Make sure we touched /etc/pihole/dhcp.leases before we try to chown it

Signed-off-by: DL6ER <dl6er@dl6er.de>

advanced/Templates/init.d/pihole-FTL

@@ -41,7 +41,7 @@ start() {
     chmod 0644 /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port /var/log/pihole.log
     echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.piholeFTL
     if setcap CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_NET_ADMIN+eip "$(which pihole-FTL)"; then
-      su -s /bin/sh -c "/usr/bin/pihole-FTL" "$FTLUSER"
+      runuser -u "$FTLUSER" "/usr/bin/pihole-FTL"
     else
       echo "Warning: Starting pihole-FTL as root because setting capabilities is not supported on this system"
       pihole-FTL

advanced/Templates/systemd/pihole-FTL.service

@@ -0,0 +1,46 @@
+[Unit]
+Description=Pi-hole FTLDNS
+; This unit is supposed to indicate when network functionality is available, but it is only
+; very weakly defined what that is supposed to mean, with one exception: at shutdown, a unit
+; that is ordered after network.target will be stopped before the network
+After=network.target
+; A target that should be used as synchronization point for all host/network name service lookups.
+; All services for which the availability of full host/network name resolution is essential should
+; be ordered after this target, but not pull it in.
+Wants=nss-lookup.target
+Before=nss-lookup.target
+
+[Service]
+Restart=on-abnormal
+User=pihole
+Group=pihole
+PermissionsStartOnly=true
+
+Type=forking
+PIDFile=/run/pihole-FTL.pid
+
+ExecStartPre=/bin/touch /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port /var/log/pihole.log /etc/pihole/dhcp.leases
+ExecStartPre=/bin/chown pihole:pihole /etc/pihole /etc/pihole/dhcp.leases
+ExecStartPre=/bin/mkdir -p /var/run/pihole /var/log/pihole
+ExecStartPre=/bin/chown pihole:pihole /var/run/pihole /var/log/pihole
+ExecStartPre=-/bin/rm /var/run/pihole/FTL.sock
+ExecStartPre=/bin/chown pihole:pihole /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port /var/log/pihole.log
+ExecStartPre=/bin/chmod 0644 /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port /var/log/pihole.log
+ExecStartPre=/bin/echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.piholeFTL
+
+ExecStart=/usr/bin/pihole-FTL
+RestartSec=30s
+ExecReload=/bin/kill -HUP $MAINPID
+
+; Use graceful shutdown with a reasonable timeout
+TimeoutStopSec=10s
+
+; Make /usr, /boot, /etc and possibly some more folders read-only...
+ProtectSystem=full
+; ... except /etc/pihole
+; This merely retains r/w access rights, it does not add any new.
+; Must still be writable on the host!
+ReadWriteDirectories=/etc/pihole
+
+[Install]
+WantedBy=multi-user.target

automated install/basic-install.sh

@@ -2156,7 +2156,8 @@ FTLinstall() {
     pushd "$(mktemp -d)" > /dev/null || { printf "Unable to make temporary directory for FTL binary download\\n"; return 1; }
 
     # Always replace pihole-FTL.service
-    install -T -m 0755 "${PI_HOLE_LOCAL_REPO}/advanced/Templates/pihole-FTL.service" "/etc/init.d/pihole-FTL"
+    install -T -m 0755 "${PI_HOLE_LOCAL_REPO}/advanced/Templates/init.d/pihole-FTL" "/etc/init.d/pihole-FTL"
+    install -T -m 0644 "${PI_HOLE_LOCAL_REPO}/advanced/Templates/systemd/pihole-FTL.service" "/etc/systemd/system/pihole-FTL.service"
 
     local ftlBranch
     local url
@@ -2190,6 +2191,8 @@ FTLinstall() {
             stop_service pihole-FTL &> /dev/null
             # Install the new version with the correct permissions
             install -T -m 0755 "${binary}" /usr/bin/pihole-FTL
+            # Set net admin permissions so that FTL can serve DNS, DHCP and IMAP (for DHCPv6)
+            setcap CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_NET_ADMIN+eip "/usr/bin/pihole-FTL"
             # Move back into the original directory the user was in
             popd > /dev/null || { printf "Unable to return to original directory after FTL binary download.\\n"; return 1; }
             # Install the FTL service