#!/usr/bin/env bash # Copyright (c) 2021-2023 tteck # Author: tteck (tteckster) # License: MIT # https://github.com/tteck/Proxmox/raw/main/LICENSE if [ "$VERBOSE" = "yes" ]; then set -x; STD=""; else STD="silent"; fi silent() { "$@" > /dev/null 2>&1; } if [ "$DISABLEIPV6" == "yes" ]; then echo "net.ipv6.conf.all.disable_ipv6 = 1" >>/etc/sysctl.conf; $STD sysctl -p; fi YW=$(echo "\033[33m") RD=$(echo "\033[01;31m") BL=$(echo "\033[36m") GN=$(echo "\033[1;92m") CL=$(echo "\033[m") RETRY_NUM=10 RETRY_EVERY=3 CM="${GN}✓${CL}" CROSS="${RD}✗${CL}" BFR="\\r\\033[K" HOLD="-" set -Eeuo pipefail trap 'error_handler $LINENO "$BASH_COMMAND"' ERR function error_handler() { local exit_code="$?" local line_number="$1" local command="$2" local error_message="${RD}[ERROR]${CL} in line ${RD}$line_number${CL}: exit code ${RD}$exit_code${CL}: while executing command ${YW}$command${CL}" echo -e "\n$error_message\n" } function msg_info() { local msg="$1" echo -ne " ${HOLD} ${YW}${msg}..." } function msg_ok() { local msg="$1" echo -e "${BFR} ${CM} ${GN}${msg}${CL}" } function msg_error() { local msg="$1" echo -e "${BFR} ${CROSS} ${RD}${msg}${CL}" } msg_info "Setting up Container OS " sed -i "/$LANG/ s/\(^# \)//" /etc/locale.gen locale-gen >/dev/null timedatectl set-timezone $tz for ((i=RETRY_NUM; i>0; i--)); do if [ "$(hostname -I)" != "" ]; then break fi echo 1>&2 -en "${CROSS}${RD} No Network! " sleep $RETRY_EVERY done if [ "$(hostname -I)" = "" ]; then echo 1>&2 -e "\n${CROSS}${RD} No Network After $RETRY_NUM Tries${CL}" echo -e " 🖧 Check Network Settings" exit 1 fi msg_ok "Set up Container OS" msg_ok "Network Connected: ${BL}$(hostname -I)" set +e trap - ERR if ping -c 1 -W 1 1.1.1.1 &> /dev/null; then msg_ok "Internet Connected"; else msg_error "Internet NOT Connected" read -r -p "Would you like to continue anyway? " prompt if [[ $prompt == "y" || $prompt == "Y" || $prompt == "yes" || $prompt == "Yes" ]]; then echo -e " ⚠️ ${RD}Expect Issues Without Internet${CL}" else echo -e " 🖧 Check Network Settings" exit 1 fi fi RESOLVEDIP=$(getent hosts github.com | awk '{ print $1 }') if [[ -z "$RESOLVEDIP" ]]; then msg_error "DNS Lookup Failure"; else msg_ok "DNS Resolved github.com to ${BL}$RESOLVEDIP${CL}"; fi set -e trap 'error_handler $LINENO "$BASH_COMMAND"' ERR msg_info "Updating Container OS" $STD apt-get update $STD apt-get -y upgrade msg_ok "Updated Container OS" msg_info "Installing Dependencies" $STD apt-get install -y curl $STD apt-get install -y sudo $STD apt-get install -y mc msg_ok "Installed Dependencies" msg_info "Installing Blocky" systemctl stop systemd-resolved $STD systemctl disable systemd-resolved.service RELEASE=$(curl -s https://api.github.com/repos/0xERR0R/blocky/releases/latest | grep "tag_name" | awk '{print substr($2, 3, length($2)-4) }') wget -q https://github.com/0xERR0R/blocky/releases/download/v$RELEASE/blocky_${RELEASE}_Linux_x86_64.tar.gz mkdir -p /opt/blocky tar -xf blocky_${RELEASE}_Linux_x86_64.tar.gz -C /opt/blocky rm -rf blocky_${RELEASE}_Linux_x86_64.tar.gz cat </opt/blocky/config.yml upstream: # these external DNS resolvers will be used. Blocky picks 2 random resolvers from the list for each query # format for resolver: [net:]host:[port][/path]. net could be empty (default, shortcut for tcp+udp), tcp+udp, tcp, udp, tcp-tls or https (DoH). If port is empty, default port will be used (53 for udp and tcp, 853 for tcp-tls, 443 for https (Doh)) # this configuration is mandatory, please define at least one external DNS resolver default: # example for tcp+udp IPv4 server (https://digitalcourage.de/) #- 5.9.164.112 # Cloudflare - 1.1.1.1 # example for DNS-over-TLS server (DoT) #- tcp-tls:fdns1.dismail.de:853 # example for DNS-over-HTTPS (DoH) #- https://dns.digitale-gesellschaft.ch/dns-query # optional: use client name (with wildcard support: * - sequence of any characters, [0-9] - range) # or single ip address / client subnet as CIDR notation #laptop*: #- 123.123.123.123 # optional: timeout to query the upstream resolver. Default: 2s #upstreamTimeout: 2s # optional: If true, blocky will fail to start unless at least one upstream server per group is reachable. Default: false #startVerifyUpstream: true # optional: Determines how blocky will create outgoing connections. This impacts both upstreams, and lists. # accepted: dual, v4, v6 # default: dual #connectIPVersion: dual # optional: custom IP address(es) for domain name (with all sub-domains). Multiple addresses must be separated by a comma # example: query "printer.lan" or "my.printer.lan" will return 192.168.178.3 #customDNS: #customTTL: 1h # optional: if true (default), return empty result for unmapped query types (for example TXT, MX or AAAA if only IPv4 address is defined). # if false, queries with unmapped types will be forwarded to the upstream resolver #filterUnmappedTypes: true # optional: replace domain in the query with other domain before resolver lookup in the mapping #rewrite: #example.com: printer.lan #mapping: #printer.lan: 192.168.178.3,2001:0db8:85a3:08d3:1319:8a2e:0370:7344 # optional: definition, which DNS resolver(s) should be used for queries to the domain (with all sub-domains). Multiple resolvers must be separated by a comma # Example: Query client.fritz.box will ask DNS server 192.168.178.1. This is necessary for local network, to resolve clients by host name #conditional: # optional: if false (default), return empty result if after rewrite, the mapped resolver returned an empty answer. If true, the original query will be sent to the upstream resolver # Example: The query "blog.example.com" will be rewritten to "blog.fritz.box" and also redirected to the resolver at 192.168.178.1. If not found and if was set to , the original query "blog.example.com" will be sent upstream. # Usage: One usecase when having split DNS for internal and external (internet facing) users, but not all subdomains are listed in the internal domain. #fallbackUpstream: false # optional: replace domain in the query with other domain before resolver lookup in the mapping #rewrite: #example.com: fritz.box #mapping: #fritz.box: 192.168.178.1 #lan.net: 192.168.178.1,192.168.178.2 # optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.) blocking: # definition of blacklist groups. Can be external link (http/https) or local file blackLists: ads: - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts - http://sysctl.org/cameleon/hosts - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt - | # inline definition with YAML literal block scalar style # hosts format someadsdomain.com special: - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts # definition of whitelist groups. Attention: if the same group has black and whitelists, whitelists will be used to disable particular blacklist entries. If a group has only whitelist entries -> this means only domains from this list are allowed, all other domains will be blocked whiteLists: ads: - whitelist.txt - | # inline definition with YAML literal block scalar style # hosts format whitelistdomain.com # this is a regex /^banners?[_.-]/ # definition: which groups should be applied for which client clientGroupsBlock: # default will be used, if no special definition for a client name exists default: - ads - special # use client name (with wildcard support: * - sequence of any characters, [0-9] - range) # or single ip address / client subnet as CIDR notation #laptop*: #- ads #192.168.178.1/24: #- special # which response will be sent, if query is blocked: # zeroIp: 0.0.0.0 will be returned (default) # nxDomain: return NXDOMAIN as return code # comma separated list of destination IP addresses (for example: 192.100.100.15, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344). Should contain ipv4 and ipv6 to cover all query types. Useful with running web server on this address to display the "blocked" page. blockType: zeroIp # optional: TTL for answers to blocked domains # default: 6h blockTTL: 1m # optional: automatically list refresh period (in duration format). Default: 4h. # Negative value -> deactivate automatically refresh. # 0 value -> use default refreshPeriod: 4h # optional: timeout for list download (each url). Default: 60s. Use large values for big lists or slow internet connections downloadTimeout: 4m # optional: Download attempt timeout. Default: 60s downloadAttempts: 5 # optional: Time between the download attempts. Default: 1s downloadCooldown: 10s # optional: if failOnError, application startup will fail if at least one list can't be downloaded / opened. Default: blocking #startStrategy: failOnError # optional: configuration for caching of DNS responses caching: # duration how long a response must be cached (min value). # If <=0, use response's TTL, if >0 use this value, if TTL is smaller # Default: 0 minTime: 5m # duration how long a response must be cached (max value). # If <0, do not cache responses # If 0, use TTL # If > 0, use this value, if TTL is greater # Default: 0 maxTime: 30m # Max number of cache entries (responses) to be kept in cache (soft limit). Useful on systems with limited amount of RAM. # Default (0): unlimited maxItemsCount: 0 # if true, will preload DNS results for often used queries (default: names queried more than 5 times in a 2-hour time window) # this improves the response time for often used queries, but significantly increases external traffic # default: false prefetching: true # prefetch track time window (in duration format) # default: 120 prefetchExpires: 2h # name queries threshold for prefetch # default: 5 prefetchThreshold: 5 # Max number of domains to be kept in cache for prefetching (soft limit). Useful on systems with limited amount of RAM. # Default (0): unlimited #prefetchMaxItemsCount: 0 # optional: configuration of client name resolution clientLookup: # optional: this DNS resolver will be used to perform reverse DNS lookup (typically local router) #upstream: 192.168.178.1 # optional: some routers return multiple names for client (host name and user defined name). Define which single name should be used. # Example: take second name if present, if not take first name #singleNameOrder: #- 2 #- 1 # optional: custom mapping of client name to IP addresses. Useful if reverse DNS does not work properly or just to have custom client names. #clients: #laptop: #- 192.168.178.29 # optional: configuration for prometheus metrics endpoint prometheus: # enabled if true #enable: true # url path, optional (default '/metrics') #path: /metrics # optional: write query information (question, answer, client, duration etc.) to daily csv file queryLog: # optional one of: mysql, postgresql, csv, csv-client. If empty, log to console #type: mysql # directory (should be mounted as volume in docker) for csv, db connection string for mysql/postgresql #target: db_user:db_password@tcp(db_host_or_ip:3306)/db_name?charset=utf8mb4&parseTime=True&loc=Local #postgresql target: postgres://user:password@db_host_or_ip:5432/db_name # if > 0, deletes log files which are older than ... days #logRetentionDays: 7 # optional: Max attempts to create specific query log writer, default: 3 #creationAttempts: 1 # optional: Time between the creation attempts, default: 2s #creationCooldown: 2s # optional: Blocky can synchronize its cache and blocking state between multiple instances through redis. redis: # Server address and port #address: redis:6379 # Password if necessary #password: passwd # Database, default: 0 #database: 2 # Connection is required for blocky to start. Default: false #required: true # Max connection attempts, default: 3 #connectionAttempts: 10 # Time between the connection attempts, default: 1s #connectionCooldown: 3s # optional: DNS listener port(s) and bind ip address(es), default 53 (UDP and TCP). Example: 53, :53, "127.0.0.1:5353,[::1]:5353" port: 553 # optional: Port(s) and bind ip address(es) for DoT (DNS-over-TLS) listener. Example: 853, 127.0.0.1:853 #tlsPort: 853 # optional: HTTPS listener port(s) and bind ip address(es), default empty = no http listener. If > 0, will be used for prometheus metrics, pprof, REST API, DoH... Example: 443, :443, 127.0.0.1:443 #httpPort: 4000 #httpsPort: 443 # optional: Mininal TLS version that the DoH and DoT server will use #minTlsServeVersion: 1.3 # if https port > 0: path to cert and key file for SSL encryption. if not set, self-signed certificate will be generated #certFile: server.crt #keyFile: server.key # optional: use this DNS server to resolve blacklist urls and upstream DNS servers. Useful if no DNS resolver is configured and blocky needs to resolve a host name. Format net:IP:port, net must be udp or tcp #bootstrapDns: tcp+udp:1.1.1.1 filtering: # optional: drop all queries with following query types. Default: empty #queryTypes: #- AAAA # optional: if path defined, use this file for query resolution (A, AAAA and rDNS). Default: empty hostsFile: # optional: Path to hosts file (e.g. /etc/hosts on Linux) #filePath: /etc/hosts # optional: TTL, default: 1h #hostsTTL: 60m # optional: Time between hosts file refresh, default: 1h #refreshPeriod: 30m # optional: Whether loopback hosts addresses (127.0.0.0/8 and ::1) should be filtered or not, default: false #filterLoopback: true # optional: Log level (one from debug, info, warn, error). Default: info #logLevel: info # optional: Log format (text or json). Default: text #logFormat: text # optional: log timestamps. Default: true #logTimestamp: true # optional: obfuscate log output (replace all alphanumeric characters with *) for user sensitive data like request domains or responses to increase privacy. Default: false #logPrivacy: false # optional: add EDE error codes to dns response #ede: # enabled if true, Default: false #enable: true EOF msg_ok "Installed Blocky" msg_info "Creating Service" cat </etc/systemd/system/blocky.service [Unit] Description=Blocky After=network.target [Service] User=root WorkingDirectory=/opt/blocky ExecStart=/opt/blocky/./blocky --config config.yml [Install] WantedBy=multi-user.target EOF $STD systemctl enable --now blocky msg_ok "Created Service" echo "export TERM='xterm-256color'" >>/root/.bashrc echo -e "$APPLICATION LXC provided by https://tteck.github.io/Proxmox/\n" > /etc/motd chmod -x /etc/update-motd.d/* if ! getent shadow root | grep -q "^root:[^\!*]"; then msg_info "Customizing Container" GETTY_OVERRIDE="/etc/systemd/system/container-getty@1.service.d/override.conf" mkdir -p $(dirname $GETTY_OVERRIDE) cat <$GETTY_OVERRIDE [Service] ExecStart= ExecStart=-/sbin/agetty --autologin root --noclear --keep-baud tty%I 115200,38400,9600 \$TERM EOF systemctl daemon-reload systemctl restart $(basename $(dirname $GETTY_OVERRIDE) | sed 's/\.d//') msg_ok "Customized Container" fi if [[ "${SSH_ROOT}" == "yes" ]]; then sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config; systemctl restart sshd; fi msg_info "Cleaning up" $STD apt-get autoremove $STD apt-get autoclean msg_ok "Cleaned"