###################################################################
# unbound-adblock 0.4 SystemD/Linux Installation Instructions
# Copyright 2020 Jordan Geoghegan
###################################################################

###################################################################
# Notes:
###################################################################

1) This guide should work for almost any SystemD based distro.
   It is known to work on Ubuntu 20.04 and CentOS 8.

2) If something doesn't work, then the script can be easily tweaked to make it
   work. The variables set based on OS declaration can be very easily modified
   to accommodate nearly any OS/setup.

3) This guide assumes you know how to set up Unbound. If not, there are plenty
   of online guides to setting up Unbound.

   Linux Unbound Quick Start:

   {apt,yum} install unbound
   fetch https://www.geoghegan.ca/pub/unbound-adblock/0.4/unbound.conf.example
   install -m 644 -o root unbound.conf.example /etc/unbound/unbound.conf

   # Modify unbound.conf to suit your needs:
   vi /etc/unbound/unbound.conf

   # Enable and Start
   systemctl enable unbound
   systemctl start unbound

###################################################################
# Fresh Installation Guide
###################################################################

1) Install and configure Unbound as a local recursive DNS server.
   An example unbound.conf can be found here:
   https://www.geoghegan.ca/pub/unbound-adblock/0.4/unbound.conf.example

2) Download script:

   $ wget https://geoghegan.ca/pub/unbound-adblock/0.4/unbound-adblock.sh

3) Create a new user (we'll call ours "_adblock").
   The user should be created with a default shell of "nologin" and an empty
   password (disables password logins).

   # useradd -s /sbin/nologin _adblock

4) Install script with appropriate permissions:

   # install -m 755 -o root -g bin unbound-adblock.sh /usr/local/bin/unbound-adblock.sh

5) Create /etc/unbound/adblock.conf:

   # install -m 644 -o _adblock /dev/null /etc/unbound/adblock.conf

6) Give user '_adblock' strict sudo permission for the exact command the script
   needs to run as superuser:

   # visudo
   _adblock ALL=(root) NOPASSWD: /bin/systemctl restart unbound

7) Add a line to your unbound.conf located BEFORE the forwarders section:

   ...
   include: /etc/unbound/adblock.conf
   ...

8) Run script manually using the '-linux' argument:

   # sudo -u _adblock sh /usr/local/bin/unbound-adblock.sh -linux
   unbound(ok)

9) For good measure, we'll run the unbound-adblock.sh script once more:

   # sudo -u _adblock sh /usr/local/bin/unbound-adblock.sh -linux

10) Edit the _adblock crontab to run unbound-adblock.sh every night at midnight:

   # crontab -u _adblock -e
   @midnight /bin/sh /usr/local/bin/unbound-adblock.sh -linux

Yay! unbound-adblock is now installed! With the nightly cron job, the list will
be regularly updated with the latest known bad hosts.

NOTE:

X) Google mandates the use of their DNS servers in many apps and services, and
   many devices also use hardcoded Google DNS that cannot be changed. This is
   both a privacy and freedom concern. If you can, redirect all DNS traffic to
   the machine running Unbound.

   Example PF ruleset: (This rule should be run on your router/gateway)

   ...
   # Replace $adblock with the IP address of the Unbound machine
   pass in quick to {8.8.8.8, 8.8.4.4} rdr-to $adblock
   ...
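Two post-install sanity checks for the layout described above (the include-before-forwarders requirement of step 7, and that the adblock.conf written by the _adblock user contains nothing but blocklist entries), as an added example that is not part of unbound-adblock or this guide. It assumes the generated file consists only of local-zone/local-data lines, and the sample configs it creates are constructed, not real.

```shell
#!/bin/sh
# Added example, not part of unbound-adblock: post-install sanity checks for the
# layout above. Assumes the generated adblock.conf holds only local-zone /
# local-data lines, the form unbound uses for a blocklist.
# 0 if "include: <inc>" precedes the first forward-zone: stanza in <conf>
# (the ordering step 7 requires); 1 if the include is missing or comes later.
include_before_forwarders() {
    awk -v inc="${2:-/etc/unbound/adblock.conf}" '
        /^[[:space:]]*include:/ && index($0, inc) && !i { i = NR }
        /^[[:space:]]*forward-zone:/ && !f { f = NR }
        END { if (!i) exit 1; if (!f) exit 0; if (i < f) exit 0; exit 1 }' "$1"
}

# 0 if every non-blank, non-comment line is local-zone:/local-data:; 1 if any
# other directive (a stray include: or server: line) could alter unbound.
blocklist_only_local_zones() {
    awk '/^[[:space:]]*(#|$)/ { next }
         /^[[:space:]]*local-(zone|data):/ { next }
         { bad = 1 }
         END { if (bad) exit 1; exit 0 }' "$1"
}

# Constructed sample files (not real configs) to exercise the checks.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/good.conf" <<'EOF'
server:
    include: /etc/unbound/adblock.conf
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
EOF
cat > "$SAMPLES/late.conf" <<'EOF'
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
    include: /etc/unbound/adblock.conf
EOF
printf '%s\n' '# generated list' 'local-zone: "ads.example" always_refuse' \
    'local-zone: "tracker.example" always_nxdomain' > "$SAMPLES/adblock.conf"
printf '%s\n' 'local-zone: "ads.example" always_refuse' \
    'include: /etc/unbound/other.conf' > "$SAMPLES/tampered.conf"

for f in good late; do
    include_before_forwarders "$SAMPLES/$f.conf" \
        && echo "$f.conf: include ordered correctly" \
        || echo "$f.conf: include missing or after forwarders"
done
blocklist_only_local_zones "$SAMPLES/tampered.conf" \
    || echo "tampered.conf: contains non-blocklist directives"
```

Point the two functions at /etc/unbound/unbound.conf and /etc/unbound/adblock.conf (after step 8) to check a live install; a non-zero return from either is worth investigating before trusting the nightly cron run.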