etc: create systemd-resolv.conf-generate.bash & systemd-resolv.conf-restore.bash, mention them in resolv.conf

2024-04-30 20:05:53 +03:00 · 2024-04-30 20:05:53 +03:00 · d6e4fd1be7
parent fa5462212d
commit d6e4fd1be7
3 changed files with 88 additions and 0 deletions
--- a/etc/resolv.conf
+++ b/etc/resolv.conf
@ -1,5 +1,12 @@
 # Don't do this, just run this instead:
 #     sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+# Or look at the other scripts in this directory such as
+#  resolv.conf-generate.bash - creates simpler version of this file without
+#  the comments
+#  systemd-resolv.conf-generate.bash - same as the above, but only users
+#  127.0.0.53 as a nameserver
+#  systemd-resolv.conf-restore.bash - restores/creates the symlink of line 2
+

 # Problem: unbound is slow to start and everything complains of failing DNS,
 # and systemd-resolved often gets itself stuck with DNSSEC.
--- a/etc/systemd-resolv.conf-generate.bash
+++ b/etc/systemd-resolv.conf-generate.bash
@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -x
+
+# This is otherwise the same as resolv.conf-generate.bash, but only adds
+# systemd-resolved as a DNS server. And then it also took parts of the
+# restore script.
+
+# I know there are old versions that used something else, but I don't remember
+# that name and they are ancient.
+if ! hash resolvectl 2>/dev/null; then
+	echo "You don't seem to have systemd-resolved (or resolvectl) installed." 1>&2
+	exit 1
+fi
+
+# Require root or exit
+if [ "$(id -u)" != "0" ]; then
+	echo "This script requires root." 1>&2
+	exit 1
+fi
+
+# It's pointless to point at the service if it's not running.
+systemctl enable --now systemd-resolved.service
+
+# In case I am behind the /etc/resolv.conf, it's immutable and read-only,
+# which won't allow it to be rewritten.
+chattr -V -i /etc/resolv.conf
+chmod -v +w /etc/resolv.conf
+# Or it's a symlink to e.g. /run/systemd/resolve/stub-resolv.conf
+rm -v /etc/resolv.conf
+
+# tee -p = operate in a more appropriate MODE with pipes.
+printf 'nameserver 127.0.0.53\noptions edns0 trust-ad timeout:1 attempts:5\nsearch .\n' | tee -p /etc/resolv.conf
+
+# Remove all other permissions than everyone reading resolv.conf
+chmod -v a=r /etc/resolv.conf
+# Make resolv.conf immutable again so it's pretty sure nothing else edits it.
+chattr -V +i /etc/resolv.conf
+
+# Let's just see it's ok
+ls -l /etc/resolv.conf
+cat /etc/resolv.conf
+
+set +x
--- a/etc/systemd-resolv.conf-restore.bash
+++ b/etc/systemd-resolv.conf-restore.bash
@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -x
+
+# I just had a feeling I should also have a quick script to quickly restore
+# systemd-resolved handling of the file.
+
+# I know there are old versions that used something else, but I don't remember
+# that name and they are ancient.
+if ! hash resolvectl 2>/dev/null; then
+	echo "You don't seem to have systemd-resolved (or resolvectl) installed." 1>&2
+	exit 1
+fi
+
+# Require root or exit
+if [ "$(id -u)" != "0" ]; then
+	echo "This script requires root." 1>&2
+	exit 1
+fi
+
+# It's pointless to make a dead symlink as it must be running
+systemctl enable --now systemd-resolved.service
+
+# In case I am behind the /etc/resolv.conf, it's immutable and read-only,
+# which won't allow it to be rewritten.
+chattr -V -i /etc/resolv.conf
+chmod -v +w /etc/resolv.conf
+
+# It must be removed if it's not a symlink
+rm -v /etc/resolv.conf
+
+# and finally making the symlink
+ln -sfv /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+# Let's just see it's ok
+ls -l /etc/resolv.conf
+cat /etc/resolv.conf
+
+set +x