From e4c9e975fb09b2625b872828bc5554787d2f697d Mon Sep 17 00:00:00 2001
From: Eric Schultz <eric@startuperic.com>
Date: Thu, 19 Mar 2020 02:11:22 -0500
Subject: [PATCH] add Unraid.net plugin file

---
 Unraid.net.plg | 813 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 813 insertions(+)
 create mode 100644 Unraid.net.plg

diff --git a/Unraid.net.plg b/Unraid.net.plg
new file mode 100644
index 000000000..097f93305
--- /dev/null
+++ b/Unraid.net.plg
@@ -0,0 +1,813 @@
+<?xml version='1.0' standalone='yes'?>
+
+<!DOCTYPE PLUGIN [
+<!ENTITY name      "Unraid.net">
+<!ENTITY launch    "Settings/ManagementAccess">
+<!ENTITY author    "limetech">
+<!ENTITY version   "2020.02.08">
+<!ENTITY pluginURL "https://raw.githubusercontent.com/limetech/&name;/next/&name;.plg">
+<!ENTITY graphql-api "https://s3.amazonaws.com/dnld.lime-technology.com/unraid-api/unraid-graphql-api-v2.1.27.tgz">
+<!ENTITY plugins     "https://s3.amazonaws.com/dnld.lime-technology.com/unraid-api/unraid-plugins-v1.1.4.tgz">
+]>
+
+<PLUGIN name="&name;" author="&author;" version="&version;" pluginURL="&pluginURL;" launch="&launch;" support="https://forums.unraid.net" min="6.8.0-rc0w">
+
+<CHANGES>
+##&name;
+
+###&version;
+- initial release
+</CHANGES>
+
+<!-- check for plugin update -->
+<FILE Run="/bin/bash" Method="install remove">
+<INLINE>
+if [ -e /etc/rc.d/rc.unraid-api ]; then
+  /etc/rc.d/rc.unraid-api stop
+  rm -f /etc/rc.d/rc.unraid-api
+  rm -f /usr/local/emhttp/plugins/dynamix/Unraid.net.page
+  rm -f /usr/local/emhttp/plugins/dynamix/include/UpdateFlashBackup.php
+  rm -rf /boot/config/plugins/Unraid.net
+  mv -f /usr/local/emhttp/plugins/dynamix/include/UpdateDNS.php- /usr/local/emhttp/plugins/dynamix/include/UpdateDNS.php
+fi
+</INLINE>
+</FILE>
+
+<!-- unraid-api -->
+<FILE Name="/boot/config/plugins/Unraid.net/unraid-graphql-api.tgz">
+<URL>&graphql-api;</URL>
+</FILE>
+<!-- plugins -->
+<FILE Name="/boot/config/plugins/Unraid.net/unraid-plugins.tgz">
+<URL>&plugins;</URL>
+</FILE>
+
+<FILE Name="/etc/rc.d/rc.unraid-api" Mode="0755">
+<INLINE>
+<![CDATA[
+#!/bin/bash
+# unraid-api-handler
+downloads=(graphql-api plugins)
+node_apps=(graphql-api)
+mode="production"
+if [[ $* == *--mode\=dev* ]]; then
+  mode="development"
+fi
+status() {
+  local supervisor_pid=$(ps -C gql-supervisor --no-headers -o pid | xargs)
+  local graphql_api_pid=$(ps -C graphql-api --no-headers -o pid | xargs)
+  if [[ $supervisor_pid ]]; then
+    echo "The supervisor($supervisor_pid) process is running."
+
+    if [[ $graphql_api_pid ]]; then
+      echo "Graphql-api($graphql_api_pid) is running."
+    fi
+  else
+    if [ -S "/var/run/graphql-api.sock" ]; then
+      echo "Graphql-api($graphql_api_pid) is running but we can't find the supervisor process."
+    else
+      echo "No processes are running."
+    fi
+  fi
+}
+version() {
+  # Borrowed from https://gist.github.com/DarrenN/8c6a5b969481725a4413
+  local graphql_version=$(grep '"version"' /usr/local/node/graphql-api/package.json | cut -d '"' -f 4)
+  local plugins_version=$(grep '"version"' /usr/local/node/plugins/package.json | cut -d '"' -f 4)
+
+  echo "Grahpql-api v$graphql_version"
+  echo "Offical plugins v$plugins_version"
+}
+start() {
+  local supervisor_pid=$(ps -C gql-supervisor --no-headers -o pid | xargs)
+  if [[ $supervisor_pid ]]; then
+    echo "The supervisor($supervisor_pid) process is already running, please wait or try the \"reload\" command."
+    exit 1
+  else
+    for i in ${node_apps[@]}; do
+      NODE_ENV=$(echo $mode) nohup node /usr/local/node/${i}/index.js >/var/log/${i}.log 2>&1 &
+    done
+    exit 0
+  fi
+}
+stop() {
+  for i in ${node_apps[@]}; do
+    pkill ${i}
+  done
+}
+reload() {
+  kill -SIGHUP $(ps -C gql-supervisor --no-headers -o pid)
+}
+logs() {
+  if [ -f "/var/log/graphql-api.log" ]; then
+    tail -f /var/log/graphql-api.log
+  else 
+    echo "Process hasn't been started yet, try the \"start\" command."
+  fi
+}
+install() {
+  mkdir -p /usr/local/node
+  for i in ${downloads[@]}; do
+    tar -C /usr/local/node -xf /boot/config/plugins/Unraid.net/unraid-${i}.tgz
+    rm -rf /usr/local/node/${i}
+    mv /usr/local/node/package /usr/local/node/${i}
+  done
+  start
+}
+uninstall() {
+  stop
+  for i in ${node_apps[@]}; do
+    rm -rf /usr/local/node/${i}
+  done
+  rm -rf /var/run/graphql-api.sock
+}
+case "$1" in
+'status')
+  status
+  ;;
+'version')
+  version
+  ;;
+'start')
+  start
+  ;;
+'stop')
+  stop
+  ;;
+'reload')
+  reload
+  ;;
+'logs')
+  logs
+  ;;
+'install')
+  install
+  ;;
+'uninstall')
+  uninstall
+  ;;
+*)
+  echo "usage $0 status|start|stop|reload|logs|install|uninstall"
+esac
+]]>
+</INLINE>
+</FILE>
+
+<!-- README FILE -->
+<FILE Name="/usr/local/emhttp/plugins/&name;/README.md">
+<INLINE>
+**Unraid.net**
+
+Unraid.net provides access to a set web-based services:
+
+* Server status such as online/offline, storage used/available, etc.
+* Links for local and remote access to your server webGUI.
+* Backup and Restore of your USB Flash boot device.
+* much more to come
+
+A server is registered using your Unraid Community Forum credentials.  Registered servers appear under the My Servers forum sub-menu.
+
+This is work in progress. Use this for testing purposes only!
+</INLINE>
+</FILE>
+
+<FILE Name="/usr/local/emhttp/plugins/dynamix/Unraid.net.page">
+<INLINE>
+<![CDATA[
+Menu="ManagementAccess"
+Title="Unraid.net"
+Icon="ident.png"
+Tag="globe"
+---
+<?PHP
+/* Copyright 2005-2018, Lime Technology
+ * Copyright 2012-2018, Bergware International.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ */
+?>
+<?
+// more:
+// - if someone deletes the dynamic.cfg or directly edits [remote] section therein, it may be possible
+// that server will appear 'unregistered' in webgui but not on My Servers.
+// - appears someone could register, enable remote access, then unregister, replace the ssl cert, and
+// now can remotely access using url that matches their cert. This is probably a bug here, but we might
+// want to rework this somewhat to explicitly enable this 'feature' (remote access using user-provided cert).
+
+$keyfile = @file_get_contents($var['regFILE']);
+if ($keyfile !== false)
+  $keyfile = @base64_encode($keyfile);
+
+if (empty($remote)) {
+    $remote = [
+        "apikey" => "",
+        "wanaccess" => "no",
+        "wanport" => "443"
+    ];
+}
+if (empty($remote['wanport'])) {
+    $remote['wanport'] = 443;
+}
+
+$hasCert = file_exists('/boot/config/ssl/certs/certificate_bundle.pem');
+$isRegistered = !empty($remote['apikey']);
+$boolWebUIAuth = $isRegistered || file_exists('/etc/nginx/htpasswd');
+
+$isActivated = false;
+$isUptodate = false;
+if ($isRegistered) {
+  exec("/usr/bin/php -f $docroot/webGui/include/UpdateFlashBackup.php status", $output, $retval);
+  $isActivated = ($retval == 0);
+  if ($isActivated) $isUptodate = empty($output);
+}
+?>
+<script>
+function registerServer(button) {
+    var oldlabel = $.trim($(button).text());
+
+    var failure = function(data) {
+        var status = data.status;
+        var obj = data.responseJSON;
+        var msg = "Sorry, an error ("+status+") occurred registering this server. " +
+                  "The error is: "+obj.error+".";
+        $(button).prop("disabled", false).html(oldlabel);
+        swal('Oops',msg,'error');
+    };
+
+    var success = function(data) {
+        if (data.apikey) {
+            $.post('/webGui/include/Dispatcher.php',{
+                "#cfg": "/boot/config/plugins/dynamix/dynamix.cfg",
+                "remote_apikey": data.apikey,
+                "remote_wanaccess": $('#wanaccess').val(),
+                "remote_wanport": $('#wanport').val()
+            });
+            $(button).prop("disabled", false).html(oldlabel);
+<?if(!$isRegistered):?>
+            swal({title:"",text:"Your server has been registered",type:"success",allowEscapeKey:false},function(){button.form.submit();});
+<?else:?>
+            button.form.submit();
+<?endif?>
+        } else {
+            failure({"status": 403, "responseJSON": {"error": "Unable to register this Unraid Server"}});
+        }
+    };
+
+    $(button).prop("disabled", true).html("<i class=\"fa fa-spinner fa-spin\" aria-hidden=\"true\"></i> "+oldlabel+"ing");
+    $.post("/webGui/include/UpdateDNS.php",{username:$('#ips_username').val(),password:$('#ips_password').val(),externalport:$('#wanport').val(),remoteaccess:$('#wanaccess').val()},success).fail(failure);
+}
+
+function unregisterServer(button) {
+    var oldlabel = $.trim($(button).text());
+
+    var failure = function(data) {
+        var status = data.status;
+        var obj = data.responseJSON;
+        var msg = "Sorry, an error ("+status+") occurred unregistering this server. " +
+                  "The error is: "+obj.error+".";
+        $(button).prop("disabled", false).html(oldlabel);
+        swal('Oops',msg,'error');
+    };
+
+    var success = function(data) {
+        $.post('/webGui/include/Dispatcher.php',{
+            "#cfg": "/boot/config/plugins/dynamix/dynamix.cfg",
+            "remote_apikey": "",
+            "remote_wanaccess": $('#wanaccess').val(),
+            "remote_wanport": $('#wanport').val()
+        });
+        $(button).prop("disabled", false).html(oldlabel);
+        swal({title:"",text:"Your server has been unregistered",type:"success",allowEscapeKey:false},function(){button.form.submit();});
+    };
+
+    swal({title:"Remove Registration",text:"Are you sure you want to unregister your server?",type:'warning',confirmButtonText:'Unregister',showCancelButton:true},function(){
+        $(button).prop("disabled", true).html("<i class=\"fa fa-spinner fa-spin\" aria-hidden=\"true\"></i> "+oldlabel+"ing");
+        $.post("https://keys.lime-technology.com/account/server/unregister",{keyfile:"<?=$keyfile?>"},success).fail(failure);
+    });
+}
+
+function dnsCheckServer(button) {
+    var oldlabel = $.trim($(button).text());
+
+    var failure = function(data) {
+        var status = data.status;
+        var obj = data.responseJSON;
+        var msg = "Sorry, an error ("+status+") occurred checking this server. " +
+                  "The error is: "+obj.error+".";
+        $(button).prop("disabled", false).html(oldlabel);
+        swal('Oops',msg,'error');
+    };
+
+    var success = function(data) {
+        $(button).prop("disabled", false).html(oldlabel);
+        if (data.status) {
+            swal("","Your Unraid Server is reachable from the internet","success");
+        } else {
+            swal("Oops","This Unraid Server was unreachable from the outside","error");
+        }
+    };
+
+    $(button).prop("disabled", true).html("<i class=\"fa fa-spinner fa-spin\" aria-hidden=\"true\"></i> "+oldlabel+"ing");
+    $.post("https://keys.lime-technology.com/account/server/checkdns",{externalport:$('#wanport').val(),keyfile:"<?=$keyfile?>"},success).fail(failure);
+}
+
+function changeRemoteAccess(dropdown) {
+    if ($(dropdown).val() == 'yes') {
+        $("#wanpanel").slideDown('fast');
+    } else {
+        $("#wanpanel").slideUp('fast');
+    }
+}
+
+function enableFlashBackup(button) {
+    var oldlabel = $.trim($(button).text());
+
+    var failure = function(data) {
+        var status = data.status;
+        var obj = data.responseJSON;
+        var msg = "Sorry, an error ("+status+") occurred enabling Flash backup. " +
+                  "The error is: "+obj.error+".";
+        $(button).prop("disabled", false).html(oldlabel);
+        swal({title:"",text:msg,type:"error",allowEscapeKey:false},function(){button.form.submit();});
+    };
+
+    var success = function(data) {
+        $(button).prop("disabled", false).html(oldlabel);
+        button.form.submit();
+    };
+
+    if (oldlabel == 'Activate') {
+        $(button).prop("disabled", true).html("<i class=\"fa fa-spinner fa-spin\" aria-hidden=\"true\"></i> Activating");
+        $.post("/webGui/include/UpdateFlashBackup.php",{command:"activate"},success).fail(failure);
+    }
+    if (oldlabel == 'Deactivate') {
+        $(button).prop("disabled", true).html("<i class=\"fa fa-spinner fa-spin\" aria-hidden=\"true\"></i> Deactivating");
+        $.post("/webGui/include/UpdateFlashBackup.php",{command:"deactivate"},success).fail(failure);
+    }
+    if (oldlabel == 'Update') {
+        $(button).prop("disabled", true).html("<i class=\"fa fa-spinner fa-spin\" aria-hidden=\"true\"></i> Updating");
+        $.post("/webGui/include/UpdateFlashBackup.php",{command:"update"},success).fail(failure);
+    }
+    if (oldlabel == 'Reinitialize') {
+        $(button).prop("disabled", true).html("<i class=\"fa fa-spinner fa-spin\" aria-hidden=\"true\"></i> Reinitializing");
+        $.post("/webGui/include/UpdateFlashBackup.php",{command:"reinit"},success).fail(failure);
+    }
+    if (oldlabel == 'Deactivate') {
+        $(button).prop("disabled", true).html("<i class=\"fa fa-spinner fa-spin\" aria-hidden=\"true\"></i> Deactivating");
+        $.post("/webGui/include/UpdateFlashBackup.php",{command:"deactivate"},success).fail(failure);
+    }
+    if (oldlabel == 'Changes') {
+	openBox("/webGui/include/gitstatus.php", "Changes", 600,600, false);
+    }
+}
+</script>
+<form markdown="1" name="UnraidNetSettings" method="POST" action="/update.htm" target="progressFrame">
+<?if(!$isRegistered):?>
+Unraid.net Status:
+: <span class='orange p0'>Unregistered</span>
+
+Unraid.net Username:
+: <input type="text" id="ips_username" value="">
+
+Unraid.net Password:
+: <input type="password" id="ips_password" value="">
+
+<?else:?>
+Unraid.net Status:
+: <span class='green p0'>Registered</span>
+
+<?endif?>
+<?if($hasCert):?>
+Allow Remote Access:
+: <select id="wanaccess" size="1" class="narrow" onchange="changeRemoteAccess(this)">
+  <?=mk_option($remote['wanaccess'], "no", "No")?>
+  <?=mk_option($remote['wanaccess'], "yes", "Yes")?>
+  </select>
+
+<div markdown="1" id="wanpanel" style="display:<?=($remote['wanaccess']=='yes'?'block':'none')?>">
+WAN Port:
+: <?if(!$boolWebUIAuth):?><input type="hidden" id="wanport" value="0"><span><i class="fa fa-warning icon warning"></i> Disabled until your root user account is password-protected</span><?else:?><input type="number" id="wanport" class="trim" min="0" max="65535" value="<?=htmlspecialchars($remote['wanport'])?>"> <button type="button" onclick="dnsCheckServer(this)" style="margin-top: 0">Check</button><?endif?>
+
+> WAN Port is the external TCP port number setup on your router to NAT/Port Forward traffic from the internet to this
+> Unraid server SSL port for secure web traffic.
+</div>
+<?else:?>
+<input type="hidden" id="wanaccess" value="no">
+<input type="hidden" id="wanport" value="0">
+<?endif?>
+&nbsp;
+: <button type="button" onclick="registerServer(this)"><?=$isRegistered?'Apply':'Register'?></button><?if($isRegistered):?><button type="button" onclick="unregisterServer(this)">Unregister</button><?endif?>
+
+</form>
+<?if($isRegistered):?>
+<form markdown="1" name="FlashBackup" method="POST" action="/update.htm" target="progressFrame">
+<?if(!$isActivated):?>
+Flash backup:
+: <span class='orange p0'>Not activated</span>
+
+&nbsp;
+: <button type="button" onclick="enableFlashBackup(this)">Activate</button>
+
+> Click Activate to set up a local git repo for your local USB Flash boot device and connect to a dedicated remote on unraid.net tied tothis server.
+
+<?else:?>
+Flash backup:
+: <span class='green p0'>Activated:</span> <?if(!$isUptodate):?><span class='orange p0'>Not up-to-date</span><?else:?><span class='green p0'>Up-to-date</span><?endif?>
+
+<?if(!$isUptodate):?>
+&nbsp;
+: <button type="button" onclick="enableFlashBackup(this)">Update</button> <button type="button" onclick="enableFlashBackup(this)">Changes</button>
+
+> The Not Up-to-date status indicates there are local files which are changed vs. the remote on unraid.net.
+
+> Click Update to push changes to the remote.
+
+> Click Changes to see what has changed.
+
+<?else:?>
+&nbsp;
+: <button type="button" disabled>Update</button>
+
+> The Up-to-date status indicates your local configuration matches that stored on the unraid.net remote.
+
+<?endif?>
+&nbsp;
+: <button type="button" onclick="enableFlashBackup(this)">Deactivate</button> <button type="button" onclick="enableFlashBackup(this)">Reinitialize</button>
+
+> Click Deactivate to pause communication with your remote on unraid.net.
+
+> Click Reinitialize to erase all change history in both local and unraid.net remote.
+
+<?endif?>
+</form>
+<?endif?>
+]]>
+</INLINE>
+</FILE>
+
+<!-- Preserve in case plugin is removed -->
+<FILE Run="/bin/bash" Method="install">
+<INLINE>
+mv -f /usr/local/emhttp/plugins/dynamix/include/UpdateDNS.php /usr/local/emhttp/plugins/dynamix/include/UpdateDNS.php-
+</INLINE>
+</FILE>
+<FILE Name="/usr/local/emhttp/plugins/dynamix/include/UpdateDNS.php">
+<INLINE>
+<![CDATA[
+<?PHP
+/* Copyright 2005-2018, Lime Technology
+ * Copyright 2012-2018, Bergware International.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ */
+?>
+<?
+$cli = php_sapi_name()=='cli';
+
+function response_complete($httpcode, $result, $cli_success_msg='') {
+  global $cli;
+  if ($cli) {
+    $json = @json_decode($result,true);
+    if (!empty($json['error'])) {
+      echo 'Error: '.$json['error'].PHP_EOL;
+      exit(1);
+    }
+    exit($cli_success_msg.PHP_EOL);
+  }
+  header('Content-Type: application/json');
+  http_response_code($httpcode);
+  exit((string)$result);
+}
+
+// remoteaccess, externalport, (if registering) username, password
+extract(parse_ini_file('/boot/config/plugins/dynamix/dynamix.cfg',true));
+if (empty($remote)) {
+  $remote = [
+    "apikey" => "",
+    "wanaccess" => "no",
+    "wanport" => "443"
+  ];
+}
+if (empty($remote['wanport'])) {
+  $remote['wanport'] = 443;
+}
+if ($cli) {
+  $remoteaccess = $remote['wanaccess'];
+  $externalport = $remote['wanport'];
+  $username = '';
+  $password = '';
+} else {
+  $remoteaccess = $_POST['remoteaccess'];
+  $externalport = $_POST['externalport'];
+  $username = $_POST['username'];
+  $password = $_POST['password'];
+}
+$isRegistered = !empty($remote['apikey']);
+
+// protocol, hostname, internalport
+list($protocol, $hostname, $internalport) = explode(":", rtrim(file_get_contents("/var/run/nginx.origin")));
+$hostname = substr($hostname, 2);
+
+if (!$isRegistered && empty($username) && !preg_match('/.*\.unraid\.net$/', $hostname)) {
+  response_complete(406, '{"error":"Nothing to do"}');
+}
+
+// keyfile
+$var = parse_ini_file('/var/local/emhttp/var.ini');
+$keyfile = @file_get_contents($var['regFILE']);
+if ($keyfile === false) {
+  response_complete(406, '{"error":"Registration key required"}');
+}
+$keyfile = @base64_encode($keyfile);
+
+// internalip
+extract(parse_ini_file('/var/local/emhttp/network.ini',true));
+$internalip = $eth0['IPADDR:0'];
+
+$ch = curl_init('https://keys.lime-technology.com/account/server/register');
+curl_setopt($ch, CURLOPT_POST, 1);
+
+if (!$isRegistered && empty($username)) {
+  curl_setopt($ch, CURLOPT_POSTFIELDS, [
+    'internalip' => $internalip,
+    'keyfile' => $keyfile
+  ]);
+} else {
+  // servername, servercomment
+  $servername = $var['NAME'];
+  $servercomment = $var['COMMENT'];
+  if (empty($username)) {
+    curl_setopt($ch, CURLOPT_POSTFIELDS, [
+      'servername' => $servername,
+      'servercomment' => $servercomment,
+      'protocol' => $protocol,
+      'hostname' => $hostname,
+      'internalport' => $internalport,
+      'internalip' => $internalip,
+      'remoteaccess' => $remoteaccess,
+      'externalport' => $externalport,
+      'keyfile' => $keyfile
+    ]);
+  } else {
+    curl_setopt($ch, CURLOPT_POSTFIELDS, [
+      'servername' => $servername,
+      'servercomment' => $servercomment,
+      'protocol' => $protocol,
+      'hostname' => $hostname,
+      'internalport' => $internalport,
+      'internalip' => $internalip,
+      'remoteaccess' => $remoteaccess,
+      'externalport' => $externalport,
+      'username' => $username,
+      'password' => $password,
+      'keyfile' => $keyfile
+    ]);
+  }
+}
+
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+$result = curl_exec($ch);
+$httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+$error = curl_error($ch);
+curl_close($ch);
+
+if ($result === false) {
+  response_complete(500, '{"error":"'.$error.'"}');
+}
+
+response_complete($httpcode, $result, 'success');
+?>
+]]>
+</INLINE>
+</FILE>
+
+<FILE Name="/usr/local/emhttp/plugins/dynamix/include/UpdateFlashBackup.php">
+<INLINE>
+<![CDATA[
+<?PHP
+/* Copyright 2005-2018, Lime Technology
+ * Copyright 2012-2018, Bergware International.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ */
+?>
+<?
+$cli = php_sapi_name()=='cli';
+
+function response_complete($httpcode, $result, $cli_success_msg='') {
+  global $cli;
+  if ($cli) {
+    $json = @json_decode($result,true);
+    if (!empty($json['error'])) {
+      echo 'Error: '.$json['error'].PHP_EOL;
+      exit(1);
+    }
+    if (!empty($cli_success_msg)) $cli_success_msg .= PHP_EOL;
+    exit($cli_success_msg);
+  }
+  header('Content-Type: application/json');
+  http_response_code($httpcode);
+  exit((string)$result);
+}
+
+// command
+//  init (default)
+//  activate
+//  status
+//  update
+//  reinit
+//  deactivate
+if ($cli) {
+  if ($argc > 1) $command = $argv[1];
+} else {
+  $command = $_POST['command'];
+}
+if (empty($command)) $command='init';
+
+// keyfile
+$var = parse_ini_file("/var/local/emhttp/var.ini");
+$keyfile = @file_get_contents($var['regFILE']);
+if ($keyfile === false) {
+  response_complete(406, '{"error":"Registration key required"}');
+}
+$keyfile = @base64_encode($keyfile);
+
+// check if activated
+if ($command != 'activate') {
+  exec('git -C /boot config --get remote.origin.url', $config_output, $return_var);
+  if (($return_var != 0) || (strpos($config_output[0],'backup.unraid.net') === false)) {
+    response_complete(406, '{"error":"Not activated"}');
+  }
+}
+
+// if deactivate command, just remove our origin
+if ($command == 'deactivate') {
+  exec('git --git-dir /boot/.git remote remove origin &>/dev/null');
+  response_complete(200, '{}');
+}
+
+// build a list of sha256 hashes of the bzfiles
+$bzfilehashes = [];
+$allbzfiles = ['bzimage','bzfirmware','bzmodules','bzroot','bzroot-gui'];
+foreach ($allbzfiles as $bzfile) {
+  $sha256 = trim(@file_get_contents("/boot/$bzfile.sha256"));
+  if (strlen($sha256) != 64) {
+    response_complete(406, '{"error":"Invalid or missing '.$bzfile.'.sha256 file"}');
+  }
+  $bzfilehashes[] = $sha256;
+}
+
+$ch = curl_init('https://keys.lime-technology.com/backup/flash/activate');
+curl_setopt($ch, CURLOPT_POST, 1);
+curl_setopt($ch, CURLOPT_POSTFIELDS, [
+  'keyfile' => $keyfile,
+  'version' => $var['version'],
+  'bzfiles' => implode(',', $bzfilehashes)
+]);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+$result = curl_exec($ch);
+$httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+$error = curl_error($ch);
+curl_close($ch);
+
+if ($result === false) {
+  response_complete(500, '{"error":"'.$error.'"}');
+}
+
+$json = json_decode($result, true);
+if (empty($json) || empty($json['ssh_privkey'])) {
+  response_complete(406, $result);
+}
+
+// save the public and private keys
+if (!file_exists('/root/.ssh')) {
+  mkdir('/root/.ssh', 0700);
+}
+file_put_contents('/root/.ssh/unraidbackup_id_ed25519', $json['ssh_privkey']);
+chmod('/root/.ssh/unraidbackup_id_ed25519', 0600);
+file_put_contents('/root/.ssh/unraidbackup_id_ed25519.pub', $json['ssh_pubkey']);
+chmod('/root/.ssh/unraidbackup_id_ed25519.pub', 0644);
+
+// add configuration to use our keys
+if (!file_exists('/root/.ssh/config') || strpos(file_get_contents('/root/.ssh/config'),'Host backup.unraid.net') === false) {
+  file_put_contents('/root/.ssh/config', 'Host backup.unraid.net
+IdentityFile ~/.ssh/unraidbackup_id_ed25519
+IdentitiesOnly yes
+', FILE_APPEND);
+  chmod('/root/.ssh/config', 0644);
+}
+
+// add our server as a known host
+if (!file_exists('/root/.ssh/known_hosts') || strpos(file_get_contents('/root/.ssh/known_hosts'),'backup.unraid.net,54.70.72.154') === false) {
+  file_put_contents('/root/.ssh/known_hosts', 'backup.unraid.net,54.70.72.154 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKrKXKQwPZTY25MoveIw7fZ3IoZvvffnItrx6q7nkNriDMr2WAsoxu0DrU2QrSLH5zFF1ibv4tChS1hOpiYObiI=', FILE_APPEND);
+  chmod('/root/.ssh/known_hosts', 0644);
+}
+
+// blow away existing repo if reinit command
+if ($command == 'reinit') {
+  exec('rm -rf /boot/.git');
+}
+
+// ensure git repo is setup on the flash drive
+if (!file_exists('/boot/.git/info/exclude')) {
+  exec('git init /boot &>/dev/null');
+}
+
+// setup git ignore for files we dont need in the flash backup
+if (strpos(file_get_contents('/boot/.git/info/exclude'),'Unraid') === false) {
+  file_put_contents('/boot/.git/info/exclude', '# Unraid OS Flash Backup
+
+# Blacklist everything
+/*
+
+# Whitelist selected root files
+!*.sha256
+!changes.txt
+!license.txt
+
+!EFI*/
+EFI*/boot/*
+!EFI*/boot/syslinux.cfg
+
+!syslinux/
+syslinux/*
+!syslinux/syslinux.cfg
+!syslinux/syslinux.cfg-
+
+# Whitelist entire config directory
+!config/
+#  except for selected files
+config/drift
+config/plugins/unRAIDServer.plg
+config/random-seed
+config/shadow
+config/smbpasswd
+config/wireguard/privatekey
+');
+}
+
+// ensure git user is configured
+exec('git --git-dir /boot/.git config user.email \'gitbot@unraid.net\' &>/dev/null');
+exec('git --git-dir /boot/.git config user.name \'gitbot\' &>/dev/null');
+
+// ensure upstream git server is configured and in-sync
+exec('git --git-dir /boot/.git remote add -f -t master -m master origin git@backup.unraid.net:~/flash.git &>/dev/null');
+if ($command != 'reinit') {
+  exec('git --git-dir /boot/.git reset origin/master &>/dev/null');
+  exec('git --git-dir /boot/.git checkout -B master origin/master &>/dev/null');
+}
+
+// establish status
+exec('git -C /boot status --porcelain', $status_output, $return_var);
+if ($return_var != 0) {
+  response_complete(406, '{"error":"'.${status_output[0]}.'"}');
+}
+
+if ($command == 'status') {
+  $data = implode("\n", $status_output);
+  response_complete($httpcode, '{"data":"'.$data.'"}', $data);
+}
+
+if (($command == 'update') || ($command == 'reinit')) {
+  // push changes upstream
+  if (!empty($status_output)) {
+    exec('git -C /boot add -A &>/dev/null');
+    if ($command == 'reinit') {
+      exec('git -C /boot commit -m \'Initial commit\' &>/dev/null');
+      exec('git -C /boot push --force origin master &>/dev/null');
+    } else {
+      exec('git -C /boot commit -m \'Config change\' &>/dev/null');
+      exec('git -C /boot push &>/dev/null');
+    }
+  }
+}
+
+response_complete($httpcode, '{}');
+?>
+]]>
+</INLINE>
+</FILE>
+
+<!-- gitty up -->
+<FILE Run="/bin/bash" Method="install">
+<INLINE>
+echo "/etc/rc.d/rc.unraid-api install" | at -M now + 1 min
+</INLINE>
+</FILE>
+
+</PLUGIN>