enable DOH/DOQ using Let's Encrypt certs out of the box

.github/ISSUE_TEMPLATE.md

@@ -5,13 +5,15 @@ about: When creating a bug report, please use the following template to provide
 ---
 
 **How to post a meaningful bug report**
+
 1. *Read this whole template first.*
 2. *Determine if you are on the right place:*
    - *If you were performing an action on the app from the webadmin or the CLI (install, update, backup, restore, change_url...), you are on the right place!*
    - *Otherwise, the issue may be due to the app itself. Refer to its documentation or repository for help.*
    - *When in doubt, post here and we will figure it out together.*
 3. *Delete the italic comments as you write over them below, and remove this guide.*
---- 
+
+---
 
 ### Describe the bug
 
@@ -26,13 +28,16 @@ about: When creating a bug report, please use the following template to provide
   - If yes, please explain:
 - Using, or trying to install package version/branch:
 - If upgrading, current package version: *can be found in the admin, or with `yunohost app info $app_id`*
+- Is DNS over HTTP or DNS over QUIC activated?: *no / yes*
 
 ### Steps to reproduce
 
 - *If you performed a command from the CLI, the command itself is enough. For example:*
+
     ```sh
     sudo yunohost app install the_app
     ```
+
 - *If you used the webadmin, please perform the equivalent command from the CLI first.*
 - *If the error occurs in your browser, explain what you did:*
    1. *Go to '...'*
@@ -47,6 +52,7 @@ about: When creating a bug report, please use the following template to provide
 ### Logs
 
 *When an operation fails, YunoHost provides a simple way to share the logs.*
+
 - *In the webadmin, the error message contains a link to the relevant log page. On that page, you will be able to 'Share with Yunopaste'. If you missed it, the logs of previous operations are also available under Tools > Logs.*
 - *In command line, the command to share the logs is displayed at the end of the operation and looks like `yunohost log display [log name] --share`. If you missed it, you can find the log ID of a previous operation using `yunohost log list`.*
 

.shellcheckrc

@@ -0,0 +1,15 @@
+# ~/.shellcheckrc
+
+# follow source _common.sh
+external-sources=true
+
+# disable common errors with yunohost scripting:
+
+# Not following: (error message here)
+disable=SC1091
+
+# foo appears unused. Verify it or export it.
+disable=SC2034
+
+# var is referenced but not assigned.
+disable=SC2154

README.md

@@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t
 However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*.
 
 
-**Shipped version:** 0.107.48~ynh2
+**Shipped version:** 0.107.48~ynh3
 
 ## Screenshots
 

README_es.md

@@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t
 However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*.
 
 
-**Versión actual:** 0.107.48~ynh2
+**Versión actual:** 0.107.48~ynh3
 
 ## Capturas
 

README_eu.md

@@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t
 However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*.
 
 
-**Paketatutako bertsioa:** 0.107.48~ynh2
+**Paketatutako bertsioa:** 0.107.48~ynh3
 
 ## Pantaila-argazkiak
 

README_fr.md

@@ -24,7 +24,7 @@ Il fonctionne comme un serveur DNS qui redirige les domaines de pistage vers un
 Cependant, Dnsmasq n'est pas désactivé et continuera à fonctionner en tant que *serveur DNS localhost*.
 
 
-**Version incluse :** 0.107.48~ynh2
+**Version incluse :** 0.107.48~ynh3
 
 ## Captures d’écran
 

README_gl.md

@@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t
 However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*.
 
 
-**Versión proporcionada:** 0.107.48~ynh2
+**Versión proporcionada:** 0.107.48~ynh3
 
 ## Capturas de pantalla
 

README_zh_Hans.md

@@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t
 However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*.
 
 
-**分发版本：** 0.107.48~ynh2
+**分发版本：** 0.107.48~ynh3
 
 ## 截图
 

conf/10-adguardhome.conf

@@ -0,0 +1,5 @@
+# This is a configuration file linked to the AdGuardHome YunoHost package
+
+# augment the packet buffer size for DNS over QUIC to work properly
+net.core.rmem_max = 2500000
+net.core.wmem_max = 2500000

conf/AdGuardHome.yaml

@@ -1,109 +1,120 @@
-bind_host: 127.0.0.1
-bind_port: __PORT__
-beta_bind_port: 0
+http:
+  pprof:
+    port: 6060
+    enabled: false
+  address: 127.0.0.1:__PORT__
+  session_ttl: 720h
 users:
-- name: __ADMIN__
-  password: __PASSWORD__
+  - name: __ADMIN__
+    password: __PASSWORD__
 auth_attempts: 5
 block_auth_min: 15
 http_proxy: ""
-language: ""
-rlimit_nofile: 0
-debug_pprof: false
-web_session_ttl: 720
+language: en
+theme: auto
 dns:
-  bind_hosts:
-  __IPV4_ADDR__
-  __IPV6_ADDR__
+  bind_hosts: []
   port: 53
-  statistics_interval: 1
-  querylog_enabled: true
-  querylog_file_enabled: true
-  querylog_interval: 90
-  querylog_size_memory: 1000
   anonymize_client_ip: false
-  protection_enabled: true
-  blocking_mode: default
-  blocking_ipv4: ""
-  blocking_ipv6: ""
-  blocked_response_ttl: 10
-  parental_block_host: family-block.dns.adguard.com
-  safebrowsing_block_host: standard-block.dns.adguard.com
   ratelimit: 20
+  ratelimit_subnet_len_ipv4: 24
+  ratelimit_subnet_len_ipv6: 56
   ratelimit_whitelist: []
   refuse_any: true
   upstream_dns:
-  - https://dns10.quad9.net/dns-query
+    - https://dns10.quad9.net/dns-query
+    - https://dns.mullvad.net/dns-query
+    - https://dns-unfiltered.adguard.com/dns-query
   upstream_dns_file: ""
   bootstrap_dns:
   - 9.9.9.10
   - 149.112.112.10
+  - 194.242.2.2
   - 2620:fe::10
   - 2620:fe::fe:10
-  all_servers: false
+  - 2a07:e340::2
+  fallback_dns: []
+  all_servers: true
   fastest_addr: false
+  fastest_timeout: 1s
   allowed_clients: []
   disallowed_clients: []
   blocked_hosts:
-  - version.bind
-  - id.server
-  - hostname.bind
-  cache_size: 4194304
-  cache_ttl_min: 0
-  cache_ttl_max: 0
+    - version.bind
+    - id.server
+    - hostname.bind
+  trusted_proxies:
+    - 127.0.0.0/8
+    - ::1/128
+  cache_size: 41943040
+  cache_ttl_min: 10800
+  cache_ttl_max: 86400
+  cache_optimistic: true
   bogus_nxdomain: []
   aaaa_disabled: false
   enable_dnssec: false
-  edns_client_subnet: false
+  edns_client_subnet:
+    custom_ip: ""
+    enabled: false
+    use_custom: false
   max_goroutines: 300
+  handle_ddr: true
   ipset: []
-  filtering_enabled: true
-  filters_update_interval: 24
-  parental_enabled: false
-  safesearch_enabled: false
-  safebrowsing_enabled: false
-  safebrowsing_cache_size: 1048576
-  safesearch_cache_size: 1048576
-  parental_cache_size: 1048576
-  cache_time: 30
-  rewrites: []
-  blocked_services: []
-  local_domain_name: lan
-  resolve_clients: true
+  ipset_file: ""
+  bootstrap_prefer_ipv6: true
+  upstream_timeout: 10s
+  private_networks: []
+  use_private_ptr_resolvers: false
   local_ptr_upstreams: []
+  use_dns64: false
+  dns64_prefixes: []
+  serve_http3: true
+  use_http3_upstreams: true
+  serve_plain_dns: true
 tls:
-  enabled: false
-  server_name: ""
+  enabled: __DNS_OVER_HTTPS__
+  server_name: "__DOMAIN__"
   force_https: false
-  port_https: 443
-  port_dns_over_tls: 853
-  port_dns_over_quic: 784
+  port_https: 0
+  port_dns_over_tls: __PORT_DNS_OVER_TLS__
+  port_dns_over_quic: __PORT_DNS_OVER_QUIC__
   port_dnscrypt: 0
   dnscrypt_config_file: ""
-  allow_unencrypted_doh: __DNS_OVER_HTTPS__
-  strict_sni_check: false
+  allow_unencrypted_doh: true
   certificate_chain: ""
   private_key: ""
-  certificate_path: ""
-  private_key_path: ""
+  certificate_path: "/etc/yunohost/certs/__DOMAIN__/crt.pem"
+  private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem"
+  strict_sni_check: false
+querylog:
+  ignored: []
+  interval: 24h
+  size_memory: 1000
+  enabled: true
+  file_enabled: true
+statistics:
+  ignored: []
+  interval: 720h
+  enabled: true
 filters:
-- enabled: true
-  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
-  name: AdGuard DNS filter
-  id: 1
-- enabled: false
-  url: https://adaway.org/hosts.txt
-  name: AdAway Default Blocklist
-  id: 2
-- enabled: false
-  url: https://www.malwaredomainlist.com/hostslist/hosts.txt
-  name: MalwareDomainList.com Hosts List
-  id: 4
+  - enabled: true
+    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
+    name: AdGuard DNS filter
+    id: 1
+  - enabled: false
+    url: https://adaway.org/hosts.txt
+    name: AdAway Default Blocklist
+    id: 2
+  - enabled: false
+    url: https://www.malwaredomainlist.com/hostslist/hosts.txt
+    name: MalwareDomainList.com Hosts List
+    id: 3
 whitelist_filters: []
 user_rules: []
 dhcp:
   enabled: false
   interface_name: ""
+  local_domain_name: lan
   dhcpv4:
     gateway_ip: ""
     subnet_mask: ""
@@ -117,13 +128,54 @@ dhcp:
     lease_duration: 86400
     ra_slaac_only: false
     ra_allow_slaac: false
-clients: []
+filtering:
+  blocking_ipv4: ""
+  blocking_ipv6: ""
+  blocked_services:
+    schedule:
+      time_zone: Local
+    ids: []
+  protection_disabled_until: null
+  safe_search:
+    enabled: false
+    bing: false
+    duckduckgo: false
+    google: false
+    pixabay: false
+    yandex: false
+    youtube: false
+  blocking_mode: refused
+  parental_block_host: family-block.dns.adguard.com
+  safebrowsing_block_host: standard-block.dns.adguard.com
+  rewrites: []
+  safebrowsing_cache_size: 1048576
+  safesearch_cache_size: 1048576
+  parental_cache_size: 1048576
+  cache_time: 30
+  filters_update_interval: 12
+  blocked_response_ttl: 10
+  filtering_enabled: true
+  parental_enabled: false
+  safebrowsing_enabled: true
+  protection_enabled: true
+clients:
+  runtime_sources:
+    whois: true
+    arp: true
+    rdns: true
+    dhcp: true
+    hosts: true
+  persistent: []
 log:
-  compress: false
-  localtime: false
+  file: ""
   max_backups: 0
   max_size: 100
   max_age: 3
-  file: ""
-verbose: false
-schema_version: 10
+  compress: false
+  local_time: false
+  verbose: false
+os:
+  group: "__APP__"
+  user: "__APP__"
+  rlimit_nofile: 0
+schema_version: 27