From af7042bda1888e5bc53429dee37ecca1ebd3cea6 Mon Sep 17 00:00:00 2001
From: jeka
Date: Sat, 16 Dec 2023 23:44:37 +0500
Subject: [PATCH] extras provision stage2
---
 .../common/root/autoprovision-stage2.sh | 115 ++++++++++++++++--
 .../etc/uci-defaults/99-defaults | 13 ++
 2 files changed, 116 insertions(+), 12 deletions(-)
diff --git a/image-extras/common/root/autoprovision-stage2.sh b/image-extras/common/root/autoprovision-stage2.sh
index a7e0a9c..594d4e2 100755
--- a/image-extras/common/root/autoprovision-stage2.sh
+++ b/image-extras/common/root/autoprovision-stage2.sh
@@ -4,6 +4,104 @@
 . /root/autoprovision-functions.sh
+dnsmasqfull()
+{
+ if opkg list-installed | grep -q dnsmasq-full; then
+ printf "\033[32;1mdnsmasq-full already installed\033[0m\n"
+ else
+ printf "\033[32;1mInstalled dnsmasq-full\033[0m\n"
+ cd /tmp/ && opkg download dnsmasq-full
+ opkg remove dnsmasq && opkg install dnsmasq-full --cache /tmp/
+ [ -f /etc/config/dhcp-opkg ] && cp /etc/config/dhcp /etc/config/dhcp-old && mv /etc/config/dhcp-opkg /etc/config/dhcp
+ /etc/init.d/dnsmasq restart
+ fi
+}
+
+dnscrypt2()
+{
+ if opkg list-installed | grep -q dnscrypt-proxy2; then
+ printf "\033[32;1mDNSCrypt2 already installed\033[0m\n"
+ else
+ printf "\033[32;1mInstalled dnscrypt-proxy2\033[0m\n"
+ opkg install dnscrypt-proxy2
+ if grep -q "# server_names" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml; then
+ sed -i "s/^# server_names =.*/server_names = [\'google\', \'cloudflare\', \'scaleway-fr\', \'yandex\']/g" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
+ fi
+
+ printf "\033[32;1mDNSCrypt restart\033[0m\n"
+ service dnscrypt-proxy restart
+ printf "\033[32;1mDNSCrypt needs to load the relays list. Please wait\033[0m\n"
+ sleep 30
+
+ if [ -f /etc/dnscrypt-proxy2/relays.md ]; then
+ uci set dhcp.@dnsmasq[0].noresolv="1"
+ uci -q delete dhcp.@dnsmasq[0].server
+ uci add_list dhcp.@dnsmasq[0].server="127.0.0.53#53"
+ uci add_list dhcp.@dnsmasq[0].server='/use-application-dns.net/'
+ uci commit dhcp
+
+ printf "\033[32;1mDnsmasq restart\033[0m\n"
+
+ /etc/init.d/dnsmasq restart
+ else
+ printf "\033[31;1mDNSCrypt not download list on /etc/dnscrypt-proxy2. Repeat install DNSCrypt by script.\033[0m\n"
+ fi
+ fi
+}
+
+
+add_getdomains()
+{
+ COUNTRY=russia_inside
+ EOF_DOMAINS=DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Russia/inside-dnsmasq-nfset.lst
+ if [ "$COUNTRY" != '0' ]; then
+ printf "\033[32;1mCreate script /etc/init.d/getdomains\033[0m\n"
+
+cat << EOF > /etc/init.d/getdomains
+#!/bin/sh /etc/rc.common
+
+START=99
+
+start () {
+ $EOF_DOMAINS
+EOF
+cat << 'EOF' >> /etc/init.d/getdomains
+ count=0
+ while true; do
+ if curl -m 3 github.com; then
+ curl -f $DOMAINS --output /tmp/dnsmasq.d/domains.lst
+ break
+ else
+ echo "GitHub is not available. Check the internet availability [$count]"
+ count=$((count+1))
+ fi
+ done
+
+ if dnsmasq --conf-file=/tmp/dnsmasq.d/domains.lst --test 2>&1 | grep -q "syntax check OK"; then
+ /etc/init.d/dnsmasq restart
+ fi
+}
+EOF
+
+ chmod +x /etc/init.d/getdomains
+ /etc/init.d/getdomains enable
+
+ if crontab -l | grep -q /etc/init.d/getdomains; then
+ printf "\033[32;1mCrontab already configured\033[0m\n"
+
+ else
+ crontab -l | { cat; echo "0 */8 * * * /etc/init.d/getdomains start"; } | crontab -
+ printf "\033[32;1mIgnore this error. This is normal for a new installation\033[0m\n"
+ /etc/init.d/cron restart
+ fi
+
+ printf "\033[32;1mStart script\033[0m\n"
+
+ /etc/init.d/getdomains start
+ fi
+}
+
+
 installPackages()
 {
 signalAutoprovisionWaitingForUser
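Review bot: The generated /etc/init.d/getdomains loops forever with no delay and no give-up when `curl -m 3 github.com` fails: with START=99 an offline router spins in that loop (re-querying the resolver on every iteration) for as long as the network is down, and since rc.common invokes `start()` in the foreground it is likely to stall the remainder of the boot sequence as well. A bounded retry with a sleep and a non-zero exit, below, keeps the cron-driven refresh but lets boot and the stage-2 run proceed. Separately, in dnsmasqfull the result of `cd /tmp/ && opkg download dnsmasq-full` is never checked, so a failed download still reaches `opkg remove dnsmasq && opkg install dnsmasq-full --cache /tmp/` and can leave the router with no DNS server at all; `(cd /tmp && opkg download dnsmasq-full) || return 1` before the remove fixes that and also stops the `cd` from leaking into the caller's working directory.
```shell
cat << 'EOF' >> /etc/init.d/getdomains
  count=0
  # bounded retry: never hang boot on missing connectivity
  while ! curl -s -m 3 -o /dev/null github.com; do
    count=$((count+1))
    echo "GitHub is not available. Check the internet availability [$count]"
    [ "$count" -ge 20 ] && exit 1
    sleep 15
  done
  curl -f -s -m 30 "$DOMAINS" --output /tmp/dnsmasq.d/domains.lst || exit 1
# … unchanged: dnsmasq --test check, dnsmasq restart, closing brace and EOF …
```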
@@ -33,18 +131,7 @@ installPackages()
 # CUSTOMIZE
 # install some more packages that don't need any extra steps
 #opkg install lua luci ppp-mod-pppoe screen mc unzip logrotate
- opkg install logrotate curl sing-box dnscrypt-proxy2
-
- dnsmasqfull() {
- if opkg list-installed | grep -q dnsmasq-full; then
- printf "\033[32;1mdnsmasq-full already installed\033[0m\n"
- else
- printf "\033[32;1mInstalled dnsmasq-full\033[0m\n"
- cd /tmp/ && opkg download dnsmasq-full
- opkg remove dnsmasq && opkg install dnsmasq-full --cache /tmp/
- [ -f /etc/config/dhcp-opkg ] && cp /etc/config/dhcp /etc/config/dhcp-old && mv /etc/config/dhcp-opkg /etc/config/dhcp
- fi
- }
+ opkg install logrotate curl
 # this is needed for the vlans on tp-link 3020 with only a single hw ethernet port
 #opkg install kmod-macvlan ip
@@ -97,3 +184,7 @@ EOF
 }
 autoprovisionStage2
+dnsmasqfull
+dnscrypt2
+add_getdomains
+
diff --git a/image-extras/tplink_tl-wdr3600-v1/etc/uci-defaults/99-defaults b/image-extras/tplink_tl-wdr3600-v1/etc/uci-defaults/99-defaults
index b7d04cc..2c270d6 100644
--- a/image-extras/tplink_tl-wdr3600-v1/etc/uci-defaults/99-defaults
+++ b/image-extras/tplink_tl-wdr3600-v1/etc/uci-defaults/99-defaults
@@ -311,6 +311,19 @@ uci set network.@rule[-1].name='mark0x1'
 uci set network.@rule[-1].mark='0x1'
 uci set network.@rule[-1].priority='100'
 uci set network.@rule[-1].lookup='vpn'
+uci add firewall ipset
+uci set firewall.@ipset[-1].name='vpn_domains'
+uci set firewall.@ipset[-1].match='dst_net'
+uci add firewall rule
+uci set firewall.@rule[-1]=rule
+uci set firewall.@rule[-1].name='mark_domains'
+uci set firewall.@rule[-1].src='lan'
+uci set firewall.@rule[-1].dest='*'
+uci set firewall.@rule[-1].proto='all'
+uci set firewall.@rule[-1].ipset='vpn_domains'
+uci set firewall.@rule[-1].set_mark='0x1'
+uci set firewall.@rule[-1].target='MARK'
+uci set firewall.@rule[-1].family='ipv4'
 # ADD REDIRECT
 uci add firewall redirect
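Review bot: The three calls appended after `autoprovisionStage2` run unconditionally, so nothing notices when a previous step left the box in a broken state before the next one changes DNS further. In particular dnscrypt2 repoints every dnsmasq upstream to `127.0.0.53#53` on the strength of `[ -f /etc/dnscrypt-proxy2/relays.md ]`, which shows a file was written rather than that the proxy answers, and add_getdomains then fetches its list through that resolver; if it never answers, the getdomains loop from the first hunk never completes. Each function's status is only that of its last command (for dnsmasqfull that is the `/etc/init.d/dnsmasq restart`), so at minimum chain them as `dnsmasqfull || exit 1`, `dnscrypt2 || exit 1`, `add_getdomains || exit 1` and have the failing steps inside them `return 1`, so a failed dnsmasq restart stops the run instead of being followed by the dhcp rewrite.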
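Review bot: The new MARK rule sends every lan flow whose destination is in `vpn_domains` to the `vpn` routing table (via the `mark='0x1'` / `lookup='vpn'` rule in the context lines above), but nothing in this section makes that table fail closed: if the VPN interface is down and the table has no matching route, the kernel falls through to the main table and the flow leaves unencrypted via the WAN. An unreachable default in table `vpn` makes selected destinations fail instead of leak while the tunnel is down, e.g. a `network.@route` section with `target='0.0.0.0/0'`, `type='unreachable'`, `table='vpn'` (verify that netifd on this release accepts `type` for routes). Minor: `uci set firewall.@rule[-1]=rule` is redundant after `uci add firewall rule` and can be dropped.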