From b658f5fcde0cc7ac99a09589d3e59c8322931531 Mon Sep 17 00:00:00 2001
From: tteckster <tteckster@gmail.com>
Date: Wed, 5 Oct 2022 11:25:50 -0400
Subject: [PATCH] Create blocky-install.sh
---
setup/blocky-install.sh | 355 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 355 insertions(+)
create mode 100644 setup/blocky-install.sh
diff --git a/setup/blocky-install.sh b/setup/blocky-install.sh
new file mode 100644
index 00000000..33330ff0
--- /dev/null
+++ b/setup/blocky-install.sh
@@ -0,0 +1,355 @@
+#!/usr/bin/env bash
+YW=`echo "\033[33m"`
+RD=`echo "\033[01;31m"`
+BL=`echo "\033[36m"`
+GN=`echo "\033[1;92m"`
+CL=`echo "\033[m"`
+RETRY_NUM=10
+RETRY_EVERY=3
+NUM=$RETRY_NUM
+CM="${GN}✓${CL}"
+CROSS="${RD}✗${CL}"
+BFR="\\r\\033[K"
+HOLD="-"
+set -o errexit
+set -o errtrace
+set -o nounset
+set -o pipefail
+shopt -s expand_aliases
+alias die='EXIT=$? LINE=$LINENO error_exit'
+trap die ERR
+
+function error_exit() {
+ trap - ERR
+ local reason="Unknown failure occurred."
+ local msg="${1:-$reason}"
+ local flag="${RD}‼ ERROR ${CL}$EXIT@$LINE"
+ echo -e "$flag $msg" 1>&2
+ exit $EXIT
+}
+
+function msg_info() {
+ local msg="$1"
+ echo -ne " ${HOLD} ${YW}${msg}..."
+}
+
+function msg_ok() {
+ local msg="$1"
+ echo -e "${BFR} ${CM} ${GN}${msg}${CL}"
+}
+function msg_error() {
+ local msg="$1"
+ echo -e "${BFR} ${CROSS} ${RD}${msg}${CL}"
+}
+
+msg_info "Setting up Container OS "
+sed -i "/$LANG/ s/\(^# \)//" /etc/locale.gen
+locale-gen >/dev/null
+while [ "$(hostname -I)" = "" ]; do
+ 1>&2 echo -en "${CROSS}${RD} No Network! "
+ sleep $RETRY_EVERY
+ ((NUM--))
+ if [ $NUM -eq 0 ]
+ then
+ 1>&2 echo -e "${CROSS}${RD} No Network After $RETRY_NUM Tries${CL}"
+ exit 1
+ fi
+done
+msg_ok "Set up Container OS"
+msg_ok "Network Connected: ${BL}$(hostname -I)"
+
+if nc -zw1 8.8.8.8 443; then msg_ok "Internet Connected"; else msg_error "Internet NOT Connected"; exit 1; fi;
+RESOLVEDIP=$(nslookup "github.com" | awk -F':' '/^Address: / { matched = 1 } matched { print $2}' | xargs)
+if [[ -z "$RESOLVEDIP" ]]; then msg_error "DNS Lookup Failure"; else msg_ok "DNS Resolved github.com to $RESOLVEDIP"; fi;
+
+msg_info "Updating Container OS"
+apt-get update &>/dev/null
+apt-get -y upgrade &>/dev/null
+msg_ok "Updated Container OS"
+
+msg_info "Installing Dependencies"
+apt-get install -y curl &>/dev/null
+apt-get install -y sudo &>/dev/null
+msg_ok "Installed Dependencies"
+
+msg_info "Installing Blocky"
+RELEASE=$(curl -s https://api.github.com/repos/0xERR0R/blocky/releases/latest | grep "tag_name" | awk '{print substr($2, 3, length($2)-4) }')
+wget https://github.com/0xERR0R/blocky/releases/download/v$RELEASE/blocky_${RELEASE}_Linux_x86_64.tar.gz &>/dev/null
+mkdir -p /opt/blocky
+tar -xf blocky_0.19_Linux_x86_64.tar.gz -C /opt/blocky
+rm -rf blocky_${RELEASE}_Linux_x86_64.tar.gz
+cat << EOF > /opt/blocky/config.yml
+upstream:
+ # these external DNS resolvers will be used. Blocky picks 2 random resolvers from the list for each query
+ # format for resolver: [net:]host:[port][/path]. net could be empty (default, shortcut for tcp+udp), tcp+udp, tcp, udp, tcp-tls or https (DoH). If port is empty, default port will be used (53 for udp and tcp, 853 for tcp-tls, 443 for https (Doh))
+ # this configuration is mandatory, please define at least one external DNS resolver
+ default:
+ # example for tcp+udp IPv4 server (https://digitalcourage.de/)
+ #- 5.9.164.112
+ # Cloudflare
+ - 1.1.1.1
+ # example for DNS-over-TLS server (DoT)
+ #- tcp-tls:fdns1.dismail.de:853
+ # example for DNS-over-HTTPS (DoH)
+ #- https://dns.digitale-gesellschaft.ch/dns-query
+ # optional: use client name (with wildcard support: * - sequence of any characters, [0-9] - range)
+ # or single ip address / client subnet as CIDR notation
+ #laptop*:
+ #- 123.123.123.123
+
+# optional: timeout to query the upstream resolver. Default: 2s
+#upstreamTimeout: 2s
+
+# optional: If true, blocky will fail to start unless at least one upstream server per group is reachable. Default: false
+#startVerifyUpstream: true
+
+# optional: Determines how blocky will create outgoing connections. This impacts both upstreams, and lists.
+# accepted: dual, v4, v6
+# default: dual
+#connectIPVersion: dual
+
+# optional: custom IP address(es) for domain name (with all sub-domains). Multiple addresses must be separated by a comma
+# example: query "printer.lan" or "my.printer.lan" will return 192.168.178.3
+#customDNS:
+ #customTTL: 1h
+ # optional: if true (default), return empty result for unmapped query types (for example TXT, MX or AAAA if only IPv4 address is defined).
+ # if false, queries with unmapped types will be forwarded to the upstream resolver
+ #filterUnmappedTypes: true
+ # optional: replace domain in the query with other domain before resolver lookup in the mapping
+ #rewrite:
+ #example.com: printer.lan
+ #mapping:
+ #printer.lan: 192.168.178.3,2001:0db8:85a3:08d3:1319:8a2e:0370:7344
+
+# optional: definition, which DNS resolver(s) should be used for queries to the domain (with all sub-domains). Multiple resolvers must be separated by a comma
+# Example: Query client.fritz.box will ask DNS server 192.168.178.1. This is necessary for local network, to resolve clients by host name
+#conditional:
+ # optional: if false (default), return empty result if after rewrite, the mapped resolver returned an empty answer. If true, the original query will be sent to the upstream resolver
+ # Example: The query "blog.example.com" will be rewritten to "blog.fritz.box" and also redirected to the resolver at 192.168.178.1. If not found and if was set to , the original query "blog.example.com" will be sent upstream.
+ # Usage: One usecase when having split DNS for internal and external (internet facing) users, but not all subdomains are listed in the internal domain.
+ #fallbackUpstream: false
+ # optional: replace domain in the query with other domain before resolver lookup in the mapping
+ #rewrite:
+ #example.com: fritz.box
+ #mapping:
+ #fritz.box: 192.168.178.1
+ #lan.net: 192.168.178.1,192.168.178.2
+
+# optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.)
+blocking:
+ # definition of blacklist groups. Can be external link (http/https) or local file
+ blackLists:
+ ads:
+ - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
+ - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
+ - http://sysctl.org/cameleon/hosts
+ - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
+ - |
+ # inline definition with YAML literal block scalar style
+ # hosts format
+ someadsdomain.com
+ special:
+ - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts
+ # definition of whitelist groups. Attention: if the same group has black and whitelists, whitelists will be used to disable particular blacklist entries. If a group has only whitelist entries -> this means only domains from this list are allowed, all other domains will be blocked
+ whiteLists:
+ ads:
+ - whitelist.txt
+ - |
+ # inline definition with YAML literal block scalar style
+ # hosts format
+ whitelistdomain.com
+ # this is a regex
+ /^banners?[_.-]/
+ # definition: which groups should be applied for which client
+ clientGroupsBlock:
+ # default will be used, if no special definition for a client name exists
+ default:
+ - ads
+ - special
+ # use client name (with wildcard support: * - sequence of any characters, [0-9] - range)
+ # or single ip address / client subnet as CIDR notation
+ #laptop*:
+ #- ads
+ #192.168.178.1/24:
+ #- special
+ # which response will be sent, if query is blocked:
+ # zeroIp: 0.0.0.0 will be returned (default)
+ # nxDomain: return NXDOMAIN as return code
+ # comma separated list of destination IP addresses (for example: 192.100.100.15, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344). Should contain ipv4 and ipv6 to cover all query types. Useful with running web server on this address to display the "blocked" page.
+ blockType: zeroIp
+ # optional: TTL for answers to blocked domains
+ # default: 6h
+ blockTTL: 1m
+ # optional: automatically list refresh period (in duration format). Default: 4h.
+ # Negative value -> deactivate automatically refresh.
+ # 0 value -> use default
+ refreshPeriod: 4h
+ # optional: timeout for list download (each url). Default: 60s. Use large values for big lists or slow internet connections
+ downloadTimeout: 4m
+ # optional: Download attempt timeout. Default: 60s
+ downloadAttempts: 5
+ # optional: Time between the download attempts. Default: 1s
+ downloadCooldown: 10s
+ # optional: if failOnError, application startup will fail if at least one list can't be downloaded / opened. Default: blocking
+ #startStrategy: failOnError
+
+# optional: configuration for caching of DNS responses
+caching:
+ # duration how long a response must be cached (min value).
+ # If <=0, use response's TTL, if >0 use this value, if TTL is smaller
+ # Default: 0
+ minTime: 5m
+ # duration how long a response must be cached (max value).
+ # If <0, do not cache responses
+ # If 0, use TTL
+ # If > 0, use this value, if TTL is greater
+ # Default: 0
+ maxTime: 30m
+ # Max number of cache entries (responses) to be kept in cache (soft limit). Useful on systems with limited amount of RAM.
+ # Default (0): unlimited
+ maxItemsCount: 0
+ # if true, will preload DNS results for often used queries (default: names queried more than 5 times in a 2-hour time window)
+ # this improves the response time for often used queries, but significantly increases external traffic
+ # default: false
+ prefetching: true
+ # prefetch track time window (in duration format)
+ # default: 120
+ prefetchExpires: 2h
+ # name queries threshold for prefetch
+ # default: 5
+ prefetchThreshold: 5
+ # Max number of domains to be kept in cache for prefetching (soft limit). Useful on systems with limited amount of RAM.
+ # Default (0): unlimited
+ #prefetchMaxItemsCount: 0
+
+# optional: configuration of client name resolution
+clientLookup:
+ # optional: this DNS resolver will be used to perform reverse DNS lookup (typically local router)
+ #upstream: 192.168.178.1
+ # optional: some routers return multiple names for client (host name and user defined name). Define which single name should be used.
+ # Example: take second name if present, if not take first name
+ #singleNameOrder:
+ #- 2
+ #- 1
+ # optional: custom mapping of client name to IP addresses. Useful if reverse DNS does not work properly or just to have custom client names.
+ #clients:
+ #laptop:
+ #- 192.168.178.29
+# optional: configuration for prometheus metrics endpoint
+prometheus:
+ # enabled if true
+ #enable: true
+ # url path, optional (default '/metrics')
+ #path: /metrics
+
+# optional: write query information (question, answer, client, duration etc.) to daily csv file
+queryLog:
+ # optional one of: mysql, postgresql, csv, csv-client. If empty, log to console
+ #type: mysql
+ # directory (should be mounted as volume in docker) for csv, db connection string for mysql/postgresql
+ #target: db_user:db_password@tcp(db_host_or_ip:3306)/db_name?charset=utf8mb4&parseTime=True&loc=Local
+ #postgresql target: postgres://user:password@db_host_or_ip:5432/db_name
+ # if > 0, deletes log files which are older than ... days
+ #logRetentionDays: 7
+ # optional: Max attempts to create specific query log writer, default: 3
+ #creationAttempts: 1
+ # optional: Time between the creation attempts, default: 2s
+ #creationCooldown: 2s
+
+# optional: Blocky can synchronize its cache and blocking state between multiple instances through redis.
+redis:
+ # Server address and port
+ #address: redis:6379
+ # Password if necessary
+ #password: passwd
+ # Database, default: 0
+ #database: 2
+ # Connection is required for blocky to start. Default: false
+ #required: true
+ # Max connection attempts, default: 3
+ #connectionAttempts: 10
+ # Time between the connection attempts, default: 1s
+ #connectionCooldown: 3s
+
+# optional: DNS listener port(s) and bind ip address(es), default 53 (UDP and TCP). Example: 53, :53, "127.0.0.1:5353,[::1]:5353"
+port: 553
+# optional: Port(s) and bind ip address(es) for DoT (DNS-over-TLS) listener. Example: 853, 127.0.0.1:853
+#tlsPort: 853
+# optional: HTTPS listener port(s) and bind ip address(es), default empty = no http listener. If > 0, will be used for prometheus metrics, pprof, REST API, DoH... Example: 443, :443, 127.0.0.1:443
+#httpPort: 4000
+#httpsPort: 443
+# optional: Mininal TLS version that the DoH and DoT server will use
+#minTlsServeVersion: 1.3
+# if https port > 0: path to cert and key file for SSL encryption. if not set, self-signed certificate will be generated
+#certFile: server.crt
+#keyFile: server.key
+# optional: use this DNS server to resolve blacklist urls and upstream DNS servers. Useful if no DNS resolver is configured and blocky needs to resolve a host name. Format net:IP:port, net must be udp or tcp
+#bootstrapDns: tcp+udp:1.1.1.1
+
+filtering:
+# optional: drop all queries with following query types. Default: empty
+ #queryTypes:
+ #- AAAA
+
+# optional: if path defined, use this file for query resolution (A, AAAA and rDNS). Default: empty
+hostsFile:
+ # optional: Path to hosts file (e.g. /etc/hosts on Linux)
+ #filePath: /etc/hosts
+ # optional: TTL, default: 1h
+ #hostsTTL: 60m
+ # optional: Time between hosts file refresh, default: 1h
+ #refreshPeriod: 30m
+ # optional: Whether loopback hosts addresses (127.0.0.0/8 and ::1) should be filtered or not, default: false
+ #filterLoopback: true
+# optional: Log level (one from debug, info, warn, error). Default: info
+#logLevel: info
+# optional: Log format (text or json). Default: text
+#logFormat: text
+# optional: log timestamps. Default: true
+#logTimestamp: true
+# optional: obfuscate log output (replace all alphanumeric characters with *) for user sensitive data like request domains or responses to increase privacy. Default: false
+#logPrivacy: false
+
+# optional: add EDE error codes to dns response
+#ede:
+ # enabled if true, Default: false
+ #enable: true
+EOF
+msg_ok "Installed Blocky"
+
+msg_info "Creating Service"
+cat << EOF > /etc/systemd/system/blocky.service
+[Unit]
+Description=Blocky
+After=network.target
+[Service]
+User=root
+WorkingDirectory=/opt/blocky
+ExecStart=/opt/blocky/./blocky --config config.yml
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable --now blocky
+msg_ok "Created Service"
+
+PASS=$(grep -w "root" /etc/shadow | cut -b6);
+ if [[ $PASS != $ ]]; then
+msg_info "Customizing Container"
+chmod -x /etc/update-motd.d/*
+touch ~/.hushlogin
+GETTY_OVERRIDE="/etc/systemd/system/container-getty@1.service.d/override.conf"
+mkdir -p $(dirname $GETTY_OVERRIDE)
+cat << EOF > $GETTY_OVERRIDE
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty --autologin root --noclear --keep-baud tty%I 115200,38400,9600 \$TERM
+EOF
+systemctl daemon-reload
+systemctl restart $(basename $(dirname $GETTY_OVERRIDE) | sed 's/\.d//')
+msg_ok "Customized Container"
+ fi
+
+msg_info "Cleaning up"
+apt-get autoremove >/dev/null
+apt-get autoclean >/dev/null
+msg_ok "Cleaned"