2025-08-20 05:07:34 +02:00
7 changed files with 28 additions and 72 deletions
--- a/conf/tmux.conf
+++ b/conf/tmux.conf
@ -44,6 +44,5 @@ set -g escape-time 300
 # Or for tmux >= 2.6
 set -sg escape-time 300

-# Turn the clock yellow. Red would be better at night, but I am used to
-# looking at amber in my terminals and thus yellow is less distracting.
-setw -g clock-mode-colour yellow
+# Turn the clock red. It's the least bad colour especially at night.
+setw -g clock-mode-colour red
--- a/etc/systemd/resolved.conf.d/00-no-local-resolver.conf
+++ b/etc/systemd/resolved.conf.d/00-no-local-resolver.conf
@ -1,5 +1,4 @@
 [Resolve]
-# Use this together with other files other than 00-only-unbound.conf!
 # https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
 #DNSSEC=allow-downgrade
 # Regardless of the above DNS breaking issues when DNSSEC is
--- a/etc/systemd/resolved.conf.d/00-only-local-resolver.conf
+++ b/etc/systemd/resolved.conf.d/00-only-local-resolver.conf
@ -1,12 +0,0 @@
-[Resolve]
-# All this is done by Unbound. Don't use other files together with this one.
-DNSSEC=false
-DNSOverTLS=false
-Cache=false
-DNS=127.0.0.1
-DNS=::1
-Domains=~.
-# .local domains
-MulticastDNS=true
-# Microsoft Windows compatibility?
-LLMNR=true
--- a/etc/systemd/resolved.conf.d/README.md
+++ b/etc/systemd/resolved.conf.d/README.md
@ -26,15 +26,9 @@ sudo systemctl restart systemd-resolved

 ## Files explained

- `00-no-local-resolver.conf` - configuration that should be used everywhere.
+- `00-defaults.conf` - configuration that should be used everywhere.
  Enables DNSSEC (regardless of systemd-resolved not handling it properly),
-  enables opportunistic DoT, caching and local DNS servers (because they
-  should exist anyway as I don't trust systemd-resolved entirely. Anyway if
-  there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
-  - To rephrase, this is sto be used together with other files, especially
-    some of those beginning with `dot-`.
- `00-only-local-resolver.conf` - for when there is known local resolver.
-  **_Don't combine this with the other files._**
+  enables opportunistic DoT, caching and local DNS servers.
 - `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
  captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
  should be used in addition to `00-defaults.conf`
--- a/etc/systemd/resolved.conf.d/dot-quad9.conf
+++ b/etc/systemd/resolved.conf.d/dot-quad9.conf
@ -1,12 +1,7 @@
 [Resolve]
-# Secure
 #DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
-# No Threat Blocking
-#DNS=2620:fe::10#dns10.quad9.net 149.112.112.10#dns10.quad9.net 2620:fe::fe:10#dns10.quad9.net 9.9.9.10#dns10.quad9.net
-# Secure + ECS
+# ECS
 DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
-# No Threat Blocking + ECS
-#DNS=9.9.9.12#dns12.quad9.net 149.112.112.12#dns12.quad9.net 2620:fe::12#dns12.quad9.net 2620:fe::fe:12#dns12.quad9.net
 # Uncomment for port 443 resolver
 #DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
 #DNSOverTLS=true
--- a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
@ -35,24 +35,15 @@ forward-zone:
 	# forward-addr: 193.110.81.9@853#zero.dns0.eu
 	# forward-addr: 2a0f:fc81::9@853#zero.dns0.eu
 	# forward-addr: 185.253.5.9@853#zero.dns0.eu
+
 ## Quad9
-	## Secure
+	## Default
 	# forward-addr: 2620:fe::fe@853#dns.quad9.net
 	# forward-addr: 9.9.9.9@853#dns.quad9.net
 	# forward-addr: 2620:fe::9@853#dns.quad9.net
 	# forward-addr: 149.112.112.112@853#dns.quad9.net
-	## No Threat Blocking
-	#forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
-	#forward-addr: 149.112.112.10@853#dns10.quad9.net
-	#forward-addr: 2620:fe::10@853#dns10.quad9.net
-	#forward-addr: 9.9.9.10@853#dns10.quad9.net
-	## Secure + ECS
+	## ECS
 	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
 	forward-addr: 9.9.9.11@853#dns11.quad9.net
 	forward-addr: 2620:fe::11@853#dns11.quad9.net
 	forward-addr: 149.112.112.11@853#dns11.quad9.net
-	## No Threat Blocking + ECS
-	#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
-	#forward-addr: 9.9.9.12@853#dns12.quad9.net
-	#forward-addr: 2620:fe::12@853#dns12.quad9.net
-	#forward-addr: 149.112.112.12@853#dns12.quad9.net
--- a/etc/unbound/unbound.conf.d/dot-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-quad9.conf
@ -12,23 +12,13 @@ server:
 forward-zone:
 	name: "."
 	forward-tls-upstream: yes
-	## Secure
+	## Default
 	# forward-addr: 2620:fe::fe@853#dns.quad9.net
 	# forward-addr: 9.9.9.9@853#dns.quad9.net
 	# forward-addr: 2620:fe::9@853#dns.quad9.net
 	# forward-addr: 149.112.112.112@853#dns.quad9.net
-	## No Threat Blocking
-	#forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
-	#forward-addr: 149.112.112.10@853#dns10.quad9.net
-	#forward-addr: 2620:fe::10@853#dns10.quad9.net
-	#forward-addr: 9.9.9.10@853#dns10.quad9.net
-	## Secure + ECS
+	## ECS
 	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
 	forward-addr: 9.9.9.11@853#dns11.quad9.net
 	forward-addr: 2620:fe::11@853#dns11.quad9.net
 	forward-addr: 149.112.112.11@853#dns11.quad9.net
-	## No Threat Blocking + ECS
-	#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
-	#forward-addr: 9.9.9.12@853#dns12.quad9.net
-	#forward-addr: 2620:fe::12@853#dns12.quad9.net
-	#forward-addr: 149.112.112.12@853#dns12.quad9.net