Pi-hole Core v6.1 (#6221 )

Allow to get API URL from local.api.ftl even if DNS port has changed (#6252 )
Use PID1 to determine which command to use when toggeling services (#6245 )
2025-05-30 22:56:55 +01:00 · 2025-05-30 21:57:23 +02:00 · 2025-05-30 12:24:09 -07:00 · 2025-05-30 21:05:08 +02:00 · 2025-05-30 20:52:37 +02:00 · 2025-05-30 19:03:12 +02:00
47 changed files with 1047 additions and 1029 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1,5 @@
 # see https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-syntax
 # These owners will be the default owners for everything in
 # the repo. Unless a later match takes precedence,
 *       @pi-hole/core-maintainers
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,8 +8,6 @@ updates:
    time: "10:00"
  open-pull-requests-limit: 10
  target-branch: development
  reviewers:
    - "pi-hole/core-maintainers"
 - package-ecosystem: pip
  directory: "/test"
  schedule:
@@ -18,5 +16,3 @@ updates:
    time: "10:00"
  open-pull-requests-limit: 10
  target-branch: development
  reviewers:
    - "pi-hole/core-maintainers"
--- a/.github/workflows/merge-conflict.yml
+++ b/.github/workflows/merge-conflict.yml
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check if PRs are have merge conflicts
-        uses: eps1lon/actions-label-merge-conflict@v3.0.2
+        uses: eps1lon/actions-label-merge-conflict@v3.0.3
        with:
          dirtyLabel: "PR: Merge Conflict"
          repoToken: "${{ secrets.GITHUB_TOKEN }}"
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -17,7 +17,7 @@ jobs:
      issues: write
    steps:
-      - uses: actions/stale@v9.0.0
+      - uses: actions/stale@v9.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: 30
--- a/.github/workflows/stale_pr.yml
+++ b/.github/workflows/stale_pr.yml
@@ -17,7 +17,7 @@ jobs:
      pull-requests: write
    steps:
-      - uses: actions/stale@v9.0.0
+      - uses: actions/stale@v9.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          # Do not automatically mark PR/issue as stale
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -19,6 +19,8 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.2.2
        with:
          fetch-depth: 0 # Differential ShellCheck requires full git history
      - name: Check scripts in repository are executable
        run: |
@@ -28,12 +30,12 @@ jobs:
          # If FAIL is 1 then we fail.
          [[ $FAIL == 1 ]] && exit 1 || echo "Scripts are executable!"
-      - name: Run shellcheck
+      - name: Differential ShellCheck
-        uses: ludeeus/action-shellcheck@master
+        uses: redhat-plumbers-in-action/differential-shellcheck@v5
        with:
-          check_together: 'yes'
+          severity: warning
-          format: tty
+          display-engine: sarif-fmt
-          severity: error
+
      - name: Spell-Checking
        uses: codespell-project/actions-codespell@master
@@ -67,8 +69,10 @@ jobs:
            ubuntu_22,
            ubuntu_24,
            centos_9,
            centos_10,
            fedora_40,
            fedora_41,
            fedora_42,
          ]
    env:
      DISTRO: ${{matrix.distro}}
@@ -77,7 +81,7 @@ jobs:
        uses: actions/checkout@v4.2.2
      - name: Set up Python 3.10
-        uses: actions/setup-python@v5.3.0
+        uses: actions/setup-python@v5.6.0
        with:
          python-version: "3.10"
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,6 @@ __pycache__
 .idea/
 *.iml
 .vscode/
 .venv/
 .fleet/
 .cache/
--- a/.shellcheckrc
+++ b/.shellcheckrc
@@ -0,0 +1,2 @@
 external-sources=true # allow shellcheck to read external sources
 disable=SC3043 #disable SC3043: In POSIX sh, local is undefined.
--- a/README.md
+++ b/README.md
@@ -3,13 +3,9 @@
 #
 <p align="center">
-  <picture>
+  <img src="https://raw.githubusercontent.com/pi-hole/graphics/refs/heads/master/Vortex/vortex_with_text.svg" alt="Pi-hole website" width="168" height="270">
-    <source media="(prefers-color-scheme: dark)" srcset="https://pi-hole.github.io/graphics/Vortex/Vortex_Vertical_wordmark_darkmode.png">
+  <br>
-    <source media="(prefers-color-scheme: light)" srcset="https://pi-hole.github.io/graphics/Vortex/Vortex_Vertical_wordmark_lightmode.png">
+  <strong>Network-wide ad blocking via your own Linux hardware</strong>
    <img src="https://pi-hole.github.io/graphics/Vortex/Vortex_Vertical_wordmark_lightmode.png" width="168" height="270" alt="Pi-hole website">
  </picture>
    <br>
    <strong>Network-wide ad blocking via your own Linux hardware</strong>
 </p>
 <!-- markdownlint-enable MD033 -->
@@ -132,7 +128,10 @@ Some of the statistics you can integrate include:
 - Queries cached
 - Unique clients
-Access the API via [`telnet`](https://github.com/pi-hole/FTL), the Web (`admin/api.php`) and Command Line (`pihole -c -j`). You can find out [more details over here](https://discourse.pi-hole.net/t/pi-hole-api/1863).
+Access the API using:
 - your browser: http://pi.hole/api/docs
 - `curl`: `curl --connect-timeout 2 -ks "https://pi.hole/api/stats/summary" -H "Accept: application/json"`;
 - the command line - examples: `pihole api config/webserver/port` or `pihole api stats/summary`.
 ### The Command-Line Interface
@@ -140,7 +139,7 @@ The [pihole](https://docs.pi-hole.net/core/pihole-command/) command has all the
 Some notable features include:
- [Whitelisting, Blacklisting, and Regex](https://docs.pi-hole.net/core/pihole-command/#whitelisting-blacklisting-and-regex)
+- [Allowlisting, Denylisting (fka Whitelisting, Blacklisting), and Regex](https://docs.pi-hole.net/core/pihole-command/#allowlisting-denylisting-and-regex)
 - [Debugging utility](https://docs.pi-hole.net/core/pihole-command/#debugger)
 - [Viewing the live log file](https://docs.pi-hole.net/core/pihole-command/#tail)
 - [Updating Ad Lists](https://docs.pi-hole.net/core/pihole-command/#gravity)
--- a/advanced/Scripts/COL_TABLE
+++ b/advanced/Scripts/COL_TABLE
@@ -1,5 +1,6 @@
 #!/usr/bin/env sh
 # Determine if terminal is capable of showing colors
-if ([ -t 1 ] && [ $(tput colors) -ge 8 ]) || [ "${WEBCALL}" ]; then
+if [ -t 1 ] && [ "$(tput colors)" -ge 8 ]; then
  # Bold and underline may not show up on all clients
  # If something MUST be emphasized, use both
  COL_BOLD='[1m'
--- a/advanced/Scripts/api.sh
+++ b/advanced/Scripts/api.sh
@@ -1,5 +1,4 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC3043 #https://github.com/koalaman/shellcheck/wiki/SC3043#exceptions
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2017 Pi-hole, LLC (https://pi-hole.net)
@@ -20,13 +19,19 @@
 TestAPIAvailability() {
    local chaos_api_list authResponse authStatus authData apiAvailable DNSport
    # as we are running locally, we can get the port value from FTL directly
-    local chaos_api_list availabilityResponse
+    readonly utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
    # shellcheck source=./advanced/Scripts/utils.sh
    . "${utilsfile}"
    DNSport=$(getFTLConfigValue dns.port)
    # Query the API URLs from FTL using CHAOS TXT local.api.ftl
    # The result is a space-separated enumeration of full URLs
    # e.g., "http://localhost:80/api/" "https://localhost:443/api/"
-    chaos_api_list="$(dig +short chaos txt local.api.ftl @127.0.0.1)"
+    chaos_api_list="$(dig +short -p "${DNSport}" chaos txt local.api.ftl @127.0.0.1)"
    # If the query was not successful, the variable is empty
    if [ -z "${chaos_api_list}" ]; then
@@ -34,6 +39,12 @@ TestAPIAvailability() {
        exit 1
    fi
    # If an error occurred, the variable starts with ;;
    if [ "${chaos_api_list#;;}" != "${chaos_api_list}" ]; then
        echo "Communication error. Is FTL running?"
        exit 1
    fi
    # Iterate over space-separated list of URLs
    while [ -n "${chaos_api_list}" ]; do
        # Get the first URL
@@ -42,39 +53,50 @@ TestAPIAvailability() {
        API_URL="${API_URL%\"}"
        API_URL="${API_URL#\"}"
-        # Test if the API is available at this URL
+        # Test if the API is available at this URL, include delimiter for ease in splitting payload
-        availabilityResponse=$(curl -skS -o /dev/null -w "%{http_code}" "${API_URL}auth")
+        authResponse=$(curl --connect-timeout 2 -skS -w ">>%{http_code}" "${API_URL}auth")
        # authStatus is the response http_code, eg. 200, 401.
        # Shell parameter expansion, remove everything up to and including the >> delim
        authStatus=${authResponse#*>>}
        # data is everything from response
        # Shell parameter expansion, remove the >> delim and everything after
        authData=${authResponse%>>*}
        # Test if http status code was 200 (OK) or 401 (authentication required)
-        if [ ! "${availabilityResponse}" = 200 ] && [ ! "${availabilityResponse}" = 401 ]; then
+        if [ "${authStatus}" = 200 ]; then
-            # API is not available at this port/protocol combination
+            # API is available without authentication
-            API_PORT=""
+            apiAvailable=true
-        else
+            needAuth=false
            # API is available at this URL combination
            if [ "${availabilityResponse}" = 200 ]; then
                # API is available without authentication
                needAuth=false
            fi
            break
        fi
-        # Remove the first URL from the list
+        elif [ "${authStatus}" = 401 ]; then
-        local last_api_list
+            # API is available with authentication
-        last_api_list="${chaos_api_list}"
+            apiAvailable=true
-        chaos_api_list="${chaos_api_list#* }"
+            needAuth=true
            # Check if 2FA is required
            needTOTP=$(echo "${authData}"| jq --raw-output .session.totp 2>/dev/null)
            break
-        # If the list did not change, we are at the last element
+        else
-        if [ "${last_api_list}" = "${chaos_api_list}" ]; then
+            # API is not available at this port/protocol combination
-            # Remove the last element
+            apiAvailable=false
-            chaos_api_list=""
+            # Remove the first URL from the list
            local last_api_list
            last_api_list="${chaos_api_list}"
            chaos_api_list="${chaos_api_list#* }"
            # If the list did not change, we are at the last element
            if [ "${last_api_list}" = "${chaos_api_list}" ]; then
                # Remove the last element
                chaos_api_list=""
            fi
        fi
    done
-    # if API_PORT is empty, no working API port was found
+    # if apiAvailable is false, no working API was found
-    if [ -n "${API_PORT}" ]; then
+    if [ "${apiAvailable}" = false ]; then
-        echo "API not available at: ${API_URL}"
+        echo "API not available. Please check FTL.log"
        echo "Exiting."
        exit 1
    fi
@@ -102,22 +124,51 @@ LoginAPI() {
            echo "API Authentication: Trying to use CLI password"
        fi
-        # Try to authenticate using the CLI password
+        # If we can read the CLI password, we can skip 2FA even when it's required otherwise
-        Authentication "${1}"
+        needTOTP=false
    elif [ "${1}" = "verbose" ]; then
        echo "API Authentication: CLI password not available"
    fi
    if [ -z "${password}" ]; then
        # no password read from CLI file
        echo "Please enter your password:"
        # secretly read the password
        secretRead; printf '\n'
    fi
    if [ "${needTOTP}" = true ]; then
        # 2FA required
        echo "Please enter the correct second factor."
        echo "(Can be any number if you used the app password)"
        read -r totp
    fi
-    # If this did not work, ask the user for the password
+    # Try to authenticate using the supplied password (CLI file or user input) and TOTP
-    while [ "${validSession}" = false ] || [ -z "${validSession}" ] ; do
+    Authentication "${1}"
    # Try to login again until the session is valid
    while [ ! "${validSession}" = true ]  ; do
        echo "Authentication failed. Please enter your Pi-hole password"
        # Print the error message if there is one
        if  [ ! "${sessionError}" = "null"  ] && [ "${1}" = "verbose" ]; then
            echo "Error: ${sessionError}"
        fi
        # Print the session message if there is one
        if  [ ! "${sessionMessage}" = "null" ] && [ "${1}" = "verbose" ]; then
            echo "Error: ${sessionMessage}"
        fi
        # secretly read the password
        secretRead; printf '\n'
        if [ "${needTOTP}" = true ]; then
            echo "Please enter the correct second factor:"
            echo "(Can be any number if you used the app password)"
            read -r totp
        fi
        # Try to authenticate again
        Authentication "${1}"
    done
@@ -125,23 +176,27 @@ LoginAPI() {
 }
 Authentication() {
-  sessionResponse="$(curl -skS -X POST "${API_URL}auth" --user-agent "Pi-hole cli " --data "{\"password\":\"${password}\"}" )"
+    sessionResponse="$(curl --connect-timeout 2 -skS -X POST "${API_URL}auth" --user-agent "Pi-hole cli" --data "{\"password\":\"${password}\", \"totp\":${totp:-null}}" )"
-  if [ -z "${sessionResponse}" ]; then
+    if [ -z "${sessionResponse}" ]; then
-    echo "No response from FTL server. Please check connectivity"
+        echo "No response from FTL server. Please check connectivity"
-    exit 1
+        exit 1
-  fi
+    fi
-  # obtain validity and session ID from session response
+    # obtain validity, session ID and sessionMessage from session response
-  validSession=$(echo "${sessionResponse}"| jq .session.valid 2>/dev/null)
+    validSession=$(echo "${sessionResponse}"| jq .session.valid 2>/dev/null)
-  SID=$(echo "${sessionResponse}"| jq --raw-output .session.sid 2>/dev/null)
+    SID=$(echo "${sessionResponse}"| jq --raw-output .session.sid 2>/dev/null)
-
+    sessionMessage=$(echo "${sessionResponse}"| jq --raw-output .session.message 2>/dev/null)
-  if [ "${1}" = "verbose" ]; then
+
-    if [ "${validSession}" = true ]; then
+    # obtain the error message from the session response
-      echo "API Authentication: ${COL_GREEN}Success${COL_NC}"
+    sessionError=$(echo "${sessionResponse}"| jq --raw-output .error.message 2>/dev/null)
-    else
+
-      echo "API Authentication: ${COL_RED}Failed${COL_NC}"
+    if [ "${1}" = "verbose" ]; then
        if [ "${validSession}" = true ]; then
            echo "API Authentication: ${COL_GREEN}Success${COL_NC}"
        else
            echo "API Authentication: ${COL_RED}Failed${COL_NC}"
        fi
    fi
  fi
 }
 LogoutAPI() {
@@ -165,19 +220,21 @@ GetFTLData() {
  # get the data from querying the API as well as the http status code
  response=$(curl -skS -w "%{http_code}" -X GET "${API_URL}$1" -H "Accept: application/json" -H "sid: ${SID}" )
  # status are the last 3 characters
  status="${response#"${response%???}"}"
  # data is everything from response without the last 3 characters
  data="${response%???}"
  if [ "${2}" = "raw" ]; then
    # return the raw response
    echo "${response}"
  else
    # status are the last 3 characters
    # not using ${response#"${response%???}"}" here because it's extremely slow on big responses
    status=$(printf "%s" "${response}" | tail -c 3)
    # data is everything from response without the last 3 characters
    data="${response%???}"
    # return only the data
    if [ "${status}" = 200 ]; then
        # response OK
-        echo "${data}"
+        printf %s "${data}"
    else
        # connection lost
        echo "${status}"
@@ -251,20 +308,30 @@ secretRead() {
 }
 apiFunc() {
-  local data response status status_col
+  local data response status status_col verbosity
  # Define if the output will be silent (default) or verbose
  verbosity="silent"
  if [ "$1" = "verbose" ]; then
    verbosity="verbose"
    shift
  fi
  # Authenticate with the API
-  LoginAPI verbose
+  LoginAPI "${verbosity}"
  echo ""
-  echo "Requesting: ${COL_PURPLE}GET ${COL_CYAN}${API_URL}${COL_YELLOW}$1${COL_NC}"
+  if [ "${verbosity}" = "verbose" ]; then
-  echo ""
+    echo ""
    echo "Requesting: ${COL_PURPLE}GET ${COL_CYAN}${API_URL}${COL_YELLOW}$1${COL_NC}"
    echo ""
  fi
  # Get the data from the API
  response=$(GetFTLData "$1" raw)
  # status are the last 3 characters
-  status="${response#"${response%???}"}"
+  # not using ${response#"${response%???}"}" here because it's extremely slow on big responses
  status=$(printf "%s" "${response}" | tail -c 3)
  # data is everything from response without the last 3 characters
  data="${response%???}"
@@ -274,11 +341,18 @@ apiFunc() {
  else
    status_col="${COL_RED}"
  fi
-  echo "Status: ${status_col}${status}${COL_NC}"
+
  # Only print the status in verbose mode or if the status is not 200
  if [ "${verbosity}" = "verbose" ] || [ "${status}" != 200 ]; then
    echo "Status: ${status_col}${status}${COL_NC}"
  fi
  # Output the data. Format it with jq if available and data is actually JSON.
  # Otherwise just print it
-  echo "Data:"
+  if [ "${verbosity}" = "verbose" ]; then
    echo "Data:"
  fi
  if command -v jq >/dev/null && echo "${data}" | jq . >/dev/null 2>&1; then
    echo "${data}" | jq .
  else
@@ -286,5 +360,5 @@ apiFunc() {
  fi
  # Delete the session
-  LogoutAPI verbose
+  LogoutAPI "${verbosity}"
 }
--- a/advanced/Scripts/database_migration/gravity-db.sh
+++ b/advanced/Scripts/database_migration/gravity-db.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# shellcheck disable=SC1090
+
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2019 Pi-hole, LLC (https://pi-hole.net)
@@ -13,9 +13,8 @@
 readonly scriptPath="/etc/.pihole/advanced/Scripts/database_migration/gravity"
 upgrade_gravityDB(){
-    local database piholeDir version
+    local database version
    database="${1}"
    piholeDir="${2}"
    # Exit early if the database does not exist (e.g. in CI tests)
    if [[ ! -f "${database}" ]]; then
--- a/advanced/Scripts/list.sh
+++ b/advanced/Scripts/list.sh
@@ -1,5 +1,4 @@
 #!/usr/bin/env bash
 # shellcheck disable=SC1090
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2017 Pi-hole, LLC (https://pi-hole.net)
@@ -12,9 +11,11 @@
 readonly PI_HOLE_SCRIPT_DIR="/opt/pihole"
 readonly utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
 # shellcheck source="./advanced/Scripts/utils.sh"
 source "${utilsfile}"
 readonly apifile="${PI_HOLE_SCRIPT_DIR}/api.sh"
 # shellcheck source="./advanced/Scripts/api.sh"
 source "${apifile}"
 # Determine database location
@@ -39,6 +40,7 @@ typeId=""
 comment=""
 colfile="/opt/pihole/COL_TABLE"
 # shellcheck source="./advanced/Scripts/COL_TABLE"
 source ${colfile}
 helpFunc() {
--- a/advanced/Scripts/piholeARPTable.sh
+++ b/advanced/Scripts/piholeARPTable.sh
@@ -1,5 +1,4 @@
 #!/usr/bin/env bash
 # shellcheck disable=SC1090
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2019 Pi-hole, LLC (https://pi-hole.net)
@@ -12,13 +11,22 @@
 coltable="/opt/pihole/COL_TABLE"
 if [[ -f ${coltable} ]]; then
 # shellcheck source="./advanced/Scripts/COL_TABLE"
    source ${coltable}
 fi
 readonly PI_HOLE_SCRIPT_DIR="/opt/pihole"
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
 # shellcheck source=./advanced/Scripts/utils.sh
 source "${utilsfile}"
 readonly PI_HOLE_FILES_DIR="/etc/.pihole"
 SKIP_INSTALL="true"
 # shellcheck source="./automated install/basic-install.sh"
 source "${PI_HOLE_FILES_DIR}/automated install/basic-install.sh"
 # stop_service() is defined in basic-install.sh
 # restart_service() is defined in basic-install.sh
 # Determine database location
 DBFILE=$(getFTLConfigValue "files.database")
 if [ -z "$DBFILE" ]; then
@@ -32,7 +40,7 @@ flushARP(){
    fi
    # Stop FTL to prevent database access
-    if ! output=$(service pihole-FTL stop 2>&1); then
+    if ! output=$(stop_service pihole-FTL 2>&1); then
        echo -e "${OVER}  ${CROSS} Failed to stop FTL"
        echo "  Output: ${output}"
        return 1
@@ -64,7 +72,7 @@ flushARP(){
    fi
    # Start FTL again
-    if ! output=$(service pihole-FTL restart 2>&1); then
+    if ! output=$(restart_service pihole-FTL 2>&1); then
        echo -e "${OVER}  ${CROSS} Failed to restart FTL"
        echo "  Output: ${output}"
        return 1
--- a/advanced/Scripts/piholeCheckout.sh
+++ b/advanced/Scripts/piholeCheckout.sh
@@ -10,6 +10,7 @@
 readonly PI_HOLE_FILES_DIR="/etc/.pihole"
 SKIP_INSTALL="true"
 # shellcheck source="./automated install/basic-install.sh"
 source "${PI_HOLE_FILES_DIR}/automated install/basic-install.sh"
 # webInterfaceGitUrl set in basic-install.sh
@@ -109,7 +110,7 @@ checkout() {
            echo -e "${OVER}  ${CROSS} $str"
            exit 1
        fi
-        corebranches=($(get_available_branches "${PI_HOLE_FILES_DIR}"))
+        mapfile -t corebranches < <(get_available_branches "${PI_HOLE_FILES_DIR}")
        if [[ "${corebranches[*]}" == *"master"* ]]; then
            echo -e "${OVER}  ${TICK} $str"
@@ -136,7 +137,7 @@ checkout() {
            echo -e "${OVER}  ${CROSS} $str"
            exit 1
        fi
-        webbranches=($(get_available_branches "${webInterfaceDir}"))
+        mapfile -t webbranches < <(get_available_branches "${webInterfaceDir}")
        if [[ "${webbranches[*]}" == *"master"* ]]; then
            echo -e "${OVER}  ${TICK} $str"
@@ -167,7 +168,7 @@ checkout() {
        # Check if requested branch is available
        echo -e "  ${INFO} Checking for availability of branch ${COL_CYAN}${2}${COL_NC} on GitHub"
-        ftlbranches=( $(git ls-remote https://github.com/pi-hole/ftl | grep "refs/heads" | cut -d'/' -f3- -) )
+        mapfile -t ftlbranches < <(git ls-remote https://github.com/pi-hole/ftl | grep "refs/heads" | cut -d'/' -f3- -)
        # If returned array is empty -> connectivity issue
        if [[ ${#ftlbranches[@]} -eq 0 ]]; then
            echo -e "  ${CROSS} Unable to fetch branches from GitHub. Please check your Internet connection and try again later."
@@ -209,13 +210,15 @@ checkout() {
            # Update local and remote versions via updatechecker
            /opt/pihole/updatecheck.sh
        else
-            if [ $? -eq 1 ]; then
+            local status
            status=$?
            if [ $status -eq 1 ]; then
                # Binary for requested branch is not available, may still be
                # int he process of being built or CI build job failed
-                printf "  %b Binary for requested branch is not available, please try again later.\\n" ${CROSS}
+                printf "  %b Binary for requested branch is not available, please try again later.\\n" "${CROSS}"
                printf "      If the issue persists, please contact Pi-hole Support and ask them to re-generate the binary.\\n"
                exit 1
-            elif [ $? -eq 2 ]; then
+            elif [ $status -eq 2 ]; then
                printf "  %b Unable to download from ftl.pi-hole.net. Please check your Internet connection and try again later.\\n" "${CROSS}"
                exit 1
            else
--- a/advanced/Scripts/piholeDebug.sh
+++ b/advanced/Scripts/piholeDebug.sh
@@ -8,7 +8,6 @@
 # This file is copyright under the latest version of the EUPL.
 # Please see LICENSE file for your rights under this license.
 # shellcheck source=/dev/null
 # -e option instructs bash to immediately exit if any command [1] has a non-zero exit status
 # -u a reference to any variable you haven't previously defined
@@ -27,6 +26,7 @@ PIHOLE_COLTABLE_FILE="${PIHOLE_SCRIPTS_DIRECTORY}/COL_TABLE"
 # These provide the colors we need for making the log more readable
 if [[ -f ${PIHOLE_COLTABLE_FILE} ]]; then
 # shellcheck source=./advanced/Scripts/COL_TABLE
    source ${PIHOLE_COLTABLE_FILE}
 else
    COL_NC='\e[0m' # No Color
@@ -41,9 +41,17 @@ else
    #OVER="\r\033[K"
 fi
-# shellcheck disable=SC1091
+# shellcheck source=/dev/null
 . /etc/pihole/versions
 # Read the value of an FTL config key. The value is printed to stdout.
 get_ftl_conf_value() {
    local key=$1
    # Obtain setting from FTL directly
    pihole-FTL --config "${key}"
 }
 # FAQ URLs for use in showing the debug log
 FAQ_HARDWARE_REQUIREMENTS="${COL_CYAN}https://docs.pi-hole.net/main/prerequisites/${COL_NC}"
 FAQ_HARDWARE_REQUIREMENTS_PORTS="${COL_CYAN}https://docs.pi-hole.net/main/prerequisites/#ports${COL_NC}"
@@ -61,10 +69,10 @@ DNSMASQ_D_DIRECTORY="/etc/dnsmasq.d"
 PIHOLE_DIRECTORY="/etc/pihole"
 PIHOLE_SCRIPTS_DIRECTORY="/opt/pihole"
 BIN_DIRECTORY="/usr/local/bin"
 RUN_DIRECTORY="/run"
 LOG_DIRECTORY="/var/log/pihole"
-HTML_DIRECTORY="/var/www/html"
+HTML_DIRECTORY="$(get_ftl_conf_value "webserver.paths.webroot")"
-WEB_GIT_DIRECTORY="${HTML_DIRECTORY}/admin"
+WEBHOME_PATH="$(get_ftl_conf_value "webserver.paths.webhome")"
 WEB_GIT_DIRECTORY="${HTML_DIRECTORY}${WEBHOME_PATH}"
 SHM_DIRECTORY="/dev/shm"
 ETC="/etc"
@@ -79,14 +87,6 @@ PIHOLE_FTL_CONF_FILE="${PIHOLE_DIRECTORY}/pihole.toml"
 PIHOLE_DNSMASQ_CONF_FILE="${PIHOLE_DIRECTORY}/dnsmasq.conf"
 PIHOLE_VERSIONS_FILE="${PIHOLE_DIRECTORY}/versions"
 # Read the value of an FTL config key. The value is printed to stdout.
 get_ftl_conf_value() {
    local key=$1
    # Obtain setting from FTL directly
    pihole-FTL --config "${key}"
 }
 PIHOLE_GRAVITY_DB_FILE="$(get_ftl_conf_value "files.gravity")"
 PIHOLE_FTL_DB_FILE="$(get_ftl_conf_value "files.database")"
@@ -94,7 +94,7 @@ PIHOLE_FTL_DB_FILE="$(get_ftl_conf_value "files.database")"
 PIHOLE_COMMAND="${BIN_DIRECTORY}/pihole"
 PIHOLE_COLTABLE_FILE="${BIN_DIRECTORY}/COL_TABLE"
-FTL_PID="${RUN_DIRECTORY}/pihole-FTL.pid"
+FTL_PID="$(get_ftl_conf_value "files.pid")"
 PIHOLE_LOG="${LOG_DIRECTORY}/pihole.log"
 PIHOLE_LOG_GZIPS="${LOG_DIRECTORY}/pihole.log.[0-9].*"
@@ -202,7 +202,7 @@ compare_local_version_to_git_version() {
        if git status &> /dev/null; then
            # The current version the user is on
            local local_version
-            local_version=$(git describe --tags --abbrev=0);
+            local_version=$(git describe --tags --abbrev=0 2> /dev/null);
            # What branch they are on
            local local_branch
            local_branch=$(git rev-parse --abbrev-ref HEAD);
@@ -213,7 +213,13 @@ compare_local_version_to_git_version() {
            local local_status
            local_status=$(git status -s)
            # echo this information out to the user in a nice format
-            log_write "${TICK} Version: ${local_version}"
+            if [ "${local_version}" ]; then
              log_write "${TICK} Version: ${local_version}"
            elif [ -n "${DOCKER_VERSION}" ]; then
              log_write "${TICK} Version: Pi-hole Docker Container ${COL_BOLD}${DOCKER_VERSION}${COL_NC}"
            else
              log_write "${CROSS} Version: not detected"
            fi
            # Print the repo upstreams
            remotes=$(git remote -v)
@@ -290,88 +296,12 @@ check_component_versions() {
    check_ftl_version
 }
 os_check() {
    # This function gets a list of supported OS versions from a TXT record at versions.pi-hole.net
    # and determines whether or not the script is running on one of those systems
    local remote_os_domain valid_os valid_version detected_os detected_version cmdResult digReturnCode response
    remote_os_domain=${OS_CHECK_DOMAIN_NAME:-"versions.pi-hole.net"}
    detected_os=$(grep "\bID\b" /etc/os-release | cut -d '=' -f2 | tr -d '"')
    detected_version=$(grep VERSION_ID /etc/os-release | cut -d '=' -f2 | tr -d '"')
    cmdResult="$(dig -4 +short -t txt "${remote_os_domain}" @ns1.pi-hole.net 2>&1; echo $?)"
    #Get the return code of the previous command (last line)
    digReturnCode="${cmdResult##*$'\n'}"
    # Extract dig response
    response="${cmdResult%%$'\n'*}"
    if [ "${digReturnCode}" -ne 0 ]; then
        log_write "${INFO} Distro: ${detected_os^}"
        log_write "${INFO} Version: ${detected_version}"
        log_write "${CROSS} dig IPv4 return code: ${COL_RED}${digReturnCode}${COL_NC}"
        log_write "${CROSS} dig response: ${response}"
        log_write "${INFO} Retrying via IPv6"
        cmdResult="$(dig -6 +short -t txt "${remote_os_domain}" @ns1.pi-hole.net 2>&1; echo $?)"
        #Get the return code of the previous command (last line)
        digReturnCode="${cmdResult##*$'\n'}"
        # Extract dig response
        response="${cmdResult%%$'\n'*}"
    fi
    # If also no success via IPv6
    if [ "${digReturnCode}" -ne 0 ]; then
        log_write "${CROSS} dig IPv6 return code: ${COL_RED}${digReturnCode}${COL_NC}"
        log_write "${CROSS} dig response: ${response}"
        log_write "${CROSS} Error: ${COL_RED}dig command failed - Unable to check OS${COL_NC}"
    else
        IFS=" " read -r -a supportedOS < <(echo "${response}" | tr -d '"')
        for distro_and_versions in "${supportedOS[@]}"
        do
            distro_part="${distro_and_versions%%=*}"
            versions_part="${distro_and_versions##*=}"
            if [[ "${detected_os^^}" =~ ${distro_part^^} ]]; then
                valid_os=true
                IFS="," read -r -a supportedVer <<<"${versions_part}"
                for version in "${supportedVer[@]}"
                do
                    if [[ "${detected_version}" =~ $version ]]; then
                        valid_version=true
                        break
                    fi
                done
                break
            fi
        done
        local finalmsg
        if [ "$valid_os" = true ]; then
            log_write "${TICK} Distro:  ${COL_GREEN}${detected_os^}${COL_NC}"
            if [ "$valid_version" = true ]; then
                log_write "${TICK} Version: ${COL_GREEN}${detected_version}${COL_NC}"
                finalmsg="${TICK} ${COL_GREEN}Distro and version supported${COL_NC}"
            else
                log_write "${CROSS} Version: ${COL_RED}${detected_version}${COL_NC}"
                finalmsg="${CROSS} Error: ${COL_RED}${detected_os^} is supported but version ${detected_version} is currently unsupported ${COL_NC}(${FAQ_HARDWARE_REQUIREMENTS})${COL_NC}"
            fi
        else
            log_write "${CROSS} Distro:  ${COL_RED}${detected_os^}${COL_NC}"
            finalmsg="${CROSS} Error: ${COL_RED}${detected_os^} is not a supported distro ${COL_NC}(${FAQ_HARDWARE_REQUIREMENTS})${COL_NC}"
        fi
        # Print dig response and the final check result
        log_write "${TICK} dig return code: ${COL_GREEN}${digReturnCode}${COL_NC}"
        log_write "${INFO} dig response: ${response}"
        log_write "${finalmsg}"
    fi
 }
 diagnose_operating_system() {
    # error message in a variable so we can easily modify it later (or reuse it)
    local error_msg="Distribution unknown -- most likely you are on an unsupported platform and may run into issues."
    local detected_os
    local detected_version
    # Display the current test that is running
    echo_current_diagnostic "Operating system"
@@ -380,8 +310,13 @@ diagnose_operating_system() {
    # If there is a /etc/*release file, it's probably a supported operating system, so we can
    if ls /etc/*release 1> /dev/null 2>&1; then
-        # display the attributes to the user from the function made earlier
+        # display the attributes to the user
-        os_check
+
        detected_os=$(grep "\bID\b" /etc/os-release | cut -d '=' -f2 | tr -d '"')
        detected_version=$(grep VERSION_ID /etc/os-release | cut -d '=' -f2 | tr -d '"')
        log_write "${INFO} Distro: ${detected_os^}"
        log_write "${INFO} Version: ${detected_version}"
    else
        # If it doesn't exist, it's not a system we currently support and link to FAQ
        log_write "${CROSS} ${COL_RED}${error_msg}${COL_NC} (${FAQ_HARDWARE_REQUIREMENTS})"
@@ -479,7 +414,9 @@ run_and_print_command() {
    local output
    output=$(${cmd} 2>&1)
    # If the command was successful,
-    if [[ $? -eq 0 ]]; then
+    local return_code
    return_code=$?
    if [[ "${return_code}" -eq 0 ]]; then
        # show the output
        log_write "${output}"
    else
@@ -489,13 +426,25 @@ run_and_print_command() {
 }
 hardware_check() {
    # Note: the checks are skipped if Pi-hole is running in a docker container
    local skip_msg="${INFO} Not enough permissions inside Docker container ${COL_YELLOW}(skipped)${COL_NC}"
    echo_current_diagnostic "System hardware configuration"
-    # Store the output of the command in a variable
+    if [ -n "${DOCKER_VERSION}" ]; then
-    run_and_print_command "lshw -short"
+        log_write "${skip_msg}"
    else
        # Store the output of the command in a variable
        run_and_print_command "lshw -short"
    fi
    echo_current_diagnostic "Processor details"
-    # Store the output of the command in a variable
+    if [ -n "${DOCKER_VERSION}" ]; then
-    run_and_print_command "lscpu"
+        log_write "${skip_msg}"
    else
        # Store the output of the command in a variable
        run_and_print_command "lscpu"
    fi
 }
 disk_usage() {
@@ -808,26 +757,24 @@ dig_at() {
 process_status(){
    # Check to make sure Pi-hole's services are running and active
    echo_current_diagnostic "Pi-hole processes"
    # Local iterator
    local i
    # For each process,
    for i in "${PIHOLE_PROCESSES[@]}"; do
        local status_of_process
        # If systemd
        if command -v systemctl &> /dev/null; then
            # get its status via systemctl
            local status_of_process
            status_of_process=$(systemctl is-active "${i}")
        else
            # Otherwise, use the service command and mock the output of `systemctl is-active`
            local status_of_process
-            # If DOCKER_VERSION is set, the output is slightly different (s6 init system on Docker)
+            # If it is a docker container, there is no systemctl or service. Do nothing.
            if [ -n "${DOCKER_VERSION}" ]; then
-                if service "${i}" status | grep -E '^up' &> /dev/null; then
+                :
                    status_of_process="active"
                else
                    status_of_process="inactive"
                fi
            else
            # non-Docker system
                if service "${i}" status | grep -E 'is\srunning' &> /dev/null; then
@@ -837,8 +784,12 @@ process_status(){
                fi
            fi
        fi
        # and print it out to the user
-        if [[ "${status_of_process}" == "active" ]]; then
+        if [ -n "${DOCKER_VERSION}" ]; then
            # If it's a Docker container, the test was skipped
            log_write "${INFO} systemctl/service not installed inside docker container ${COL_YELLOW}(skipped)${COL_NC}"
        elif [[ "${status_of_process}" == "active" ]]; then
            # If it's active, show it in green
            log_write "${TICK} ${COL_GREEN}${i}${COL_NC} daemon is ${COL_GREEN}${status_of_process}${COL_NC}"
        else
@@ -855,6 +806,8 @@ ftl_full_status(){
    if command -v systemctl &> /dev/null; then
      FTL_status=$(systemctl status --full --no-pager pihole-FTL.service)
      log_write "   ${FTL_status}"
    elif [ -n "${DOCKER_VERSION}" ]; then
      log_write "${INFO} systemctl/service not installed inside docker container ${COL_YELLOW}(skipped)${COL_NC}"
    else
      log_write "${INFO} systemctl:  command not found"
    fi
@@ -908,7 +861,6 @@ parse_file() {
    # Get the lines that are in the file(s) and store them in an array for parsing later
    local file_info
    if [[ -f "$filename" ]]; then
        #shellcheck disable=SC2016
        IFS=$'\r\n' command eval 'file_info=( $(cat "${filename}") )'
    else
        read -r -a file_info <<< "$filename"
@@ -1112,7 +1064,7 @@ show_FTL_db_entries() {
 }
 check_dhcp_servers() {
-    echo_current_diagnostic "Discovering active DHCP servers (takes 10 seconds)"
+    echo_current_diagnostic "Discovering active DHCP servers (takes 6 seconds)"
    OLD_IFS="$IFS"
    IFS=$'\n'
@@ -1196,7 +1148,7 @@ database_integrity_check(){
    local database="${1}"
    log_write "${INFO} Checking integrity of ${database} ... (this can take several minutes)"
-    result="$(pihole-FTL "${database}" "PRAGMA integrity_check" 2>&1 & spinner)"
+    result="$(pihole-FTL sqlite3 -ni "${database}" "PRAGMA integrity_check" 2>&1 & spinner)"
    if [[ ${result} = "ok" ]]; then
      log_write "${TICK} Integrity of ${database} intact"
@@ -1317,19 +1269,16 @@ upload_to_tricorder() {
        curl_to_tricorder
        # If we're not running in automated mode,
    else
-        # if not being called from the web interface
+        echo ""
-        if [[ ! "${WEBCALL}" ]]; then
+        # give the user a choice of uploading it or not
-            echo ""
+        # Users can review the log file locally (or the output of the script since they are the same) and try to self-diagnose their problem
-            # give the user a choice of uploading it or not
+        read -r -p "[?] Would you like to upload the log? [y/N] " response
-            # Users can review the log file locally (or the output of the script since they are the same) and try to self-diagnose their problem
+        case ${response} in
-            read -r -p "[?] Would you like to upload the log? [y/N] " response
+            # If they say yes, run our function for uploading the log
-            case ${response} in
+            [yY][eE][sS]|[yY]) curl_to_tricorder;;
-                # If they say yes, run our function for uploading the log
+            # If they choose no, just exit out of the script
-                [yY][eE][sS]|[yY]) curl_to_tricorder;;
+            *) log_write "    * Log will ${COL_GREEN}NOT${COL_NC} be uploaded to tricorder.\\n    * A local copy of the debug log can be found at: ${COL_CYAN}${PIHOLE_DEBUG_LOG}${COL_NC}\\n";exit;
-                # If they choose no, just exit out of the script
+        esac
                *) log_write "    * Log will ${COL_GREEN}NOT${COL_NC} be uploaded to tricorder.\\n    * A local copy of the debug log can be found at: ${COL_CYAN}${PIHOLE_DEBUG_LOG}${COL_NC}\\n";exit;
            esac
        fi
    fi
    # Check if tricorder.pi-hole.net is reachable and provide token
    # along with some additional useful information
@@ -1349,13 +1298,8 @@ upload_to_tricorder() {
    # If no token was generated
    else
        # Show an error and some help instructions
-        # Skip this if being called from web interface and automatic mode was not chosen (users opt-out to upload)
+        log_write "${CROSS} ${COL_RED}There was an error uploading your debug log.${COL_NC}"
-        if [[ "${WEBCALL}" ]] && [[ ! "${AUTOMATED}" ]]; then
+        log_write "   * Please try again or contact the Pi-hole team for assistance."
            :
        else
            log_write "${CROSS} ${COL_RED}There was an error uploading your debug log.${COL_NC}"
            log_write "   * Please try again or contact the Pi-hole team for assistance."
        fi
    fi
    # Finally, show where the log file is no matter the outcome of the function so users can look at it
    log_write "   * A local copy of the debug log can be found at: ${COL_CYAN}${PIHOLE_DEBUG_LOG}${COL_NC}\\n"
--- a/advanced/Scripts/piholeLogFlush.sh
+++ b/advanced/Scripts/piholeLogFlush.sh
@@ -9,12 +9,20 @@
 # Please see LICENSE file for your rights under this license.
 colfile="/opt/pihole/COL_TABLE"
 # shellcheck source="./advanced/Scripts/COL_TABLE"
 source ${colfile}
 readonly PI_HOLE_SCRIPT_DIR="/opt/pihole"
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
 # shellcheck source="./advanced/Scripts/utils.sh"
 source "${utilsfile}"
 SKIP_INSTALL="true"
 # shellcheck source="./automated install/basic-install.sh"
 source "${PI_HOLE_FILES_DIR}/automated install/basic-install.sh"
 # stop_service() is defined in basic-install.sh
 # restart_service() is defined in basic-install.sh
 # In case we're running at the same time as a system logrotate, use a
 # separate logrotate state file to prevent stepping on each other's
 # toes.
@@ -35,6 +43,46 @@ FTLFILE=$(getFTLConfigValue "files.log.ftl")
 if [ -z "$FTLFILE" ]; then
    FTLFILE="/var/log/pihole/FTL.log"
 fi
 WEBFILE=$(getFTLConfigValue "files.log.webserver")
 if [ -z "$WEBFILE" ]; then
    WEBFILE="/var/log/pihole/webserver.log"
 fi
 # Helper function to handle log rotation for a single file
 rotate_log() {
    # This function copies x.log over to x.log.1
    # and then empties x.log
    # Note that moving the file is not an option, as
    # dnsmasq would happily continue writing into the
    # moved file (it will have the same file handler)
    local logfile="$1"
    if [[ "$*" != *"quiet"* ]]; then
        echo -ne "  ${INFO} Rotating ${logfile} ..."
    fi
    cp -p "${logfile}" "${logfile}.1"
    echo " " > "${logfile}"
    chmod 640 "${logfile}"
    if [[ "$*" != *"quiet"* ]]; then
        echo -e "${OVER}  ${TICK} Rotated ${logfile} ..."
    fi
 }
 # Helper function to handle log flushing for a single file
 flush_log() {
    local logfile="$1"
    if [[ "$*" != *"quiet"* ]]; then
        echo -ne "  ${INFO} Flushing ${logfile} ..."
    fi
    echo " " > "${logfile}"
    chmod 640 "${logfile}"
    if [ -f "${logfile}.1" ]; then
        echo " " > "${logfile}.1"
        chmod 640 "${logfile}.1"
    fi
    if [[ "$*" != *"quiet"* ]]; then
        echo -e "${OVER}  ${TICK} Flushed ${logfile} ..."
    fi
 }
 if [[ "$*" == *"once"* ]]; then
    # Nightly logrotation
@@ -46,75 +94,30 @@ if [[ "$*" == *"once"* ]]; then
        fi
        /usr/sbin/logrotate --force --state "${STATEFILE}" /etc/pihole/logrotate
    else
-        # Copy pihole.log over to pihole.log.1
+        # Handle rotation for each log file
-        # and empty out pihole.log
+        rotate_log "${LOGFILE}"
-        # Note that moving the file is not an option, as
+        rotate_log "${FTLFILE}"
-        # dnsmasq would happily continue writing into the
+        rotate_log "${WEBFILE}"
        # moved file (it will have the same file handler)
        if [[ "$*" != *"quiet"* ]]; then
            echo -ne "  ${INFO} Rotating ${LOGFILE} ..."
        fi
        cp -p "${LOGFILE}" "${LOGFILE}.1"
        echo " " > "${LOGFILE}"
        chmod 640 "${LOGFILE}"
        if [[ "$*" != *"quiet"* ]]; then
            echo -e "${OVER}  ${TICK} Rotated ${LOGFILE} ..."
        fi
        # Copy FTL.log over to FTL.log.1
        # and empty out FTL.log
        if [[ "$*" != *"quiet"* ]]; then
            echo -ne "  ${INFO} Rotating ${FTLFILE} ..."
        fi
        cp -p "${FTLFILE}" "${FTLFILE}.1"
        echo " " > "${FTLFILE}"
        chmod 640 "${FTLFILE}"
        if [[ "$*" != *"quiet"* ]]; then
            echo -e "${OVER}  ${TICK} Rotated ${FTLFILE} ..."
        fi
    fi
 else
    # Manual flushing
-
+    flush_log "${LOGFILE}"
-    # Flush both pihole.log and pihole.log.1 (if existing)
+    flush_log "${FTLFILE}"
-    if [[ "$*" != *"quiet"* ]]; then
+    flush_log "${WEBFILE}"
        echo -ne "  ${INFO} Flushing ${LOGFILE} ..."
    fi
    echo " " > "${LOGFILE}"
    chmod 640 "${LOGFILE}"
    if [ -f "${LOGFILE}.1" ]; then
        echo " " > "${LOGFILE}.1"
        chmod 640 "${LOGFILE}.1"
    fi
    if [[ "$*" != *"quiet"* ]]; then
        echo -e "${OVER}  ${TICK} Flushed ${LOGFILE} ..."
    fi
    # Flush both FTL.log and FTL.log.1 (if existing)
    if [[ "$*" != *"quiet"* ]]; then
        echo -ne "  ${INFO} Flushing ${FTLFILE} ..."
    fi
    echo " " > "${FTLFILE}"
    chmod 640 "${FTLFILE}"
    if [ -f "${FTLFILE}.1" ]; then
        echo " " > "${FTLFILE}.1"
        chmod 640 "${FTLFILE}.1"
    fi
    if [[ "$*" != *"quiet"* ]]; then
        echo -e "${OVER}  ${TICK} Flushed ${FTLFILE} ..."
    fi
    if [[ "$*" != *"quiet"* ]]; then
        echo -ne "  ${INFO} Flushing database, DNS resolution temporarily unavailable ..."
    fi
    # Stop FTL to make sure it doesn't write to the database while we're deleting data
-    service pihole-FTL stop
+    stop_service pihole-FTL >/dev/null
    # Delete most recent 24 hours from FTL's database, leave even older data intact (don't wipe out all history)
    deleted=$(pihole-FTL sqlite3 -ni "${DBFILE}" "DELETE FROM query_storage WHERE timestamp >= strftime('%s','now')-86400; select changes() from query_storage limit 1")
    # Restart FTL
-    service pihole-FTL restart
+    restart_service pihole-FTL >/dev/null
    if [[ "$*" != *"quiet"* ]]; then
        echo -e "${OVER}  ${TICK} Deleted ${deleted} queries from long-term query database"
    fi
--- a/advanced/Scripts/query.sh
+++ b/advanced/Scripts/query.sh
@@ -1,9 +1,4 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC1090
 # Ignore warning about `local` being undefinded in POSIX
 # shellcheck disable=SC3043
 # https://github.com/koalaman/shellcheck/wiki/SC3043#exceptions
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2023 Pi-hole, LLC (https://pi-hole.net)
@@ -22,9 +17,11 @@ domain=""
 # Source color table
 colfile="/opt/pihole/COL_TABLE"
 # shellcheck source="./advanced/Scripts/COL_TABLE"
 . "${colfile}"
 # Source api functions
 # shellcheck source="./advanced/Scripts/api.sh"
 . "${PI_HOLE_INSTALL_DIR}/api.sh"
 Help() {
--- a/advanced/Scripts/update.sh
+++ b/advanced/Scripts/update.sh
@@ -12,26 +12,31 @@
 # Variables
 readonly ADMIN_INTERFACE_GIT_URL="https://github.com/pi-hole/web.git"
 readonly ADMIN_INTERFACE_DIR="/var/www/html/admin"
 readonly PI_HOLE_GIT_URL="https://github.com/pi-hole/pi-hole.git"
 readonly PI_HOLE_FILES_DIR="/etc/.pihole"
 # shellcheck disable=SC2034
 SKIP_INSTALL=true
 # when --check-only is passed to this script, it will not perform the actual update
 CHECK_ONLY=false
-# shellcheck disable=SC1090
+# shellcheck source="./automated install/basic-install.sh"
 source "${PI_HOLE_FILES_DIR}/automated install/basic-install.sh"
-# shellcheck disable=SC1091
+# shellcheck source=./advanced/Scripts/COL_TABLE
 source "/opt/pihole/COL_TABLE"
 # shellcheck source="./advanced/Scripts/utils.sh"
 source "${PI_HOLE_INSTALL_DIR}/utils.sh"
 # is_repo() sourced from basic-install.sh
 # make_repo() sourced from basic-install.sh
 # update_repo() source from basic-install.sh
 # getGitFiles() sourced from basic-install.sh
 # FTLcheckUpdate() sourced from basic-install.sh
 # getFTLConfigValue() sourced from utils.sh
 # Honour configured paths for the web application.
 ADMIN_INTERFACE_DIR=$(getFTLConfigValue "webserver.paths.webroot")$(getFTLConfigValue "webserver.paths.webhome")
 readonly ADMIN_INTERFACE_DIR
 GitCheckUpdateAvail() {
    local directory
@@ -107,6 +112,7 @@ main() {
    web_update=false
    FTL_update=false
    # Install packages used by this installation script (necessary if users have removed e.g. git from their systems)
    package_manager_detect
    build_dependency_package
@@ -206,7 +212,7 @@ main() {
        echo ""
        echo -e "  ${INFO} Pi-hole Web Admin files out of date, updating local repo."
        getGitFiles "${ADMIN_INTERFACE_DIR}" "${ADMIN_INTERFACE_GIT_URL}"
-        echo -e "  ${INFO} If you had made any changes in '/var/www/html/admin/', they have been stashed using 'git stash'"
+        echo -e "  ${INFO} If you had made any changes in '${ADMIN_INTERFACE_DIR}', they have been stashed using 'git stash'"
    fi
    if [[ "${FTL_update}" == true ]]; then
@@ -215,7 +221,7 @@ main() {
    fi
    if [[ "${FTL_update}" == true || "${core_update}" == true ]]; then
-        ${PI_HOLE_FILES_DIR}/automated\ install/basic-install.sh --reconfigure --unattended || \
+        ${PI_HOLE_FILES_DIR}/automated\ install/basic-install.sh --repair --unattended || \
            echo -e "${basicError}" && exit 1
    fi
--- a/advanced/Scripts/updatecheck.sh
+++ b/advanced/Scripts/updatecheck.sh
@@ -39,9 +39,12 @@ function get_remote_hash() {
 }
 # Source the utils file for addOrEditKeyValPair()
-# shellcheck disable=SC1091
+# shellcheck source="./advanced/Scripts/utils.sh"
 . /opt/pihole/utils.sh
 ADMIN_INTERFACE_DIR=$(getFTLConfigValue "webserver.paths.webroot")$(getFTLConfigValue "webserver.paths.webhome")
 readonly ADMIN_INTERFACE_DIR
 # Remove the below three legacy files if they exist
 rm -f "/etc/pihole/GitHubVersions"
 rm -f "/etc/pihole/localbranches"
@@ -85,13 +88,13 @@ addOrEditKeyValPair "${VERSION_FILE}" "GITHUB_CORE_HASH" "${GITHUB_CORE_HASH}"
 # get Web versions
-WEB_VERSION="$(get_local_version /var/www/html/admin)"
+WEB_VERSION="$(get_local_version "${ADMIN_INTERFACE_DIR}")"
 addOrEditKeyValPair "${VERSION_FILE}" "WEB_VERSION" "${WEB_VERSION}"
-WEB_BRANCH="$(get_local_branch /var/www/html/admin)"
+WEB_BRANCH="$(get_local_branch "${ADMIN_INTERFACE_DIR}")"
 addOrEditKeyValPair "${VERSION_FILE}" "WEB_BRANCH" "${WEB_BRANCH}"
-WEB_HASH="$(get_local_hash /var/www/html/admin)"
+WEB_HASH="$(get_local_hash "${ADMIN_INTERFACE_DIR}")"
 addOrEditKeyValPair "${VERSION_FILE}" "WEB_HASH" "${WEB_HASH}"
 GITHUB_WEB_VERSION="$(get_remote_version web "${WEB_BRANCH}")"
--- a/advanced/Scripts/utils.sh
+++ b/advanced/Scripts/utils.sh
@@ -1,5 +1,4 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC3043 #https://github.com/koalaman/shellcheck/wiki/SC3043#exceptions
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2017 Pi-hole, LLC (https://pi-hole.net)
@@ -88,8 +87,8 @@ getFTLConfigValue(){
 #######################
 setFTLConfigValue(){
  pihole-FTL --config "${1}" "${2}" >/dev/null
-  if [[ $? -eq 5 ]]; then
+  if [ $? -eq 5 ]; then
-    echo -e "  ${CROSS} ${1} set by environment variable. Please unset it to use this function"
+    printf "  %s %s set by environment variable. Please unset it to use this function\n" "${CROSS}" "${1}"
    exit 5
  fi
 }
--- a/advanced/Scripts/version.sh
+++ b/advanced/Scripts/version.sh
@@ -8,20 +8,16 @@
 # This file is copyright under the latest version of the EUPL.
 # Please see LICENSE file for your rights under this license.
-# Ignore warning about `local` being undefinded in POSIX
+# Source the versions file populated by updatechecker.sh
 # shellcheck disable=SC3043
 # https://github.com/koalaman/shellcheck/wiki/SC3043#exceptions
 # Source the versions file poupulated by updatechecker.sh
 cachedVersions="/etc/pihole/versions"
 if [ -f ${cachedVersions} ]; then
-    # shellcheck disable=SC1090
+    # shellcheck source=/dev/null
    . "$cachedVersions"
 else
    echo "Could not find /etc/pihole/versions. Running update now."
    pihole updatechecker
-    # shellcheck disable=SC1090
+     # shellcheck source=/dev/null
    . "$cachedVersions"
 fi
--- a/advanced/Templates/gravity.db.sql
+++ b/advanced/Templates/gravity.db.sql
@@ -43,8 +43,8 @@ CREATE TABLE adlist
 CREATE TABLE adlist_by_group
 (
-    adlist_id INTEGER NOT NULL REFERENCES adlist (id),
+    adlist_id INTEGER NOT NULL REFERENCES adlist (id) ON DELETE CASCADE,
-    group_id INTEGER NOT NULL REFERENCES "group" (id),
+    group_id INTEGER NOT NULL REFERENCES "group" (id) ON DELETE CASCADE,
    PRIMARY KEY (adlist_id, group_id)
 );
@@ -67,11 +67,16 @@ CREATE TABLE info
 );
 INSERT INTO "info" VALUES('version','19');
 /* This is a flag to indicate if gravity was restored from a backup
    false = not restored,
    failed = restoration failed due to no backup
    other string = restoration successful with the string being the backup file used */
 INSERT INTO "info" VALUES('gravity_restored','false');
 CREATE TABLE domainlist_by_group
 (
-    domainlist_id INTEGER NOT NULL REFERENCES domainlist (id),
+    domainlist_id INTEGER NOT NULL REFERENCES domainlist (id) ON DELETE CASCADE,
-    group_id INTEGER NOT NULL REFERENCES "group" (id),
+    group_id INTEGER NOT NULL REFERENCES "group" (id) ON DELETE CASCADE,
    PRIMARY KEY (domainlist_id, group_id)
 );
@@ -86,8 +91,8 @@ CREATE TABLE client
 CREATE TABLE client_by_group
 (
-    client_id INTEGER NOT NULL REFERENCES client (id),
+    client_id INTEGER NOT NULL REFERENCES client (id) ON DELETE CASCADE,
-    group_id INTEGER NOT NULL REFERENCES "group" (id),
+    group_id INTEGER NOT NULL REFERENCES "group" (id) ON DELETE CASCADE,
    PRIMARY KEY (client_id, group_id)
 );
--- a/advanced/Templates/pihole-FTL-poststop.sh
+++ b/advanced/Templates/pihole-FTL-poststop.sh
@@ -3,7 +3,7 @@
 # Source utils.sh for getFTLConfigValue()
 PI_HOLE_SCRIPT_DIR='/opt/pihole'
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
-# shellcheck disable=SC1090
+# shellcheck source="./advanced/Scripts/utils.sh"
 . "${utilsfile}"
 # Get file paths
--- a/advanced/Templates/pihole-FTL-prestart.sh
+++ b/advanced/Templates/pihole-FTL-prestart.sh
@@ -3,32 +3,32 @@
 # Source utils.sh for getFTLConfigValue()
 PI_HOLE_SCRIPT_DIR='/opt/pihole'
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
-# shellcheck disable=SC1090
+# shellcheck source="./advanced/Scripts/utils.sh"
 . "${utilsfile}"
 # Get file paths
 FTL_PID_FILE="$(getFTLConfigValue files.pid)"
 # Ensure that permissions are set so that pihole-FTL can edit all necessary files
-# shellcheck disable=SC2174
+mkdir -p /var/log/pihole
-mkdir -pm 0640 /var/log/pihole
+chown -R pihole:pihole /etc/pihole/ /var/log/pihole/
 chown -R pihole:pihole /etc/pihole /var/log/pihole
 chmod -R 0640 /var/log/pihole
 chmod -R 0660 /etc/pihole
-# Logrotate config file need to be owned by root and must not be writable by group and others
+# allow all users read version file (and use pihole -v)
-chown root:root /etc/pihole/logrotate
+chmod 0644 /etc/pihole/versions
 chmod 0644 /etc/pihole/logrotate
 # allow all users to enter the directories
 chmod 0755 /etc/pihole /var/log/pihole
 # allow pihole to access subdirs in /etc/pihole (sets execution bit on dirs)
-# credits https://stackoverflow.com/a/11512211
+find /etc/pihole/ /var/log/pihole/ -type d -exec chmod 0755 {} +
-find /etc/pihole -type d -exec chmod 0755 {} \;
+# Set all files (except TLS-related ones) to u+rw g+r
 find /etc/pihole/ /var/log/pihole/ -type f ! \( -name '*.pem' -o -name '*.crt' \) -exec chmod 0640 {} +
 # Set TLS-related files to a more restrictive u+rw *only* (they may contain private keys)
 find /etc/pihole/ -type f \( -name '*.pem' -o -name '*.crt' \) -exec chmod 0600 {} +
 # Logrotate config file need to be owned by root
 chown root:root /etc/pihole/logrotate
 # Touch files to ensure they exist (create if non-existing, preserve if existing)
 [ -f "${FTL_PID_FILE}" ] || install -D -m 644 -o pihole -g pihole /dev/null "${FTL_PID_FILE}"
 [ -f /var/log/pihole/FTL.log ] || install -m 640 -o pihole -g pihole /dev/null /var/log/pihole/FTL.log
 [ -f /var/log/pihole/pihole.log ] || install -m 640 -o pihole -g pihole /dev/null /var/log/pihole/pihole.log
 [ -f /var/log/pihole/webserver.log ] || install -m 640 -o pihole -g pihole /dev/null /var/log/pihole/webserver.log
 [ -f /etc/pihole/dhcp.leases ] || install -m 644 -o pihole -g pihole /dev/null /etc/pihole/dhcp.leases
--- a/advanced/Templates/pihole-FTL.service
+++ b/advanced/Templates/pihole-FTL.service
@@ -12,7 +12,7 @@
 # Source utils.sh for getFTLConfigValue(), getFTLPID()
 PI_HOLE_SCRIPT_DIR="/opt/pihole"
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
-# shellcheck disable=SC1090
+# shellcheck source="./advanced/Scripts/utils.sh"
 . "${utilsfile}"
@@ -57,13 +57,16 @@ start() {
 stop() {
  if is_running; then
    kill "${FTL_PID}"
-    for i in 1 2 3 4 5; do
+    # Give FTL 60 seconds to gracefully stop
    i=1
    while [ "${i}" -le 60 ]; do
      if ! is_running; then
        break
      fi
      printf "."
      sleep 1
      i=$((i + 1))
    done
    echo
--- a/advanced/Templates/pihole-FTL.systemd
+++ b/advanced/Templates/pihole-FTL.systemd
@@ -28,7 +28,7 @@ ExecReload=/bin/kill -HUP $MAINPID
 ExecStopPost=/opt/pihole/pihole-FTL-poststop.sh
 # Use graceful shutdown with a reasonable timeout
-TimeoutStopSec=10s
+TimeoutStopSec=60s
 # Make /usr, /boot, /etc and possibly some more folders read-only...
 ProtectSystem=full
--- a/advanced/bash-completion/pihole
+++ b/advanced/bash-completion/pihole
@@ -7,7 +7,7 @@ _pihole() {
    case "${prev}" in
        "pihole")
-            opts="allow allow-regex allow-wild deny checkout debug disable enable flush help logging query reconfigure regex reloaddns reloadlists status tail uninstall updateGravity updatePihole version wildcard arpflush api"
+            opts="allow allow-regex allow-wild deny checkout debug disable enable flush help logging query repair regex reloaddns reloadlists status tail uninstall updateGravity updatePihole version wildcard arpflush api"
            COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
        ;;
        "allow"|"deny"|"wildcard"|"regex"|"allow-regex"|"allow-wild")
--- a/install/basic-install.sh
+++ b/install/basic-install.sh
--- a/install/uninstall.sh
+++ b/install/uninstall.sh
@@ -8,7 +8,18 @@
 # This file is copyright under the latest version of the EUPL.
 # Please see LICENSE file for your rights under this license.
 # shellcheck source="./advanced/Scripts/COL_TABLE"
 source "/opt/pihole/COL_TABLE"
 # shellcheck source="./advanced/Scripts/utils.sh"
 source "/opt/pihole/utils.sh"
 SKIP_INSTALL="true"
 # shellcheck source="./automated install/basic-install.sh"
 source "${PI_HOLE_FILES_DIR}/automated install/basic-install.sh"
 # stop_service() is defined in basic-install.sh
 ADMIN_INTERFACE_DIR=$(getFTLConfigValue "webserver.paths.webroot")$(getFTLConfigValue "webserver.paths.webhome")
 readonly ADMIN_INTERFACE_DIR
 while true; do
    read -rp "  ${QST} Are you sure you would like to remove ${COL_WHITE}Pi-hole${COL_NC}? [y/N] " answer
@@ -37,6 +48,7 @@ fi
 readonly PI_HOLE_FILES_DIR="/etc/.pihole"
 SKIP_INSTALL="true"
 # shellcheck source="./automated install/basic-install.sh"
 source "${PI_HOLE_FILES_DIR}/automated install/basic-install.sh"
 # package_manager_detect() sourced from basic-install.sh
@@ -53,17 +65,9 @@ removeMetaPackage() {
 }
 removePiholeFiles() {
-    # Only web directories/files that are created by Pi-hole should be removed
+    # Remove the web interface of Pi-hole
    echo -ne "  ${INFO} Removing Web Interface..."
-    ${SUDO} rm -rf /var/www/html/admin &> /dev/null
+    ${SUDO} rm -rf "${ADMIN_INTERFACE_DIR}" &> /dev/null
    # If the web directory is empty after removing these files, then the parent html directory can be removed.
    if [ -d "/var/www/html" ]; then
        if [[ ! "$(ls -A /var/www/html)" ]]; then
            ${SUDO} rm -rf /var/www/html &> /dev/null
        fi
    fi
    echo -e "${OVER}  ${TICK} Removed Web Interface"
    # Attempt to preserve backwards compatibility with older versions
@@ -94,19 +98,16 @@ removePiholeFiles() {
    echo -e "  ${TICK} Removed config files"
    # Restore Resolved
-    if [[ -e /etc/systemd/resolved.conf.orig ]]; then
+    if [[ -e /etc/systemd/resolved.conf.orig ]] || [[ -e /etc/systemd/resolved.conf.d/90-pi-hole-disable-stub-listener.conf ]]; then
-        ${SUDO} cp -p /etc/systemd/resolved.conf.orig /etc/systemd/resolved.conf
+        ${SUDO} cp -p /etc/systemd/resolved.conf.orig /etc/systemd/resolved.conf &> /dev/null || true
        ${SUDO} rm -f /etc/systemd/resolved.conf.d/90-pi-hole-disable-stub-listener.conf
        systemctl reload-or-restart systemd-resolved
    fi
    # Remove FTL
    if command -v pihole-FTL &> /dev/null; then
        echo -ne "  ${INFO} Removing pihole-FTL..."
-        if [[ -x "$(command -v systemctl)" ]]; then
+        stop_service pihole-FTL
            systemctl stop pihole-FTL
        else
            service pihole-FTL stop
        fi
        ${SUDO} rm -f /etc/systemd/system/pihole-FTL.service
        if [[ -d '/etc/systemd/system/pihole-FTL.service.d' ]]; then
            read -rp "  ${QST} FTL service override directory /etc/systemd/system/pihole-FTL.service.d detected. Do you wish to remove this from your system? [y/N] " answer
--- a/gravity.sh
+++ b/gravity.sh
@@ -1,5 +1,4 @@
 #!/usr/bin/env bash
 # shellcheck disable=SC1090
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2017 Pi-hole, LLC (https://pi-hole.net)
@@ -16,13 +15,13 @@ export LC_ALL=C
 PI_HOLE_SCRIPT_DIR="/opt/pihole"
 # Source utils.sh for GetFTLConfigValue
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
-# shellcheck disable=SC1090
+# shellcheck source=./advanced/Scripts/utils.sh
 . "${utilsfile}"
 coltable="${PI_HOLE_SCRIPT_DIR}/COL_TABLE"
-# shellcheck disable=SC1090
+# shellcheck source=./advanced/Scripts/COL_TABLE
 . "${coltable}"
-# shellcheck disable=SC1091
+# shellcheck source=./advanced/Scripts/database_migration/gravity-db.sh
 . "/etc/.pihole/advanced/Scripts/database_migration/gravity-db.sh"
 basename="pihole"
@@ -30,6 +29,9 @@ PIHOLE_COMMAND="/usr/local/bin/${basename}"
 piholeDir="/etc/${basename}"
 # Gravity aux files directory
 listsCacheDir="${piholeDir}/listsCache"
 # Legacy (pre v5.0) list file locations
 whitelistFile="${piholeDir}/whitelist.txt"
 blacklistFile="${piholeDir}/blacklist.txt"
@@ -44,6 +46,7 @@ gravityDBcopy="${piholeGitDir}/advanced/Templates/gravity_copy.sql"
 domainsExtension="domains"
 curl_connect_timeout=10
 etag_support=false
 # Check gravity temp directory
 if [ ! -d "${GRAVITY_TMPDIR}" ] || [ ! -w "${GRAVITY_TMPDIR}" ]; then
@@ -54,10 +57,12 @@ fi
 # Set this only after sourcing pihole-FTL.conf as the gravity database path may
 # have changed
 gravityDBfile="${GRAVITYDB}"
-gravityDBfile_default="/etc/pihole/gravity.db"
+gravityDBfile_default="${piholeDir}/gravity.db"
 gravityTEMPfile="${GRAVITYDB}_temp"
 gravityDIR="$(dirname -- "${gravityDBfile}")"
 gravityOLDfile="${gravityDIR}/gravity_old.db"
 gravityBCKdir="${gravityDIR}/gravity_backups"
 gravityBCKfile="${gravityBCKdir}/gravity.db"
 fix_owner_permissions() {
  # Fix ownership and permissions for the specified file
@@ -91,11 +96,21 @@ gravity_build_tree() {
  if [[ "${status}" -ne 0 ]]; then
    echo -e "\\n  ${CROSS} Unable to build gravity tree in ${gravityTEMPfile}\\n  ${output}"
    echo -e "  ${INFO} If you have a large amount of domains, make sure your Pi-hole has enough RAM available\\n"
    return 1
  fi
  echo -e "${OVER}  ${TICK} ${str}"
 }
 # Rotate gravity backup files
 rotate_gravity_backup() {
  for i in {9..1}; do
    if [ -f "${gravityBCKfile}.${i}" ]; then
      mv "${gravityBCKfile}.${i}" "${gravityBCKfile}.$((i + 1))"
    fi
  done
 }
 # Copy data from old to new database file and swap them
 gravity_swap_databases() {
  str="Swapping databases"
@@ -111,10 +126,32 @@ gravity_swap_databases() {
  oldAvail=false
  if [ "${availableBlocks}" -gt "$((gravityBlocks * 2))" ] && [ -f "${gravityDBfile}" ]; then
    oldAvail=true
-    mv "${gravityDBfile}" "${gravityOLDfile}"
+    cp -p "${gravityDBfile}" "${gravityOLDfile}"
  else
    rm "${gravityDBfile}"
  fi
  # Drop the gravity and antigravity tables + subsequent VACUUM the current
  # database for compaction
  output=$({ printf ".timeout 30000\\nDROP TABLE IF EXISTS gravity;\\nDROP TABLE IF EXISTS antigravity;\\nVACUUM;\\n" | pihole-FTL sqlite3 -ni "${gravityDBfile}"; } 2>&1)
  status="$?"
  if [[ "${status}" -ne 0 ]]; then
    echo -e "\\n  ${CROSS} Unable to clean current database for backup\\n  ${output}"
  else
    # Check if the backup directory exists
    if [ ! -d "${gravityBCKdir}" ]; then
      mkdir -p "${gravityBCKdir}" && chown pihole:pihole "${gravityBCKdir}"
    fi
    # If multiple gravityBCKfile's are present (appended with a number), rotate them
    # We keep at most 10 backups
    rotate_gravity_backup
    # Move the old database to the backup location
    mv "${gravityDBfile}" "${gravityBCKfile}.1"
  fi
  # Move the new database to the correct location
  mv "${gravityTEMPfile}" "${gravityDBfile}"
  echo -e "${OVER}  ${TICK} ${str}"
@@ -268,7 +305,7 @@ migrate_to_database() {
    fi
    # Check if gravity database needs to be updated
-    upgrade_gravityDB "${gravityDBfile}" "${piholeDir}"
+    upgrade_gravityDB "${gravityDBfile}"
    # Migrate list files to new database
    if [ -e "${adListFile}" ]; then
@@ -296,7 +333,7 @@ migrate_to_database() {
  fi
  # Check if gravity database needs to be updated
-  upgrade_gravityDB "${gravityDBfile}" "${piholeDir}"
+  upgrade_gravityDB "${gravityDBfile}"
 }
 # Determine if DNS resolution is available before proceeding
@@ -311,17 +348,72 @@ gravity_CheckDNSResolutionAvailable() {
    echo -e "  ${CROSS} DNS resolution is currently unavailable"
  fi
-  str="Waiting until DNS resolution is available..."
+  str="Waiting up to 120 seconds for DNS resolution..."
  echo -ne "  ${INFO} ${str}"
-  until getent hosts github.com &> /dev/null; do
+
-  # Append one dot for each second waiting
+ # Default DNS timeout is two seconds, plus 1 second for each dot > 120 seconds
-    str="${str}."
+  for ((i = 0; i < 40; i++)); do
-    echo -ne "  ${OVER}  ${INFO} ${str}"
+      if getent hosts github.com &> /dev/null; then
-    sleep 1
+        # If we reach this point, DNS resolution is available
        echo -e "${OVER}  ${TICK} DNS resolution is available"
        return 0
      fi
      # Append one dot for each second waiting
      echo -ne "."
      sleep 1
  done
-  # If we reach this point, DNS resolution is available
+  # DNS resolution is still unavailable after 120 seconds
-  echo -e "${OVER}  ${TICK} DNS resolution is available"
+  return 1
 }
 # Function: try_restore_backup
 # Description: Attempts to restore the previous Pi-hole gravity database from a
 #              backup file. If a backup exists, it copies the backup to the
 #              gravity database file and prepares a new gravity database. If the
 #              restoration is successful, it returns 0. Otherwise, it returns 1.
 # Returns:
 #   0 - If the backup is successfully restored.
 #   1 - If no backup is available or if the restoration fails.
 try_restore_backup () {
  local num filename timestamp
  num=$1
  filename="${gravityBCKfile}.${num}"
  # Check if a backup exists
  if [ -f "${filename}" ]; then
    echo -e "  ${INFO} Attempting to restore previous database from backup no. ${num}"
    cp "${filename}" "${gravityDBfile}"
    # If the backup was successfully copied, prepare a new gravity database from
    # it
    if [ -f "${gravityDBfile}" ]; then
      output=$({ pihole-FTL sqlite3 -ni "${gravityTEMPfile}" <<<"${copyGravity}"; } 2>&1)
      status="$?"
      # Error checking
      if [[ "${status}" -ne 0 ]]; then
        echo -e "\\n  ${CROSS} Unable to copy data from ${gravityDBfile} to ${gravityTEMPfile}\\n  ${output}"
        gravity_Cleanup "error"
      fi
      # Get the timestamp of the backup file in a human-readable format
      # Note that this timestamp will be in the server timezone, this may be
      # GMT, e.g., on a Raspberry Pi where the default timezone has never been
      # changed
      timestamp=$(date -r "${filename}" "+%Y-%m-%d %H:%M:%S %Z")
      # Add a record to the info table to indicate that the gravity database was restored
      pihole-FTL sqlite3 "${gravityTEMPfile}" "INSERT OR REPLACE INTO info (property,value) values ('gravity_restored','${timestamp}');"
      echo -e "  ${TICK} Successfully restored from backup (${gravityBCKfile}.${num} at ${timestamp})"
      return 0
    else
      echo -e "  ${CROSS} Unable to restore backup no. ${num}"
    fi
  fi
  echo -e "  ${CROSS} Backup no. ${num} not available"
  return 1
 }
 # Retrieve blocklist URLs and parse domains from adlist.list
@@ -332,33 +424,7 @@ gravity_DownloadBlocklists() {
    echo -e "  ${INFO} Storing gravity database in ${COL_BOLD}${gravityDBfile}${COL_NC}"
  fi
-  # Retrieve source URLs from gravity database
+  local url domain str compression adlist_type directory success
  # We source only enabled adlists, SQLite3 stores boolean values as 0 (false) or 1 (true)
  mapfile -t sources <<<"$(pihole-FTL sqlite3 -ni "${gravityDBfile}" "SELECT address FROM vw_adlist;" 2>/dev/null)"
  mapfile -t sourceIDs <<<"$(pihole-FTL sqlite3 -ni "${gravityDBfile}" "SELECT id FROM vw_adlist;" 2>/dev/null)"
  mapfile -t sourceTypes <<<"$(pihole-FTL sqlite3 -ni "${gravityDBfile}" "SELECT type FROM vw_adlist;" 2>/dev/null)"
  # Parse source domains from $sources
  mapfile -t sourceDomains <<<"$(
    # Logic: Split by folder/port
    awk -F '[/:]' '{
      # Remove URL protocol & optional username:password@
      gsub(/(.*:\/\/|.*:.*@)/, "", $0)
      if(length($1)>0){print $1}
      else {print "local"}
    }' <<<"$(printf '%s\n' "${sources[@]}")" 2>/dev/null
  )"
  local str="Pulling blocklist source list into range"
  echo -e "${OVER}  ${TICK} ${str}"
  if [[ -z "${sources[*]}" ]] || [[ -z "${sourceDomains[*]}" ]]; then
    echo -e "  ${INFO} No source list found, or it is empty"
    echo ""
    unset sources
  fi
  local url domain str target compression adlist_type directory
  echo ""
  # Prepare new gravity database
@@ -390,10 +456,55 @@ gravity_DownloadBlocklists() {
  if [[ "${status}" -ne 0 ]]; then
    echo -e "\\n  ${CROSS} Unable to copy data from ${gravityDBfile} to ${gravityTEMPfile}\\n  ${output}"
-    return 1
+
    # Try to attempt a backup restore
    success=false
    if [[ -d "${gravityBCKdir}" ]]; then
      for i in {1..10}; do
        if try_restore_backup "${i}"; then
          success=true
          break
        fi
      done
    fi
    # If none of the attempts worked, return 1
    if [[ "${success}" == false ]]; then
      pihole-FTL sqlite3 "${gravityTEMPfile}" "INSERT OR REPLACE INTO info (property,value) values ('gravity_restored','failed');"
      return 1
    fi
    echo -e "  ${TICK} ${str}"
  else
    echo -e "${OVER}  ${TICK} ${str}"
  fi
  # Retrieve source URLs from gravity database
  # We source only enabled adlists, SQLite3 stores boolean values as 0 (false) or 1 (true)
  mapfile -t sources <<<"$(pihole-FTL sqlite3 -ni "${gravityDBfile}" "SELECT address FROM vw_adlist;" 2>/dev/null)"
  mapfile -t sourceIDs <<<"$(pihole-FTL sqlite3 -ni "${gravityDBfile}" "SELECT id FROM vw_adlist;" 2>/dev/null)"
  mapfile -t sourceTypes <<<"$(pihole-FTL sqlite3 -ni "${gravityDBfile}" "SELECT type FROM vw_adlist;" 2>/dev/null)"
  # Parse source domains from $sources
  mapfile -t sourceDomains <<<"$(
    # Logic: Split by folder/port
    awk -F '[/:]' '{
      # Remove URL protocol & optional username:password@
      gsub(/(.*:\/\/|.*:.*@)/, "", $0)
      if(length($1)>0){print $1}
      else {print "local"}
    }' <<<"$(printf '%s\n' "${sources[@]}")" 2>/dev/null
  )"
  local str="Pulling blocklist source list into range"
  echo -e "${OVER}  ${TICK} ${str}"
  if [[ -z "${sources[*]}" ]] || [[ -z "${sourceDomains[*]}" ]]; then
    echo -e "  ${INFO} No source list found, or it is empty"
    echo ""
    unset sources
  fi
  # Use compression to reduce the amount of data that is transferred
  # between the Pi-hole and the ad list provider. Use this feature
  # only if it is supported by the locally available version of curl
@@ -404,6 +515,15 @@ gravity_DownloadBlocklists() {
    compression=""
    echo -e "  ${INFO} Libz compression not available\n"
  fi
  # Check if etag is supported by the locally available version of curl
  # (available as of curl 7.68.0, released Jan 2020)
  # https://github.com/curl/curl/pull/4543 +
  # https://github.com/curl/curl/pull/4678
  if curl --help all | grep -q "etag-save"; then
    etag_support=true
  fi
  # Loop through $sources and download each one
  for ((i = 0; i < "${#sources[@]}"; i++)); do
    url="${sources[$i]}"
@@ -420,8 +540,8 @@ gravity_DownloadBlocklists() {
    fi
    # Save the file as list.#.domain
-    saveLocation="${piholeDir}/list.${id}.${domain}.${domainsExtension}"
+    saveLocation="${listsCacheDir}/list.${id}.${domain}.${domainsExtension}"
-    activeDomains[$i]="${saveLocation}"
+    activeDomains[i]="${saveLocation}"
    # Check if we can write to the save location file without actually creating
    # it (in case it doesn't exist)
@@ -453,12 +573,12 @@ gravity_DownloadBlocklists() {
    if [[ "${check_url}" =~ ${regex} ]]; then
      echo -e "  ${CROSS} Invalid Target"
    else
-      timeit gravity_DownloadBlocklistFromUrl "${url}" "${sourceIDs[$i]}" "${saveLocation}" "${target}" "${compression}" "${adlist_type}" "${domain}"
+      timeit gravity_DownloadBlocklistFromUrl "${url}" "${sourceIDs[$i]}" "${saveLocation}" "${compression}" "${adlist_type}" "${domain}"
    fi
    echo ""
  done
-  gravity_Blackbody=true
+  DownloadBlocklists_done=true
 }
 compareLists() {
@@ -487,8 +607,8 @@ compareLists() {
 # Download specified URL and perform checks on HTTP status and file content
 gravity_DownloadBlocklistFromUrl() {
-  local url="${1}" adlistID="${2}" saveLocation="${3}" target="${4}" compression="${5}" gravity_type="${6}" domain="${7}"
+  local url="${1}" adlistID="${2}" saveLocation="${3}" compression="${4}" gravity_type="${5}" domain="${6}"
-  local heisenbergCompensator="" listCurlBuffer str httpCode success="" ip cmd_ext
+  local modifiedOptions="" listCurlBuffer str httpCode success="" ip cmd_ext
  local file_path permissions ip_addr port blocked=false download=true
  # Create temp file to store content on disk instead of RAM
@@ -497,43 +617,42 @@ gravity_DownloadBlocklistFromUrl() {
  mv "${listCurlBuffer}" "${listCurlBuffer%.*}.phgpb"
  listCurlBuffer="${listCurlBuffer%.*}.phgpb"
-  # Determine if $saveLocation has read permission
+  # For all remote files, we try to determine if the file has changed to skip
-  if [[ -r "${saveLocation}" && $url != "file"* ]]; then
+  # downloading them whenever possible.
-    # Have curl determine if a remote file has been modified since last retrieval
+  if [[ $url != "file"* ]]; then
-    # Uses "Last-Modified" header, which certain web servers do not provide (e.g: raw github urls)
+    # Use the HTTP ETag header to determine if the file has changed if supported
-    # Note: Don't do this for local files, always download them
+    # by curl. Using ETags is supported by raw.githubusercontent.com URLs.
-    heisenbergCompensator="-z ${saveLocation}"
+    if [[ "${etag_support}" == true ]]; then
      # Save HTTP ETag to the specified file. An ETag is a caching related header,
      # usually returned in a response. If no ETag is sent by the server, an empty
      # file is created and can later be used consistently.
      modifiedOptions="--etag-save ${saveLocation}.etag"
      if [[ -f "${saveLocation}.etag" ]]; then
        # This option makes a conditional HTTP request for the specific ETag read
        # from the given file by sending a custom If-None-Match header using the
        # stored ETag. This way, the server will only send the file if it has
        # changed since the last request.
        modifiedOptions="${modifiedOptions} --etag-compare ${saveLocation}.etag"
      fi
    fi
    # Add If-Modified-Since header to the request if we did already download the
    # file once
    if [[ -f "${saveLocation}" ]]; then
      # Request a file that has been modified later than the given time and
      # date. We provide a file here which makes curl use the modification
      # timestamp (mtime) of this file.
      # Interstingly, this option is not supported by raw.githubusercontent.com
      # URLs, however, it is still supported by many older web servers which may
      # not support the HTTP ETag method so we keep it as a fallback.
      modifiedOptions="${modifiedOptions} -z ${saveLocation}"
    fi
  fi
  str="Status:"
  echo -ne "  ${INFO} ${str} Pending..."
  blocked=false
  case $(getFTLConfigValue dns.blocking.mode) in
  "IP-NODATA-AAAA" | "IP")
    # Get IP address of this domain
    ip="$(dig "${domain}" +short)"
    # Check if this IP matches any IP of the system
    if [[ -n "${ip}" && $(grep -Ec "inet(|6) ${ip}" <<<"$(ip a)") -gt 0 ]]; then
      blocked=true
    fi
    ;;
  "NXDOMAIN")
    if [[ $(dig "${domain}" | grep "NXDOMAIN" -c) -ge 1 ]]; then
      blocked=true
    fi
    ;;
  "NODATA")
    if [[ $(dig "${domain}" | grep "NOERROR" -c) -ge 1 ]] && [[ -z $(dig +short "${domain}") ]]; then
      blocked=true
    fi
    ;;
  "NULL" | *)
    if [[ $(dig "${domain}" +short | grep "0.0.0.0" -c) -ge 1 ]]; then
      blocked=true
    fi
    ;;
  esac
  # Check if this domain is blocked by Pi-hole but only if the domain is not a
  # local file or empty
  if [[ $url != "file"* ]] && [[ -n "${domain}" ]]; then
@@ -631,8 +750,9 @@ gravity_DownloadBlocklistFromUrl() {
  fi
  if [[ "${download}" == true ]]; then
    # See https://github.com/pi-hole/pi-hole/issues/6159 for justification of the below disable directive
    # shellcheck disable=SC2086
-    httpCode=$(curl --connect-timeout ${curl_connect_timeout} -s -L ${compression} ${cmd_ext} ${heisenbergCompensator} -w "%{http_code}" "${url}" -o "${listCurlBuffer}" 2>/dev/null)
+    httpCode=$(curl --connect-timeout ${curl_connect_timeout} -s -L ${compression} ${cmd_ext} ${modifiedOptions} -w "%{http_code}" "${url}" -o "${listCurlBuffer}" 2>/dev/null)
  fi
  case $url in
@@ -675,20 +795,21 @@ gravity_DownloadBlocklistFromUrl() {
  # Determine if the blocklist was downloaded and saved correctly
  if [[ "${success}" == true ]]; then
    if [[ "${httpCode}" == "304" ]]; then
      # Set list status to "unchanged/cached"
      database_adlist_status "${adlistID}" "2"
      # Add domains to database table file
      pihole-FTL "${gravity_type}" parseList "${saveLocation}" "${gravityTEMPfile}" "${adlistID}"
      database_adlist_status "${adlistID}" "2"
      done="true"
    # Check if $listCurlBuffer is a non-zero length file
    elif [[ -s "${listCurlBuffer}" ]]; then
-      # Determine if blocklist is non-standard and parse as appropriate
+      # Move the downloaded list to the final location
-      gravity_ParseFileIntoDomains "${listCurlBuffer}" "${saveLocation}"
+      mv "${listCurlBuffer}" "${saveLocation}"
-      # Remove curl buffer file after its use
+      # Ensure the file has the correct permissions
-      rm "${listCurlBuffer}"
+      fix_owner_permissions "${saveLocation}"
      # Compare lists if they are identical
      compareLists "${adlistID}" "${saveLocation}"
      # Add domains to database table file
      pihole-FTL "${gravity_type}" parseList "${saveLocation}" "${gravityTEMPfile}" "${adlistID}"
      # Compare lists, are they identical?
      compareLists "${adlistID}" "${saveLocation}"
      done="true"
    else
      # Fall back to previously cached list if $listCurlBuffer is empty
@@ -701,9 +822,10 @@ gravity_DownloadBlocklistFromUrl() {
    # Determine if cached list has read permission
    if [[ -r "${saveLocation}" ]]; then
      echo -e "  ${CROSS} List download failed: ${COL_LIGHT_GREEN}using previously cached list${COL_NC}"
      # Set list status to "download-failed/cached"
      database_adlist_status "${adlistID}" "3"
      # Add domains to database table file
      pihole-FTL "${gravity_type}" parseList "${saveLocation}" "${gravityTEMPfile}" "${adlistID}"
      database_adlist_status "${adlistID}" "3"
    else
      echo -e "  ${CROSS} List download failed: ${COL_LIGHT_RED}no cached list available${COL_NC}"
      # Manually reset these two numbers because we do not call parseList here
@@ -713,37 +835,6 @@ gravity_DownloadBlocklistFromUrl() {
  fi
 }
 # Parse source files into domains format
 gravity_ParseFileIntoDomains() {
  local src="${1}" destination="${2}"
  # Remove comments and print only the domain name
  # Most of the lists downloaded are already in hosts file format but the spacing/formatting is not contiguous
  # This helps with that and makes it easier to read
  # It also helps with debugging so each stage of the script can be researched more in depth
  # 1) Convert all characters to lowercase
  tr '[:upper:]' '[:lower:]' <"${src}" >"${destination}"
  # 2) Remove carriage returns
  # 3) Remove lines starting with ! (ABP Comments)
  # 4) Remove lines starting with [ (ABP Header)
  # 5) Remove lines containing ABP extended CSS selectors ("##", "#$#", "#@#", "#?#") and Adguard JavaScript (#%#) preceded by a letter
  # 6) Remove comments (text starting with "#", include possible spaces before the hash sign)
  # 7) Remove leading tabs, spaces, etc. (Also removes leading IP addresses)
  # 8) Remove empty lines
  sed -i -r \
    -e 's/\r$//' \
    -e 's/\s*!.*//g' \
    -e 's/\s*\[.*//g' \
    -e '/[a-z]\#[$?@%]{0,3}\#/d' \
    -e 's/\s*#.*//g' \
    -e 's/^.*\s+//g' \
    -e '/^$/d' "${destination}"
  fix_owner_permissions "${destination}"
 }
 # Report number of entries in a table
 gravity_Table_Count() {
  local table="${1}"
@@ -764,11 +855,11 @@ gravity_Table_Count() {
 gravity_ShowCount() {
  # Here we use the table "gravity" instead of the view "vw_gravity" for speed.
  # It's safe to replace it here, because right after a gravity run both will show the exactly same number of domains.
-  gravity_Table_Count "gravity" "gravity domains" ""
+  gravity_Table_Count "gravity" "gravity domains"
-  gravity_Table_Count "vw_blacklist" "exact denied domains"
+  gravity_Table_Count "domainlist WHERE type = 1 AND enabled = 1" "exact denied domains"
-  gravity_Table_Count "vw_regex_blacklist" "regex denied filters"
+  gravity_Table_Count "domainlist WHERE type = 3 AND enabled = 1" "regex denied filters"
-  gravity_Table_Count "vw_whitelist" "exact allowed domains"
+  gravity_Table_Count "domainlist WHERE type = 0 AND enabled = 1" "exact allowed domains"
-  gravity_Table_Count "vw_regex_whitelist" "regex allowed filters"
+  gravity_Table_Count "domainlist WHERE type = 2 AND enabled = 1" "regex allowed filters"
 }
 # Trap Ctrl-C
@@ -791,13 +882,13 @@ gravity_Cleanup() {
  # invalid_domains location
  rm "${GRAVITY_TMPDIR}"/*.ph-non-domains 2>/dev/null
-  # Ensure this function only runs when gravity_SetDownloadOptions() has completed
+  # Ensure this function only runs when gravity_DownloadBlocklists() has completed
-  if [[ "${gravity_Blackbody:-}" == true ]]; then
+  if [[ "${DownloadBlocklists_done:-}" == true ]]; then
-    # Remove any unused .domains files
+    # Remove any unused .domains/.etag/.sha files
-    for file in "${piholeDir}"/*."${domainsExtension}"; do
+    for file in "${listsCacheDir}"/*."${domainsExtension}"; do
-      # If list is not in active array, then remove it
+      # If list is not in active array, then remove it and all associated files
      if [[ ! "${activeDomains[*]}" == *"${file}"* ]]; then
-        rm -f "${file}" 2>/dev/null ||
+        rm -f "${file}"* 2>/dev/null ||
          echo -e "  ${CROSS} Failed to remove ${file##*/}"
      fi
    done
@@ -917,11 +1008,33 @@ timeit(){
  elapsed_time=$((end_time - start_time))
  # Display the elapsed time
-  printf "  %b--> took %d.%03d seconds%b\n" ${COL_BLUE} $((elapsed_time / 1000)) $((elapsed_time % 1000)) ${COL_NC}
+  printf "  %b--> took %d.%03d seconds%b\n" "${COL_BLUE}" $((elapsed_time / 1000)) $((elapsed_time % 1000)) "${COL_NC}"
  return $ret
 }
 migrate_to_listsCache_dir() {
  # If the ${listsCacheDir} directory already exists, this has been done before
  if [[ -d "${listsCacheDir}" ]]; then
    return
  fi
  # If not, we need to migrate the old files to the new directory
  local str="Migrating the list's cache directory to new location"
  echo -ne "  ${INFO} ${str}..."
  mkdir -p "${listsCacheDir}" && chown pihole:pihole "${listsCacheDir}"
  # Move the old files to the new directory
  if mv "${piholeDir}"/list.* "${listsCacheDir}/" 2>/dev/null; then
    echo -e "${OVER}  ${TICK} ${str}"
  else
    echo -e "${OVER}  ${CROSS} ${str}"
  fi
  # Update the list's paths in the corresponding .sha1 files to the new location
  sed -i "s|${piholeDir}/|${listsCacheDir}/|g" "${listsCacheDir}"/*.sha1 2>/dev/null
 }
 helpFunc() {
  echo "Usage: pihole -g
 Update domains from blocklists specified in adlists.list
@@ -968,13 +1081,19 @@ for var in "$@"; do
  "-t" | "--timeit") timed=true ;;
  "-r" | "--repair") repairSelector "$3" ;;
  "-u" | "--upgrade")
-    upgrade_gravityDB "${gravityDBfile}" "${piholeDir}"
+    upgrade_gravityDB "${gravityDBfile}"
    exit 0
    ;;
  "-h" | "--help") helpFunc ;;
  esac
 done
 # Check if DNS is available, no need to do any database manipulation if we're not able to download adlists
 if ! timeit gravity_CheckDNSResolutionAvailable; then
  echo -e "   ${CROSS} No DNS resolution available. Please contact support."
  exit 1
 fi
 # Remove OLD (backup) gravity file, if it exists
 if [[ -f "${gravityOLDfile}" ]]; then
  rm "${gravityOLDfile}"
@@ -997,6 +1116,9 @@ if [[ "${recover_database:-}" == true ]]; then
  timeit database_recovery "$4"
 fi
 # Migrate scattered list files to the new cache directory
 migrate_to_listsCache_dir
 # Move possibly existing legacy files to the gravity database
 if ! timeit migrate_to_database; then
  echo -e "   ${CROSS} Unable to migrate to database. Please contact support."
@@ -1007,16 +1129,11 @@ if [[ "${forceDelete:-}" == true ]]; then
  str="Deleting existing list cache"
  echo -ne "${INFO} ${str}..."
-  rm /etc/pihole/list.* 2>/dev/null || true
+  rm "${listsCacheDir}/list.*" 2>/dev/null || true
  echo -e "${OVER}  ${TICK} ${str}"
 fi
 # Gravity downloads blocklists next
 if ! timeit gravity_CheckDNSResolutionAvailable; then
  echo -e "   ${CROSS} Can not complete gravity update, no DNS is available. Please contact support."
  exit 1
 fi
 if ! gravity_DownloadBlocklists; then
  echo -e "   ${CROSS} Unable to create gravity database. Please try again later. If the problem persists, please contact support."
  exit 1
--- a/manpages/pihole.8
+++ b/manpages/pihole.8
@@ -23,7 +23,7 @@ pihole -r
 .br
 \fBpihole -g\fR
 .br
-\fBpihole\fR -\fBq\fR [options]
+\fBpihole\fR \fB-q\fR [options]
 .br
 \fBpihole\fR \fB-l\fR (\fBon|off|off noflush\fR)
 .br
@@ -43,7 +43,7 @@ pihole -r
 .br
 \fBpihole\fR \fBcheckout\fR repo [branch]
 .br
-\fBpihole\fR \api\fR endpoint
+\fBpihole\fR \fBapi\fR [verbose] endpoint
 .br
 \fBpihole\fR \fBhelp\fR
 .br
@@ -234,10 +234,14 @@ Available commands and options:
      branchname        Update subsystems to the specified branchname
 .br
-\fBapi\fR endpoint
+\fBapi\fR [verbose] endpoint
 .br
    Query the Pi-hole API at <endpoint>
 .br
      verbose           Show authentication and status messages
 .br
 .SH "EXAMPLE"
 Some usage examples
@@ -323,6 +327,11 @@ Switching Pi-hole subsystem branches
    Queries FTL for the stats/summary endpoint
 .br
 \fBpihole api verbose stats/summary\fR
 .br
    Same as above, but shows authentication and status messages
 .br
 .SH "COLOPHON"
 Get sucked into the latest news and community activity by entering Pi-hole's orbit. Information about Pi-hole, and the latest version of the software can be found at https://pi-hole.net.
--- a/41
+++ b/41
@@ -17,13 +17,16 @@ readonly PI_HOLE_SCRIPT_DIR="/opt/pihole"
 PI_HOLE_BIN_DIR="/usr/local/bin"
 readonly colfile="${PI_HOLE_SCRIPT_DIR}/COL_TABLE"
 # shellcheck source=./advanced/Scripts/COL_TABLE
 source "${colfile}"
 readonly utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
 # shellcheck source=./advanced/Scripts/utils.sh
 source "${utilsfile}"
 # Source api functions
 readonly apifile="${PI_HOLE_SCRIPT_DIR}/api.sh"
 # shellcheck source=./advanced/Scripts/api.sh
 source "${apifile}"
 versionsfile="/etc/pihole/versions"
@@ -31,6 +34,7 @@ if [ -f "${versionsfile}" ]; then
    # Only source versionsfile if the file exits
    # fixes a warning during installation where versionsfile does not exist yet
    # but gravity calls `pihole -status` and thereby sourcing the file
    # shellcheck source=/dev/null
    source "${versionsfile}"
 fi
@@ -73,19 +77,17 @@ listFunc() {
 debugFunc() {
    local automated
    local web
    local check_database_integrity
    # Pull off the `debug` leaving passed call augmentation flags in $1
    shift
    for value in "$@"; do
        [[ "$value"  == *"-a"* ]] && automated="true"
        [[ "$value"  == *"-w"* ]] && web="true"
        [[ "$value"  == *"-c"* ]] && check_database_integrity="true"
        [[ "$value" == *"--check_database"* ]] && check_database_integrity="true"
    done
-  AUTOMATED=${automated:-} WEBCALL=${web:-} CHECK_DATABASE=${check_database_integrity:-} "${PI_HOLE_SCRIPT_DIR}"/piholeDebug.sh
+  AUTOMATED=${automated:-} CHECK_DATABASE=${check_database_integrity:-} "${PI_HOLE_SCRIPT_DIR}"/piholeDebug.sh
  exit 0
 }
@@ -109,11 +111,11 @@ updatePiholeFunc() {
  fi
 }
-reconfigurePiholeFunc() {
+repairPiholeFunc() {
  if [ -n "${DOCKER_VERSION}" ]; then
    unsupportedFunc
  else
-    /etc/.pihole/automated\ install/basic-install.sh --reconfigure
+    /etc/.pihole/automated\ install/basic-install.sh --repair
    exit 0;
  fi
 }
@@ -249,12 +251,14 @@ Time:
  data=$(PostFTLData "dns/blocking" "{ \"blocking\": ${1}, \"timer\": ${tt} }")
  # Check the response
-  local extra=" forever"
+  local extra timer
-  local timer="$(echo "${data}"| jq --raw-output '.timer' )"
+  extra=" forever"
  timer="$(echo "${data}"| jq --raw-output '.timer' )"
  if [[ "${timer}" != "null" ]]; then
    extra=" for ${timer}s"
  fi
-  local str="Pi-hole $(echo "${data}" | jq --raw-output '.blocking')${extra}"
+  local str
  str="Pi-hole $(echo "${data}" | jq --raw-output '.blocking')${extra}"
  # Logout from the API
  LogoutAPI
@@ -377,14 +381,16 @@ statusFunc() {
 tailFunc() {
  # Warn user if Pi-hole's logging is disabled
-  local logging_enabled=$(getFTLConfigValue dns.queryLogging)
+  local logging_enabled
  logging_enabled=$(getFTLConfigValue dns.queryLogging)
  if [[ "${logging_enabled}" != "true" ]]; then
    echo "  ${CROSS} Warning: Query logging is disabled"
  fi
  echo -e "  ${INFO} Press Ctrl-C to exit"
  # Get logfile path
-  readonly LOGFILE=$(getFTLConfigValue files.log.dnsmasq)
+  readonly LOGFILE
  LOGFILE=$(getFTLConfigValue files.log.dnsmasq)
  # Strip date from each line
  # Color blocklist/denylist/wildcard entries as red
@@ -400,7 +406,10 @@ tailFunc() {
 piholeCheckoutFunc() {
  if [ -n "${DOCKER_VERSION}" ]; then
-    unsupportedFunc
+    echo -e "${CROSS} Function not supported in Docker images"
    echo "Please build a custom image following the steps at"
    echo "https://github.com/pi-hole/docker-pi-hole?tab=readme-ov-file#building-the-image-locally"
    exit 0
  else
    if [[ "$2" == "-h" ]] || [[ "$2" == "--help" ]]; then
      echo "Switch Pi-hole subsystems to a different GitHub branch
@@ -422,6 +431,7 @@ piholeCheckoutFunc() {
      exit 0
    fi
    #shellcheck source=./advanced/Scripts/piholeCheckout.sh
    source "${PI_HOLE_SCRIPT_DIR}"/piholeCheckout.sh
    shift
    checkout "$@"
@@ -478,11 +488,12 @@ Debugging Options:
                        Add '-c' or '--check-database' to include a Pi-hole database integrity check
                        Add '-a' to automatically upload the log to tricorder.pi-hole.net
  -f, flush           Flush the Pi-hole log
-  -r, reconfigure     Reconfigure or Repair Pi-hole subsystems
+  -r, repair          Repair Pi-hole subsystems
  -t, tail [arg]      View the live output of the Pi-hole log.
                      Add an optional argument to filter the log
                      (regular expressions are supported)
  api <endpoint>      Query the Pi-hole API at <endpoint>
                        Precede <endpoint> with 'verbose' option to show authentication and status messages
 Options:
@@ -535,7 +546,7 @@ case "${1}" in
  "--allow-wild" | "allow-wild"   ) need_root=0;;
  "-f" | "flush"                  ) ;;
  "-up" | "updatePihole"          ) ;;
-  "-r"  | "reconfigure"           ) ;;
+  "-r"  | "repair"                ) ;;
  "-l" | "logging"                ) ;;
  "uninstall"                     ) ;;
  "enable"                        ) need_root=0;;
@@ -578,7 +589,7 @@ case "${1}" in
  "-d" | "debug"                  ) debugFunc "$@";;
  "-f" | "flush"                  ) flushFunc "$@";;
  "-up" | "updatePihole"          ) updatePiholeFunc "$@";;
-  "-r"  | "reconfigure"           ) reconfigurePiholeFunc;;
+  "-r"  | "repair"                ) repairPiholeFunc;;
  "-g" | "updateGravity"          ) updateGravityFunc "$@";;
  "-l" | "logging"                ) piholeLogging "$@";;
  "uninstall"                     ) uninstallFunc;;
@@ -591,6 +602,6 @@ case "${1}" in
  "updatechecker"                 ) shift; updateCheckFunc "$@";;
  "arpflush"                      ) arpFunc "$@";;
  "-t" | "tail"                   ) tailFunc "$2";;
-  "api"                           ) apiFunc "$2";;
+  "api"                           ) shift; apiFunc "$@";;
  *                               ) helpFunc;;
 esac
--- a/test/_centos_10.Dockerfile
+++ b/test/_centos_10.Dockerfile
@@ -0,0 +1,19 @@
 FROM quay.io/centos/centos:stream10
 # Disable SELinux
 RUN echo "SELINUX=disabled" > /etc/selinux/config
 RUN yum install -y --allowerasing curl git
 ENV GITDIR=/etc/.pihole
 ENV SCRIPTDIR=/opt/pihole
 RUN mkdir -p $GITDIR $SCRIPTDIR /etc/pihole
 ADD . $GITDIR
 RUN cp $GITDIR/advanced/Scripts/*.sh $GITDIR/gravity.sh $GITDIR/pihole $GITDIR/automated\ install/*.sh $GITDIR/advanced/Scripts/COL_TABLE $SCRIPTDIR/
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$SCRIPTDIR
 RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_centos_9.Dockerfile
+++ b/test/_centos_9.Dockerfile
@@ -1,7 +1,7 @@
 FROM quay.io/centos/centos:stream9
 # Disable SELinux
 RUN echo "SELINUX=disabled" > /etc/selinux/config
-RUN yum install -y --allowerasing curl git initscripts
+RUN yum install -y --allowerasing curl git
 ENV GITDIR=/etc/.pihole
 ENV SCRIPTDIR=/opt/pihole
@@ -15,6 +15,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_debian_11.Dockerfile
+++ b/test/_debian_11.Dockerfile
@@ -12,6 +12,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_debian_12.Dockerfile
+++ b/test/_debian_12.Dockerfile
@@ -12,6 +12,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_fedora_40.Dockerfile
+++ b/test/_fedora_40.Dockerfile
@@ -1,5 +1,5 @@
 FROM fedora:40
-RUN dnf install -y git initscripts
+RUN dnf install -y git
 ENV GITDIR=/etc/.pihole
 ENV SCRIPTDIR=/opt/pihole
@@ -13,6 +13,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_fedora_41.Dockerfile
+++ b/test/_fedora_41.Dockerfile
@@ -1,5 +1,5 @@
 FROM fedora:41
-RUN dnf install -y git initscripts
+RUN dnf install -y git
 ENV GITDIR=/etc/.pihole
 ENV SCRIPTDIR=/opt/pihole
@@ -13,6 +13,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_fedora_42.Dockerfile
+++ b/test/_fedora_42.Dockerfile
@@ -1,4 +1,5 @@
-FROM buildpack-deps:lunar-scm
+FROM fedora:42
 RUN dnf install -y git gawk
 ENV GITDIR=/etc/.pihole
 ENV SCRIPTDIR=/opt/pihole
@@ -7,12 +8,10 @@ RUN mkdir -p $GITDIR $SCRIPTDIR /etc/pihole
 ADD . $GITDIR
 RUN cp $GITDIR/advanced/Scripts/*.sh $GITDIR/gravity.sh $GITDIR/pihole $GITDIR/automated\ install/*.sh $GITDIR/advanced/Scripts/COL_TABLE $SCRIPTDIR/
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$SCRIPTDIR
 ENV DEBIAN_FRONTEND=noninteractive
 RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_ubuntu_20.Dockerfile
+++ b/test/_ubuntu_20.Dockerfile
@@ -12,6 +12,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_ubuntu_22.Dockerfile
+++ b/test/_ubuntu_22.Dockerfile
@@ -13,6 +13,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_ubuntu_24.Dockerfile
+++ b/test/_ubuntu_24.Dockerfile
@@ -13,6 +13,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/requirements.txt
+++ b/test/requirements.txt
@@ -1,6 +1,6 @@
 pyyaml == 6.0.2
-pytest == 8.3.4
+pytest == 8.3.5
 pytest-xdist == 3.6.1
-pytest-testinfra == 10.1.1
+pytest-testinfra == 10.2.2
-tox == 4.23.2
+tox == 4.26.0
 pytest-clarity == 1.0.1
--- a/test/test_any_automated_install.py
+++ b/test/test_any_automated_install.py
@@ -66,6 +66,14 @@ def test_installPihole_fresh_install_readableFiles(host):
    mock_command("dialog", {"*": ("", "0")}, host)
    # mock git pull
    mock_command_passthrough("git", {"pull": ("", "0")}, host)
    # mock PID 1 to pretend to be systemd
    mock_command_2(
        "ps",
        {
            "--pid 1": ("systemd", "0"),
        },
        host,
    )
    # mock systemctl to not start FTL
    mock_command_2(
        "systemctl",
@@ -73,6 +81,7 @@ def test_installPihole_fresh_install_readableFiles(host):
            "enable pihole-FTL": ("", "0"),
            "restart pihole-FTL": ("", "0"),
            "start pihole-FTL": ("", "0"),
            "stop pihole-FTL": ("", "0"),
            "*": ('echo "systemctl call with $@"', "0"),
        },
        host,
@@ -89,10 +98,10 @@ def test_installPihole_fresh_install_readableFiles(host):
    export DEBIAN_FRONTEND=noninteractive
    umask 0027
    runUnattended=true
-    useUpdateVars=true
+    fresh_install=false
    source /opt/pihole/basic-install.sh > /dev/null
    runUnattended=true
-    useUpdateVars=true
+    fresh_install=false
    main
    /opt/pihole/pihole-FTL-prestart.sh
    """
@@ -119,11 +128,6 @@ def test_installPihole_fresh_install_readableFiles(host):
    assert exit_status_success == actual_rc
    check_leases = test_cmd.format("w", "/etc/pihole/dhcp.leases", piholeuser)
    actual_rc = host.run(check_leases).rc
    # readable dns-servers.conf
    assert exit_status_success == actual_rc
    check_servers = test_cmd.format("r", "/etc/pihole/dns-servers.conf", piholeuser)
    actual_rc = host.run(check_servers).rc
    assert exit_status_success == actual_rc
    # readable install.log
    check_install = test_cmd.format("r", "/etc/pihole/install.log", piholeuser)
    actual_rc = host.run(check_install).rc
@@ -132,21 +136,10 @@ def test_installPihole_fresh_install_readableFiles(host):
    check_localversion = test_cmd.format("r", "/etc/pihole/versions", piholeuser)
    actual_rc = host.run(check_localversion).rc
    assert exit_status_success == actual_rc
    # readable logrotate
    check_logrotate = test_cmd.format("r", "/etc/pihole/logrotate", piholeuser)
    actual_rc = host.run(check_logrotate).rc
    assert exit_status_success == actual_rc
    # readable macvendor.db
    check_macvendor = test_cmd.format("r", "/etc/pihole/macvendor.db", piholeuser)
    actual_rc = host.run(check_macvendor).rc
    assert exit_status_success == actual_rc
    # check readable and executable /etc/init.d/pihole-FTL
    check_init = test_cmd.format("x", "/etc/init.d/pihole-FTL", piholeuser)
    actual_rc = host.run(check_init).rc
    assert exit_status_success == actual_rc
    check_init = test_cmd.format("r", "/etc/init.d/pihole-FTL", piholeuser)
    actual_rc = host.run(check_init).rc
    assert exit_status_success == actual_rc
    # check readable and executable manpages
    if maninstalled is True:
        check_man = test_cmd.format("x", "/usr/local/share/man", piholeuser)
@@ -254,6 +247,7 @@ def test_FTL_detect_no_errors(host, arch, detected_string, supported):
        {
            "-A /bin/sh": ("Tag_CPU_arch: " + arch, "0"),
            "-A /usr/bin/sh": ("Tag_CPU_arch: " + arch, "0"),
            "-A /usr/sbin/sh": ("Tag_CPU_arch: " + arch, "0"),
        },
        host,
    )
@@ -474,50 +468,6 @@ def test_validate_ip(host):
    test_address("0.0.0.0#00001", False)
 def test_os_check_fails(host):
    """Confirms install fails on unsupported OS"""
    host.run(
        """
    source /opt/pihole/basic-install.sh
    package_manager_detect
    build_dependency_package
    install_dependent_packages
    cat <<EOT > /etc/os-release
 ID=UnsupportedOS
 VERSION_ID="2"
 EOT
    """
    )
    detectOS = host.run(
        """t
    source /opt/pihole/basic-install.sh
    os_check
    """
    )
    expected_stdout = "Unsupported OS detected: UnsupportedOS"
    assert expected_stdout in detectOS.stdout
 def test_os_check_passes(host):
    """Confirms OS meets the requirements"""
    host.run(
        """
    source /opt/pihole/basic-install.sh
    package_manager_detect
    build_dependency_package
    install_dependent_packages
    """
    )
    detectOS = host.run(
        """
    source /opt/pihole/basic-install.sh
    os_check
    """
    )
    expected_stdout = "Supported OS detected"
    assert expected_stdout in detectOS.stdout
 def test_package_manager_has_pihole_deps(host):
    """Confirms OS is able to install the required packages for Pi-hole"""
    mock_command("dialog", {"*": ("", "0")}, host)
--- a/test/tox.centos_10.ini
+++ b/test/tox.centos_10.ini
@@ -0,0 +1,10 @@
 [tox]
 envlist = py3
 [testenv:py3]
 allowlist_externals = docker
 deps = -rrequirements.txt
 setenv =
    COLUMNS=120
 commands = docker buildx build --load --progress plain -f _centos_10.Dockerfile -t pytest_pihole:test_container ../
           pytest {posargs:-vv -n auto} ./test_any_automated_install.py ./test_any_utils.py ./test_centos_fedora_common_support.py
--- a/test/tox.fedora_42.ini
+++ b/test/tox.fedora_42.ini
@@ -0,0 +1,10 @@
 [tox]
 envlist = py3
 [testenv]
 allowlist_externals = docker
 deps = -rrequirements.txt
 setenv =
    COLUMNS=120
 commands = docker buildx build --load --progress plain -f _fedora_42.Dockerfile -t pytest_pihole:test_container ../
           pytest {posargs:-vv -n auto} ./test_any_automated_install.py ./test_any_utils.py ./test_centos_fedora_common_support.py
		`@@ -0,0 +1,2 @@`
							`external-sources=true # allow shellcheck to read external sources`
							`disable=SC3043 #disable SC3043: In POSIX sh, local is undefined.`