etc/resolv.conf-generate.bash: also be verbose with chattr & chmod

etc/hosts/README.md: add forgotten blocklist and formatting
etc/resolv.conf-generate.bash: simple resolv.conf writer the way I want
2024-04-24 12:09:15 +03:00 · 2024-04-24 11:55:35 +03:00 · 2024-04-24 11:06:35 +03:00 · 2024-04-24 09:21:42 +03:00 · 2024-04-24 07:31:10 +03:00
4 changed files with 60 additions and 2 deletions
--- a/etc/hosts/README.md
+++ b/etc/hosts/README.md
@ -8,7 +8,8 @@ This file is DNS before DNS and legacy remain which is still used.
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->

- [dns](#dns)
+- [`blocklist`](#blocklist)
+- [`dns`](#dns)
 - [`hosts.fedora`](#hostsfedora)
 - [`hosts.debian`](#hostsdebian)

@ -17,7 +18,11 @@ This file is DNS before DNS and legacy remain which is still used.
 <!-- prettier-ignore-end -->
 <!-- editorconfig-checker-enable -->

-## dns
+## `blocklist`
+
+Hosts that I dislike enough to mention in my `hosts` file.
+
+## `dns`

 This began from question why should I have DNS to have DNS, but having it
 on DNS resolver level broke DNSSEC due to my weird mixing of systemd-resolved
--- a/etc/hosts/blocklist
+++ b/etc/hosts/blocklist
@ -0,0 +1,12 @@
+##### BEGIN AMINDA BLOCKLIST #####
+
+# Facebook API that a lot of things call, will break things for Facebook
+# users, so don't apply on hosts those use
+:: graph.facebook.com
+0.0.0.0 graph.facebook.com
+
+# Unnecessary service for Matrix rooms. I was dared to block it.
+:: matrix.to www.matrix.to
+0.0.0.0 matrix.to www.matrix.to
+
+##### END AMINDA BLOCKLIST #####
--- a/etc/resolv.conf-generate.bash
+++ b/etc/resolv.conf-generate.bash
@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -x
+
+# Require root or exit
+if [ "$(id -u)" != "0" ]; then
+	echo "This script requires root." 1>&2
+	exit 1
+fi
+
+# In case I am behind the /etc/resolv.conf, it's immutable and read-only,
+# which won't allow it to be rewritten.
+chattr -V -i /etc/resolv.conf
+chmod -v +w /etc/resolv.conf
+# Or it's a symlink to e.g. /run/systemd/resolve/stub-resolv.conf
+rm -v /etc/resolv.conf
+
+# Actual resolv.conf creation. OK, this could read resolv.conf in this
+# directory, but I like this being self-contained.
+# tee -p = operate in a more appropriate MODE with pipes.
+printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\noptions edns0 trust-ad timeout:1 attempts:5\nsearch .\n' | tee -p /etc/resolv.conf
+
+# Remove all other permissions than everyone reading resolv.conf
+chmod -v a=r /etc/resolv.conf
+# Make resolv.conf immutable again so it's pretty sure nothing else edits it.
+chattr -V +i /etc/resolv.conf
+
+# Let's just see it's ok
+ls -l /etc/resolv.conf
+cat /etc/resolv.conf
+
+set +x
--- a/etc/systemd/system/service.d/resolv.conf
+++ b/etc/systemd/system/service.d/resolv.conf
@ -0,0 +1,10 @@
+# Unlike everything else(?), this can actually be placed to
+# /etc/systemd/system/service.d if /etc/resolv.conf cannot be modified
+# for some reason and specify the search and options options.
+#  I would just edit /etc/resolv.conf directly though, but this is just a
+# note that this is possible.
+[Service]
+Environment=LOCALDOMAIN=.
+Environment=RES_OPTIONS="edns0 trust-ad timeout:1 attempts:5"
+
+# vim: filetype=systemd
Author	SHA1	Message	Date
Aminda Suomalainen	32c5da4422	etc/resolv.conf-generate.bash: also be verbose with chattr & chmod	2024-04-24 12:09:15 +03:00
Aminda Suomalainen	9b01bc5260	etc/hosts/README.md: add forgotten blocklist and formatting	2024-04-24 11:55:35 +03:00
Aminda Suomalainen	c00f750d96	etc/resolv.conf-generate.bash: simple resolv.conf writer the way I want	2024-04-24 11:06:35 +03:00
Aminda Suomalainen	fa9da0901d	etc/hosts/blocklist: initial commit	2024-04-24 09:21:42 +03:00
Aminda Suomalainen	b36ba70a70	systemd/service.d: add resolv.conf example with warnings	2024-04-24 07:31:10 +03:00