-##### use systemd-resolved for glibc resolutions
-
-pi libnss-resolve
-
-if [[ ! -L /etc/nsswitch.conf ]]; then
- sudo mkdir -p /etc/resolved-nsswitch
- sudo mv /etc/nsswitch.conf /etc/resolved-nsswitch
- sudo ln -sf /etc/resolved-nsswitch/nsswitch.conf /etc
-fi
-
-f=/etc/basic-nsswitch/nsswitch.conf
-if [[ ! -e $f ]]; then
- sudo mkdir -p ${f%/*}
- sudo cp /etc/nsswitch.conf $f
- sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' $f
-fi
-case $HOSTNAME in
- bk|je)
- # je should be able to get along systemd-resolved, but ive had some odd
- # very intermittent dns failures with spamassassin, it seems it might only
- # be happening with systemd-resolved, so just use unbound
- # to make it consistent with the other hosts.
- sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' /etc/nsswitch.conf
- soff systemd-resolved
- sudo ln -sf 127.0.0.1-resolv/stub-resolv.conf /etc/resolv.conf
- sgo unbound
- # cautious measure to make sure resolution is working
- sleep 1
- ;;
- *)
- # default is
- # files mdns4_minimal [NOTFOUND=return] dns myhostname
- # mdns4 is needed for my printer and for bbb webrtc, not sure exactly why.
- # https://www.freedesktop.org/software/systemd/man/nss-resolve.html#
- # seems more important than some potential use case.
- # Interestingly, t9/t10 man page says use files before resolve, debian 10 says the opposite.
- # removing files makes hostname -f not actually give the fully qualified domain name.
- sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/resolved-nsswitch/nsswitch.conf
- ;;
-esac
-
-case $HOSTNAME in
- bk)
- sgo named
- ;;
-esac
-
-
-lines=(
- "/etc/resolved-nsswitch/nsswitch.conf r,"
- "/etc/basic-nsswitch/nsswitch.conf r,"
- # Aug 06 23:09:11 kd audit[3995]: AVC apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/systemd/resolve/io.systemd.Resolve" pid=3995 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=101
- # I dont know if this is quite the right fix, but I saw other sockets
- # in the nameservice files that were rw, so figured it was ok to add this and it worked.
- "/run/systemd/resolve/io.systemd.Resolve rw,"
-)
-f=/etc/apparmor.d/abstractions/nameservice
-apparmor_reload=false
-if [[ -e $f ]]; then
- for l in "${lines[@]}"; do
- if ! grep -qF "$l" $f; then
- sudo sed -i "/\/nsswitch.conf/a $l" $f
- apparmor_reload=true
- if ! grep -qF "$l" $f; then
- echo "$0: failed editing $f. investigate"
- exit 1
- fi
- fi
- done
- if $apparmor_reload && systemctl is-active apparmor; then
- m ser reload apparmor
- fi
-fi
-