2.schema.json
packaging_format = 2 packaging_format = 2
description.en = "Network-wide ads & trackers blocking DNS server" description.en = "Network-wide ads & trackers blocking DNS server"
@ -5,7 +7,7 @@ description.fr = "Serveur DNS, bloqueur de publicités et trackers"
id = "adguardhome" id = "adguardhome"
name = "AdGuard Home" name = "AdGuard Home"
version = "0.107.48~ynh2" version = "0.107.48~ynh3"
maintainers = [ "ddataa", "OniriCorpe" ] maintainers = [ "ddataa", "OniriCorpe" ]
@ -21,8 +23,8 @@ architectures = "all"
disk = "50M" disk = "50M"
ldap = false ldap = false
multi_instance = false multi_instance = false
ram.build = "50M" ram.build = "200M"
ram.runtime = "50M" ram.runtime = "200M"
sso = false sso = false
yunohost = ">= 11.2" yunohost = ">= 11.2"
@ -34,9 +36,11 @@ yunohost = ">= 11.2"
default = "/adguard" default = "/adguard"
type = "path" type = "path"
[install.init_main_permission] [install.init_main_permission]
default = "visitors" default = "all_users"
type = "group" type = "group"
help.en = "Even by restricting access to users only, the AdGuard Home API will be available (ex. for a mobile app use)."
help.fr = "Même en limitant l'accès aux seuls utilisateurs, l'API AdGuard Home sera disponible (par ex. pour utiliser une application mobile)."
[install.admin] [install.admin]
type = "user" type = "user"
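Review bot: the new `help.en`/`help.fr` says the AdGuard Home API stays reachable whatever this permission is set to; say the same about the `/dns-query` DoH endpoint, which the apps documentation configures in clients that cannot authenticate through the SSO. Otherwise a reader may assume that restricting the app to `all_users` also gates DNS-over-HTTPS, when the allowlist described in the admin doc is the actual control for that.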
@ -44,10 +48,21 @@ yunohost = ">= 11.2"
[install.password] [install.password]
type = "password" type = "password"
[install.dns_over_https] [install.expose_port_53]
ask.en = "Should DNS-over-HTTPS be enabled? (If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query)" ask.en = "Bind to public IP addresses?"
default = true ask.fr = "Liaison avec les adresses IP publiques ?"
type = "boolean" help.en = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification Please read the admin doc to understand that setting and to secure your server using allowlist."
help.fr = "Si activé, quiconque connaissant l'adresse IP de votre serveur pourra lui faire des requêtes DNS. Il pourrait être utilisé afin de réaliser des attaques par amplification DNS : https://www.malekal.com/attaque-dos-amplification Veuillez lire le guide d'administration pour comprendre ce paramètre et comment sécuriser votre serveur en utilisant la liste blanche."
default = false
type = "boolean"
[install.dns_over_https]
ask.en = "Enable DNS-over-HTTPS/TLS/QUIC?"
ask.fr = "Activer le DNS-sur-HTTPS/TLS/QUIC ?"
help.en = "If so, anyone who knows your adguard address can make a DoH request to https://adguardomain.tld/dns-query or using DoT or DoQ. It also may be used to perform amplification attacks. Read the admin doc to secure your server using allowlist."
help.fr = "Si activé, quiconque connaissant l'adresse de votre serveur pourra lui faire des requêtes DoH sur https://adguardomain.tld/dns-query ou en utilisant le DoT ou DoQ. Il pourrait aussi être utilisé afin de réaliser des attaques par amplification DNS. Veuillez lire le guide d'administration pour comprendre ce paramètre et comment sécuriser votre serveur en utilisant la liste blanche."
default = false
type = "boolean"
[resources] [resources]
[resources.sources.main] [resources.sources.main]
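Review bot: the `help.en`/`help.fr` texts for `dns_over_https` repeat the amplification-attack warning from `expose_port_53`, but DoH and DoT run over TCP+TLS and DoQ over QUIC, whose handshake limits what a server sends to an unverified address, so spoofed-source amplification is not the realistic risk there; the risk is an open resolver that anyone can use, with the load and query noise the admin doc describes. Reword to "anyone can use your server as an open resolver" and keep the allowlist pointer. The `ask.en` "Bind to public IP addresses?" could also name port 53 explicitly, since the help text and the pre-upgrade notice both talk about port 53.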
@ -65,10 +80,18 @@ yunohost = ">= 11.2"
autoupdate.strategy = "latest_github_release" autoupdate.strategy = "latest_github_release"
[resources.ports] [resources.ports]
adguard.default = 53 dns_over_tls.default = 853
adguard.exposed = "Both" dns_over_tls.exposed = "Both"
dns_over_tls.fixed = true
dns_over_quic.default = 784
dns_over_quic.exposed = "UDP"
dns_over_quic.fixed = true
# AGH also uses port 53 but we can't put it here as dnsmasq uses it by default
# and the ynh core would assign us another port, however, on installation we
# edit dnsmasq's configuration to allow AGH to use port 53 on non-localhost IPs
[resources.system_user] [resources.system_user]
allow_email = true
[resources.install_dir] [resources.install_dir]
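Review bot: `dns_over_quic.default = 784` is the pre-standard DoQ port; RFC 9250 assigns UDP 853 to DoQ, and `dns_over_tls.exposed = "Both"` already opens 853/UDP in the firewall. Either add a comment saying why 784 is kept (clients that still default to it) or document that DoQ on 853/UDP already works through the DoT rule. `allow_email = true` on the system user has no justification anywhere in this commit; drop it unless AdGuard Home actually sends mail.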
@ -8,6 +8,123 @@
# PERSONAL HELPERS # PERSONAL HELPERS
#================================================= #=================================================
get_network_interface(){
# get the network interface name for IPv4 and IPv6
local IPvx="$1"
# note: echo the IP route command to prevent a crash if the server doesn't have any IPv4/6
if [[ "$IPvx" = "4" ]]; then
# shellcheck disable=SC2005
echo "$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true)"
else
# shellcheck disable=SC2005
echo "$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true)"
fi
}
configure_network_interface_dnsmasq(){
# used to put the network interface in a dedicated dnsmasq config
local ipv4_interface="$1"
local ipv6_interface="$2"
if [ -z "$ipv4_interface" ] && [ -z "$ipv6_interface" ]; then
ynh_die --message="Impossible to find the main network interface, please report this issue."
elif [ "$ipv4_interface" != "$ipv6_interface" ]; then
if [ -z "$ipv4_interface" ]; then
echo -e "bind-interfaces\nexcept-interface=$ipv6_interface" > "/etc/dnsmasq.d/$app"
elif [ -z "$ipv6_interface" ]; then
echo -e "bind-interfaces\nexcept-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app"
else
echo -e "bind-interfaces\nexcept-interface=$ipv4_interface, $ipv6_interface" > "/etc/dnsmasq.d/$app"
fi
else
echo -e "bind-interfaces\nexcept-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app"
fi
systemctl restart dnsmasq
ynh_store_file_checksum --file="/etc/dnsmasq.d/$app"
}
is_public_ip(){
# used to discriminate publics IPs over privates IPs
# private IPv4 start with: 10.; 169.; 172. or 192.168.
# private IPv6 start with: fc; fd or fe80:
local IP="$1"
if [[ "$IP" =~ ^10.*|^169.*|^172.*|^192.168.* ]] ; then
# private IPv4, so false
return 1
elif [[ "$IP" =~ ^fc*|^fd*|^fe80:* ]] ; then
# private IPv6, so false
return 1
else
# public IP, so true
return 0
fi
}
process_ips(){
# used to process the IPs to put in the AGH's config file
local ips="$1"
local processed_ips=""
# remove the 'inet6' and 'inet' from the IP addresses string
ips="$(echo "$ips" | sed "s/inet6//g ; s/inet//g")"
# for each IP
for ip in $ips; do
# check if the so-called IP really is one
if ynh_validate_ip4 --ip_address="$ip" || ynh_validate_ip6 --ip_address="$ip"; then
# we can't use IPv6 LLA for DNS: https://github.com/AdguardTeam/AdGuardHome/issues/2926#issuecomment-1284489380
# if we try to bind port 53 on a fe80:: address, AGH crashes
if ! [[ "$ip" =~ ^fe80:* ]]; then
# don't process if the IP is public and the port 53 closed
if is_public_ip "$ip" && [ "$expose_port_53" == "false" ]; then
# don't add this IP (do nothing)
:
else
# add this IP and a space as IP delimiter
processed_ips+="$ip "
fi
fi
fi
done
echo "${processed_ips:-}"
}
update_agh_ip_config(){
# used to update the IP adresses in the AGHconfig file
if [ -z "${ipv4_addr:-}" ] && [ -z "${ipv6_addr:-}" ]; then
ynh_die --message="At leat one IP adress is required to run AdGuard Home. Please report this error."
fi
# use python's yaml and open the AGH config file
python3 -c "import yaml
with open(\"$install_dir/AdGuardHome.yaml\", 'r') as file:
conf_file = yaml.safe_load(file)
# reset the IPs in the AGH config file
conf_file[\"dns\"][\"bind_hosts\"] = []
# add each IPv4 and IPv6 in the AGH config file
for ip in \"$ipv4_addr\".split():
conf_file[\"dns\"][\"bind_hosts\"].append(ip)
for ip in \"$ipv6_addr\".split():
conf_file[\"dns\"][\"bind_hosts\"].append(ip)
# save the config file
with open(\"$install_dir/AdGuardHome.yaml\", 'w') as file:
yaml.dump(conf_file, file)
"
}
#================================================= #=================================================
# EXPERIMENTAL HELPERS # EXPERIMENTAL HELPERS
#================================================= #=================================================
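Review bot: `is_public_ip` misclassifies public addresses as private. In `^10.*|^169.*|^172.*|^192.168.*` the dot is a regex wildcard, so `^10.*` also matches 100.x, 104.x or 108.x, `^172.*` matches the whole of 172/8 instead of 172.16.0.0/12, and `^169.*` matches all of 169/8 instead of 169.254.0.0/16. Because `process_ips` keeps every address the function calls private, a server whose public IPv4 starts with one of those octets gets port 53 bound on its public address even with `expose_port_53=false`, and the install script opens port 53 in the firewall unconditionally, so nothing else stops it. Anchor the dots and match the real ranges, e.g. `^10\.|^169\.254\.|^172\.(1[6-9]|2[0-9]|3[01])\.|^192\.168\.`, and for IPv6 `^f[cd]|^fe80:` (the current `^fc*` matches any address that starts with `f`). `get_network_interface` also probes the IPv6 route with `::1.2.3.4`, an IPv4-compatible address that some stacks refuse to route; use a global unicast address (anything in 2000::/3) so the lookup reflects the interface that carries real IPv6 traffic.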
@ -13,6 +13,7 @@ source /usr/share/yunohost/helpers
#================================================= #=================================================
# DECLARE DATA AND CONF FILES TO BACKUP # DECLARE DATA AND CONF FILES TO BACKUP
#================================================= #=================================================
ynh_print_info --message="Declaring files to be backed up..." ynh_print_info --message="Declaring files to be backed up..."
#================================================= #=================================================
@ -37,7 +38,8 @@ ynh_backup --src_path="/etc/systemd/system/$app.service"
# BACKUP VARIOUS FILES # BACKUP VARIOUS FILES
#================================================= #=================================================
ynh_backup --src_path="/etc/dnsmasq.d/$app" # backup the kernel config file for DoQ
ynh_backup --src_path="/etc/sysctl.d/10-adguardhome.conf"
#================================================= #=================================================
# END OF SCRIPT # END OF SCRIPT
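Review bot: `/etc/dnsmasq.d/$app` is no longer backed up, but `configure_network_interface_dnsmasq` still writes it and stores its checksum; make sure the restore script regenerates it, otherwise dnsmasq reclaims port 53 on the non-localhost interfaces after a restore and AdGuard Home fails to bind. The new comment "backup the kernel config file for DoQ" would be more useful if it named what `/etc/sysctl.d/10-adguardhome.conf` tunes.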
scripts/config Normal file
@ -0,0 +1,111 @@
#!/bin/bash
#=================================================
# GENERIC STARTING
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
source _common.sh
source /usr/share/yunohost/helpers
ynh_abort_if_errors
# import needed settings
port_dns_over_tls=$(ynh_app_setting_get --app="$app" --key=port_dns_over_tls)
port_dns_over_quic=$(ynh_app_setting_get --app="$app" --key=port_dns_over_quic)
#=================================================
# SPECIFIC SETTERS
#=================================================
set__expose_port_53() {
# regenerate config, needed to add or delete public IPs following the user's choice
ynh_print_info --message="Obtaining IP addresses for the AGH config file..."
# get the name of the network interface in IPv4 and IPv6
ipv4_interface="$(get_network_interface 4)"
ipv6_interface="$(get_network_interface 6)"
# the 'sed' is used to get rid of the network prefix ('/24' for example) and the router IP
ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet | sed 's&/.*&&')")
# get IPv6 for the AGH config file
# the 'sed' is used to get rid of the network prefix ('/64' for example)
ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')")
# update the IP adresses in the AGH config file
ynh_print_info --message="Updating the AGH config file..."
update_agh_ip_config
# declare needs_exposed_ports according to real user need
ynh_print_info --message="Updating the YunoHost service for AdGuard Home..."
if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_tls"
elif [ "$dns_over_https" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_tls"
elif [ "$expose_port_53" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53"
else
yunohost service add "$app" --description="Ads & trackers blocking DNS server"
fi
# save the new setting
ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53"
}
set__dns_over_https() {
if [ "$dns_over_https" == "true" ]; then
ynh_print_info --message="Opening DoH and DoQ ports..."
# if DNS over HTTPS/QUIC is activated, open the associated ports
ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_tls" --no-reload
ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic"
elif [ "$dns_over_https" == "false" ]; then
# else if false, close them
ynh_print_info --message="Closing DoH and DoQ ports..."
ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_tls" --no-reload
ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic"
else
# else, throw error
ynh_print_warn --message="The variable 'dns_over_https' should be 'true' or 'false' but isn't, please report this."
fi
# declare needs_exposed_ports according to real user need
ynh_print_info --message="Updating the YunoHost service for AdGuard Home..."
if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_tls"
elif [ "$dns_over_https" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_tls"
elif [ "$expose_port_53" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53"
else
yunohost service add "$app" --description="Ads & trackers blocking DNS server"
fi
# save the new setting in the AGH config file
ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="enabled" --after="tls:" --value="$dns_over_https"
# save the new setting in YNH
ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https"
}
set__new_password() {
# user's password encryption
ynh_print_info --message="Encrypting the new password..."
password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$new_password\", bcrypt.gensalt(rounds=10)).decode())")
ynh_app_setting_set --app="$app" --key=password --value="$password"
# save the new setting in the AGH config file
ynh_print_info --message="Saving the new password in the AGH configuration..."
ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="password" --value="$password"
}
#=================================================
# GENERIC FINALIZATION
#=================================================
ynh_app_config_run "$1"
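Review bot: `set__new_password` splices the clear-text password into a `python3 -c` source string (`b\"$new_password\"`), so a password containing `"` or `\` breaks the script (and can alter the Python being executed), and the value shows up in the process list via `ps` while the hash is computed. Pass it through the environment instead, e.g. `NEW_PASSWORD="$new_password" python3 -c 'import bcrypt, os; print(bcrypt.hashpw(os.environb[b"NEW_PASSWORD"], bcrypt.gensalt(rounds=10)).decode())'`. The "Opening DoH and DoQ ports" / "Closing DoH and DoQ ports" messages actually act on the DoT (853) and DoQ (784) ports; DoH is served through nginx on 443. The `yunohost service add ... --needs_exposed_ports` if/elif block is duplicated verbatim in `set__expose_port_53` and `set__dns_over_https`; factor it into one helper in the common script so the two cannot drift.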
@ -14,22 +14,52 @@ source /usr/share/yunohost/helpers
#================================================= #=================================================
ynh_script_progression --message="Storing installation settings..." --weight=2 ynh_script_progression --message="Storing installation settings..." --weight=2
if [ "$dns_over_https" == "1" ]; if [[ $dns_over_https == 0 ]]; then
then
dns_over_https="true" dns_over_https="true"
# DNS over TLS
adguard_DoT_port=853
ynh_app_setting_set --app="$app" --key=adguard_DoT_port --value=$adguard_DoT_port
ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_DoT_port
ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $adguard_DoT_port
# DNS over QUIC
adguard_DoQ_port=784
ynh_app_setting_set --app="$app" --key=adguard_DoQ_port --value=$adguard_DoQ_port
ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_DoQ_port
else else
dns_over_https="false" dns_over_https="false"
fi fi
ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https
ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https"
if [[ $expose_port_53 == 0 ]]; then
expose_port_53="true"
else
expose_port_53="false"
fi
ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53"
ynh_app_setting_set --app="$app" --key=new_password --value=""
#=================================================
# PROCESS OPENING/CLOSING PORTS
#=================================================
ynh_script_progression --message="Process opening & closing ports..." --weight=2
# if the port 53 is not open, open it, it's mandatory to use AGH
if ! yunohost firewall list | grep -q " 53$"; then
ynh_print_info --message="Opening port 53..."
ynh_exec_warn_less yunohost firewall allow Both 53
fi
if [ "${dns_over_https:-}" = true ]; then
# if DoH and DoQ are closed
if ! yunohost firewall list | grep -q " $port_dns_over_tls$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then
ynh_print_info --message="Opening DoH and DoQ ports..."
ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_tls" --no-reload
ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic"
else
# no need to open the ports, as they were opened at the 'Provisioning ports' step
ynh_print_info --message="DoH and DoQ ports are open."
fi
else
# if dns_over_https is false, we need to close ports,
# as they were opened at the 'Provisioning ports' step
ynh_print_info --message="Closing DoH and DoQ ports..."
ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_tls" --no-reload
ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic"
fi
#================================================= #=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE # DOWNLOAD, CHECK AND UNPACK SOURCE
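Review bot: the DoH/DoQ condition at `if ! yunohost firewall list | grep -q " $port_dns_over_tls$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"` only opens the ports when both are closed; if just one of them is closed (say 853 is already open for another service), neither `allow` runs and the script still reports "DoH and DoQ ports are open." The copy of this block in upgrade uses `||`; use `||` here too, or drop the check and always issue the two `allow` calls, which is harmless on an already-open port. Separately, `if [[ $dns_over_https == 0 ]]; then` followed by `dns_over_https="true"` inverts the previous `== "1"` mapping; unless the manifest question was reworded as a "disable" toggle, a user answering yes now gets DoH switched off. A comment stating which answer maps to 0 would make the intent checkable.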
@ -37,12 +67,12 @@ ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https
ynh_script_progression --message="Setting up source files..." --weight=4 ynh_script_progression --message="Setting up source files..." --weight=4
# Download, check integrity, uncompress and patch the source from app.src # Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir=$install_dir ynh_setup_source --dest_dir="$install_dir"
chmod -R o-rwx "$install_dir" chmod -R o-rwx "$install_dir"
chown -R $app:$app "$install_dir" chown -R "$app:$app" "$install_dir"
setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' $install_dir/AdGuardHome setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' "$install_dir/AdGuardHome"
#================================================= #=================================================
# NGINX CONFIGURATION # NGINX CONFIGURATION
@ -54,62 +84,47 @@ ynh_add_nginx_config
#================================================= #=================================================
# SPECIFIC SETUP # SPECIFIC SETUP
#=================================================
# adding the adguardhome dedicated user to the 'ssl-cert' group to permit the
# use of the Let's Encrypt certs for DOT/DOQ
usermod -a -G ssl-cert "$app"
# adding a kernel config file for DoQ
ynh_add_config --template="10-adguardhome.conf" --destination="/etc/sysctl.d/10-adguardhome.conf"
#================================================= #=================================================
# ADD A CONFIGURATION # ADD A CONFIGURATION
#================================================= #=================================================
ynh_script_progression --message="Adding a configuration file..." --weight=1 ynh_script_progression --message="Adding a configuration file..." --weight=1
# echo the ip route command to prevent a crash if the server doesn't have any ipv4/6 # user's password encryption
ipv4_interface=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true)
ipv6_interface=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true)
if [ -z "$ipv4_interface" ] && [ -z "$ipv6_interface" ]; then
ynh_die --message="Impossible to find the main network interface, please report this issue."
elif [ "$ipv4_interface" != "$ipv6_interface" ]; then
if [ -z "$ipv4_interface" ]; then
echo -e "bind-interface\nexcept-interface=$ipv6_interface" > "/etc/dnsmasq.d/$app"
elif [ -z "$ipv6_interface" ]; then
echo -e "bind-interfaces\nexcept-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app"
else
echo -e "bind-interfaces\nexcept-interface=$ipv4_interface, $ipv6_interface" > "/etc/dnsmasq.d/$app"
fi
else
echo -e "bind-interfaces\nexcept-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app"
fi
systemctl restart dnsmasq
ynh_store_file_checksum --file="/etc/dnsmasq.d/$app"
ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | head -n1)
ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1)
ipv4_addr=""
for i in $(seq "$(echo "$ipv4_route_output" | wc -w)" -1 1); do
ip=$(echo "$ipv4_route_output" | awk "{print \$$i}")
if ynh_validate_ip4 --ip_address="$ip"; then
ipv4_addr="- $ip"
break
fi
done
ipv6_addr=""
for i in $(seq "$(echo "$ipv6_route_output" | wc -w)" -1 1); do
ip=$(echo "$ipv6_route_output" | awk "{print \$$i}")
if ynh_validate_ip6 --ip_address="$ip"; then
ipv6_addr="- $ip"
break
fi
done
password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())") password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())")
ynh_app_setting_set --app="$app" --key=password --value="$password" ynh_app_setting_set --app="$app" --key=password --value="$password"
# Main config File # Main config File
ynh_add_config --template="../conf/AdGuardHome.yaml" --destination="$install_dir/AdGuardHome.yaml" ynh_add_config --template="AdGuardHome.yaml" --destination="$install_dir/AdGuardHome.yaml"
# get the name of the network interface in IPv4 and IPv6
ipv4_interface="$(get_network_interface 4)"
ipv6_interface="$(get_network_interface 6)"
# put the network interface in a dedicated dnsmasq config
configure_network_interface_dnsmasq "$ipv4_interface" "$ipv6_interface"
# get IPv4 for the AGH config file
# the 'sed' is used to get rid of the network prefix ('/24' for example) and the router IP
ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet | sed 's&/.*&&')")
# get IPv6 for the AGH config file
# the 'sed' is used to get rid of the network prefix ('/64' for example)
ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')")
# update the IP adresses in the AGH config file
update_agh_ip_config
chmod 600 "$install_dir/AdGuardHome.yaml" chmod 600 "$install_dir/AdGuardHome.yaml"
chown -R $app:$app "$install_dir/AdGuardHome.yaml" chown -R "$app:$app" "$install_dir/AdGuardHome.yaml"
#================================================= #=================================================
# SETUP SYSTEMD # SETUP SYSTEMD
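Review bot: `ynh_add_config --template="10-adguardhome.conf" --destination="/etc/sysctl.d/10-adguardhome.conf"` writes the sysctl drop-in, but nothing in this hunk applies it, so the kernel settings for DoQ only take effect after a reboot; add `sysctl --system` (or `sysctl -p /etc/sysctl.d/10-adguardhome.conf`) right after it, before the service is started. Also, `usermod -a -G ssl-cert "$app"` gives the service read access to every key the `ssl-cert` group can read, not only `$domain`'s; that is the pragmatic way to reach the Let's Encrypt key, but it deserves a comment saying so. The inline bcrypt call at `password=$(python3 -c "import bcrypt; ...` has the same quoting problem as the one in the config script: pass the password via the environment rather than interpolating it into Python source.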
@ -119,7 +134,16 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1
# Create a dedicated systemd config # Create a dedicated systemd config
ynh_add_systemd_config ynh_add_systemd_config
yunohost service add $app --description="Ads & trackers blocking DNS server" --needs_exposed_ports 53 # declare needs_exposed_ports according to real user need
if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_tls"
elif [ "$dns_over_https" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_tls"
elif [ "$expose_port_53" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53"
else
yunohost service add "$app" --description="Ads & trackers blocking DNS server"
fi
#================================================= #=================================================
# START SYSTEMD SERVICE # START SYSTEMD SERVICE
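Review bot: `--needs_exposed_ports "53" "$port_dns_over_tls"` never lists `$port_dns_over_quic`, so the diagnosis will not check the DoQ port the script just opened; if that is deliberate because the exposure check is TCP-only, say so in the `# declare needs_exposed_ports` comment. The four near-identical `yunohost service add` branches could be collapsed by collecting the ports in an array and appending `--needs_exposed_ports "${ports[@]}"` only when it is non-empty; the same ladder is duplicated in restore and upgrade.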

@ -9,6 +9,20 @@
source _common.sh source _common.sh
source /usr/share/yunohost/helpers source /usr/share/yunohost/helpers
#=================================================
# PROCESS CLOSING PORTS
#=================================================
ynh_script_progression --message="Closing ports..." --weight=2
# close ports
ynh_print_info --message="Closing port 53..."
ynh_exec_warn_less yunohost firewall disallow Both 53
if [ "$dns_over_https" == "true" ]; then
ynh_print_info --message="Closing DoH and DoQ ports..."
ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_tls" --no-reload
ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic"
fi
#================================================= #=================================================
# STANDARD REMOVE # STANDARD REMOVE
#================================================= #=================================================
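Review bot: `if [ "$dns_over_https" == "true" ]; then` reads the bare variable, whereas install and restore use `"${dns_over_https:-}"`; remove can run after a failed install in which that setting was never written, and under `set -u` an unset variable aborts the script before the ports are closed. Use the `${dns_over_https:-}` form here as well.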
@ -16,11 +30,10 @@ source /usr/share/yunohost/helpers
#================================================= #=================================================
# Remove the service from the list of services known by YunoHost (added from `yunohost service add`) # Remove the service from the list of services known by YunoHost (added from `yunohost service add`)
if ynh_exec_warn_less yunohost service status "$app" >/dev/null ynh_script_progression --message="Removing $app service integration..." --weight=1
then yunohost service remove "$app"
ynh_script_progression --message="Removing $app service integration..." --weight=1
yunohost service remove "$app" ynh_script_progression --message="Removing system configurations related to $app..." --weight=1
fi
# Remove the dedicated systemd config # Remove the dedicated systemd config
ynh_remove_systemd_config ynh_remove_systemd_config
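Review bot: dropping the `if ynh_exec_warn_less yunohost service status "$app" >/dev/null` guard makes `yunohost service remove "$app"` run unconditionally; on a remove triggered by a failed install that never reached `yunohost service add`, the call errors and can abort the rest of the cleanup. Keep the guard, or make the call tolerant with `ynh_exec_warn_less` / `|| true`.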
@ -28,7 +41,12 @@ ynh_remove_systemd_config
# Remove the dedicated NGINX config # Remove the dedicated NGINX config
ynh_remove_nginx_config ynh_remove_nginx_config
# Remove other various files specific to the app... #=================================================
# REMOVE VARIOUS FILES specific to the app...
#=================================================
# remove the kernel config file for DoQ
ynh_secure_remove --file="/etc/sysctl.d/10-adguardhome.conf"
# Remove the dedicated dnsmasq config for AdGuardHome # Remove the dedicated dnsmasq config for AdGuardHome
ynh_secure_remove --file="/etc/dnsmasq.d/$app" ynh_secure_remove --file="/etc/dnsmasq.d/$app"
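Review bot: `ynh_secure_remove --file="/etc/sysctl.d/10-adguardhome.conf"` deletes the drop-in, but the values it set remain in the running kernel until reboot; that is acceptable for a remove, but the `# remove the kernel config file for DoQ` comment should say so, as the previous values are not recorded anywhere to restore them.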

@ -10,21 +10,75 @@
source ../settings/scripts/_common.sh source ../settings/scripts/_common.sh
source /usr/share/yunohost/helpers source /usr/share/yunohost/helpers
#=================================================
# PROCESS OPENING/CLOSING PORTS
#=================================================
ynh_script_progression --message="Process opening & closing ports..." --weight=2
# if the port 53 is not open, open it, it's mandatory to use AGH
if ! yunohost firewall list | grep -q " 53$"; then
ynh_print_info --message="Opening port 53..."
ynh_exec_warn_less yunohost firewall allow Both 53
fi
if [ "${dns_over_https:-}" = true ]; then
# if DoH and DoQ are closed
if ! yunohost firewall list | grep -q " $port_dns_over_tls$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then
ynh_print_info --message="Opening DoH and DoQ ports..."
ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_tls" --no-reload
ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic"
else
# no need to open the ports, as they were opened at the 'Provisioning ports' step
ynh_print_info --message="DoH and DoQ ports are open."
fi
else
# if dns_over_https is false, we need to close ports,
# as they were opened at the 'Provisioning ports' step
ynh_print_info --message="Closing DoH and DoQ ports..."
ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_tls" --no-reload
ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic"
fi
#================================================= #=================================================
# RESTORE THE APP MAIN DIR # RESTORE THE APP MAIN DIR
#================================================= #=================================================
# adding the adguardhome dedicated user to the 'ssl-cert' group to permit the
# use of the Let's Encrypt certs for DOT/DOQ
usermod -a -G ssl-cert "$app"
ynh_script_progression --message="Restoring the app main directory..." --weight=1 ynh_script_progression --message="Restoring the app main directory..." --weight=1
ynh_restore_file --origin_path="$install_dir" ynh_restore_file --origin_path="$install_dir"
# we need to refresh IP adresses in case the backup is restored in a different
# environment, else AGH will try to bind port 53 on non-existent IPs and crash
# get the name of the network interface in IPv4 and IPv6
ipv4_interface="$(get_network_interface 4)"
ipv6_interface="$(get_network_interface 6)"
# put the network interface in a dedicated dnsmasq config
configure_network_interface_dnsmasq "$ipv4_interface" "$ipv6_interface"
# get IPv4 for the AGH config file
# the 'sed' is used to get rid of the network prefix ('/24' for example) and the router IP
ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet | sed 's&/.*&&')")
# get IPv6 for the AGH config file
# the 'sed' is used to get rid of the network prefix ('/64' for example)
ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')")
# update the IP adresses in the AGH config file
update_agh_ip_config
# this will be treated as a security issue. # this will be treated as a security issue.
chmod 750 "$install_dir" chmod 750 "$install_dir"
chmod -R o-rwx "$install_dir" chmod -R o-rwx "$install_dir"
chown -R $app:$app "$install_dir" chown -R "$app:$app" "$install_dir"
setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' $install_dir/AdGuardHome setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' "$install_dir/AdGuardHome"
ynh_restore_file --origin_path="/etc/dnsmasq.d/$app"
systemctl restart dnsmasq systemctl restart dnsmasq
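Review bot: the whole `PROCESS OPENING/CLOSING PORTS` block is pasted verbatim from install, a third copy lives in upgrade, and the conditions already diverge (`&&` here and in install, `||` in upgrade); move it into a function in `_common.sh` next to `get_network_interface` and `update_agh_ip_config` so the three scripts cannot drift. Also, `usermod -a -G ssl-cert "$app"` sits under the `RESTORE THE APP MAIN DIR` header ahead of its own `ynh_script_progression` message; it belongs in a dedicated section as in install. Finally, `ynh_restore_file --origin_path="/etc/dnsmasq.d/$app"` is dropped in favour of `configure_network_interface_dnsmasq`, yet `systemctl restart dnsmasq` is still called here; if the helper already restarts dnsmasq this is a double restart.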
@ -38,7 +92,23 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
ynh_restore_file --origin_path="/etc/systemd/system/$app.service" ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
systemctl enable "$app.service" --quiet systemctl enable "$app.service" --quiet
yunohost service add $app --description="Ads & trackers blocking DNS server" --needs_exposed_ports 53 # declare needs_exposed_ports according to real user need
if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_tls"
elif [ "$dns_over_https" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_tls"
elif [ "$expose_port_53" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53"
else
yunohost service add "$app" --description="Ads & trackers blocking DNS server"
fi
#=================================================
# RESTORE VARIOUS FILES
#=================================================
# restore the kernel config file for DoQ
ynh_restore_file --origin_path="/etc/sysctl.d/10-adguardhome.conf"
#================================================= #=================================================
# START SYSTEMD SERVICE # START SYSTEMD SERVICE
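Review bot: `ynh_restore_file --origin_path="/etc/sysctl.d/10-adguardhome.conf"` puts the drop-in back but does not apply it, and the service is started in the very next section; add `sysctl --system` after the restore so the DoQ kernel settings are live before AdGuardHome comes up. The `needs_exposed_ports` if/elif ladder is the same as in install and likewise omits `$port_dns_over_quic`.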

@ -29,23 +29,89 @@ ynh_systemd_action --service_name="$app" --action="stop"
#================================================= #=================================================
ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
if [ -n "$dns_over_https" ] && [ "$dns_over_https" == "1" ]; # to remove some time in the future (DoH PR during testing phase residual)
then if ! grep -q "port_https: 0" "$install_dir/AdGuardHome.yaml"; then
dns_over_https="true" ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_https" --value="0"
ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https fi
# DNS over TLS
adguard_DoT_port=853 if [ -z "${expose_port_53:-}" ] || [ "${expose_port_53:-}" = false ]; then
ynh_app_setting_set --app=$app --key=adguard_DoT_port --value=$adguard_DoT_port # if 'expose_port_53' doesn't exist or is false
ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_DoT_port expose_port_53="false"
ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $adguard_DoT_port ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53"
# DNS over QUIC elif [ "${expose_port_53:-}" = true ]; then
adguard_DoQ_port=784 expose_port_53="true"
ynh_app_setting_set --app="$app" --key=adguard_DoQ_port --value=$adguard_DoQ_port ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53"
ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_DoQ_port fi
elif [ -z "$dns_over_https" ] || [ "$dns_over_https" == "0" ];
then if [ -z "${dns_over_https:-}" ] || [ "${dns_over_https:-}" = false ]; then
# if 'dns_over_https' doesn't exist or is false
dns_over_https="false" dns_over_https="false"
ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https
elif [ "${dns_over_https:-}" = true ]; then
dns_over_https="true"
ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https
fi
# about all those 'ynh_write_var_in_file':
# AGH modifies by itself the config file when an user modifies it using the front-end
# so if we're using 'ynh_add_config' to process the config file, each
# regeneration of the config would break the user's changes :/ (yeah ik...)
# maybe one day we'll use python3 -c "import yaml" in place of this shit, but not today
# fill the 'tls:' section of the AGH configuration if necessary
if grep -q "certificate_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "private_key_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "server_name: \"\"" "$install_dir/AdGuardHome.yaml"; then
ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="enabled" --after="tls:" --value="$dns_over_https"
ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="server_name" --value="$domain"
ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="allow_unencrypted_doh" --value="true"
ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="certificate_path" --value="/etc/yunohost/certs/$domain/crt.pem"
ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="private_key_path" --value="/etc/yunohost/certs/$domain/key.pem"
fi
# make sure that the ports configured for the app are those known by the package
ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="address" --after="http:" --value="127.0.0.1:$port"
ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_dns_over_tls" --value="$port_dns_over_tls"
ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_dns_over_quic" --value="$port_dns_over_quic"
# remove setting no longer required
ynh_app_setting_delete --app="$app" --key=port_adguard
if [ -z "${new_password:-}" ]; then
ynh_app_setting_set --app="$app" --key=new_password --value=""
fi
#=================================================
# PROCESS OPENING/CLOSING PORTS
#=================================================
ynh_script_progression --message="Process opening & closing ports..." --weight=2
# if the DNS port in the AGH config is not 53, make sure it is...
if ! [ "$(ynh_read_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port" --after="dns")" == "53" ]; then
ynh_print_info --message="Fixing port 53 in the AGH config file..."
ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port" --after="dns" --value="53"
fi
# if the port 53 is not open, open it, it's mandatory to use AGH
if ! yunohost firewall list | grep -q " 53$"; then
ynh_print_info --message="Opening port 53..."
ynh_exec_warn_less yunohost firewall allow Both 53
fi
if [ "${dns_over_https:-}" = true ]; then
# if DoH and DoQ are closed
if ! yunohost firewall list | grep -q " $port_dns_over_tls$" || ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then
ynh_print_info --message="Opening DoH and DoQ ports..."
ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_tls" --no-reload
ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic"
else
# no need to open the ports, as they were opened at the 'Provisioning ports' step
ynh_print_info --message="DoH and DoQ ports are open."
fi
else
# if dns_over_https is false, we need to close ports,
# as they were opened at the 'Provisioning ports' step
ynh_print_info --message="Closing DoH and DoQ ports..."
ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_tls" --no-reload
ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic"
fi fi
#================================================= #=================================================
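Review bot: the `tls:` back-fill at `if grep -q "certificate_path: \"\"" ... || grep -q "server_name: \"\""` overwrites five keys whenever any one of them is empty, including `enabled` (taken from `$dns_over_https`) and `allow_unencrypted_doh: true`; add a comment explaining why unencrypted DoH on the AGH side is acceptable (the `http:` `address` is pinned to `127.0.0.1:$port` a few lines below, so only nginx, which terminates TLS, can reach that listener), otherwise a reader will take it for a weakening. Two smaller points: the compatibility ladder `if [ -z "${dns_over_https:-}" ] || [ "${dns_over_https:-}" = false ]` / `elif [ "${dns_over_https:-}" = true ]` has no final branch, so any other stored value falls through unchanged, later fails the `= true` test and silently closes the DoH/DoQ ports; add an `else` that normalises or dies. And `--after="dns"` in the port-53 check is a loose anchor that can match other lines containing `dns`; `--after="dns:"` is safer.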
@ -57,13 +123,13 @@ then
ynh_script_progression --message="Upgrading source files..." --weight=1 ynh_script_progression --message="Upgrading source files..." --weight=1
# Download, check integrity, uncompress and patch the source from app.src # Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir=$install_dir --full_replace=1 --keep="data AdGuardHome.yaml" ynh_setup_source --dest_dir="$install_dir" --full_replace=1 --keep="data AdGuardHome.yaml"
fi fi
chmod -R o-rwx "$install_dir" chmod -R o-rwx "$install_dir"
chown -R $app:$app "$install_dir" chown -R "$app:$app" "$install_dir"
setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' $install_dir/AdGuardHome setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' "$install_dir/AdGuardHome"
#================================================= #=================================================
# NGINX CONFIGURATION # NGINX CONFIGURATION
@ -76,79 +142,50 @@ ynh_add_nginx_config
# Create a dedicated systemd config # Create a dedicated systemd config
ynh_add_systemd_config ynh_add_systemd_config
yunohost service add $app --description="Ads & trackers blocking DNS server" --needs_exposed_ports 53 # declare needs_exposed_ports according to real user need
if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_tls"
elif [ "$dns_over_https" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_tls"
elif [ "$expose_port_53" == "true" ]; then
yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53"
else
yunohost service add "$app" --description="Ads & trackers blocking DNS server"
fi
#================================================= #=================================================
# SPECIFIC UPGRADE # SPECIFIC UPGRADE
#=================================================
# adding the adguardhome dedicated user to the 'ssl-cert' group to permit the
# use of the Let's Encrypt certs for DOT/DOQ
usermod -a -G ssl-cert "$app"
# adding a kernel config file for DoQ
ynh_add_config --template="10-adguardhome.conf" --destination="/etc/sysctl.d/10-adguardhome.conf"
#================================================= #=================================================
# UPDATE A CONFIG FILE # UPDATE A CONFIG FILE
#================================================= #=================================================
ynh_script_progression --message="Updating a configuration file..." --weight=1 ynh_script_progression --message="Updating a configuration file..." --weight=1
ipv4_interface=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) # get the name of the network interface in IPv4 and IPv6
ipv6_interface=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) ipv4_interface="$(get_network_interface 4)"
ipv6_interface="$(get_network_interface 6)"
if [ -z "$ipv4_interface" ] && [ -z "$ipv6_interface" ]; then # get IPv4 for the AGH config file
ynh_die --message="Impossible to find the main network interface, please report this issue." # the 'sed' is used to get rid of the network prefix ('/24' for example) and the router IP
elif [ "$ipv4_interface" != "$ipv6_interface" ]; then ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet | sed 's&/.*&&')")
if [ -z "$ipv4_interface" ]; then
echo -e "bind-interfaces\nexcept-interface=$ipv6_interface" > "/etc/dnsmasq.d/$app"
elif [ -z "$ipv6_interface" ]; then
echo -e "bind-interfaces\nexcept-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app"
else
echo -e "bind-interfaces\nexcept-interface=$ipv4_interface, $ipv6_interface" > "/etc/dnsmasq.d/$app"
fi
else
echo -e "bind-interfaces\nexcept-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app"
fi
systemctl restart dnsmasq # get IPv6 for the AGH config file
# the 'sed' is used to get rid of the network prefix ('/64' for example)
ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')")
ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" # update the IP adresses in the AGH config file
update_agh_ip_config
ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1)
ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1)
ipv4_addr=""
for i in $(seq "$(echo "$ipv4_route_output" | wc -w)" -1 1); do
ip=$(echo "$ipv4_route_output" | awk "{print \$$i}")
if ynh_validate_ip4 --ip_address="$ip"; then
ipv4_addr="$ip"
break
fi
done
ipv6_addr=""
for i in $(seq "$(echo "$ipv6_route_output" | wc -w)" -1 1); do
ip=$(echo "$ipv6_route_output" | awk "{print \$$i}")
if ynh_validate_ip6 --ip_address="$ip"; then
ipv6_addr="$ip"
break
fi
done
# Reset the bind_hosts if the current ip is 0.0.0.0
python3 -c "import yaml
with open(\"$install_dir/AdGuardHome.yaml\", 'r') as file:
conf_file = yaml.safe_load(file)
need_file_update = False
if \"0.0.0.0\" in conf_file[\"dns\"][\"bind_hosts\"]:
conf_file[\"dns\"][\"bind_hosts\"] = []
if \"$ipv4_addr\":
conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv4_addr\")
if \"$ipv6_addr\":
conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv6_addr\")
need_file_update = True
if need_file_update:
with open(\"$install_dir/AdGuardHome.yaml\", 'w') as file:
yaml.dump(conf_file, file)
"
chmod 600 "$install_dir/AdGuardHome.yaml" chmod 600 "$install_dir/AdGuardHome.yaml"
chown -R $app:$app "$install_dir/AdGuardHome.yaml" chown -R "$app:$app" "$install_dir/AdGuardHome.yaml"
#================================================= #=================================================
# START SYSTEMD SERVICE # START SYSTEMD SERVICE
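Review bot: the removed `python3 -c "import yaml ...` block reset `bind_hosts` when it contained `0.0.0.0` and rebuilt it from `$ipv4_addr` and `$ipv6_addr`; its replacement `update_agh_ip_config` lives in `_common.sh` and is not part of this diff, so please confirm it still covers the `0.0.0.0` case and an interface with no address of one family (`ipv4_addr` or `ipv6_addr` empty). As in install, the drop-in written by `ynh_add_config --template="10-adguardhome.conf"` is never applied with `sysctl --system` before the service is restarted.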

@ -2,8 +2,35 @@ test_format = 1.0
[default] [default]
# ------------------------------- # -------------------------------
# Default args to use for install # Default args to use for install
# ------------------------------- # -------------------------------
args.dns_over_https=1 # false by default
args.expose_port_53 = 1
args.dns_over_https = 1
# -------------------------------
# Commits to test upgrade from
# -------------------------------
# test_upgrade_from.c1b81566.name = "Upgrade from 0.107.43~ynh3"
# -------------------------------
# additional tests suite
# -------------------------------
[expose_port_53]
only = ["install.root"]
args.expose_port_53 = 0
args.dns_over_https = 1
[open_doh_doq_ports]
only = ["install.root"]
args.expose_port_53 = 1
args.dns_over_https = 0
[open_both_port_53_and_doh_doq_ports]
only = ["install.root"]
args.expose_port_53 = 0
args.dns_over_https = 0
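Review bot: `args.dns_over_https = 1 # false by default` documents that 1 means disabled, and the dedicated suites confirm it (`[open_doh_doq_ports]` sets `args.dns_over_https = 0`, `[expose_port_53]` sets `args.expose_port_53 = 0`); this inverted mapping is easy to misread, so unless the manifest questions are phrased as "disable" toggles, flip the values in install instead. Also `# test_upgrade_from.c1b81566.name = "Upgrade from 0.107.43~ynh3"` is commented out, so the upgrade path, which carries most of the new logic (setting migration, `tls:` back-fill, port handling), is not exercised; enable it.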