#!/bin/sh
# Contributor: IT Offshore <developer@it-offshore.co.uk>
# dnscrypt-proxy setup script to choose DNS Resolver / install & configure DNS Caching
############################################################################################

# ANSI SGR escape sequences used by the print_* helpers below.  They are
# stored unexpanded (a literal backslash followed by "033"); the helpers
# hand them to printf, which turns "\033" into the ESC byte at print time.
NORMAL='\033[1;0m'   # reset attributes
STRONG='\033[1;1m'   # bold
RED='\033[1;31m'     # bold red
GREEN='\033[1;32m'   # bold green

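#######################################
# Print a bold question followed by a red hint on the same line, with no
# trailing newline (the caller's read then follows on that line).
# Globals:   STRONG, RED, NORMAL (read)
# Arguments: $1 - question text, $2 - hint text such as "[ Y / N ]"
# Outputs:   "<$1> <$2> " on stdout.  Backslash escapes such as "\n" and
#            "\t" inside the arguments are expanded (printf %b), which the
#            callers rely on for layout.
#######################################
print_question() {
        local prompt="${STRONG}$1 ${RED}$2${NORMAL}"
        # %b expands the escapes but leaves a '%' in the text alone, so the
        # message is never interpreted as a printf format string.
        printf '%b ' "${prompt}"
}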

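#######################################
# Print a bold message followed by a red detail, terminated by a newline.
# Globals:   STRONG, RED, NORMAL (read)
# Arguments: $1 - message text, $2 - detail text (may be empty)
# Outputs:   "<$1> <$2> \n" on stdout; "\n"/"\t" escapes in the arguments
#            are expanded (printf %b).
#######################################
print_strong() {
        local prompt="${STRONG}$1 ${RED}$2${NORMAL}"
        # %b expands the escapes but leaves a '%' in the text alone, so the
        # message is never interpreted as a printf format string.
        printf '%b \n' "${prompt}"
}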


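#######################################
# Print a bold green status line, terminated by a newline.
# Globals:   GREEN, STRONG, NORMAL (read)
# Arguments: $1 - message text
# Outputs:   "<$1>  \n" on stdout; "\n"/"\t" escapes in the argument are
#            expanded (printf %b).
#######################################
print_green() {
        local prompt="${GREEN}${STRONG}$1 ${NORMAL}"
        # %b expands the escapes but leaves a '%' in the text alone, so the
        # message is never interpreted as a printf format string.
        printf '%b \n' "${prompt}"
}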

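#######################################
# Print one row of the menus / summaries: a red choice column, a bold
# resolver column and a green location column.
# Globals:   RED, STRONG, GREEN, NORMAL (read)
# Arguments: $1 - choice / key column, $2 - resolver / value column,
#            $3 - location / note column (any may be empty)
# Outputs:   "<$1> <$2> <$3> \n" on stdout; "\n"/"\t" escapes in the
#            arguments are expanded (printf %b), which the callers use
#            to align the columns.
#######################################
print_table() {
        local choice="${RED}${STRONG}$1${NORMAL}"
        local resolver="${STRONG}$2"
        local location="${GREEN}$3"
        # One %b per column: escapes are expanded, but a '%' in the data
        # (or in a resolver key) is printed literally rather than being
        # treated as a format directive.
        printf '%b %b %b \n' "${choice}" "${resolver}" "${location}"
}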

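#######################################
# Print an error message on stderr and terminate the script.
# Arguments: $1 - message
# Outputs:   "ERROR: <message>" on stderr
# Returns:   does not return; exits with status 1
#######################################
die() {
    print_table "ERROR:" "$1" >&2
    exit 1
}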

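#######################################
# Offer to bring an external interface down and up again so that the new
# DNS settings take effect.
# Globals:   INTERFACES (written), RESTART (written)
# Arguments: none
# Inputs:    reads the interface name from stdin; empty input means eth0
# Outputs:   prompts on stdout; runs ifdown/ifup on the chosen interface
#            when that name is one of the listed interfaces
#######################################
restart_interface(){
	# NOTE(review): the list is scraped from the "Link encap" lines of
	# legacy (busybox / net-tools) ifconfig output; a different ifconfig
	# format leaves INTERFACES empty and nothing will be restarted.
	# Only the loopback itself is dropped (anchored match), so an
	# interface whose name merely contains "lo" is still offered.
	INTERFACES=$(ifconfig | grep "Link encap" | sed '/^lo[[:space:]]/d' | cut -d"L" -f1)
	print_question "\nChoose external interface to restart from the following:"
	print_question "\n\n$INTERFACES" "[ default - eth0 ]"
	read -r RESTART
	if [ -z "$RESTART" ]; then
		RESTART=eth0
		print_green "\nInterface: $RESTART Selected\n"
	fi
	# Restart the chosen interface (default or typed) only if it really
	# is in the list.  The name is compared as a whole field, so it is
	# neither used as a regular expression nor matched as a substring.
	if printf '%s\n' "$INTERFACES" | awk -v name="$RESTART" '$1 == name { found = 1 } END { exit found ? 0 : 1 }'; then
		ifdown "$RESTART" && ifup "$RESTART"
	fi
}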

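#######################################
# Ask which local address dnscrypt-proxy should listen on, unless IP was
# already fixed by the DNS-caching setup (second loopback, 127.0.0.2).
# Globals:   IP (read / written), IPADDR (written)
# Arguments: none
# Inputs:    reads the address from stdin until it is one of the addresses
#            listed from ifconfig; empty input means 127.0.0.1
# Outputs:   prompts on stdout
#######################################
choose_ip(){
	if [ -n "$IP" ]; then
		# ip already set to 2nd loopback for dns caching
		print_green "\nIP: $IP will be configured for dnscrypt-proxy"
		return
	fi
	IP=none
	# One "iface: address" line per interface.  NOTE(review): this parses
	# legacy ifconfig output ("Link encap" / "inet addr:" lines); another
	# ifconfig format yields an empty list, and the loop below would then
	# never accept an address.
	IPADDR=$(ifconfig |grep -B1 "inet addr" |awk '{ if ( $1 == "inet" ) { print $2 } else if ( $2 == "Link" ) { printf "%s:" ,$1 } }' |awk -F: '{ print $1 ": " $3 }')
	# Accept only an address that appears verbatim in the list: the typed
	# value is compared as a whole field, not used as a regular expression
	# and not matched as a substring (so e.g. "127" alone is rejected).
	until printf '%s\n' "$IPADDR" | awk -v ip="$IP" '$2 == ip { found = 1 } END { exit found ? 0 : 1 }'
	do
		print_question "\nChoose dnscrypt ip from the following addresses:\n"
		print_question "\n$IPADDR\t" "[ default - 127.0.0.1 ]"
		read -r IP
		if [ -z "$IP" ]; then
			IP=127.0.0.1
			print_green "\nIP: $IP Selected"
		fi
	done
}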

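#######################################
# Ask for the port dnscrypt-proxy should listen on.
# Globals:   DNSPORT (written)
# Arguments: none
# Inputs:    reads from stdin until a number in 1..65535 is given; an
#            empty line (or end of input) selects 40
# Outputs:   prompts on stdout
#######################################
choose_port(){
	print_question "\nChoose dnscrypt port:" "[ default = 40 ]"
	# 2>/dev/null hides the "integer expression expected" message from
	# test while DNSPORT is still empty or non-numeric.
	until [ "$DNSPORT" -gt 0 ] 2>/dev/null
	do
		read -r DNSPORT
		if [ -z "$DNSPORT" ]; then
			DNSPORT=40
			print_green "\nPort: 40 Selected"
		fi

		case "$DNSPORT" in
		''|*[!0-9]*)
			print_question "\nChoose NUMERIC dnscrypt port:" "[ default = 40 ]" ;;
		*)
			# 0 is outside the valid range as well; without this it
			# would be rejected silently and the prompt never repeated.
			if [ "$DNSPORT" -gt 65535 ] || [ "$DNSPORT" -eq 0 ]; then
				print_question "\nPlease choose a valid port" "[1 - 65535]"
				DNSPORT=0
			fi ;;
		esac
	done
}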

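#######################################
# Point unbound at dnscrypt-proxy through a catch-all forward zone, or
# refresh the forward-addr line if this script already added one.
# Globals:   IP, DNSPORT (read); START, LINE (written)
# Arguments: none
# Outputs:   edits /etc/unbound/unbound.conf in place and prints a summary
#            of the resulting settings; does nothing if the file is absent
# NOTE(review): IP and DNSPORT are spliced into sed scripts and into the
#            config file, so this relies on them having been validated by
#            choose_ip / choose_port (or fixed to 127.0.0.2) beforehand.
#######################################
update_unbound(){
	[ -f /etc/unbound/unbound.conf ] || return 0
	if grep -q 'Settings from /sbin/setup-dnscrypt' /etc/unbound/unbound.conf; then
		# update forward zone: rewrite the first forward-addr line that
		# follows our marker, rather than assuming a fixed line offset
		LINE=$(awk '/Settings from \/sbin\/setup-dnscrypt/ { found = 1 } found && /forward-addr:/ { print NR; exit }' /etc/unbound/unbound.conf)
		if [ -n "$LINE" ]; then
			sed -i "$LINE c \  forward-addr: $IP@$DNSPORT" /etc/unbound/unbound.conf
		else
			printf '%s\n' "  forward-addr: $IP@$DNSPORT" >> /etc/unbound/unbound.conf
		fi
	else
		# allow querying of localhost: rewrite the first matching line.
		# An empty line number must never reach sed, because "c" with
		# no address would replace every line of the file.
		START=$(sed -n '/do-not-query-localhost:/=' /etc/unbound/unbound.conf | head -n 1)
		if [ -n "$START" ]; then
			sed -i "$START c \do-not-query-localhost: no #set by /sbin/setup-dnscrypt" /etc/unbound/unbound.conf
		else
			# no such option yet: add it right after the first "server:"
			# line, since that is the section it belongs to
			START=$(sed -n '/^server:/=' /etc/unbound/unbound.conf | head -n 1)
			if [ -n "$START" ]; then
				sed -i "$START a \do-not-query-localhost: no #set by /sbin/setup-dnscrypt" /etc/unbound/unbound.conf
			else
				print_strong "\nWARNING: no 'server:' section found in /etc/unbound/unbound.conf;" "add 'do-not-query-localhost: no' by hand" >&2
			fi
		fi
		# create catch all forward zone
		{
			printf '%s\n' '##### Settings from /sbin/setup-dnscrypt #####'
			printf '%s\n' 'forward-zone:'
			printf '%s\n' '  name: "."'
			printf '%s\n' "  forward-addr: $IP@$DNSPORT"
		} >> /etc/unbound/unbound.conf
	fi
	print_strong "\n/etc/unbound/unbound.conf settings updated to:"
	print_green "--------------------------------------------------------"
	print_table "do-not-query-localhost: no"
	print_table ""
	print_table 'forward-zone:'
	print_table '  name: "."'
	print_table "  forward-addr: $IP@$DNSPORT"
	print_green "--------------------------------------------------------"
}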

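# Do some sanity checking: the script edits files under /etc and restarts
# services, so it must run as root.  The substitution is quoted so that an
# empty result cannot leave test with a malformed expression.
if [ "$(/usr/bin/id -u)" != "0" ]; then
   die 'Must be run by root user'
fi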

# Main menu.  print_table expands "\n" / "\t" escapes in its arguments, so
# the tab sequences below are what aligns the columns; keep them when
# editing an entry.
clear;
print_table "\n   DNSCRYPT-PROXY MANAGER"
print_green "-----------------------------------------------------------------"
# Columns: choice number, resolver name / location, notes (logging,
# DNSSEC, transport).  The numbers must match the arms of the selection
# case statement that follows.
print_table "1:" "OpenDNS"
print_table "2:" "Cloud NS\t\t : Canberra, Australia" "(No Logs, DNSSEC)"
print_table "3:" "Cloud NS\t\t : Canberra" "(over TOR .onion:443)"
print_table "4:" "Cloud NS\t\t : Sydney, Australia" "(No Logs, DNSSEC)"
print_table "5:" "Cloud NS\t\t : Sydney" "(over TOR .onion:443)"
print_table "6:" "OpenNIC\t\t : Japan" "(No Logs)"
print_table "7:" "DNSCrypt.eu\t\t : Holland" "(No logs, DNSSEC)"
print_table "8:" "Soltysiak.com\t : Poland" "(No logs, DNSSEC)"
print_green "-----------------------------------------------------------------"
print_question "Please choose a DNS Resolver for dnscrypt-proxy to query" "[1 - 8]:"


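# Read the menu choice until it names one of the entries 1..8, then set the
# resolver address, provider name and provider public key for that entry.
# Non-numeric or out-of-range input re-prompts; end of input aborts instead
# of spinning forever on an empty DNS.  (2>/dev/null hides the message
# test prints while DNS is still empty or non-numeric.)
until [ "$DNS" -gt 0 ] 2>/dev/null
do

read -r DNS || die 'No input received, aborting'

case "$DNS" in
    1) RESOLVER=208.67.220.220:443
       PROVIDER=2.dnscrypt-cert.opendns.com
       PUBKEY=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79;;
    2) RESOLVER=113.20.6.2:443
       PROVIDER=2.dnscrypt-cert.cloudns.com.au
       PUBKEY=1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4;;
    3) RESOLVER=gc2tzw6lbmeagrp3.onion:443
       PROVIDER=2.dnscrypt-cert.cloudns.com.au
       PUBKEY=1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4;;
    4) RESOLVER=113.20.8.17:443
       PROVIDER=2.dnscrypt-cert-2.cloudns.com.au
       PUBKEY=67A4:323E:581F:79B9:BC54:825F:54FE:1025:8B4F:37EB:0D07:0BCE:4010:6195:D94F:E330;;
    5) RESOLVER=l65q62lf7wnfme7m.onion:443
       PROVIDER=2.dnscrypt-cert-2.cloudns.com.au
       PUBKEY=67A4:323E:581F:79B9:BC54:825F:54FE:1025:8B4F:37EB:0D07:0BCE:4010:6195:D94F:E330;;
    6) RESOLVER=106.186.17.181:2053
       PROVIDER=2.dnscrypt-cert.ns2.jp.dns.opennic.glue
       PUBKEY=8768:C3DB:F70A:FBC6:3B64:8630:8167:2FD4:EE6F:E175:ECFD:46C9:22FC:7674:A1AC:2E2A;;
    7) RESOLVER=176.56.237.171:443
       PROVIDER=2.dnscrypt-cert.dnscrypt.eu
       PUBKEY=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66;;
    8) RESOLVER=178.216.201.222:2053
       PROVIDER=2.dnscrypt-cert.soltysiak.com
       PUBKEY=25C4:E188:2915:4697:8F9C:2BBD:B6A7:AFA4:01ED:A051:0508:5D53:03E7:1928:C066:8F21;;
       #check for numerical input
    ''|0|*[!0-9]*) print_question "Please choose a NUMERIC option:" "[1 - 8]" ;;
    *) # numeric but not one of the entries above (e.g. 9, 100 or 01):
       # reset DNS so the loop repeats instead of leaving RESOLVER unset
       print_question "Please choose an option:" "[1 - 8]"
       DNS=0;;
esac
done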

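# remove existing Resolver config.  The patterns are plain substrings, so
# any line mentioning RESOLVER, PROVIDER or PUBKEY (comments included) is
# dropped before the three keys are appended again below.
if grep -q "RESOLVER" /etc/conf.d/dnscrypt-proxy; then
   sed -i -e '/RESOLVER/d' -e '/PROVIDER/d' -e '/PUBKEY/d' /etc/conf.d/dnscrypt-proxy
fi

# update Resolver config (printf with %s: the values are never parsed as
# a format string or for escapes)
{
   printf 'RESOLVER=%s\n' "$RESOLVER"
   printf 'PROVIDER=%s\n' "$PROVIDER"
   printf 'PUBKEY=%s\n' "$PUBKEY"
} >> /etc/conf.d/dnscrypt-proxy

print_strong "\n/etc/conf.d/dnscrypt-proxy Resolver Settings updated to:"
print_green "---------------------------------------------------------------------------------------------"
print_table "RESOLVER\t\t:" "$RESOLVER"
print_table "PROVIDER\t\t:" "$PROVIDER"
print_table "PUBLIC KEY :" "$PUBKEY"
print_green "---------------------------------------------------------------------------------------------"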

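# install unbound (optional caching DNS server) when it is not present.
# command -v is the portable "is it installed" test.
if ! command -v unbound >/dev/null 2>&1; then
   print_question "Install Unbound (Caching DNS Server)" "[ Y / N ]"
   read -r installsrv
   if [ "$installsrv" = "Y" ] || [ "$installsrv" = "y" ]; then
      apk add -q unbound
   fi
fi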

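# check for / setup secondary loopback for dns caching: unbound answers on
# 127.0.0.1 and forwards to dnscrypt-proxy, which then listens on the
# second loopback address 127.0.0.2 (set in IP for the steps below).
if command -v unbound >/dev/null 2>&1 && ! grep -q "address 127.0.0.2" /etc/network/interfaces; then
	print_question "Configure DNS Caching (this will create a 2nd loopback interface @ 127.0.0.2) " "[ Y / N ]"
	read -r install2ndloop
	if [ "$install2ndloop" = "Y" ] || [ "$install2ndloop" = "y" ]; then
		IP=127.0.0.2
		{
			printf '%s\n' "auto lo:1"
			printf '%s\n' "iface lo:1 inet static"
			printf '%s\n' "address 127.0.0.2"
			printf '%s\n' "netmask 255.0.0.0"
		} >> /etc/network/interfaces
		ifconfig lo:1 127.0.0.2 up
	fi
fi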


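# choose dnscrypt ip address / port.  When the second loopback exists the
# address is fixed to it and the update below runs without asking.
if ! grep -q "address 127.0.0.2" /etc/network/interfaces; then
	print_question "Modify dnscrypt-proxy ip / port ?" "[ Y / N ]"
	read -r updateip
else
	#ip is already the 2nd loopback
	updateip=Y; IP=127.0.0.2
	print_green "\nDNS Caching configured"
fi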

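# Apply the listening address: dnscrypt-proxy config, dhclient override,
# resolv.conf, unbound, then restart the interface and the services.
# IP comes from choose_ip (validated against the interface list) or is the
# fixed 127.0.0.2; DNSPORT comes from choose_port (numeric, 1..65535).
if [ "$updateip" = "Y" ] || [ "$updateip" = "y" ]; then
		choose_ip; choose_port

		# update dnscrypt listening ip & port: rewrite the first
		# DNSCRYPT_LOCALIP= line, or append one if the file has none.
		# An empty line number must never reach sed, because "c" with
		# no address would replace every line of the file.
		LINE=$(sed -n '/DNSCRYPT_LOCALIP=/=' /etc/conf.d/dnscrypt-proxy | head -n 1)
		if [ -n "$LINE" ]; then
			sed -i "$LINE c DNSCRYPT_LOCALIP=$IP:$DNSPORT" /etc/conf.d/dnscrypt-proxy
		else
			printf 'DNSCRYPT_LOCALIP=%s:%s\n' "$IP" "$DNSPORT" >> /etc/conf.d/dnscrypt-proxy
		fi

		# update dhclient.conf so a DHCP lease cannot replace the resolver.
		# dhclient.conf statements are terminated by ';'.
		if [ -f /etc/dhcp/dhclient.conf ]; then
			LINE=$(sed -n '/supersede domain-name-servers/=' /etc/dhcp/dhclient.conf | head -n 1)
			if [ -n "$LINE" ]; then
				sed -i "$LINE c supersede domain-name-servers $IP;" /etc/dhcp/dhclient.conf
			else
				printf 'supersede domain-name-servers %s;\n' "$IP" >> /etc/dhcp/dhclient.conf
			fi
		fi

		# update resolv.conf: every nameserver line is replaced by the
		# local resolver; any entry left behind would stay in use as a
		# plaintext fallback that bypasses dnscrypt-proxy.
		# NOTE(review): a resolv.conf nameserver entry carries no port, so
		# 127.0.0.1 only works when unbound answers on :53 or dnscrypt-proxy
		# itself listens on 127.0.0.1:53 — confirm for the no-unbound case.
		sed -i '/^nameserver/d' /etc/resolv.conf
		printf 'nameserver 127.0.0.1\n' >> /etc/resolv.conf
		update_unbound

		restart_interface

		# add / restart services: enable each installed one in the default
		# runlevel if it is not there yet, then restart it
		for srv in unbound dnscrypt-proxy; do
			if command -v "$srv" >/dev/null 2>&1; then
				if ! rc-status default | grep -q -- "$srv"; then
					rc-update add "$srv" default
				fi
				rc-service "$srv" restart
			fi
		done

		print_strong "\n/etc/conf.d/dnscrypt-proxy Listening Address updated to:"
		print_green "--------------------------------------------------------"
		print_table "DNSCRYPT_LOCALIP=$IP:$DNSPORT"
		print_green "--------------------------------------------------------\n"
fi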