From 3effd2d06b377b7ac4bb98c382a2df4d8d9347f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A1szl=C3=B3=20K=C3=A1rolyi?=
Date: Sun, 14 Jan 2024 18:13:43 +0100
Subject: [PATCH] Add authoritative zone handling

---
 Dockerfile | 3 +++
 entrypoint.sh | 53 +++++++++++++++++++++++++++++++++++++++++++--------
 unbound.sh | 41 ++++++++++++++++++++++++++++++++++++---
 3 files changed, 86 insertions(+), 11 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1cf6eda..f065341 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,6 +18,9 @@ ENV UNBOUND_GIT_REVISION a8739bad76d4d179290627e989c7ef236345bda6
 
 WORKDIR /tmp
 
+# --- FOR TESTING ---
+# RUN apt-get update && apt-get install -y iproute2 less vim
+
 RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \
     git clone --depth=1000 "$UNBOUND_GIT_URL" && \
     cd unbound && \
diff --git a/entrypoint.sh b/entrypoint.sh
index 82a84a0..9cb9c81 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -14,6 +14,7 @@ CONF_DIR="/opt/encrypted-dns/etc"
 CONFIG_FILE="${KEYS_DIR}/encrypted-dns.toml"
 CONFIG_FILE_TEMPLATE="${CONF_DIR}/encrypted-dns.toml.in"
 SERVICES_DIR="/etc/runit/runsvdir/svmanaged"
+SCRIPTNAME=$(basename $0)
 
 init() {
     if [ "$(is_initialized)" = yes ]; then
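Review bot: `SCRIPTNAME=$(basename $0)` leaves `$0` unquoted, unlike every other assignment in this hunk, so a script path containing whitespace would be word-split before basename sees it. `SCRIPTNAME=$(basename -- "$0")`, or the builtin-only `SCRIPTNAME=${0##*/}`, keeps the file's quoting convention. The value only feeds the `--name` label that getopt uses in its diagnostics in the following hunk, so the practical effect is limited to error-message text, but it should still be quoted.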
@@ -21,21 +22,57 @@ init() {
         exit $?
     fi
 
+    # TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' --longoptions 'unbound-on-all-interfaces' -- "$@")
+    TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' -- "$@")
+    eval set -- "$TEMP"
+
     anondns_enabled="false"
     anondns_blacklisted_ips=""
     metrics_address="127.0.0.1:9100"
-    while getopts "h?N:E:T:AM:" opt; do
-        case "$opt" in
-        h | \?) usage ;;
-        N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
-        E) ext_addresses=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
-        T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
-        A) anondns_enabled="true" ;;
-        M) metrics_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
+    # extract options and their arguments into variables.
+    while true ; do
+        case "$1" in
+        -h | -\?)
+            shift
+            usage
+            ;;
+        -N)
+            provider_name=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
+            shift 2
+            ;;
+        -E)
+            ext_addresses=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
+            shift 2
+            ;;
+        -T)
+            tls_proxy_upstream_address=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
+            shift 2
+            ;;
+        -A)
+            anondns_enabled="true"
+            shift
+            ;;
+        -M)
+            metrics_address=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
+            shift 2
+            ;;
+        # --unbound-on-all-interfaces)
+        #     touch /opt/unbound/run-options/use-all-interfaces
+        #     shift
+        #     ;;
+        --)
+            shift
+            break
+            ;;
+        *)
+            echo "Internal error!"
+            exit 1
+            ;;
         esac
     done
+
     [ -z "$provider_name" ] && usage
     case "$provider_name" in
     .*) usage ;;
diff --git a/unbound.sh b/unbound.sh
index 56cc301..efe4270 100755
--- a/unbound.sh
+++ b/unbound.sh
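Review bot: The exit status of getopt is never checked before `eval set -- "$TEMP"`: on an unknown option or a missing option argument getopt prints its own diagnostic and returns non-zero, yet the script carries on with whatever partial output landed in `TEMP`, so an invalid invocation no longer reaches `usage` the way the replaced getopts loop did. `TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' -- "$@") || usage` restores that behaviour. The `eval` is only safe because util-linux getopt shell-quotes its output; a comment such as `# relies on util-linux getopt: its output is shell-quoted for the eval below` would guard against a later base-image change to a getopt implementation that does not. As far as I recall, util-linux getopt reports a `?` result as an error instead of echoing `-?`, which would leave the `-\?` arm unreachable; worth confirming. The enclosing `init()` starts and ends outside this hunk, and the commented-out `--longoptions`/`--unbound-on-all-interfaces` lines read as leftover scaffolding rather than documentation.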
@@ -2,6 +2,37 @@ KEYS_DIR="/opt/encrypted-dns/etc/keys"
 ZONES_DIR="/opt/unbound/etc/unbound/zones"
+AUTHZONES_DIR="/opt/unbound/etc/unbound/auth-zones"
+
+OIFS="${IFS}"
+IFS=""
+
+INTERFACES="\
+    interface: 127.0.0.1@553
+    interface: ::1@553"
+ACCESS_CONTROL="\
+    access-control: 0.0.0.0/0 allow
+    access-control: ::0/0 allow"
+AUTHZONE_INCLUDE=""
+
+test -d $AUTHZONES_DIR && {
+    chown -R _unbound:_unbound $AUTHZONES_DIR
+    INTERFACES="\
+    interface: 0.0.0.0@553
+    interface: ::@553"
+    ACCESS_CONTROL="\
+    access-control: 127.0.0.1/32 allow
+    access-control: ::1/128 allow
+    access-control: 0.0.0.0/0 refuse_non_local
+    access-control: ::0/0 refuse_non_local"
+    AUTHZONE_INCLUDE="include: \"${AUTHZONES_DIR}/*.conf\""
+}
+
+# Replace multiline replacements so sed can deal with them later
+INTERFACES=$(echo -n "${INTERFACES}" | sed -z 's/\n/\\n/g')
+ACCESS_CONTROL=$(echo -n "${ACCESS_CONTROL}" | sed -z 's/\n/\\n/g')
+
+IFS="${OIFS}"
 
 reserved=134217728
 availableMemory=$((1024 * $( (grep -F MemAvailable /proc/meminfo || grep -F MemTotal /proc/meminfo) | sed 's/[^0-9]//g')))
@@ -27,11 +58,15 @@ sed \
     -e "s/@RR_CACHE_SIZE@/${rr_cache_size}/" \
     -e "s/@THREADS@/${threads}/" \
     -e "s#@ZONES_DIR@#${ZONES_DIR}#" \
+    -e "s#@INTERFACES@#${INTERFACES}#" \
+    -e "s#@ACCESS_CONTROL@#${ACCESS_CONTROL}#" \
+    -e "s#@AUTHZONE_INCLUDE@#${AUTHZONE_INCLUDE}#" \
     >/opt/unbound/etc/unbound/unbound.conf <
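Review bot: The `test -d $AUTHZONES_DIR && { ... }` block is the one place that decides the container's network exposure — it moves unbound from loopback-only listeners to `0.0.0.0@553`/`::@553` with `refuse_non_local` for everything outside loopback — yet it carries no comment saying so; I would put `# Auth zones present: listen on all interfaces so remote resolvers can reach the authoritative data, while recursion stays loopback-only via refuse_non_local.` above it. The `$AUTHZONES_DIR` expansions in `test -d` and `chown -R` are unquoted and only safe because `IFS=""` happens to be in effect a few lines earlier; quoting them removes that dependency on the IFS juggling. `echo -n` is not portable across /bin/sh implementations and `sed -z` is GNU-only; `printf '%s' "${INTERFACES}" | sed -z 's/\n/\\n/g'` fixes the first, and the "Replace multiline" comment should say that the literal `\n` is later expanded back to a newline by GNU sed on the replacement side of `s#@INTERFACES@#...#`, which is what the substitution relies on. Note also that `chown -R` runs on every start, so if `auth-zones` is a bind mount from the host it rewrites host file ownership each time.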