-
Notifications
You must be signed in to change notification settings - Fork 0
/
pihole_sync.sh
executable file
·352 lines (278 loc) · 11 KB
/
pihole_sync.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
#!/usr/bin/env bash
set -e
DisplayHelp()
{
echo ""
echo "Pi-hole Sync"
echo ""
echo "Sync your main Pi-hole to a secondary Pi-hole using the v6 API"
echo ""
echo "This script will requst the teleporter backup from the main Pi-hole, download it and"
echo "upload it to the secondary Pi-hole."
echo ""
echo "Options"
echo ""
echo " --main <DOMAIN|IP> Mandatory. Domain or IP address of your main Pi-hole"
echo " --secondary <DOMAIN|IP> Mandatory. Domain or IP address of your secondary Pi-hole"
echo " --secret_main <secret password> Optional. Your Pi-hole password for the main server"
echo " --secret_secondary <secret password> Optional. Your Pi-hole password for the secondary server"
echo " --save Optional. Keep your teleporter file"
echo ""
echo "Abort script with Ctrl+C"
echo ""
echo ""
}
secretRead() {
local key charcount password
# POSIX compliant function to read user-input and
# mask every character entered by (*)
#
# This is challenging, because in POSIX, `read` does not support
# `-s` option (suppressing the input) or
# `-n` option (reading n chars)
# This workaround changes the terminal characteristics to not echo input and later rests this option
# credits https://stackoverflow.com/a/4316765
# showing astrix instead of password
# https://stackoverflow.com/a/24600839
# https://unix.stackexchange.com/a/464963
stty -echo # do not echo user input
stty -icanon min 1 time 0 # disable cannonical mode https://man7.org/linux/man-pages/man3/termios.3.html
unset password
unset key
unset charcount
charcount=0
while key=$(dd ibs=1 count=1 2>/dev/null); do #read one byte of input
if [ "${key}" = "$(printf '\0' | tr -d '\0')" ] ; then
# Enter - accept password
break
fi
if [ "${key}" = "$(printf '\177')" ] ; then
# Backspace
if [ $charcount -gt 0 ] ; then
charcount=$((charcount-1))
printf '\b \b' >&2
password="${password%?}"
fi
else
# any other character
charcount=$((charcount+1))
printf '*' >&2
password="$password$key"
fi
done
# restore original terminal settings
stty "${stty_orig}"
echo "${password}"
}
GetAPI() {
local chaos_api_list availabilityResonse cmdResult digReturnCode
local SERVER
local API_URL
SERVER=$1
# Query the API URLs from FTL using CHAOS TXT
# The result is a space-separated enumeration of full URLs
# e.g., "http://localhost:80/api" or "https://domain.com:443/api"
if [ -z "${SERVER}" ] || [ "${SERVER}" = "localhost" ] || [ "${SERVER}" = "127.0.0.1" ]; then
# --server was not set or set to local, assuming we're running locally
cmdResult="$(dig +short chaos txt local.api.ftl @localhost 2>&1; echo $?)"
else
# --server was set, try to get response from there
cmdResult="$(dig +short chaos txt domain.api.ftl @"${SERVER}" 2>&1; echo $?)"
fi
# Gets the return code of the dig command (last line)
# We can't use${cmdResult##*$'\n'*} here as $'..' is not POSIX
digReturnCode="$(echo "${cmdResult}" | tail -n 1)"
if [ ! "${digReturnCode}" = "0" ]; then
# If the query was not successful
echo "API not available at ${SERVER}. Please check server address and connectivity" >&2
exit 1
else
# Dig returned 0 (success), so get the actual response (first line)
chaos_api_list="$(echo "${cmdResult}" | head -n 1)"
fi
# Iterate over space-separated list of URLs
while [ -n "${chaos_api_list}" ]; do
# Get the first URL
API_URL="${chaos_api_list%% *}"
# Strip leading and trailing quotes
API_URL="${API_URL%\"}"
API_URL="${API_URL#\"}"
# Test if the API is available at this URL
availabilityResonse=$(curl -skS -o /dev/null -w "%{http_code}" "${API_URL}auth")
# Test if http status code was 200 (OK) or 401 (authentication required)
if [ ! "${availabilityResonse}" = 200 ] && [ ! "${availabilityResonse}" = 401 ]; then
# API is not available at this port/protocol combination
API_PORT=""
else
# API is available at this URL combination
echo "${API_URL}"
break
fi
# Remove the first URL from the list
local last_api_list
last_api_list="${chaos_api_list}"
chaos_api_list="${chaos_api_list#* }"
# If the list did not change, we are at the last element
if [ "${last_api_list}" = "${chaos_api_list}" ]; then
# Remove the last element
chaos_api_list=""
fi
done
# if API_PORT is empty, no working API port was found
if [ -n "${API_PORT}" ]; then
echo "API not available at: ${API_URL}" >&2
echo "Exiting."
exit 1
fi
}
Authenthication() {
local current_API current_pwd SID validSession SID
current_API=$1
current_pwd=$2
# Try to authenticate
sessionResponse=$(LoginAPI "${current_API}" "${current_pwd}")
# obtain validity and session ID from session response
validSession=$(echo "${sessionResponse}"| jq .session.valid 2>/dev/null)
SID=$(echo "${sessionResponse}"| jq --raw-output .session.sid 2>/dev/null)
while [ "${validSession}" = false ] || [ -z "${validSession}" ] ; do
echo "Authentication failed at ${current_API}" >&2
# no password was supplied as argument
if [ -z "${current_pwd}" ]; then
echo "No password supplied for ${current_API} Please enter your password:" >&2
else
echo "Wrong password supplied for ${current_API} Please enter the correct password:" >&2
fi
# secretly read the password
current_pwd=$(secretRead)
echo "" >&2
# Try to authenticate again
sessionResponse=$(LoginAPI "${current_API}" "${current_pwd}")
# obtain validity and session ID from session response
validSession=$(echo "${sessionResponse}"| jq .session.valid 2>/dev/null)
SID=$(echo "${sessionResponse}"| jq --raw-output .session.sid 2>/dev/null)
done
# Loop exited, authentication was successful
echo "Authentication successful at ${current_API}" >&2
echo "${SID}"
}
LoginAPI() {
local sessionResponse API_URL password
API_URL=$1
password=$2
sessionResponse="$(curl -skS -X POST "${API_URL}auth" --data "{\"password\":\"${password}\"}" )"
if [ -z "${sessionResponse}" ]; then
echo "No response from FTL server. Please check connectivity and use the options to set the server domain/IP" >&2
exit 1
fi
echo "${sessionResponse}"
}
DeleteSession() {
local SID API_URL deleteResponse
API_URL=$1
SID=$2
# SID is not null (successful authenthication only), delete the session
if [ ! "${SID}" = null ]; then
# Try to delte the session. Omitt the output, but get the http status code
deleteResponse=$(curl -skS -o /dev/null -w "%{http_code}" -X DELETE "${API_URL}auth" -H "Accept: application/json" -H "sid: ${SID}")
case "${deleteResponse}" in
"204") printf "%b" "Session successfully deleted at ${API_URL} \n";;
"401") printf "%b" "Logout attempt without a valid session at ${API_URL} Unauthorized!\n";;
esac;
fi
}
DownloadTeleporter() {
local response API_URL SID
API_URL=$1
SID=$2
# get the teleporter data from the API as well as the http status code
response=$(curl -skS -w "%{http_code}" -o teleporter.zip -X GET "${API_URL}teleporter" -H "Accept: application/json" -H "sid: ${SID}")
if [ "${response}" = 200 ]; then
echo "Download successful"
elif [ "${response}" = 000 ]; then
# connection lost
echo "Connection lost to ${API_URL}" >&2
exit 1
elif [ "${response}" = 401 ]; then
# unauthorized
echo "Unauthorized at ${API_URL}" >&2
exit 1
fi
}
UploadTeleporter() {
local response API_URL SID
API_URL=$1
SID=$2
# get the teleporter data from the API as well as the http status code
response=$(curl -skS -w "%{http_code}" -F [email protected] -X POST "${API_URL}teleporter" -H "Accept: application/json" -H "sid: ${SID}")
if [ "${response}" = 200 ]; then
echo "Upload successful"
elif [ "${response}" = 000 ]; then
# connection lost
echo "Connection lost to ${API_URL}" >&2
exit 1
elif [ "${response}" = 401 ]; then
# unauthorized
echo "Unauthorized at ${API_URL}" >&2
exit 1
fi
}
# Called on signals INT QUIT TERM
sig_cleanup() {
# save error code (130 for SIGINT, 143 for SIGTERM, 131 for SIGQUIT)
err=$?
# some shells will call EXIT after the INT signal
# causing EXIT trap to be executed, so we trap EXIT after INT
trap '' EXIT
(exit $err) # execute in a subshell just to pass $? to clean_exit()
clean_exit
}
# Called on signal EXIT, or indirectly on INT QUIT TERM
clean_exit() {
# save the return code of the script
err=$?
# reset trap for all signals to not interrupt clean_tempfiles() on any next signal
trap '' EXIT INT QUIT TERM
# restore terminal settings if they have been changed (e.g. user cancled script while at password input prompt)
if [ "$(stty -g)" != "${stty_orig}" ]; then
stty "${stty_orig}"
fi
# Delete sessions from FTL servers
DeleteSession "${main_API}" "${main_SID}"
DeleteSession "${secondary_API}" "${secondary_SID}"
exit $err # exit the script with saved $?
}
################################# Main ################
# Process all options (if present)
while [ "$#" -gt 0 ]; do
case "$1" in
"-h" | "--help" ) DisplayHelp; exit 0;;
"--main" ) main_pihole="$2"; shift;;
"--secret_main" ) password_main="$2"; shift;;
"--secondary" ) secondary_pihole="$2"; shift;;
"--secret_secondary" ) password_secondary="$2"; shift;;
"--save" ) save_teleporter=true;;
* ) DisplayHelp; exit 1;;
esac
shift
done
# Save current terminal settings (needed for later restore after password prompt)
stty_orig=$(stty -g)
# Traps for graceful shutdown
# https://unix.stackexchange.com/a/681201
trap clean_exit EXIT
trap sig_cleanup INT QUIT TERM
# Test if the authentication endpoints are availabe
main_API=$(GetAPI "${main_pihole}")
secondary_API=$(GetAPI "${secondary_pihole}")
# Authenticate with the servers
main_SID=$(Authenthication "${main_API}" "${password_main}")
secondary_SID=$(Authenthication "${secondary_API}" "${password_secondary}")
# Download Teleporter archive
DownloadTeleporter "${main_API}" "${main_SID}"
# Upload Teleporter archive
UploadTeleporter "${secondary_API}" "${secondary_SID}"
# Remove Teleporter archive if not requested otherwise
if [ -z "${save_teleporter}" ]; then
rm teleporter.zip
fi
# with set -e set, script will exit here and sessions will be deleted