mirror of
https://github.com/dnscrypt/dnscrypt-server-docker
synced 2024-05-12 23:06:06 +02:00
Compare commits
8 Commits
38178cc96d
...
554ae6eebc
Author | SHA1 | Date | |
---|---|---|---|
László Károlyi | 554ae6eebc | ||
Frank Denis | 98a8ba9672 | ||
Frank Denis | c38b19c2d3 | ||
Frank Denis | 4bfd5f5672 | ||
Frank Denis | 6c6a248cd9 | ||
Frank Denis | 0b3a917317 | ||
Frank Denis | f8c0b88152 | ||
Frank Denis | bd8d693166 |
|
@ -15,4 +15,4 @@ jobs:
|
|||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Build the Docker image
|
||||
run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)
|
||||
run: docker buildx build . --file Dockerfile --tag my-image-name:$(date +%s)
|
||||
|
|
21
Dockerfile
21
Dockerfile
|
@ -3,7 +3,7 @@ LABEL maintainer="Frank Denis"
|
|||
SHELL ["/bin/sh", "-x", "-c"]
|
||||
ENV SERIAL 12
|
||||
|
||||
ENV CFLAGS=-Ofast
|
||||
ENV CFLAGS=-O3
|
||||
ENV BUILD_DEPS curl make build-essential git libevent-dev libexpat1-dev autoconf file libssl-dev flex bison
|
||||
ENV RUNTIME_DEPS bash util-linux coreutils findutils grep libssl3 ldnsutils libevent-2.1 expat ca-certificates runit runit-helper jed
|
||||
|
||||
|
@ -14,10 +14,13 @@ RUN apt-get update && apt-get -qy dist-upgrade && apt-get -qy clean && \
|
|||
RUN update-ca-certificates 2> /dev/null || true
|
||||
|
||||
ENV UNBOUND_GIT_URL https://github.com/NLnetLabs/unbound.git
|
||||
ENV UNBOUND_GIT_REVISION 10843805ac37002f1d9293c9835a3e68e41d392d
|
||||
ENV UNBOUND_GIT_REVISION a8739bad76d4d179290627e989c7ef236345bda6
|
||||
|
||||
WORKDIR /tmp
|
||||
|
||||
# --- FOR TESTING ---
|
||||
# RUN apt-get update && apt-get install -y iproute2 less vim
|
||||
|
||||
RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \
|
||||
git clone --depth=1000 "$UNBOUND_GIT_URL" && \
|
||||
cd unbound && \
|
||||
|
@ -61,17 +64,17 @@ RUN mkdir -p \
|
|||
/var/svc/encrypted-dns \
|
||||
/var/svc/watchdog
|
||||
|
||||
COPY encrypted-dns.toml.in /opt/encrypted-dns/etc/
|
||||
COPY undelegated.txt /opt/encrypted-dns/etc/
|
||||
COPY --chmod=644 encrypted-dns.toml.in /opt/encrypted-dns/etc/
|
||||
COPY --chmod=644 undelegated.txt /opt/encrypted-dns/etc/
|
||||
|
||||
COPY entrypoint.sh /
|
||||
COPY --chmod=755 entrypoint.sh /
|
||||
|
||||
COPY unbound.sh /var/svc/unbound/run
|
||||
COPY unbound-check.sh /var/svc/unbound/check
|
||||
COPY --chmod=755 unbound.sh /var/svc/unbound/run
|
||||
COPY --chmod=755 unbound-check.sh /var/svc/unbound/check
|
||||
|
||||
COPY encrypted-dns.sh /var/svc/encrypted-dns/run
|
||||
COPY --chmod=755 encrypted-dns.sh /var/svc/encrypted-dns/run
|
||||
|
||||
COPY watchdog.sh /var/svc/watchdog/run
|
||||
COPY --chmod=755 watchdog.sh /var/svc/watchdog/run
|
||||
|
||||
RUN ln -sf /opt/encrypted-dns/etc/keys/encrypted-dns.toml /opt/encrypted-dns/etc/encrypted-dns.toml
|
||||
|
||||
|
|
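Review bot: The new `COPY --chmod=…` instructions in the last hunk are only understood by the BuildKit builder; the legacy `docker build` path rejects them ("unknown flag: chmod"), so a contributor building locally without BuildKit will now fail where the previous plain `COPY` lines worked. The CI side is covered by the switch to `docker buildx build` in the workflow hunk, but the Dockerfile itself gives no hint of the requirement; the first lines of the file are outside these hunks, so I cannot see whether a `# syntax=docker/dockerfile:1` directive is already present. If it is not, adding `# syntax=docker/dockerfile:1` as the first line pins the frontend that supports `--chmod` regardless of the daemon's default builder. Pinning `UNBOUND_GIT_REVISION` to a full commit hash is the right call; note only that the `git clone --depth=1000` at the end of the second hunk must still reach that commit, so a revision older than 1000 commits on the default branch would presumably fail the later checkout.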
2
LICENSE
2
LICENSE
|
@ -1,4 +1,4 @@
|
|||
Copyright (c) 2015-2020, Frank Denis <github@pureftpd.org>
|
||||
Copyright (c) 2015-2024, Frank Denis <github@pureftpd.org>
|
||||
|
||||
Permission to use, copy, modify, and/or distribute this software for any
|
||||
purpose with or without fee is hereby granted, provided that the above
|
||||
|
|
BIN
dnscrypt.png
BIN
dnscrypt.png
Binary file not shown.
Before Width: | Height: | Size: 423 KiB After Width: | Height: | Size: 422 KiB |
|
@ -14,6 +14,7 @@ CONF_DIR="/opt/encrypted-dns/etc"
|
|||
CONFIG_FILE="${KEYS_DIR}/encrypted-dns.toml"
|
||||
CONFIG_FILE_TEMPLATE="${CONF_DIR}/encrypted-dns.toml.in"
|
||||
SERVICES_DIR="/etc/runit/runsvdir/svmanaged"
|
||||
SCRIPTNAME=$(basename $0)
|
||||
|
||||
init() {
|
||||
if [ "$(is_initialized)" = yes ]; then
|
||||
|
@ -21,21 +22,57 @@ init() {
|
|||
exit $?
|
||||
fi
|
||||
|
||||
# TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' --longoptions 'unbound-on-all-interfaces' -- "$@")
|
||||
TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' -- "$@")
|
||||
eval set -- "$TEMP"
|
||||
|
||||
anondns_enabled="false"
|
||||
anondns_blacklisted_ips=""
|
||||
|
||||
metrics_address="127.0.0.1:9100"
|
||||
|
||||
while getopts "h?N:E:T:AM:" opt; do
|
||||
case "$opt" in
|
||||
h | \?) usage ;;
|
||||
N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
||||
E) ext_addresses=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
||||
T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
||||
A) anondns_enabled="true" ;;
|
||||
M) metrics_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
|
||||
# extract options and their arguments into variables.
|
||||
while true ; do
|
||||
case "$1" in
|
||||
-h | -\?)
|
||||
shift
|
||||
usage
|
||||
;;
|
||||
-N)
|
||||
provider_name=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
|
||||
shift 2
|
||||
;;
|
||||
-E)
|
||||
ext_addresses=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
|
||||
shift 2
|
||||
;;
|
||||
-T)
|
||||
tls_proxy_upstream_address=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
|
||||
shift 2
|
||||
;;
|
||||
-A)
|
||||
anondns_enabled="true"
|
||||
shift
|
||||
;;
|
||||
-M)
|
||||
metrics_address=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
|
||||
shift 2
|
||||
;;
|
||||
# --unbound-on-all-interfaces)
|
||||
# touch /opt/unbound/run-options/use-all-interfaces
|
||||
# shift
|
||||
# ;;
|
||||
--)
|
||||
shift
|
||||
break
|
||||
;;
|
||||
*)
|
||||
echo "Internal error!"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
[ -z "$provider_name" ] && usage
|
||||
case "$provider_name" in
|
||||
.*) usage ;;
|
||||
|
|
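Review bot: The return status of `getopt` in the second hunk is never checked, so an unknown option no longer reaches `usage`: util-linux getopt prints its own error, exits non-zero, and still emits the remaining arguments, which `eval set -- "$TEMP"` then happily installs and the loop continues as if nothing were wrong. The old `getopts` loop routed `\?` to `usage`; to keep that behaviour the assignment should be `TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' -- "$@") || usage`. The `eval set -- "$TEMP"` idiom is only safe with the enhanced (util-linux) getopt that quotes its output; the image's `RUNTIME_DEPS` list includes `util-linux`, so that appears to hold here, but a comment such as `# requires util-linux getopt (quotes its output safely for eval)` would document the assumption for anyone porting the script. In the first hunk, `SCRIPTNAME=$(basename $0)` should quote the expansion, `SCRIPTNAME=$(basename "$0")`. The `init` function starts in the first hunk and continues past the end of the second.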
40
unbound.sh
40
unbound.sh
|
@ -2,6 +2,36 @@
|
|||
|
||||
KEYS_DIR="/opt/encrypted-dns/etc/keys"
|
||||
ZONES_DIR="/opt/unbound/etc/unbound/zones"
|
||||
AUTHZONES_DIR="/opt/unbound/etc/unbound/auth-zones"
|
||||
|
||||
OIFS="${IFS}"
|
||||
|
||||
INTERFACES="\
|
||||
interface: 127.0.0.1@553
|
||||
interface: ::1@553"
|
||||
ACCESS_CONTROL="\
|
||||
access-control: 0.0.0.0/0 allow
|
||||
access-control: ::0/0 allow"
|
||||
AUTHZONE_INCLUDE=""
|
||||
|
||||
test -d $AUTHZONES_DIR && {
|
||||
chown -R _unbound:_unbound $AUTHZONES_DIR
|
||||
INTERFACES="\
|
||||
interface: 0.0.0.0@553
|
||||
interface: ::@553"
|
||||
ACCESS_CONTROL="\
|
||||
access-control: 127.0.0.1/32 allow
|
||||
access-control: ::1/128 allow
|
||||
access-control: 0.0.0.0/0 refuse_non_local
|
||||
access-control: ::0/0 refuse_non_local"
|
||||
AUTHZONE_INCLUDE="include: \"${AUTHZONES_DIR}/*.conf\""
|
||||
}
|
||||
|
||||
# Replace multiline replacements so sed can deal with them later
|
||||
INTERFACES=$(echo -n "${INTERFACES}" | sed -z 's/\n/\\n/g')
|
||||
ACCESS_CONTROL=$(echo -n "${ACCESS_CONTROL}" | sed -z 's/\n/\\n/g')
|
||||
|
||||
IFS="${OIFS}"
|
||||
|
||||
reserved=134217728
|
||||
availableMemory=$((1024 * $( (grep -F MemAvailable /proc/meminfo || grep -F MemTotal /proc/meminfo) | sed 's/[^0-9]//g')))
|
||||
|
@ -27,11 +57,15 @@ sed \
|
|||
-e "s/@RR_CACHE_SIZE@/${rr_cache_size}/" \
|
||||
-e "s/@THREADS@/${threads}/" \
|
||||
-e "s#@ZONES_DIR@#${ZONES_DIR}#" \
|
||||
-e "s#@INTERFACES@#${INTERFACES}#" \
|
||||
-e "s#@ACCESS_CONTROL@#${ACCESS_CONTROL}#" \
|
||||
-e "s#@AUTHZONE_INCLUDE@#${AUTHZONE_INCLUDE}#" \
|
||||
>/opt/unbound/etc/unbound/unbound.conf <<EOT
|
||||
server:
|
||||
verbosity: 1
|
||||
num-threads: @THREADS@
|
||||
interface: 127.0.0.1@553
|
||||
@INTERFACES@
|
||||
@ACCESS_CONTROL@
|
||||
so-reuseport: yes
|
||||
edns-buffer-size: 1232
|
||||
delay-close: 10000
|
||||
|
@ -66,8 +100,6 @@ server:
|
|||
serve-expired: yes
|
||||
serve-expired-ttl: 86400
|
||||
serve-expired-ttl-reset: yes
|
||||
access-control: 0.0.0.0/0 allow
|
||||
access-control: ::0/0 allow
|
||||
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
|
||||
aggressive-nsec: yes
|
||||
val-bogus-ttl: 600
|
||||
|
@ -138,6 +170,8 @@ auth-zone:
|
|||
for-downstream: no
|
||||
for-upstream: yes
|
||||
zonefile: "var/root.zone"
|
||||
|
||||
@AUTHZONE_INCLUDE@
|
||||
EOT
|
||||
|
||||
mkdir -p /opt/unbound/etc/unbound/dev &&
|
||||
|
|
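Review bot: The template in the second hunk still carries a hard-coded `interface: 127.0.0.1@553` directly above the new `@INTERFACES@` placeholder, and the default branch of `INTERFACES` in the first hunk emits that same `interface: 127.0.0.1@553` line again, so the generated unbound.conf contains it twice. Whether unbound accepts a duplicate interface under `so-reuseport: yes` I cannot confirm from here, but the placeholder now covers both cases, so the hard-coded line can simply be dropped from the template. In the first hunk, `OIFS="${IFS}"` is saved and restored by `IFS="${OIFS}"` without IFS being modified anywhere in between, which looks like leftover scaffolding and can go; `test -d $AUTHZONES_DIR` and `chown -R _unbound:_unbound $AUTHZONES_DIR` should quote the expansion. The auth-zone branch deliberately binds `0.0.0.0@553`/`::@553` and relies on `refuse_non_local` to stop open recursion, which is worth a one-line comment next to that block, e.g. `# auth-zones served to anyone; recursion is still refused for non-local clients via refuse_non_local`.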