1 #!/bin/bash
2 # I, Ian Kelling, follow the GNU license recommendations at
3 # https://www.gnu.org/licenses/license-recommendations.en.html. They
4 # recommend that small programs, < 300 lines, be licensed under the
5 # Apache License 2.0. This file contains or is part of one or more small
6 # programs. If a small program grows beyond 300 lines, I plan to switch
7 # its license to GPL.
8
9 # Copyright 2024 Ian Kelling
10
11 # Licensed under the Apache License, Version 2.0 (the "License");
12 # you may not use this file except in compliance with the License.
13 # You may obtain a copy of the License at
14
15 # http://www.apache.org/licenses/LICENSE-2.0
16
17 # Unless required by applicable law or agreed to in writing, software
18 # distributed under the License is distributed on an "AS IS" BASIS,
19 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 # See the License for the specific language governing permissions and
21 # limitations under the License.
22
23
# Usage: run to trust or untrust DNS. Public wifi sometimes needs DNS to be
# trusted initially in order to log in.
26
27
# Re-exec as root when not already root; -E keeps the caller's environment.
if (( EUID != 0 )); then
  exec sudo -E "${BASH_SOURCE[0]}" "$@"
fi

# Shared helper from the author's tooling. NOTE(review): presumably
# installs an error trap / errexit — confirm in that file.
source /a/bin/bash-bear-trap/bash-bear

# Basename of this script; it is symlinked under other names to select
# behaviour (see the case on script_name below).
script_name=${BASH_SOURCE[0]##*/}
34
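# Upstream resolvers used in untrusted mode (pushed into systemd-resolved
# with DNSOverTLS=yes below). Only the last assignment takes effect; the
# earlier sets were dead assignments and are kept as commented-out
# alternatives to switch to by hand.
# NOTE(review): with DNSOverTLS=yes, newer systemd-resolved can validate
# the server certificate against a name given as IP#hostname; these
# entries carry no name — confirm whether that is wanted.
#
# removes malware and adult content
#servers=(1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003)
#
#servers=(1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001)

## trying out google
servers=(8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844)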
42
43
44
m() {
  # Echo the command line (joined with spaces), then run it; the exit
  # status is that of the command.
  printf '%s\n' "$*"
  "$@"
}
e() {
  # Print every argument on its own line (a lone newline when called
  # with no arguments, matching printf's behaviour).
  local IFS=$'\n'
  printf '%s\n' "$*"
}
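i() { # install file: stdin -> $1, reporting whether it changed
  # Globals:   ir (written) — "true" when the destination changed, else
  #            "false". Deliberately NOT local: the caller reads $ir.
  # Arguments: $1 - destination path; the content is read from stdin
  # Outputs:   rsync's itemized change line on stdout when the file changed
  # Returns:   0 on success, 1 if the temp dir or the copy failed
  local tmp tmpdir parent dest="$1"
  local base="${dest##*/}"
  ir=false
  # Create the parent only when the path has one: for a bare filename
  # ${dest%/*} equals $dest itself, and for "/x" it is empty (root).
  if [[ $dest == */* ]]; then
    parent="${dest%/*}"
    mkdir -p -- "${parent:-/}"
  fi
  tmpdir=$(mktemp -d) || return 1
  # Stage the content, then let rsync compare by checksum (-c) and
  # itemize (-i) — it prints a line only when it actually updates $dest.
  cat >"$tmpdir/$base"
  if ! tmp=$(rsync -ic -- "$tmpdir/$base" "$dest"); then
    rm -rf -- "$tmpdir"
    return 1
  fi
  if [[ $tmp ]]; then
    printf "%s\n" "$tmp"
    ir=true
  fi
  rm -rf -- "$tmpdir"
}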
61
# The script is symlinked under another name to flip its behaviour:
# invoked as "untrusted-network" it distrusts the network's DNS.
trust=true
if [[ $script_name == untrusted-network ]]; then
  trust=false
fi
69
70
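if $trust; then
  # trusted: drop our NetworkManager override so it manages DNS again,
  # restarting it only when the file was there and the service is up
  if [[ -e /etc/NetworkManager/conf.d/dns.conf ]]; then
    rm -fv /etc/NetworkManager/conf.d/dns.conf
    if [[ $(systemctl is-active NetworkManager) == active ]]; then
      m systemctl restart NetworkManager
    fi
  fi

  # https://github.com/jonathanio/update-systemd-resolved
  # suggests this will help prevent leakage into a vpn interface.
  # The [Resolve] header is required: systemd ignores assignments that
  # appear outside a section, so without it this drop-in did nothing
  # (the untrusted branch below already had the header).
  mkdir -p /etc/systemd/resolved.conf.d
  cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <<EOF
[Resolve]
Domains=~.
EOF
else #untrusted
  # https://wiki.archlinux.org/index.php/Systemd-resolved#Manually
  # Pin resolved to our own resolvers over TLS instead of whatever DHCP
  # handed out. ${servers[@]} expands space-separated inside the heredoc.
  mkdir -p /etc/systemd/resolved.conf.d
  cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <<EOF
[Resolve]
DNS=${servers[@]}
Domains=~. b8.nz
DNSOverTLS=yes
EOF

  # Tell NetworkManager to leave DNS alone (dns=none) and not to push
  # DHCP-supplied servers into resolved (systemd-resolved=false).
  i /etc/NetworkManager/conf.d/dns.conf <<'EOF'
[main]
dns=none
systemd-resolved=false
EOF

  # i sets $ir to true only when dns.conf actually changed
  if $ir && [[ $(systemctl is-active NetworkManager) == active ]]; then
    m systemctl restart NetworkManager
  fi
fi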
103
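# t11 uses dhclient.conf
dhclient_restart=false
# man dhclient.conf: the "request" line lists the DHCP options accepted.
#   trusted   -> make sure domain-name-servers is requested (use DHCP's DNS)
#   untrusted -> stop requesting it so dhclient never installs DHCP's DNS
# NOTE(review): the grep matches the option name anywhere in the file
# (a commented-out or supersede line too) — presumably fine for this
# hand-maintained file, confirm.
f=/etc/dhcp/dhclient.conf
if [[ -e $f ]]; then
  requests_dns=false
  if grep -qP '\bdomain-name-servers\b' "$f"; then
    requests_dns=true
  fi
  if $trust && ! $requests_dns; then
    sed -i 's/^ *request/request domain-name-servers,/' "$f"
    dhclient_restart=true
    e "$0: dhclient_restart=true"
  elif ! $trust && $requests_dns; then
    sed -i 's/^ *request domain-name-servers,/request/' "$f"
    dhclient_restart=true
    e "$0: dhclient_restart=true"
  fi
fi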
123
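# t12 uses dhcpcd.conf (the comment used to say dhclient.conf; the path
# below is dhcpcd's)
f=/etc/dhcpcd.conf
# note: haven't tested
# Initialise explicitly so the trusted branch pipes an empty line rather
# than an unset value (or one inherited through sudo -E's environment).
line=
if ! $trust; then
  line="nooption domain_name_servers"
fi
# cedit is an external helper, not defined in this file. NOTE(review):
# this assumes it exits non-zero when it changed the file, and that an
# empty line means "nothing to add" — confirm against cedit.
if [[ -e $f ]] && ! printf '%s\n' "$line" | cedit "$f"; then
  dhclient_restart=true
  e "$0: dhclient_restart=true"
fi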
134
135
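#######################################
# Print the interface name that follows "dev" in an `ip route get` line.
# Arguments: $1 - one line of `ip route get` output
# Outputs:   the interface name on stdout
# Returns:   0 when found, 1 when there is no "dev <name>" pair
#######################################
route_dev_of() {
  local -a words
  local w
  read -r -a words <<<"$1"
  for ((w = 0; w + 1 < ${#words[@]}; w++)); do
    if [[ ${words[w]} == dev ]]; then
      printf '%s\n' "${words[w + 1]}"
      return 0
    fi
  done
  return 1
}

# wait for networkmanager to come back: ask the kernel which interface
# routes to 8.8.8.8 until it answers (10 tries, ~2s apart).
# Scanning for the "dev" token instead of taking a fixed field handles
# both "via <gw> dev <if>" and directly connected "dev <if>" routes,
# where the old fixed-field read picked up the src address instead.
gateway_if=
for ((attempt = 0; attempt < 10; attempt++)); do
  if route=$(ip route get 8.8.8.8) && gateway_if=$(route_dev_of "$route"); then
    break
  fi
  m sleep 2
done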
143
144
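if [[ $gateway_if ]]; then
  # we could do this, but dhclient is still running and will use its old settings
  # from dependencies of ifupdown,
  # from man dhclient-script
  # from /etc/dhcp/dhclient-enter-hooks.d/resolved
  # rm -f /run/systemd/resolved.conf.d/*$gateway_if*

  # Bounce the interface only when the dhclient config changed AND
  # ifupdown manages it ("auto <if>" line). \Q..\E makes grep -P treat
  # the interface name literally (names such as eth0.100 contain regex
  # metacharacters); the redirect hides the error when
  # /etc/network/interfaces does not exist.
  if $dhclient_restart && grep -Pq "^ *auto (\Q$gateway_if\E|.* \Q$gateway_if\E( |$))" /etc/network/interfaces &>/dev/null; then
    m ifdown "$gateway_if"
    m ifup "$gateway_if"
  fi

  # At least on systemd 237 ifupdown it sets a global and this is not
  # needed. we are way past that, but I dont think it hurts.
  resolvectl revert "$gateway_if"
else
  e "$0: no gateway_if found"
fi

# pick up the drop-in written above
m systemctl restart systemd-resolved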
166
167
168
169 # just for curiosity i did a
170 # wrapper around dhclient, then ifdown eth0; ifup eth0:
171
172 # Tue Mar 9 18:29:05 EST 2021
173 # args -4 -v -r -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
174 # env
175 # ADDRFAM=inet
176 # PHASE=pre-down
177 # VERBOSITY=0
178 # PWD=/sbin
179 # IFACE=eth0
180 # METHOD=dhcp
181 # SHLVL=1
182 # LOGICAL=eth0
183 # MODE=stop
184 # PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
185 # IFUPDOWN_eth0=pre-down
186 # _=/usr/bin/env
187 # Tue Mar 9 18:29:07 EST 2021
188 # args -1 -4 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
189 # env
190 # ADDRFAM=inet
191 # PHASE=post-up
192 # VERBOSITY=0
193 # PWD=/sbin
194 # IFACE=eth0
195 # METHOD=dhcp
196 # SHLVL=1
197 # LOGICAL=eth0
198 # MODE=start
199 # PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
200 # IFUPDOWN_eth0=post-up
201 # _=/usr/bin/env