From d6e4fd1be7bf9aedf167888460c449eef3f6d360 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Tue, 30 Apr 2024 20:05:53 +0300
Subject: [PATCH] etc: create systemd-resolv.conf-generate.bash & systemd-resolv.conf-restore.bash, mention them in resolv.conf

---
 etc/resolv.conf                       |  7 +++++
 etc/systemd-resolv.conf-generate.bash | 43 +++++++++++++++++++++++++++
 etc/systemd-resolv.conf-restore.bash  | 38 +++++++++++++++++++++++
 3 files changed, 88 insertions(+)
 create mode 100755 etc/systemd-resolv.conf-generate.bash
 create mode 100755 etc/systemd-resolv.conf-restore.bash

diff --git a/etc/resolv.conf b/etc/resolv.conf
index 84434099..0682d6bb 100644
--- a/etc/resolv.conf
+++ b/etc/resolv.conf
@@ -1,5 +1,12 @@
 # Don't do this, just run this instead:
 # sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+# Or look at the other scripts in this directory such as
+# resolv.conf-generate.bash - creates simpler version of this file without
+# the comments
+# systemd-resolv.conf-generate.bash - same as the above, but only users
+# 127.0.0.53 as a nameserver
+# systemd-resolv.conf-restore.bash - restores/creates the symlink of line 2
+
 
 # Problem: unbound is slow to start and everything complains of failing DNS,
 # and systemd-resolved often gets itself stuck with DNSSEC.
diff --git a/etc/systemd-resolv.conf-generate.bash b/etc/systemd-resolv.conf-generate.bash
new file mode 100755
index 00000000..afbbbdcc
--- /dev/null
+++ b/etc/systemd-resolv.conf-generate.bash
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -x
+
+# This is otherwise the same as resolv.conf-generate.bash, but only adds
+# systemd-resolved as a DNS server. And then it also took parts of the
+# restore script.
+
+# I know there are old versions that used something else, but I don't remember
+# that name and they are ancient.
+if ! hash resolvectl 2>/dev/null; then
+  echo "You don't seem to have systemd-resolved (or resolvectl) installed." 1>&2
+  exit 1
+fi
+
+# Require root or exit
+if [ "$(id -u)" != "0" ]; then
+  echo "This script requires root." 1>&2
+  exit 1
+fi
+
+# It's pointless to point at the service if it's not running.
+systemctl enable --now systemd-resolved.service
+
+# In case I am behind the /etc/resolv.conf, it's immutable and read-only,
+# which won't allow it to be rewritten.
+chattr -V -i /etc/resolv.conf
+chmod -v +w /etc/resolv.conf
+# Or it's a symlink to e.g. /run/systemd/resolve/stub-resolv.conf
+rm -v /etc/resolv.conf
+
+# tee -p = operate in a more appropriate MODE with pipes.
+printf 'nameserver 127.0.0.53\noptions edns0 trust-ad timeout:1 attempts:5\nsearch .\n' | tee -p /etc/resolv.conf
+
+# Remove all other permissions than everyone reading resolv.conf
+chmod -v a=r /etc/resolv.conf
+# Make resolv.conf immutable again so it's pretty sure nothing else edits it.
+chattr -V +i /etc/resolv.conf
+
+# Let's just see it's ok
+ls -l /etc/resolv.conf
+cat /etc/resolv.conf
+
+set +x
diff --git a/etc/systemd-resolv.conf-restore.bash b/etc/systemd-resolv.conf-restore.bash
new file mode 100755
index 00000000..c1cf89ff
--- /dev/null
+++ b/etc/systemd-resolv.conf-restore.bash
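Review bot: The script runs with `set -x` but no `set -e`, so the sequence `chattr -i` → `rm -v /etc/resolv.conf` → `tee -p` → `chmod a=r` → `chattr +i` keeps going after any step fails; if `rm` or `tee` fails (read-only `/etc`, a bind-mounted resolv.conf in a container, a still-immutable file), the host can be left with no resolver config or with the immutable bit re-applied to whatever is there, while the closing `ls`/`cat` make it look fine. There is also a window between `rm` and `tee` in which `/etc/resolv.conf` does not exist and every resolver lookup on the box fails, and `chmod -v +w` is not needed for `rm` at all (unlinking needs write permission on `/etc`, not on the file) and, because it follows symlinks, it changes the mode of `/run/systemd/resolve/stub-resolv.conf` when the link already exists. I would write the new content to a `mktemp` file in `/etc`, set its mode there, and `mv -f` it over the target so readers see either the old or the complete new file, with `set -ex` so a failed step stops before the immutable bit is re-applied; `chattr -i` still needs `|| true`, since it reports an error on filesystems without attribute support (the tmpfs behind the stub symlink). The same missing `set -e` and redundant `chmod -v +w` apply to etc/systemd-resolv.conf-restore.bash in the next hunk.
```shell
set -ex
# … unchanged: resolvectl and root checks, systemctl enable --now …
# chattr fails on filesystems without attribute support (e.g. when the path is
# a symlink into /run), and that must not abort the script.
chattr -V -i /etc/resolv.conf || true
# Write next to the target and swap in atomically so no reader ever sees a
# missing or half-written resolv.conf; mv replaces a symlink without following it.
tmp=$(mktemp /etc/resolv.conf.XXXXXX)
trap 'rm -f -- "$tmp"' EXIT
printf 'nameserver 127.0.0.53\noptions edns0 trust-ad timeout:1 attempts:5\nsearch .\n' > "$tmp"
chmod -v a=r "$tmp"
mv -fv -- "$tmp" /etc/resolv.conf
chattr -V +i /etc/resolv.conf
# … unchanged: ls/cat check, set +x …
```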
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -x
+
+# I just had a feeling I should also have a quick script to quickly restore
+# systemd-resolved handling of the file.
+
+# I know there are old versions that used something else, but I don't remember
+# that name and they are ancient.
+if ! hash resolvectl 2>/dev/null; then
+  echo "You don't seem to have systemd-resolved (or resolvectl) installed." 1>&2
+  exit 1
+fi
+
+# Require root or exit
+if [ "$(id -u)" != "0" ]; then
+  echo "This script requires root." 1>&2
+  exit 1
+fi
+
+# It's pointless to make a dead symlink as it must be running
+systemctl enable --now systemd-resolved.service
+
+# In case I am behind the /etc/resolv.conf, it's immutable and read-only,
+# which won't allow it to be rewritten.
+chattr -V -i /etc/resolv.conf
+chmod -v +w /etc/resolv.conf
+
+# It must be removed if it's not a symlink
+rm -v /etc/resolv.conf
+
+# and finally making the symlink
+ln -sfv /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+# Let's just see it's ok
+ls -l /etc/resolv.conf
+cat /etc/resolv.conf
+
+set +x
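Review bot: The `rm -v /etc/resolv.conf` before `ln -sfv ...` is redundant and opens a window in which the host has no resolver configuration: `ln -sf` already replaces an existing regular file or symlink in place (the comment "It must be removed if it's not a symlink" does not hold), so the `rm` and its preceding `chmod -v +w` can simply be dropped, leaving `chattr -V -i` as the only preparation the replacement needs. Without `set -e`, a `chattr -i` that fails (for example an attribute-less filesystem, or a symlink whose target lives on tmpfs) does not stop the script, and a failing `ln` is then followed by `ls`/`cat` reporting the old state as if it were the result; I would use `set -ex` at the top and write the attribute step as `chattr -V -i /etc/resolv.conf || true` so only the genuinely unexpected failures abort. Note that `ln -sf` on a target that is a directory creates the link inside it instead of replacing it; if that case matters here, `ln -sfnv` (GNU `--no-dereference`) avoids it.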