1
1
mirror of https://github.com/dnscrypt/dnscrypt-server-docker synced 2024-11-22 23:51:59 +01:00
dnscrypt-server-docker/entrypoint.sh

204 lines
6.7 KiB
Bash
Raw Normal View History

#! /usr/bin/env bash
2015-07-06 01:39:54 +02:00
set -e
action="$1"
LEGACY_KEYS_DIR="/opt/dnscrypt-wrapper/etc/keys"
KEYS_DIR="/opt/encrypted-dns/etc/keys"
CONF_DIR="/opt/encrypted-dns/etc"
CONFIG_FILE="${CONF_DIR}/encrypted-dns.toml"
CONFIG_FILE_TEMPLATE="${CONF_DIR}/encrypted-dns.toml.in"
2015-07-06 01:39:54 +02:00
2018-01-22 20:23:54 +01:00
# -N provider-name -E external-ip-address:port
2015-07-06 01:39:54 +02:00
init() {
if [ "$(is_initialized 2>/dev/null)" = yes ]; then
2015-07-06 01:39:54 +02:00
start
exit $?
fi
2019-09-24 18:17:48 +02:00
while getopts "h?N:E:T:" opt; do
2015-07-06 01:39:54 +02:00
case "$opt" in
h | \?) usage ;;
N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
E) ext_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
2019-09-24 18:17:48 +02:00
T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
2015-07-06 01:39:54 +02:00
esac
done
[ -z "$provider_name" ] && usage
case "$provider_name" in
.*) usage ;;
2.dnscrypt-cert.*) ;;
*) provider_name="2.dnscrypt-cert.${provider_name}" ;;
2015-07-06 01:39:54 +02:00
esac
2018-01-22 18:21:50 +01:00
2018-01-22 20:23:54 +01:00
[ -z "$ext_address" ] && usage
case "$ext_address" in
.*) usage ;;
0.*)
echo "Do not use 0.0.0.0, use an actual external IP address" >&2
exit 1
;;
2018-01-22 18:21:50 +01:00
esac
2018-01-22 20:23:54 +01:00
2019-09-24 18:17:48 +02:00
tls_proxy_configuration=""
if [ -n "$tls_proxy_upstream_address" ]; then
tls_proxy_configuration="upstream_addr = \"${tls_proxy_upstream_address}\""
fi
2018-01-22 18:21:50 +01:00
echo "Provider name: [$provider_name]"
echo "$provider_name" >"${KEYS_DIR}/provider_name"
2015-07-06 01:39:54 +02:00
chmod 644 "${KEYS_DIR}/provider_name"
sed \
-e "s/@PROVIDER_NAME@/${provider_name}/" \
-e "s/@EXTERNAL_IPV4@/${ext_address}/" \
2019-09-24 18:17:48 +02:00
-e "s/@TLS_PROXY_CONFIGURATION@/${tls_proxy_configuration}/" \
"$CONFIG_FILE_TEMPLATE" >"$CONFIG_FILE"
/opt/encrypted-dns/sbin/encrypted-dns \
--config "$CONFIG_FILE" --dry-run |
tee "${KEYS_DIR}/provider-info.txt"
2015-07-06 01:39:54 +02:00
echo
echo -----------------------------------------------------------------------
echo
echo "Congratulations! The container has been properly initialized."
echo "Take a look up above at the way dnscrypt-proxy has to be configured in order"
echo "to connect to your resolver. Then, start the container with the default command."
}
provider_info() {
ensure_initialized
echo
cat "${KEYS_DIR}/provider-info.txt"
2015-07-06 01:39:54 +02:00
echo
}
2019-09-23 20:55:51 +02:00
dnscrypt_wrapper_compat() {
if [ ! -d "$LEGACY_KEYS_DIR" ]; then
2019-09-24 17:40:51 +02:00
echo "Neither [${KEYS_DIR}] doesn't seem to contain the required DNS provider information, and a [${LEGACY_KEYS_DIR}] directory wasn't found either" >&2
2019-09-23 23:34:51 +02:00
return 1
2019-09-23 20:55:51 +02:00
fi
2019-09-23 23:34:51 +02:00
echo "Legacy [$LEGACY_KEYS_DIR] directory found" >&2
if [ -d "${KEYS_DIR}/provider_name" ]; then
2019-09-24 17:40:51 +02:00
echo "Both [${LEGACY_KEYS_DIR}] and [${KEYS_DIR}] are present and not empty - This is not expected." >&2
2019-09-23 23:34:51 +02:00
return 1
2019-09-23 20:55:51 +02:00
fi
if [ ! -f "${LEGACY_KEYS_DIR}/secret.key" ]; then
echo "No secret key in [${LEGACY_KEYS_DIR}/secret.key], this is not expected." >&2
2019-09-24 17:40:51 +02:00
echo >&2
2019-09-23 21:27:49 +02:00
echo "If you are migrating from a container previously running dnscrypt-wrapper," >&2
echo "make sure that the [${LEGACY_KEYS_DIR}] directory is mounted." >&2
2019-09-24 17:40:51 +02:00
echo >&2
2019-09-23 21:27:49 +02:00
echo "If you are setting up a brand new server, maybe you've been following" >&2
echo "an outdated tutorial." >&2
2019-09-24 17:40:51 +02:00
echo >&2
2019-09-23 21:27:49 +02:00
echo "The key directory should be mounted as [${KEYS_DIR}] and not [$LEGACY_KEYS_DIR]." >&2
2019-09-23 23:34:51 +02:00
return 1
2019-09-23 20:55:51 +02:00
fi
2019-09-23 23:34:51 +02:00
echo "...and this is fine! You can keep using it, no need to change anything to your Docker volumes." >&2
echo "We'll just copy a few things to [${KEYS_DIR}] internally" >&2
find "$KEYS_DIR" -type f -print -exec cp -afv {} "$LEGACY_KEYS_DIR/" \;
chmod 700 "$LEGACY_KEYS_DIR"
chown -R _encrypted-dns:_encrypted-dns "$LEGACY_KEYS_DIR"
2019-09-23 23:34:51 +02:00
echo "...and update the configuration file" >&2
sed -e "s#${KEYS_DIR}#${LEGACY_KEYS_DIR}#g" <"$CONFIG_FILE_TEMPLATE" >"${CONFIG_FILE_TEMPLATE}.tmp" &&
mv -f "${CONFIG_FILE_TEMPLATE}.tmp" "$CONFIG_FILE_TEMPLATE" || exit 1
provider_name=$(cat "${LEGACY_KEYS_DIR}/provider_name")
2019-09-24 17:40:51 +02:00
if [ -f "${LEGACY_KEYS_DIR}/provider-info.txt" ]; then
ext_address=$(grep -F -- "--resolver-address=" "${LEGACY_KEYS_DIR}/provider-info.txt" 2>/dev/null | cut -d'=' -f2 | sed 's/ //g')
fi
if [ -z "$ext_address" ]; then
echo "(we were not able to find the previous external IP address, the printed stamp will be wrong, but the previous stamp will keep working)" >&2
ext_address="0.0.0.0:443"
fi
2019-09-23 23:34:51 +02:00
sed \
-e "s/@PROVIDER_NAME@/${provider_name}/" \
-e "s/@EXTERNAL_IPV4@/${ext_address}/" \
"$CONFIG_FILE_TEMPLATE" >"$CONFIG_FILE"
echo "...and check that everything's fine..." >&2
2019-09-23 21:27:49 +02:00
/opt/encrypted-dns/sbin/encrypted-dns \
--config "$CONFIG_FILE" \
--import-from-dnscrypt-wrapper "${LEGACY_KEYS_DIR}/secret.key" \
2019-09-23 23:34:51 +02:00
--dry-run >/dev/null || exit 1
2019-09-24 17:40:51 +02:00
chmod 600 "${LEGACY_KEYS_DIR}/secret.key"
2019-09-23 23:34:51 +02:00
echo "Done!" >&2
echo >&2
2019-09-24 17:40:51 +02:00
export KEYS_DIR="$LEGACY_KEYS_DIR"
2019-09-23 20:55:51 +02:00
}
2015-07-06 01:39:54 +02:00
is_initialized() {
2019-09-23 23:34:51 +02:00
if [ ! -f "${KEYS_DIR}/encrypted-dns.state" ] || [ ! -f "${KEYS_DIR}/provider-info.txt" ] || [ ! -f "${KEYS_DIR}/provider_name" ]; then
2019-09-23 21:27:49 +02:00
if dnscrypt_wrapper_compat; then
2019-09-24 17:40:51 +02:00
if [ ! -f "${KEYS_DIR}/encrypted-dns.state" ] || [ ! -f "${KEYS_DIR}/provider_name" ]; then
2019-09-23 21:27:49 +02:00
echo no
else
echo yes
fi
else
echo no
fi
2015-07-06 01:39:54 +02:00
else
echo yes
fi
}
ensure_initialized() {
if [ "$(is_initialized)" = no ]; then
2019-09-23 23:34:51 +02:00
if [ -d "$LEGACY_KEYS_DIR" ]; then
echo "Please provide an initial configuration (init -N <provider_name> -E <external IP>)" >&2
fi
2015-07-06 01:39:54 +02:00
exit 1
fi
}
start() {
ensure_initialized
2019-09-23 19:40:44 +02:00
/opt/encrypted-dns/sbin/encrypted-dns \
--config "$CONFIG_FILE" --dry-run |
tee "${KEYS_DIR}/provider-info.txt"
exec /etc/runit/2 </dev/null >/dev/null 2>/dev/null
2019-09-22 17:31:17 +02:00
}
shell() {
exec /bin/bash
2015-07-06 01:39:54 +02:00
}
usage() {
cat <<EOT
2015-07-06 01:39:54 +02:00
Commands
========
2018-01-22 20:23:54 +01:00
* init -N <provider_name> -E <external ip>:<port>
2018-01-22 18:21:50 +01:00
initialize the container for a server accessible at ip <external ip> on port
<port>, for a provider named <provider_name>. This is required only once.
2019-09-24 18:17:48 +02:00
If TLS connections to the same port have to be redirected to a HTTPS server
(e.g. for DoH), add -T <https server ip>:<port>
2015-07-06 01:39:54 +02:00
* start (default command): start the resolver and the dnscrypt server proxy.
Ports 443/udp and 443/tcp have to be publicly exposed.
2018-01-23 00:31:12 +01:00
* provider-info: prints the provider name and provider public key.
2015-07-06 01:39:54 +02:00
2019-09-24 17:41:49 +02:00
* shell: run a shell.
2019-09-22 17:31:17 +02:00
2015-07-06 01:39:54 +02:00
This container has a single volume that you might want to securely keep a
backup of: /opt/encrypted-dns/etc/keys
2015-07-06 01:39:54 +02:00
EOT
exit 1
}
case "$action" in
start) start ;;
init)
shift
2019-09-23 19:40:44 +02:00
init "$@"
;;
provider-info) provider_info ;;
2019-09-22 17:31:17 +02:00
shell) shell ;;
*) usage ;;
2015-07-06 01:39:54 +02:00
esac