#! /usr/bin/env bash KEYS_DIR="/opt/dnscrypt-wrapper/etc/keys" STKEYS_DIR="${KEYS_DIR}/short-term" LISTS_DIR="/opt/dnscrypt-wrapper/etc/lists" BLACKLIST="${LISTS_DIR}/blacklist.txt" prune() { /usr/bin/find "$STKEYS_DIR" -type f -cmin +1440 -exec rm -f {} \; } rotation_needed() { if [ $(/usr/bin/find "$STKEYS_DIR" -name '*.cert' -type f -cmin -720 -print -quit | wc -l | sed 's/[^0-9]//g') -le 0 ]; then echo true else echo false fi } new_key() { ts=$(date '+%s') /opt/dnscrypt-wrapper/sbin/dnscrypt-wrapper --gen-crypt-keypair \ --crypt-secretkey-file="${STKEYS_DIR}/${ts}.key" && /opt/dnscrypt-wrapper/sbin/dnscrypt-wrapper --gen-cert-file \ --xchacha20 \ --provider-publickey-file="${KEYS_DIR}/public.key" \ --provider-secretkey-file="${KEYS_DIR}/secret.key" \ --crypt-secretkey-file="${STKEYS_DIR}/${ts}.key" \ --provider-cert-file="${STKEYS_DIR}/${ts}.cert" \ --cert-file-expire-days=1 [ $? -ne 0 ] && rm -f "${STKEYS_DIR}/${ts}.key" "${STKEYS_DIR}/${ts}.cert" } stkeys_files() { res="" for file in $(ls "$STKEYS_DIR"/[0-9]*.key); do res="${res}${file}," done echo "$res" } stcerts_files() { res="" for file in $(ls "$STKEYS_DIR"/[0-9]*.cert); do res="${res}${file}," done echo "$res" } if [ ! -f "$KEYS_DIR/provider_name" ]; then exit 1 fi provider_name=$(cat "$KEYS_DIR/provider_name") mkdir -p "$STKEYS_DIR" prune [ $(rotation_needed) = true ] && new_key [ -r "$BLACKLIST" ] && blacklist_opt="--blacklist-file=${BLACKLIST}" exec /opt/dnscrypt-wrapper/sbin/dnscrypt-wrapper \ --user=_dnscrypt-wrapper \ --listen-address=[::]:443 \ --resolver-address=127.0.0.1:553 \ --provider-name="$provider_name" \ --provider-cert-file="$(stcerts_files)" \ --crypt-secretkey-file=$(stkeys_files) \ $blacklist_opt