Some progress on the migration

encrypted-dns.toml.in

@@ -93,12 +93,12 @@ daemonize = false
 
 ## User name to drop privileges to, when started as root.
 
-# user = "nobody"
+user = "_encrypted-dns"
 
 
 ## Group name to drop privileges to, when started as root.
 
-# group = "nobody"
+group = "_encrypted-dns"
 
 
 ## Path to chroot() to, when started as root.

entrypoint.sh

@@ -71,15 +71,12 @@ provider_info() {
 
 dnscrypt_wrapper_compat() {
     if [ ! -d "$LEGACY_KEYS_DIR" ]; then
-        exit 1
+        return 1
     fi
-    echo "Legacy [$LEGACY_KEYS_DIR] directory found."
-    if [ -d "$KEYS_DIR" ]; then
-        echo "Both [${LEGACY_KEYS_DIR}] and [${KEYS_DIR}] are present - This is not expected" >&2
-        exit 1
-    else
-        echo "We'll just symlink it to [${KEYS_DIR}] internally"
-        ln -s "$LEGACY_KEYS_DIR" "$KEYS_DIR"
+    echo "Legacy [$LEGACY_KEYS_DIR] directory found" >&2
+    if [ -d "${KEYS_DIR}/provider_name" ]; then
+        echo "Both [${LEGACY_KEYS_DIR}] and [${KEYS_DIR}] are present and not empty - This is not expected" >&2
+        return 1
     fi
     if [ ! -f "${LEGACY_KEYS_DIR}/secret.key" ]; then
         echo "No secret key in [${LEGACY_KEYS_DIR}/secret.key], this is not expected." >&2
@@ -88,21 +85,35 @@ dnscrypt_wrapper_compat() {
         echo "If you are setting up a brand new server, maybe you've been following" >&2
         echo "an outdated tutorial." >&2
         echo "The key directory should be mounted as [${KEYS_DIR}] and not [$LEGACY_KEYS_DIR]." >&2
-        exit 1
+        return 1
     fi
-    echo
-    echo "...and this is fine! You can keep using it, no need to change anything to your Docker volumes."
-    echo
+    echo "...and this is fine! You can keep using it, no need to change anything to your Docker volumes." >&2
+    echo "We'll just copy a few things to [${KEYS_DIR}] internally" >&2
+    find "$KEYS_DIR" -type f -print -exec cp -afv {} "$LEGACY_KEYS_DIR/" \;
+    chmod 700 "$LEGACY_KEYS_DIR"
+    chown _encrypted-dns:_encrypted-dns "$LEGACY_KEYS_DIR"
+    echo "...and update the configuration file" >&2
+    sed -e "s#${KEYS_DIR}#${LEGACY_KEYS_DIR}#g" <"$CONFIG_FILE_TEMPLATE" >"${CONFIG_FILE_TEMPLATE}.tmp" &&
+        mv -f "${CONFIG_FILE_TEMPLATE}.tmp" "$CONFIG_FILE_TEMPLATE" || exit 1
+    provider_name=$(cat "${LEGACY_KEYS_DIR}/provider_name")
+    ext_address="0.0.0.0:443"
+    sed \
+        -e "s/@PROVIDER_NAME@/${provider_name}/" \
+        -e "s/@EXTERNAL_IPV4@/${ext_address}/" \
+        "$CONFIG_FILE_TEMPLATE" >"$CONFIG_FILE"
+    echo "...and check that everything's fine..." >&2
     /opt/encrypted-dns/sbin/encrypted-dns \
         --config "$CONFIG_FILE" \
         --import-from-dnscrypt-wrapper "${LEGACY_KEYS_DIR}/secret.key" \
-        --dry-run >/dev/null
+        --dry-run >/dev/null || exit 1
+    echo "Done!" >&2
+    echo >&2
 }
 
 is_initialized() {
-    if [ ! -f "${KEYS_DIR}/encrypted-dns.state" ] && [ ! -f "${KEYS_DIR}/provider-info.txt" ] && [ ! -f "${KEYS_DIR}/provider_name" ]; then
+    if [ ! -f "${KEYS_DIR}/encrypted-dns.state" ] || [ ! -f "${KEYS_DIR}/provider-info.txt" ] || [ ! -f "${KEYS_DIR}/provider_name" ]; then
         if dnscrypt_wrapper_compat; then
-            if [ ! -f "${KEYS_DIR}/encrypted-dns.state" ] && [ ! -f "${KEYS_DIR}/provider-info.txt" ] && [ ! -f "${KEYS_DIR}/provider_name" ]; then
+            if [ ! -f "${LEGACY_KEYS_DIR}/encrypted-dns.state" ] || [ ! -f "${LEGACY_KEYS_DIR}/provider-info.txt" ] || [ ! -f "${LEGACY_KEYS_DIR}/provider_name" ]; then
                 echo no
             else
                 echo yes
@@ -117,7 +128,9 @@ is_initialized() {
 
 ensure_initialized() {
     if [ "$(is_initialized)" = no ]; then
-        echo "Please provide an initial configuration (init -N <provider_name> -E <external IP>)" >&2
+        if [ -d "$LEGACY_KEYS_DIR" ]; then
+            echo "Please provide an initial configuration (init -N <provider_name> -E <external IP>)" >&2
+        fi
         exit 1
     fi
 }