From 3b5434eb1de25d27492c28da6b32a1cb191397e8 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Tue, 7 May 2024 19:29:05 +0300
Subject: [PATCH] etc: add traditional-resolv.conf-generate.bash which takes three arguments and has no trust-ad
---
 etc/traditional-resolv.conf-generate.bash | 37 +++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100755 etc/traditional-resolv.conf-generate.bash
diff --git a/etc/traditional-resolv.conf-generate.bash b/etc/traditional-resolv.conf-generate.bash
new file mode 100755
index 00000000..35cec6d6
--- /dev/null
+++ b/etc/traditional-resolv.conf-generate.bash
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -x
+
+# Require root or exit
+if [ "$(id -u)" != "0" ]; then
+ echo "This script requires root. (And the 3 nameserver IPs as arguments)" 1>&2
+ exit 1
+fi
+
+# Three arguments or quit.
+if [ $# -ne 3 ]; then
+ echo "This script requires three arguments that will be passed as nameservers."
+ exit 1
+fi
+
+# In case I am behind the /etc/resolv.conf, it's immutable and read-only,
+# which won't allow it to be rewritten.
+chattr -V -i /etc/resolv.conf
+chmod -v +w /etc/resolv.conf
+# Or it's a symlink to e.g. /run/systemd/resolve/stub-resolv.conf
+rm -v /etc/resolv.conf
+
+# No trust-ad here as chances are these resolvers are unencrypted and the
+# path to them isn't trusted.
+# tee -p = operate in a more appropriate MODE with pipes.
+printf "nameserver %b\nnameserver %b\nnameserver %b\nsearch .\noptions timeout:2 attempts:2 rotate edns0\n" "$1" "$2" "$3" | tee -p /etc/resolv.conf
+
+# Remove all other permissions than everyone reading resolv.conf
+chmod -v a=r /etc/resolv.conf
+# Make resolv.conf immutable again so it's pretty sure nothing else edits it.
+chattr -V +i /etc/resolv.conf
+
+# Let's just see it's ok
+ls -l /etc/resolv.conf
+cat /etc/resolv.conf
+
+set +x
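Review bot: The three nameserver arguments reach the `printf` line unvalidated, and `%b` interprets backslash escapes, so an argument containing an escape sequence such as `\n` is written out as additional resolv.conf lines instead of being rejected; use `%s` in the format string and check the arguments before the `rm`, e.g. `for ns in "$@"; do [[ "$ns" =~ ^[0-9A-Fa-f.:]+$ ]] || { echo "not an IP address: $ns" >&2; exit 1; }; done` (a loose IPv4/IPv6 character check, tighten as needed). The usage message after `if [ $# -ne 3 ]` goes to stdout while the root check writes to stderr; `echo "This script requires three arguments that will be passed as nameservers." 1>&2` keeps diagnostics consistent. Because only `set -x` is enabled and there is no `set -e`, a failing `rm -v` or a failing `tee -p` does not stop the script, which then runs `chmod -v a=r` and `chattr -V +i` on whatever is at /etc/resolv.conf; a blanket `set -e` would also abort on the expected `chattr -V -i` failure in the symlink case described in the comment, so targeted guards like `rm -v /etc/resolv.conf || exit 1` on the `rm` and `tee` lines are the safer choice.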