diff --git a/locales/en.json b/locales/en.json
index 0eca7b9bc..9f56aacd5 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -245,6 +245,7 @@
"diagnosis_ip_no_ipv4": "The server does not have working IPv4.",
"diagnosis_ip_no_ipv6": "The server does not have working IPv6.",
"diagnosis_ip_no_ipv6_tip": "Having a working IPv6 is not mandatory for your server to work, but it is better for the health of the Internet as a whole. IPv6 should usually be automatically configured by the system or your provider if it's available. Otherwise, you might need to configure a few things manually as explained in the documentation here: https://yunohost.org/#/ipv6. If you cannot enable IPv6 or if it seems too technical for you, you can also safely ignore this warning.",
+ "diagnosis_ip_no_ipv6_tip_important": "IPv6 should usually be automatically configured by the system or your provider if it's available. Otherwise, you might need to configure a few things manually as explained in the documentation here: https://yunohost.org/#/ipv6.",
"diagnosis_ip_not_connected_at_all": "The server does not seem to be connected to the Internet at all!?",
"diagnosis_ip_weird_resolvconf": "DNS resolution seems to be working, but it looks like you're using a custom /etc/resolv.conf.",
"diagnosis_ip_weird_resolvconf_details": "The file /etc/resolv.conf should be a symlink to /etc/resolvconf/run/resolv.conf itself pointing to 127.0.0.1 (dnsmasq). If you want to manually configure DNS resolvers, please edit /etc/resolv.dnsmasq.conf.",
@@ -399,6 +400,8 @@
"firewall_reloaded": "Firewall reloaded",
"firewall_rules_cmd_failed": "Some firewall rule commands have failed. More info in log.",
"global_settings_reset_success": "Reset global settings",
+ "global_settings_setting_dns_exposure": "IP versions to consider for DNS configuration and diagnosis",
+ "global_settings_setting_dns_exposure_help": "NB: This only affects the recommended DNS configuration and diagnosis checks. This does not affect system configurations.",
"global_settings_setting_admin_strength": "Admin password strength requirements",
"global_settings_setting_admin_strength_help": "These requirements are only enforced when initializing or changing the password",
"global_settings_setting_backup_compress_tar_archives": "Compress backups",
diff --git a/share/config_global.toml b/share/config_global.toml
index 1f3cc1b39..40b71ab19 100644
--- a/share/config_global.toml
+++ b/share/config_global.toml
@@ -160,3 +160,12 @@ name = "Other"
[misc.backup.backup_compress_tar_archives]
type = "boolean"
default = false
+
+ [misc.network]
+ name = "Network"
+ [misc.network.dns_exposure]
+ type = "select"
+ choices.both = "Both"
+ choices.ipv4 = "IPv4 Only"
+ choices.ipv6 = "IPv6 Only"
+ default = "both"
diff --git a/src/diagnosers/10-ip.py b/src/diagnosers/10-ip.py
index b2bedc802..6b35731a0 100644
--- a/src/diagnosers/10-ip.py
+++ b/src/diagnosers/10-ip.py
@@ -28,6 +28,7 @@ from moulinette.utils.filesystem import read_file
from yunohost.diagnosis import Diagnoser
from yunohost.utils.network import get_network_interfaces
+from yunohost.settings import settings_get
logger = log.getActionLogger("yunohost.diagnosis")
@@ -118,10 +119,13 @@ class MyDiagnoser(Diagnoser):
else:
return local_ip
+ def is_ipvx_important(x):
+ return settings_get("misc.network.dns_exposure") in ["both", "ipv"+str(x)]
+
yield dict(
meta={"test": "ipv4"},
data={"global": ipv4, "local": get_local_ip("ipv4")},
- status="SUCCESS" if ipv4 else "ERROR",
+ status="SUCCESS" if ipv4 else "ERROR" if is_ipvx_important(4) else "WARNING",
summary="diagnosis_ip_connected_ipv4" if ipv4 else "diagnosis_ip_no_ipv4",
details=["diagnosis_ip_global", "diagnosis_ip_local"] if ipv4 else None,
)
@@ -129,11 +133,11 @@ class MyDiagnoser(Diagnoser):
yield dict(
meta={"test": "ipv6"},
data={"global": ipv6, "local": get_local_ip("ipv6")},
- status="SUCCESS" if ipv6 else "WARNING",
+ status="SUCCESS" if ipv6 else "ERROR" if is_ipvx_important(6) else "WARNING",
summary="diagnosis_ip_connected_ipv6" if ipv6 else "diagnosis_ip_no_ipv6",
details=["diagnosis_ip_global", "diagnosis_ip_local"]
if ipv6
- else ["diagnosis_ip_no_ipv6_tip"],
+ else ["diagnosis_ip_no_ipv6_tip_important" if is_ipvx_important(6) else "diagnosis_ip_no_ipv6_tip"],
)
# TODO / FIXME : add some attempt to detect ISP (using whois ?) ?
diff --git a/src/diagnosers/14-ports.py b/src/diagnosers/14-ports.py
index 5671211b5..57fb7cd98 100644
--- a/src/diagnosers/14-ports.py
+++ b/src/diagnosers/14-ports.py
@@ -21,6 +21,7 @@ from typing import List
from yunohost.diagnosis import Diagnoser
from yunohost.service import _get_services
+from yunohost.settings import settings_get
class MyDiagnoser(Diagnoser):
@@ -46,7 +47,7 @@ class MyDiagnoser(Diagnoser):
ipversions = []
ipv4 = Diagnoser.get_cached_report("ip", item={"test": "ipv4"}) or {}
- if ipv4.get("status") == "SUCCESS":
+ if ipv4.get("status") == "SUCCESS" or settings_get("misc.network.dns_exposure") != "ipv6":
ipversions.append(4)
# To be discussed: we could also make this check dependent on the
@@ -120,7 +121,7 @@ class MyDiagnoser(Diagnoser):
for record in dnsrecords.get("items", [])
)
- if failed == 4 or ipv6_is_important():
+ if (failed == 4 and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]) or (failed == 6 and ipv6_is_important()):
yield dict(
meta={"port": port},
data={
diff --git a/src/diagnosers/21-web.py b/src/diagnosers/21-web.py
index 4a69895b2..25554fe9d 100644
--- a/src/diagnosers/21-web.py
+++ b/src/diagnosers/21-web.py
@@ -26,6 +26,7 @@ from moulinette.utils.filesystem import read_file, mkdir, rm
from yunohost.diagnosis import Diagnoser
from yunohost.domain import domain_list
from yunohost.utils.dns import is_special_use_tld
+from yunohost.settings import settings_get
DIAGNOSIS_SERVER = "diagnosis.yunohost.org"
@@ -76,7 +77,7 @@ class MyDiagnoser(Diagnoser):
ipversions = []
ipv4 = Diagnoser.get_cached_report("ip", item={"test": "ipv4"}) or {}
- if ipv4.get("status") == "SUCCESS":
+ if ipv4.get("status") == "SUCCESS" and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]:
ipversions.append(4)
# To be discussed: we could also make this check dependent on the
@@ -96,7 +97,7 @@ class MyDiagnoser(Diagnoser):
# "curl --head the.global.ip" will simply timeout...
if self.do_hairpinning_test:
global_ipv4 = ipv4.get("data", {}).get("global", None)
- if global_ipv4:
+ if global_ipv4 and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]:
try:
requests.head("http://" + global_ipv4, timeout=5)
except requests.exceptions.Timeout:
@@ -147,7 +148,7 @@ class MyDiagnoser(Diagnoser):
if all(
results[ipversion][domain]["status"] == "ok" for ipversion in ipversions
):
- if 4 in ipversions:
+ if 4 in ipversions and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]:
self.do_hairpinning_test = True
yield dict(
meta={"domain": domain},
@@ -185,7 +186,7 @@ class MyDiagnoser(Diagnoser):
)
AAAA_status = dnsrecords.get("data", {}).get("AAAA:@")
- return AAAA_status in ["OK", "WRONG"]
+ return AAAA_status in ["OK", "WRONG"] or settings_get("misc.network.dns_exposure") in ["both", "ipv6"]
if failed == 4 or ipv6_is_important_for_this_domain():
yield dict(
diff --git a/src/diagnosers/24-mail.py b/src/diagnosers/24-mail.py
index 88d6a8259..1ae1da885 100644
--- a/src/diagnosers/24-mail.py
+++ b/src/diagnosers/24-mail.py
@@ -31,6 +31,7 @@ from yunohost.diagnosis import Diagnoser
from yunohost.domain import _get_maindomain, domain_list
from yunohost.settings import settings_get
from yunohost.utils.dns import dig
+from yunohost.settings import settings_get
DEFAULT_DNS_BLACKLIST = "/usr/share/yunohost/dnsbl_list.yml"
@@ -301,13 +302,13 @@ class MyDiagnoser(Diagnoser):
outgoing_ipversions = []
outgoing_ips = []
ipv4 = Diagnoser.get_cached_report("ip", {"test": "ipv4"}) or {}
- if ipv4.get("status") == "SUCCESS":
+ if ipv4.get("status") == "SUCCESS" and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]:
outgoing_ipversions.append(4)
global_ipv4 = ipv4.get("data", {}).get("global", {})
if global_ipv4:
outgoing_ips.append(global_ipv4)
- if settings_get("email.smtp.smtp_allow_ipv6"):
+ if settings_get("email.smtp.smtp_allow_ipv6") or settings_get("misc.network.dns_exposure") in ["both", "ipv6"]:
ipv6 = Diagnoser.get_cached_report("ip", {"test": "ipv6"}) or {}
if ipv6.get("status") == "SUCCESS":
outgoing_ipversions.append(6)
diff --git a/src/dns.py b/src/dns.py
index 1c6b99cf0..d56e8e625 100644
--- a/src/dns.py
+++ b/src/dns.py
@@ -38,6 +38,7 @@ from yunohost.domain import (
from yunohost.utils.dns import dig, is_yunohost_dyndns_domain, is_special_use_tld
from yunohost.utils.error import YunohostValidationError, YunohostError
from yunohost.utils.network import get_public_ip
+from yunohost.settings import settings_get
from yunohost.log import is_unit_operation
from yunohost.hook import hook_callback
@@ -185,7 +186,7 @@ def _build_dns_conf(base_domain, include_empty_AAAA_if_no_ipv6=False):
###########################
# Basic ipv4/ipv6 records #
###########################
- if ipv4:
+ if ipv4 and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]:
basic.append([basename, ttl, "A", ipv4])
if ipv6:
@@ -240,7 +241,7 @@ def _build_dns_conf(base_domain, include_empty_AAAA_if_no_ipv6=False):
# Only recommend wildcard and CAA for the top level
if domain == base_domain:
- if ipv4:
+ if ipv4 and settings_get("misc.network.dns_exposure") in ["both", "ipv4"]:
extra.append([f"*{suffix}", ttl, "A", ipv4])
if ipv6: