--domainname on the container sets the kernel domainname, which c-ares
uses to infer a search domain even when /etc/resolv.conf has no search
line. This caused c-ares to query github.com.casjay.work AAAA and get
the host's own IPv6 address, routing all outbound HTTPS to the local
nginx instead of the real server.
Adding 'search .' and 'options ndots:0' explicitly disables search
domain inference regardless of the kernel domainname setting.
- rootfs/usr/local/etc/resolv.conf: add search . and options ndots:0
rootfs/usr/local/etc/resolv.conf
Hosts with a search domain cause containers to inherit it. When the
zone has a wildcard AAAA record, public hostnames resolve to the host's
own IPv6 address instead of the real server, breaking all outbound
HTTPS and DNS from inside the container.
The entrypoint already has a hook: if /usr/local/etc/resolv.conf
exists it replaces /etc/resolv.conf at container startup. Ship a
clean resolv.conf with Cloudflare + Google DNS and no search domain
so container DNS is always correct regardless of host configuration.
- rootfs/usr/local/etc/resolv.conf: new file — clean DNS, no search domain
rootfs/usr/local/etc/resolv.conf
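An added example, not part of either commit above or of the project, that models the search-domain inference both commits describe: how a stub resolver such as c-ares turns a name into the list of queries it sends, given a resolv.conf and the kernel domainname, plus a check that a shipped resolv.conf disables inference. The resolver rules in the comments are assumptions of this model; the sample resolv.conf contents are constructed.

```python
# Added example, not from the commit or the project. Rules assumed here:
# 'search'/'domain' sets the search list and 'search .' empties it; with
# neither present the list is inferred from the kernel domainname; a name
# with fewer dots than ndots (default 1) is tried with suffixes first,
# otherwise as-is first and suffixed afterwards if that yields no answer.

def parse_resolv_conf(text):
    """Return nameservers, search list (None = no search/domain line), ndots."""
    conf = {"nameservers": [], "search": None, "ndots": 1}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif key in ("search", "domain"):
            conf["search"] = [] if args == ["."] else args
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf["ndots"] = int(opt.split(":", 1)[1])
    return conf

def query_candidates(name, conf, kernel_domainname=""):
    """Ordered list of names the resolver would actually send queries for."""
    if name.endswith("."):  # fully qualified: never suffixed
        return [name]
    search = conf["search"]
    if search is None:  # no search/domain line: inferred from the kernel domainname
        search = [kernel_domainname] if kernel_domainname else []
    suffixed = [f"{name}.{s}" for s in search]
    if name.count(".") < conf["ndots"]:
        return suffixed + [name]
    return [name] + suffixed

def check_resolv_conf(text):
    """Findings for a container resolv.conf that must never use a search domain."""
    conf = parse_resolv_conf(text)
    findings = []
    if conf["search"] is None:
        findings.append("no 'search .' line: search list inferred from kernel domainname")
    elif conf["search"]:
        findings.append("search domains present: " + " ".join(conf["search"]))
    if conf["ndots"] != 0:
        findings.append(f"ndots is {conf['ndots']}, expected 0")
    return findings

# Constructed samples: a host-inherited resolv.conf and the shipped clean one.
HOST_RESOLV_CONF = "nameserver 192.0.2.53\n"
CLEAN_RESOLV_CONF = "nameserver 1.1.1.1\nnameserver 8.8.8.8\nsearch .\noptions ndots:0\n"
```

With the host-inherited file and a kernel domainname of casjay.work, github.com is followed by github.com.casjay.work in the candidate list, which is where a wildcard AAAA record answers; with the clean file the list is just github.com.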
Update all template-derived files to the 202605261603-git template
version. Service-specific init scripts were committed separately in
fd24da283f03; this commit covers the remaining boilerplate files.
- .env.scripts: bump version 202510220838-git → 202605261603-git, copyright 2025 → 2026
- .gitattributes: update template-generation timestamp
- .gitignore: expand with editor configs, AI tool configs, env/secret, build artifact, test/coverage, and local-override patterns
- rootfs/root/docker/setup/00-init.sh: sync to new template version
- rootfs/root/docker/setup/01-system.sh: sync to new template version
- rootfs/root/docker/setup/02-packages.sh: sync to new template version (CA cert update commands)
- rootfs/root/docker/setup/03-files.sh: sync to new template version (explicit /tmp/{bin,var,etc,data} loops)
- rootfs/root/docker/setup/04-users.sh: sync to new template version
- rootfs/root/docker/setup/05-custom.sh: sync to new template version
- rootfs/root/docker/setup/06-post.sh: sync to new template version
- rootfs/root/docker/setup/07-cleanup.sh: sync to new template version (__find_and_remove helper)
- rootfs/usr/local/bin/entrypoint.sh: sync to new template version
- rootfs/usr/local/etc/docker/functions/entrypoint.sh: sync to new template version
- rootfs/usr/local/share/template-files/config/env/default.sample: bump version stamp
- rootfs/usr/local/share/template-files/config/env/examples/zz-entrypoint.sh: bump version stamp
.env.scripts
.gitattributes
.gitignore
rootfs/root/docker/setup/00-init.sh
rootfs/root/docker/setup/01-system.sh
rootfs/root/docker/setup/02-packages.sh
rootfs/root/docker/setup/03-files.sh
rootfs/root/docker/setup/04-users.sh
rootfs/root/docker/setup/05-custom.sh
rootfs/root/docker/setup/06-post.sh
rootfs/root/docker/setup/07-cleanup.sh
rootfs/usr/local/bin/entrypoint.sh
rootfs/usr/local/etc/docker/functions/entrypoint.sh
rootfs/usr/local/share/template-files/config/env/default.sample
rootfs/usr/local/share/template-files/config/env/examples/zz-entrypoint.sh
Replace all boilerplate in the 7 service init scripts with the new
template structure from 00-template.sh while preserving all
service-specific content (function bodies, variables, heredoc configs).
Key boilerplate changes applied to all scripts:
- WTFPL license header, 2026 copyright, 49-char separators
- shellcheck disable list updated (SC2317, SC2329 added)
- set -e placed before trap lines
- New __trap_err_handler() with smart critical vs non-critical detection
- SIGPWR trap added as separate line with 2>/dev/null || true
- ${VAR##*/} replacing $(basename -- ...) for SCRIPT_NAME/EXEC_CMD_NAME
- if-block style throughout (replacing one-liner && / || guards)
- _resolved pattern for binary path resolution
- New __run_start_script with printf/hash-cache/bash "$START_SCRIPT"
- __run_secure_function with [ -n "$SERVICE_USER" ] && guard
- SERVICE_USES_PID='' variable added after EXEC_PRE_SCRIPT
- ${PIPESTATUS[0]} replacing $? after pipelines
- sleep 2 (not sleep 5) in __pre_execute
- fire-and-forget pattern in __post_execute (retVal=0)
- No __banner call at end; no SERVICE_PID_NUMBER= at bottom
- Remove duplicate "create needed dirs" block
- Remove IP4_ADDRESS/IP6_ADDRESS lines
- path: rootfs/usr/local/etc/docker/init.d/01-tor-server.sh: refactor to new template boilerplate; preserve tor-server service logic
- path: rootfs/usr/local/etc/docker/init.d/02-tor-bridge.sh: refactor to new template boilerplate; preserve tor-bridge service logic
- path: rootfs/usr/local/etc/docker/init.d/03-tor-relay.sh: refactor to new template boilerplate; preserve tor-relay service logic
- path: rootfs/usr/local/etc/docker/init.d/04-tor-exit.sh: refactor to new template boilerplate; preserve tor-exit service logic
- path: rootfs/usr/local/etc/docker/init.d/09-unbound.sh: refactor to new template boilerplate; preserve unbound service logic
- path: rootfs/usr/local/etc/docker/init.d/98-privoxy.sh: refactor to new template boilerplate; preserve privoxy service logic
- path: rootfs/usr/local/etc/docker/init.d/zz-nginx.sh: refactor to new template boilerplate; preserve nginx/onion service logic
README.md
rootfs/usr/local/etc/docker/init.d/01-tor-server.sh
rootfs/usr/local/etc/docker/init.d/02-tor-bridge.sh
rootfs/usr/local/etc/docker/init.d/03-tor-relay.sh
rootfs/usr/local/etc/docker/init.d/04-tor-exit.sh
rootfs/usr/local/etc/docker/init.d/09-unbound.sh
rootfs/usr/local/etc/docker/init.d/98-privoxy.sh
rootfs/usr/local/etc/docker/init.d/zz-nginx.sh
Update the embedded entrypoint copies in rootfs/ to match the
upstream template change. Internal state files renamed to dotfiles
so they're not matched by `/run/*.pid` cleanup globs:
- /run/init.d/entrypoint.pid -> /run/.entrypoint.pid
- /run/no_exit.pid -> /run/.no_exit.pid
- /run/backup.pid -> /run/.backup.pid
- /run/__start_init_scripts.pid -> /run/.start_init_scripts.pid
Per-service PIDs in /run/init.d/ are unchanged.
rootfs/usr/local/bin/entrypoint.sh
rootfs/usr/local/etc/docker/functions/entrypoint.sh
rootfs/usr/local/etc/docker/init.d/01-tor-server.sh
rootfs/usr/local/etc/docker/init.d/02-tor-bridge.sh
rootfs/usr/local/etc/docker/init.d/03-tor-relay.sh
rootfs/usr/local/etc/docker/init.d/04-tor-exit.sh
rootfs/usr/local/etc/docker/init.d/09-unbound.sh
rootfs/usr/local/etc/docker/init.d/98-privoxy.sh
rootfs/usr/local/etc/docker/init.d/zz-nginx.sh
rootfs/usr/local/share/template-files/config/env/default.sample
rootfs/usr/local/share/template-files/config/env/examples/zz-entrypoint.sh