unbound: explicitly enable ede and it's log

symlink remains to show what is the correct location

.pre-commit-config.yaml

@@ -130,8 +130,9 @@ repos:
   # ensure nothing breaks the rules.
 
   # prettier, opinionated code formatter
-  - repo: https://github.com/pre-commit/mirrors-prettier
+  #- repo: https://github.com/pre-commit/mirrors-prettier
-    rev: "v4.0.0-alpha.8"
+  - repo: https://github.com/rbubley/mirrors-prettier
+    rev: "v3.2.5"
     hooks:
       - id: prettier
         # These are handled by Black below or pretty-format-json above

conf/systemd/.gitignore

@@ -0,0 +1 @@
+user

conf/systemd/user

@@ -0,0 +1 @@
+../../etc/systemd/user

etc/opt/chromium/policies/managed/README.md

@@ -297,7 +297,8 @@ their alternative port.
 
 ## `enable-ech-ocsp.json`
 
-Enables encrypted client hello (ECH) and Online Certificate Status Protocol (OCSP) (or Certificate Revocation List (CRL)?) checks.
+Enables encrypted client hello (ECH) and Online Certificate Status Protocol
+(OCSP)/Certificate Revocation List (CRL) checks.
 
 However ECH requires `"DnsOverHttpsMode": "secure"` which will break things
 (and thus my files don't enable it),

etc/systemd/system/aminda-nocron-reboot.service

@@ -0,0 +1,31 @@
+[Unit]
+Description=Aminda's cronless boot tasks
+
+[Service]
+Type=oneshot
+TimeoutStartSec=infinity
+# - means it can fail, without failing those after it
+# I always want DNS.
+ExecStartPre=-/usr/bin/systemctl enable --now unbound.service
+ExecStartPre=-/usr/bin/systemctl enable --now systemd-resolved.service
+ExecStartPre=-/usr/sbin/sysctl net.ipv6.conf.all.disable_ipv6=0
+# These services are called here, so
+ExecStartPre=-/usr/bin/systemctl start firewalld.service
+# Ensure /etc/sysctl.d/ gets read
+ExecStart=-/usr/sbin/sysctl -p --system
+# Ensure we really allow ICMPv6 on FEDORA (or firewalld)
+ExecStart=-/usr/bin/firewall-cmd --add-protocol=ipv6-icmp
+# 3rd party Xbox controller initialization. See Mikaela/gist/gayming/
+#ExecStart=-/root/fixcontroller.py
+# This is actually in the delayed variant of this service, but anyway
+ExecStart=-/usr/bin/systemctl start yggdrasil.service
+# BTRFS deduplication
+#ExecStart=-/usr/sbin/duperemove -rdhq --hashfile=/root/home.hash /home
+#ExecStart=-/usr/sbin/duperemove -rdhq --hashfile=/root/flatpak.hash /var/lib/flatpak
+#ExecStart=-/usr/sbin/duperemove -rdhq --hashfile=/root/snap.hash /var/lib/snapd
+User=root
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/aminda-nocron-reboot.timer

@@ -0,0 +1,13 @@
+[Unit]
+Description=Run Aminda's crontab boot tasks for when there is no cron
+
+[Timer]
+OnBootSec=0
+# User services
+#OnStartupSec=5
+Persistent=true
+# There is no need to stay loaded after the boot and first run.
+RemainAfterElapse=false
+
+[Install]
+WantedBy=timers.target

etc/systemd/system/aminda-nocron-rebootish.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Aminda's cronless tasks to do a bit after booting
+
+[Service]
+Type=oneshot
+TimeoutStartSec=infinity
+# - means it can fail, without failing those after it
+# Another attempt at ensuring Yggdrasil works with nordvpnd
+ExecStartPre=-/usr/sbin/sysctl net.ipv6.conf.all.disable_ipv6=0
+ExecStart=-/usr/bin/systemctl restart yggdrasil.service
+User=root
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/aminda-nocron-rebootish.timer

@@ -0,0 +1,14 @@
+[Unit]
+Description=Run Aminda's crontab delayed boot tasks for when there is no cron
+
+[Timer]
+OnBootSec=3min
+RandomizedDelaySec=2min
+# User services
+#OnStartupSec=5min
+Persistent=true
+# There is no need to stay loaded after the boot and first run.
+RemainAfterElapse=false
+
+[Install]
+WantedBy=timers.target

etc/systemd/system/matterbridge-cleanup.timer

@@ -2,7 +2,7 @@
 Description=Run matterbridge cleanup every minute
 
 [Timer]
-OnCalendar=*-*-* *:*:00
+OnCalendar=minutely
 OnBootSec=0
 Persistent=true
 

etc/systemd/user/flatpak-update-user.service

@@ -0,0 +1,7 @@
+[Unit]
+Description=Install user level flatpak updates and uninstall unused flatpaks
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flatpak update --user --assumeyes --noninteractive
+ExecStartPost=/usr/bin/flatpak uninstall --user --unused --assumeyes --noninteractive

etc/systemd/user/flatpak-update-user.timer

@@ -0,0 +1,15 @@
+[Unit]
+Description=Install user level flatpak updates and uninstall unused flatpaks regularly
+
+[Timer]
+#OnCalendar=*-*-* 19:00:00
+# Executed every 4 hours
+OnUnitActiveSec=4h
+# Executed 5 minutes from boot
+OnBootSec=300
+# Delay execution by something between 0 seconds and 3 hours
+RandomizedDelaySec=3h
+Persistent=true
+
+[Install]
+WantedBy=timers.target

etc/unbound/unbound.conf.d/cache.conf

@@ -23,5 +23,8 @@ server:
 	# Allow expired results to be served if they are in cache. The cache will
 	# get updated the next time.
 	serve-expired: yes
+	# DNSSEC errors for valid and expired records
+	ede: yes
+	ede-serve-expired: yes
 
 # vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/logging.conf

@@ -6,6 +6,9 @@ server:
 	# gives query level information, output per query.  Level  4  gives
 	# algorithm  level  information.
 	verbosity: 2
+	# Gives validation EDEs more comprehensive human-readable errors
+	# https://blog.nlnetlabs.nl/extended-dns-error-support-for-unbound/
+	val-log-level: 2
 	# Print statistics to the log hourly
 	statistics-interval: 3600