chrony: rename ntppool.sources -> ntp-pool.sources

etc/resolv.conf

@@ -1,5 +1,12 @@
 # Don't do this, just run this instead:
 #     sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+# Or look at the other scripts in this directory such as
+#  resolv.conf-generate.bash - creates simpler version of this file without
+#  the comments
+#  systemd-resolv.conf-generate.bash - same as the above, but only users
+#  127.0.0.53 as a nameserver
+#  systemd-resolv.conf-restore.bash - restores/creates the symlink of line 2
+
 
 # Problem: unbound is slow to start and everything complains of failing DNS,
 # and systemd-resolved often gets itself stuck with DNSSEC.
@@ -16,7 +23,7 @@ nameserver 127.0.0.1
 
 # systemd-resolved. WARNING: May cause DNS leaks.
 nameserver 127.0.0.53
-# also systemd-resolved, but this is limited to three entries (others ignored)
+# systemd-resolved DNS proxy (to upstream). No DNSSEC, no LLMNR, no mDNS!
 #nameserver 127.0.0.54
 
 # edns0 = extended DNS

etc/systemd-resolv.conf-generate.bash

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -x
+
+# This is otherwise the same as resolv.conf-generate.bash, but only adds
+# systemd-resolved as a DNS server. And then it also took parts of the
+# restore script.
+
+# I know there are old versions that used something else, but I don't remember
+# that name and they are ancient.
+if ! hash resolvectl 2>/dev/null; then
+	echo "You don't seem to have systemd-resolved (or resolvectl) installed." 1>&2
+	exit 1
+fi
+
+# Require root or exit
+if [ "$(id -u)" != "0" ]; then
+	echo "This script requires root." 1>&2
+	exit 1
+fi
+
+# It's pointless to point at the service if it's not running.
+systemctl enable --now systemd-resolved.service
+
+# In case I am behind the /etc/resolv.conf, it's immutable and read-only,
+# which won't allow it to be rewritten.
+chattr -V -i /etc/resolv.conf
+chmod -v +w /etc/resolv.conf
+# Or it's a symlink to e.g. /run/systemd/resolve/stub-resolv.conf
+rm -v /etc/resolv.conf
+
+# tee -p = operate in a more appropriate MODE with pipes.
+printf 'nameserver 127.0.0.53\nnameserver 127.0.0.53\nnameserver 127.0.0.53\noptions edns0 trust-ad timeout:1 attempts:5\nsearch .\n' | tee -p /etc/resolv.conf
+
+# Remove all other permissions than everyone reading resolv.conf
+chmod -v a=r /etc/resolv.conf
+# Make resolv.conf immutable again so it's pretty sure nothing else edits it.
+chattr -V +i /etc/resolv.conf
+
+# Let's just see it's ok
+ls -l /etc/resolv.conf
+cat /etc/resolv.conf
+
+set +x

etc/systemd-resolv.conf-restore.bash

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -x
+
+# I just had a feeling I should also have a quick script to quickly restore
+# systemd-resolved handling of the file.
+
+# I know there are old versions that used something else, but I don't remember
+# that name and they are ancient.
+if ! hash resolvectl 2>/dev/null; then
+	echo "You don't seem to have systemd-resolved (or resolvectl) installed." 1>&2
+	exit 1
+fi
+
+# Require root or exit
+if [ "$(id -u)" != "0" ]; then
+	echo "This script requires root." 1>&2
+	exit 1
+fi
+
+# It's pointless to make a dead symlink as it must be running
+systemctl enable --now systemd-resolved.service
+
+# In case I am behind the /etc/resolv.conf, it's immutable and read-only,
+# which won't allow it to be rewritten.
+chattr -V -i /etc/resolv.conf
+chmod -v +w /etc/resolv.conf
+
+# It must be removed if it's not a symlink
+rm -v /etc/resolv.conf
+
+# and finally making the symlink
+ln -sfv /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+# Let's just see it's ok
+ls -l /etc/resolv.conf
+cat /etc/resolv.conf
+
+set +x

etc/systemd/system/aminda-nocron-reboot.service

@@ -11,6 +11,8 @@ ExecStartPre=-/usr/bin/systemctl enable --now systemd-resolved.service
 ExecStartPre=-/usr/sbin/sysctl net.ipv6.conf.all.disable_ipv6=0
 # These services are called here, so
 ExecStartPre=-/usr/bin/systemctl start firewalld.service
+# https://github.com/systemd/zram-generator
+ExecStart=-/usr/bin/systemctl start /dev/zram0
 # Ensure /etc/sysctl.d/ gets read
 ExecStart=-/usr/sbin/sysctl -p --system
 # Ensure we really allow ICMPv6 on FEDORA (or firewalld)

etc/systemd/timesyncd.conf.d/00-fallback-poolntporg.conf

@@ -1,2 +0,0 @@
-[Time]
-FallbackNTP=pool.ntp.org

etc/systemd/timesyncd.conf.d/ntp-pool.conf

@@ -0,0 +1,11 @@
+[Time]
+# Uncomment only one, if any. https://www.ntppool.org/en/use.html
+
+# https://www.ntppool.org/zone/@
+#NTP=pool.ntp.org
+
+# https://www.ntppool.org/zone/europe
+#NTP=europe.pool.ntp.org
+
+# https://www.ntppool.org/zone/fi
+#NTP=fi.pool.ntp.org

etc/unbound/unbound.conf.d/logging.conf

@@ -11,8 +11,5 @@ server:
 	# Gives validation EDEs more comprehensive human-readable errors
 	# https://blog.nlnetlabs.nl/extended-dns-error-support-for-unbound/
 	val-log-level: 2
-	# Print statistics to the log hourly or quaterly
-	#statistics-interval: 3600
-	statistics-interval: 900
 
 # vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/min-ttl-fifteen.conf

@@ -0,0 +1,10 @@
+server:
+	# Increases TTL of all queries to 900 seconds (15 minutes) if upstream has
+	# a lower one. I have been using this since August 2019 without issues.
+	cache-min-ttl: 900
+	# I haven't used so common statistics interval though and at the time of
+	# writing I am going by an hour.
+	statistics-interval: 900
+	# https://blog.apnic.net/2019/11/12/stop-using-ridiculously-low-dns-ttls/
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/min-ttl-hour.conf

@@ -10,5 +10,7 @@ server:
 	# Client-Hello that no one has implemented for system resolver (in April
 	# 2024) that I know of.
 	cache-min-ttl: 3600
+	# Also print statistics then
+	statistics-interval: 3600
 
 # vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/min-ttl.conf.sample

@@ -1,13 +0,0 @@
-server:
-	# Increases TTL of all queries to 900 seconds (5 minutes) if upstream has
-	# a lower one. I have been using this since August 2019 without issues.
-	#cache-min-ttl: 900
-	# https://blog.apnic.net/2019/11/12/stop-using-ridiculously-low-dns-ttls/
-	# dares setting the minimum cache to something between 40 minute and 60,
-	# so how about 50 minutes? However it predates RFC 8767.
-	#cache-min-ttl: 3000
-	# Why not just make it hour directly, while that is considered as a
-	# maximum reasonableish value?
-	#cache-min-ttl: 3600
-
-# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/mixed-case-queries.conf

@@ -0,0 +1,9 @@
+# Mix DNS query cases (0x20) in an attempt to make DNS cache poisoning more
+# expensive. I am curious if this will break things.
+# Seems to have no effect for forwarded queries (understandable).
+server:
+use-caps-for-id: yes
+#caps-exempt: "example.org"
+#caps-exempt: "example.net"
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/replace-systemd-resolved.conf.sample

@@ -0,0 +1,12 @@
+# This file is only when one wants to replace systemd-resolved with unbound
+# and to avoid having to mess up with resolv.conf or similar.
+
+server:
+# Change to yes for 0.0.0.0 and ::
+interface-automatic: no
+interface: ::1@53
+interface: 127.0.0.1@53
+interface: 127.0.0.53@53
+interface: 127.0.0.54@53
+
+# vim: filetype=unbound.conf