etc/resolv.conf: fix comment explaining rotate

etc/resolv.conf

@@ -26,15 +26,28 @@ nameserver 127.0.0.53
 # systemd-resolved DNS proxy (to upstream). No DNSSEC, no LLMNR, no mDNS!
 #nameserver 127.0.0.54
 
-# edns0 = extended DNS
-# trust-ad = trust DNSSEC authenticated data
-# timeout:1 = nameserver timeout 1 s (default 5, max 30), then next
-# attempts:5 = if all nameservers fail, attempt again 5 times (def 2, max 5)
-options edns0 trust-ad timeout:1 attempts:5
-
 # no sending local domain to upstream whenever NXDOMAIN happens
 search .
 
+# timeout:2 = nameserver timeout 2 s (default 5, max 30), then next
+# attempts:2 = if all nameservers fail, attempt again 2 times (def 2, max 5)
+# rotate = For long running processes that perform more than one query (so not
+# dig/host), use the first resolver for the first query, second resolver for
+# the second query, third resolver for the third query and repeat.
+# They are all theoretically the same, except that NordVPN disables IPv6 so
+# ::1 will fail and occassionally only systemd-resolved works and I am
+# under the impression that some apps are aware of systemd-resolved and will
+# use it directly bypassing resolv.conf. In other words while everything
+# works, this affects nothing, and when unbound is down (before it's started
+# on desktop?), every second query will be faster with every third reaching
+# systemd-resolved instantly without the timeout of two seconds.
+# edns0 = extended DNS
+# trust-ad = trust DNSSEC authenticated data
+options timeout:2 attempts:2 rotate edns0 trust-ad
+# AMINDA! Remember, you are specifying these here, a couple of bash scripts
+# in this directory, see the comment on top, ../rc/{bash,zsh}rc
+# ($RES_OPTIONS) and systemd/system/service.d/resolv.conf !
+
 # PS. Remove empty lines and comments if this ends up in /etc/resolv.conf
 # PPS. The traditional spell is:
 #    sudo chattr -i /etc/resolv.conf;sudo nvim /etc/resolv.conf;sudo chattr +i /etc/resolv.conf

etc/resolv.conf-generate.bash

@@ -17,7 +17,7 @@ rm -v /etc/resolv.conf
 # Actual resolv.conf creation. OK, this could read resolv.conf in this
 # directory, but I like this being self-contained.
 # tee -p = operate in a more appropriate MODE with pipes.
-printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\noptions edns0 trust-ad timeout:1 attempts:5\nsearch .\n' | tee -p /etc/resolv.conf
+printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\nsearch .\noptions timeout:2 attempts:2 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
 
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf

etc/systemd-resolv.conf-generate.bash

@@ -29,7 +29,7 @@ chmod -v +w /etc/resolv.conf
 rm -v /etc/resolv.conf
 
 # tee -p = operate in a more appropriate MODE with pipes.
-printf 'nameserver 127.0.0.53\nnameserver 127.0.0.53\nnameserver 127.0.0.53\noptions edns0 trust-ad timeout:1 attempts:5\nsearch .\n' | tee -p /etc/resolv.conf
+printf 'nameserver 127.0.0.53\nnameserver 127.0.0.53\nnameserver 127.0.0.53\nsearch .\noptions timeout:2 attempts:2 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
 
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf

etc/systemd/system/aminda-duperemove.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Aminda's deduplication service
+
+[Service]
+Type=oneshot
+TimeoutStartSec=infinity
+ExecStart=-/usr/sbin/duperemove -rdhq --hashfile=/root/home.hash /home
+ExecStart=-/usr/sbin/duperemove -rdhq --hashfile=/root/flatpak.hash /var/lib/flatpak
+ExecStart=-/usr/sbin/duperemove -rdhq --hashfile=/root/snap.hash /var/lib/snapd
+User=root
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/aminda-duperemove.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Run Aminda's deduplication tasks
+
+[Timer]
+OnBootSec=0
+Persistent=true
+RemainAfterElapse=false
+
+[Install]
+WantedBy=timers.target

etc/systemd/system/aminda-nocron-reboot.service

@@ -1,5 +1,6 @@
 [Unit]
 Description=Aminda's cronless boot tasks
+Wants=sysctl-p--system.service
 
 [Service]
 Type=oneshot
@@ -12,19 +13,14 @@ ExecStartPre=-/usr/sbin/sysctl net.ipv6.conf.all.disable_ipv6=0
 # These services are called here, so
 ExecStartPre=-/usr/bin/systemctl start firewalld.service
 # https://github.com/systemd/zram-generator
-ExecStart=-/usr/bin/systemctl start /dev/zram0
+#ExecStart=-/usr/bin/systemctl start /dev/zram0
-# Ensure /etc/sysctl.d/ gets read
+ExecStart=-/usr/bin/systemctl enable --now systemd-zram-setup@zram0.service
-ExecStart=-/usr/sbin/sysctl -p --system
 # Ensure we really allow ICMPv6 on FEDORA (or firewalld)
 ExecStart=-/usr/bin/firewall-cmd --add-protocol=ipv6-icmp
 # 3rd party Xbox controller initialization. See Mikaela/gist/gayming/
 #ExecStart=-/root/fixcontroller.py
 # This is actually in the delayed variant of this service, but anyway
 ExecStart=-/usr/bin/systemctl start yggdrasil.service
-# BTRFS deduplication
-#ExecStart=-/usr/sbin/duperemove -rdhq --hashfile=/root/home.hash /home
-#ExecStart=-/usr/sbin/duperemove -rdhq --hashfile=/root/flatpak.hash /var/lib/flatpak
-#ExecStart=-/usr/sbin/duperemove -rdhq --hashfile=/root/snap.hash /var/lib/snapd
 User=root
 StandardOutput=journal
 StandardError=journal

etc/systemd/system/service.d/resolv.conf

@@ -5,6 +5,6 @@
 # note that this is possible.
 [Service]
 Environment=LOCALDOMAIN=.
-Environment=RES_OPTIONS="edns0 trust-ad timeout:1 attempts:5"
+Environment=RES_OPTIONS="timeout:2 attempts:2 rotate edns0 trust-ad"
 
 # vim: filetype=systemd

etc/systemd/system/sysctl-p--system.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Read /etc/sysctl.conf and /etc/sysctl.d/
+
+[Service]
+Type=oneshot
+TimeoutStartSec=infinity
+ExecStart=-/usr/sbin/sysctl -p --system
+User=root
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/sysctl-p--system.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Run reading of /etc/sysctl.conf and /etc/sysctl.d/
+
+[Timer]
+OnBootSec=0
+Persistent=true
+RemainAfterElapse=false
+
+[Install]
+WantedBy=timers.target

etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf

@@ -13,10 +13,7 @@ server:
 	serve-expired-reply-ttl: 30
 	# Serve expired data to client if there is no answer in 1.8 seconds as per
 	# common timeout 2 seconds according to the RFC 8767
-	#serve-expired-client-timeout: 1800
+	serve-expired-client-timeout: 1800
-	# However my /etc/resolv.conf timeout is 1 second since all my nameservers
-	# are localhost, so let's wait 0.8 seconds instead.
-	serve-expired-client-timeout: 800
 	# Human readable DNSSEC errors for expired records
 	ede-serve-expired: yes
 

rc/bashrc

@@ -258,7 +258,7 @@ export LSCOLORS=gxBxhxDxfxhxhxhxhxcxcx
 export LOCALDOMAIN=.
 # Secureish resolv.conf options (except trust-ad, but systemd also sets it
 # regardless of whether DNSSEC=true or not.
-export RES_OPTIONS="edns0 trust-ad timeout:1 attempts:5"
+export RES_OPTIONS="timeout:2 attempts:2 rotate edns0 trust-ad"
 
 #####	Aliases						RJ706I	#####
 

rc/zshrc

@@ -217,7 +217,7 @@ export LSCOLORS=gxBxhxDxfxhxhxhxhxcxcx
 export LOCALDOMAIN=.
 # Secureish resolv.conf options (except trust-ad, but systemd also sets it
 # regardless of whether DNSSEC=true or not.
-export RES_OPTIONS="edns0 trust-ad timeout:1 attempts:5"
+export RES_OPTIONS="timeout:2 attempts:2 rotate edns0 trust-ad"
 
 #####	Aliases						RJ706I	#####