#! /usr/bin/env bash
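# Long-term provider material (public.key, secret.key, provider_name).
# This script only reads from here; nothing in KEYS_DIR itself is rotated.
readonly KEYS_DIR="/opt/dnscrypt-wrapper/etc/keys"
# Short-term crypt keys and their 1-day certs; written by new_key(),
# pruned by prune().
readonly STKEYS_DIR="${KEYS_DIR}/short-term"
readonly LISTS_DIR="/opt/dnscrypt-wrapper/etc/lists"
# Optional: only passed to the wrapper when the file is readable.
readonly BLACKLIST="${LISTS_DIR}/blacklist.txt"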
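#######################################
# Delete short-term files whose inode change time is older than 1440
# minutes (24 h). That is the lifetime new_key() gives each cert
# (--cert-file-expire-days=1), so anything older has expired.
# Globals:   STKEYS_DIR (read; must be set and non-empty)
# Returns:   find's exit status
#######################################
prune() {
  # ${STKEYS_DIR:?} aborts instead of running find/rm against an empty path.
  # '-exec ... {} +' batches deletions into few rm calls rather than one
  # per file; '--' keeps rm from reading an odd filename as an option.
  /usr/bin/find "${STKEYS_DIR:?}" -type f -cmin +1440 -exec rm -f -- {} +
}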
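#######################################
# Decide whether a fresh short-term key is needed: prints "true" when no
# *.cert in STKEYS_DIR has a change time within the last 720 minutes
# (12 h), "false" otherwise. With 1-day certs this keeps an unexpired
# cert available as long as the script runs at least every 12 h
# (the scheduling is not visible here — confirm in cron/systemd).
# Globals:   STKEYS_DIR (read)
# Outputs:   "true" or "false" on stdout
#######################################
rotation_needed() {
  local fresh
  # -print -quit stops at the first match, so the result is either one
  # path or nothing; testing for emptiness replaces the wc|sed pipeline.
  fresh=$(/usr/bin/find "$STKEYS_DIR" -name '*.cert' -type f -cmin -720 -print -quit)
  if [ -z "$fresh" ]; then
    echo true
  else
    echo false
  fi
}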
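#######################################
# Generate one short-term crypt keypair and the 1-day certificate for it,
# both named after the current Unix time. If either step fails the partial
# pair is removed, so the wrapper is never handed a key without its cert
# (or a cert without its key), and the function reports the failure.
# Globals:   KEYS_DIR (read: public.key, secret.key), STKEYS_DIR (written)
# Returns:   0 on success, 1 when key or cert generation failed
#######################################
new_key() {
  local ts key cert
  ts=$(date '+%s')
  key="${STKEYS_DIR}/${ts}.key"
  cert="${STKEYS_DIR}/${ts}.cert"
  # The long-term provider secret key only signs the short-term cert here;
  # the short-term key is what the wrapper will use on the wire.
  if /opt/dnscrypt-wrapper/sbin/dnscrypt-wrapper --gen-crypt-keypair \
      --crypt-secretkey-file="$key" &&
     /opt/dnscrypt-wrapper/sbin/dnscrypt-wrapper --gen-cert-file \
      --xchacha20 \
      --provider-publickey-file="${KEYS_DIR}/public.key" \
      --provider-secretkey-file="${KEYS_DIR}/secret.key" \
      --crypt-secretkey-file="$key" \
      --provider-cert-file="$cert" \
      --cert-file-expire-days=1; then
    return 0
  fi
  # Clean up and return non-zero explicitly: a trailing
  # '[ $? -ne 0 ] && rm ...' would make the function's status be rm's
  # (0 on failure, 1 on success), i.e. inverted for any caller that checks.
  rm -f -- "$key" "$cert"
  return 1
}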
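#######################################
# List the short-term secret key files (names starting with a digit) as
# one comma-separated string with a trailing comma, e.g.
# "/path/1.key,/path/2.key," — the value handed to --crypt-secretkey-file
# below. Prints an empty string when there are none.
# Globals:   STKEYS_DIR (read)
# Outputs:   the list on stdout
#######################################
stkeys_files() {
  local res="" file
  # Glob directly instead of parsing `ls` output; the -e guard skips the
  # unexpanded pattern that bash returns when nothing matches.
  for file in "$STKEYS_DIR"/[0-9]*.key; do
    [ -e "$file" ] || continue
    res="${res}${file},"
  done
  echo "$res"
}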
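#######################################
# List the short-term certificate files (names starting with a digit) as
# one comma-separated string with a trailing comma, e.g.
# "/path/1.cert,/path/2.cert," — the value handed to --provider-cert-file
# below. Prints an empty string when there are none.
# Globals:   STKEYS_DIR (read)
# Outputs:   the list on stdout
#######################################
stcerts_files() {
  local res="" file
  # Glob directly instead of parsing `ls` output; the -e guard skips the
  # unexpanded pattern that bash returns when nothing matches.
  for file in "$STKEYS_DIR"/[0-9]*.cert; do
    [ -e "$file" ] || continue
    res="${res}${file},"
  done
  echo "$res"
}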
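# --- main ---------------------------------------------------------------
# The provider name is mandatory; say why we are exiting instead of a
# silent 'exit 1'.
if [ ! -f "$KEYS_DIR/provider_name" ]; then
  printf 'error: %s/provider_name not found\n' "$KEYS_DIR" >&2
  exit 1
fi
provider_name=$(<"$KEYS_DIR/provider_name")

mkdir -p "$STKEYS_DIR"
# Remove expired material first, then mint a new key if no cert is
# younger than 12 h. A failed new_key is not fatal here (unchanged
# behaviour): the wrapper is still exec'd with whatever files exist.
prune
[ "$(rotation_needed)" = true ] && new_key

# The blacklist is optional; only pass the option when the file is readable.
blacklist_opt=""
[ -r "$BLACKLIST" ] && blacklist_opt="--blacklist-file=${BLACKLIST}"

# exec replaces this shell with the wrapper, which is told to run as
# _dnscrypt-wrapper (--user); when it drops privileges relative to binding
# port 443 is up to the wrapper — confirm in its docs.
# '[::]:443' is quoted because unquoted it is a bracket-expression glob
# and would be rewritten if a matching file existed in the cwd.
# ${blacklist_opt:+"$blacklist_opt"} yields one quoted word or nothing,
# without relying on unquoted word-splitting of an empty variable.
exec /opt/dnscrypt-wrapper/sbin/dnscrypt-wrapper \
  --user=_dnscrypt-wrapper \
  '--listen-address=[::]:443' \
  --resolver-address=127.0.0.1:553 \
  --provider-name="$provider_name" \
  --provider-cert-file="$(stcerts_files)" \
  --crypt-secretkey-file="$(stkeys_files)" \
  ${blacklist_opt:+"$blacklist_opt"}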