Add authoritative zone handling

Dockerfile

@@ -18,6 +18,9 @@ ENV UNBOUND_GIT_REVISION 10843805ac37002f1d9293c9835a3e68e41d392d
 
 WORKDIR /tmp
 
+# --- FOR TESTING ---
+# RUN apt-get update && apt-get install -y iproute2 less vim
+
 RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \
     git clone --depth=1000 "$UNBOUND_GIT_URL" && \
     cd unbound && \
@@ -64,6 +67,8 @@ RUN mkdir -p \
 COPY encrypted-dns.toml.in /opt/encrypted-dns/etc/
 COPY undelegated.txt /opt/encrypted-dns/etc/
 
+RUN chmod a+r /opt/encrypted-dns/etc/undelegated.txt
+
 COPY entrypoint.sh /
 
 COPY unbound.sh /var/svc/unbound/run

entrypoint.sh

@@ -14,28 +14,65 @@ CONF_DIR="/opt/encrypted-dns/etc"
 CONFIG_FILE="${KEYS_DIR}/encrypted-dns.toml"
 CONFIG_FILE_TEMPLATE="${CONF_DIR}/encrypted-dns.toml.in"
 SERVICES_DIR="/etc/runit/runsvdir/svmanaged"
+SCRIPTNAME=$(basename $0)
 
 init() {
     if [ "$(is_initialized)" = yes ]; then
         start
         exit $?
     fi
 
+    # TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' --longoptions 'unbound-on-all-interfaces' -- "$@")
+    TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' -- "$@")
+    eval set -- "$TEMP"
+
     anondns_enabled="false"
     anondns_blacklisted_ips=""
 
     metrics_address="127.0.0.1:9100"
 
-    while getopts "h?N:E:T:AM:" opt; do
-        case "$opt" in
-        h | \?) usage ;;
-        N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
-        E) ext_addresses=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
-        T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
-        A) anondns_enabled="true" ;;
-        M) metrics_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
+    # extract options and their arguments into variables.
+    while true ; do
+        case "$1" in
+            -h | -\?)
+                shift
+                usage
+                ;;
+            -N)
+                provider_name=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
+                shift 2
+                ;;
+            -E)
+                ext_addresses=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
+                shift 2
+                ;;
+            -T)
+                tls_proxy_upstream_address=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
+                shift 2
+                ;;
+            -A)
+                anondns_enabled="true"
+                shift
+                ;;
+            -M)
+                metrics_address=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
+                shift 2
+                ;;
+            # --unbound-on-all-interfaces)
+            #     touch /opt/unbound/run-options/use-all-interfaces
+            #     shift
+            #     ;;
+            --)
+                shift
+                break
+                ;;
+            *)
+                echo "Internal error!"
+                exit 1
+                ;;
         esac
     done
+
     [ -z "$provider_name" ] && usage
     case "$provider_name" in
     .*) usage ;;

unbound.sh

@@ -2,6 +2,36 @@
 
 KEYS_DIR="/opt/encrypted-dns/etc/keys"
 ZONES_DIR="/opt/unbound/etc/unbound/zones"
+AUTHZONES_DIR="/opt/unbound/etc/unbound/auth-zones"
+
+OIFS="${IFS}"
+
+INTERFACES="\
+  interface: 127.0.0.1@553
+  interface: ::1@553"
+ACCESS_CONTROL="\
+  access-control: 0.0.0.0/0 allow
+  access-control: ::0/0 allow"
+AUTHZONE_INCLUDE=""
+
+test -d $AUTHZONES_DIR && {
+    chown -R _unbound:_unbound $AUTHZONES_DIR
+    INTERFACES="\
+  interface: 0.0.0.0@553
+  interface: ::@553"
+    ACCESS_CONTROL="\
+  access-control: 127.0.0.1/32 allow
+  access-control: ::1/128 allow
+  access-control: 0.0.0.0/0 refuse_non_local
+  access-control: ::0/0 refuse_non_local"
+    AUTHZONE_INCLUDE="include: \"${AUTHZONES_DIR}/*.conf\""
+}
+
+# Replace multiline replacements so sed can deal with them later
+INTERFACES=$(echo -n "${INTERFACES}" | sed -z 's/\n/\\n/g')
+ACCESS_CONTROL=$(echo -n "${ACCESS_CONTROL}" | sed -z 's/\n/\\n/g')
+
+IFS="${OIFS}"
 
 reserved=134217728
 availableMemory=$((1024 * $( (grep -F MemAvailable /proc/meminfo || grep -F MemTotal /proc/meminfo) | sed 's/[^0-9]//g')))
@@ -27,11 +57,15 @@ sed \
     -e "s/@RR_CACHE_SIZE@/${rr_cache_size}/" \
     -e "s/@THREADS@/${threads}/" \
     -e "s#@ZONES_DIR@#${ZONES_DIR}#" \
+    -e "s#@INTERFACES@#${INTERFACES}#" \
+    -e "s#@ACCESS_CONTROL@#${ACCESS_CONTROL}#" \
+    -e "s#@AUTHZONE_INCLUDE@#${AUTHZONE_INCLUDE}#" \
     >/opt/unbound/etc/unbound/unbound.conf <<EOT
 server:
   verbosity: 1
   num-threads: @THREADS@
-  interface: 127.0.0.1@553
+@INTERFACES@
+@ACCESS_CONTROL@
   so-reuseport: yes
   edns-buffer-size: 1232
   delay-close: 10000
@@ -66,8 +100,6 @@ server:
   serve-expired: yes
   serve-expired-ttl: 86400
   serve-expired-ttl-reset: yes
-  access-control: 0.0.0.0/0 allow
-  access-control: ::0/0 allow
   tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
   aggressive-nsec: yes
   val-bogus-ttl: 600
@@ -138,6 +170,8 @@ auth-zone:
   for-downstream: no
   for-upstream: yes
   zonefile: "var/root.zone"
+
+@AUTHZONE_INCLUDE@
 EOT
 
 mkdir -p /opt/unbound/etc/unbound/dev &&