###################################################################
# unbound-adblock 0.4 Alpine Linux Installation Instructions
# Copyright 2020 Jordan Geoghegan
###################################################################

###################################################################
# Notes:
###################################################################

1) These are the unbound-adblock instructions for Alpine Linux
   These instructions are known to work on Alpine 3.9.x

2) If something doesn't work, then the script can be easily tweaked
   to make it work. The variables set based on OS declaration can be
   very easily modified to accommodate nearly any OS/setup

3) This guide assumes you know how to set up Unbound. If not, there are
   plenty of online guides to setting up Unbound.

   Alpine Linux Unbound Quick Start:

     apk add unbound
     wget https://www.geoghegan.ca/pub/unbound-adblock/0.4/unbound.conf.example
     install -m 644 -o root unbound.conf.example /etc/unbound/unbound.conf

     # Modify unbound.conf to suit your needs:
     vi /etc/unbound/unbound.conf

     # Enable and Start
     rc-update add unbound
     rc-service unbound start

###################################################################
# Fresh Installation Guide
###################################################################

1) Install and configure Unbound as a local recursive DNS server

   An example unbound.conf can be found here:
   https://www.geoghegan.ca/pub/unbound-adblock/0.4/unbound.conf.example

2) Download script:

   $ wget https://geoghegan.ca/pub/unbound-adblock/0.4/unbound-adblock.sh

3) Create a new user (we'll call ours "_adblock")
   The user should be created with default shell of "nologin" and
   an empty password (disables password logins).

   # adduser -D -s /sbin/nologin _adblock

4) Install script with appropriate permissions

   # install -m 755 -o root -g bin unbound-adblock.sh /usr/local/bin/unbound-adblock.sh

5) Create /etc/unbound/adblock.conf:

   # install -m 644 -o _adblock /dev/null /etc/unbound/adblock.conf

6) Install 'doas' utility:

   NOTE: You will need to enable the 'edge' repository to install doas
         You can edit the file '/etc/apk/repositories' by hand to enable it
         (the sed command below uncomments line 4 of that file)

   Run these commands to enable the edge repo and install 'doas':

   # sed -i '4 s/^#//g' /etc/apk/repositories
   # apk add doas

7) Give user '_adblock' strict doas permission for the exact command
   the script needs run as superuser.

   NOTE: Unlike 'sudo', _ALL_ users must be explicitly granted
         permission to use doas, even the root user.

   $ cat /etc/doas.conf
   permit root
   permit nopass _adblock cmd rc-service args unbound restart

8) Add a line to your unbound.conf located BEFORE the forwarders section:

   ...
   include: /etc/unbound/adblock.conf
   ...

9) Run script manually using the '-alpine' argument

   # doas -u _adblock sh /usr/local/bin/unbound-adblock.sh -alpine
   unbound(ok)

10) For good measure, we'll run the unbound-adblock.sh script once more

   # doas -u _adblock sh /usr/local/bin/unbound-adblock.sh -alpine

11) Edit _adblock crontab to run unbound-adblock.sh every night at midnight

   # crontab -u _adblock -e

   @midnight /bin/sh /usr/local/bin/unbound-adblock.sh -alpine

Yay! unbound-adblock is now installed!

With the nightly cron job, the list will be regularly updated with
the latest known bad hosts.

NOTE:

X) Google mandates the use of their DNS servers in many apps and services
   and many devices also use hardcoded Google DNS that cannot be changed.
   This is both a privacy and freedom concern. If you can, redirect all
   DNS traffic to the machine running Unbound.

   Example PF ruleset: (This rule should be run on your router/gateway)

   ...
   # Replace $adblock with the IP address of the Unbound machine
   pass in quick to {8.8.8.8, 8.8.4.4} rdr-to $adblock
   ...
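
Step 7 only limits '_adblock' as long as its doas rule stays restricted to the one command, since a rule without 'cmd' lets that user run anything as root. The following is an added example, not part of unbound-adblock or of the original instructions: a shell function that reads a doas.conf and reports any permit rule for '_adblock' other than the one shown in step 7. The function name 'audit_doas' and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit doas.conf against the rule from step 7.
# audit_doas and the sample files below are constructed for illustration.
EXPECTED='permit nopass _adblock cmd rc-service args unbound restart'

# audit_doas FILE [USER]
# Exit 0 only if USER has at least one permit rule and every permit rule
# naming USER as the identity equals EXPECTED once spacing is normalised.
audit_doas() {
    awk -v user="${2:-_adblock}" -v want="$EXPECTED" '
        { sub(/[#].*/, ""); $1 = $1 }      # drop comments, squeeze blanks
        $1 != "permit" { next }
        {
            id = ""
            for (i = 2; i <= NF; i++) {    # skip options to reach the identity
                if ($i == "setenv") { while (i <= NF && $i !~ /[}]$/) i++; continue }
                if ($i ~ /^(nopass|nolog|persist|keepenv)$/) continue
                id = $i; break
            }
            if (id != user) next
            seen++
            if ($0 == want) {
                printf "ok    line %d: %s\n", NR, $0
            } else {
                bad++; printf "BROAD line %d: %s\n", NR, $0
            }
        }
        END {
            if (!seen) print "MISSING: no permit rule for " user
            exit (bad || !seen)
        }
    ' "$1"
}

# Constructed sample files: the doas.conf from step 7, and one where a
# later rule drops the cmd and args restriction.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
permit root
permit nopass _adblock cmd rc-service args unbound restart
EOF
cat > "$demo_dir/broad.conf" <<'EOF'
permit root
permit nopass _adblock cmd rc-service args unbound restart
permit nopass   _adblock   # no cmd: any command as root
EOF
audit_doas "$demo_dir/good.conf"  && echo "good.conf: matches step 7"
audit_doas "$demo_dir/broad.conf" || echo "broad.conf: tighten the _adblock rule"
rm -rf "$demo_dir"
```

Run it as root against /etc/doas.conf after editing the file; a non-zero exit means the rule is missing or wider than the one in step 7.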