From 739efea3642e2f8a7a672c4600da152a27bedf1a Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Tue, 8 Jun 2021 16:38:49 -0400 Subject: [PATCH] various fixes and improvements --- fai-wrapper | 3 +- fai/config/class/DEFAULT.var | 3 +- .../etc/apt/sources.list.d/bionic.list/ETIONA | 12 +- .../etc/apt/sources.list.d/focal.list/FOCAL | 15 +- .../VOL_BUSTER_BOOTSTRAP | 0 fai/config/files/usr/bin/myncq/kd | 57 ++++ fai/config/hooks/partition.DEFAULT | 148 ++++++---- fai/config/package_config/STANDARD | 2 + fai/config/scripts/GRUB_PC/11-iank | 50 +++- wrt-setup | 2 +- wrt-setup-local | 259 ++++++++++++++++-- 11 files changed, 448 insertions(+), 103 deletions(-) rename fai/config/files/etc/systemd/system/{fai_check.service => faicheck.service}/VOL_BUSTER_BOOTSTRAP (100%) create mode 100755 fai/config/files/usr/bin/myncq/kd diff --git a/fai-wrapper b/fai-wrapper index 93e1c6d..5efa7f1 100644 --- a/fai-wrapper +++ b/fai-wrapper @@ -31,7 +31,8 @@ eval-fai-classfile() { fai-setclass $(bash $file) } export -f ifclass -classes=DEFAULT # used by fcopy +# DEFAULT is used by fcopy +classes="DEFAULT $(hostname)" export CLASS_DEFAULT=true if [[ ! -d $FAI_ROOT ]]; then export FAI_ROOT=/ diff --git a/fai/config/class/DEFAULT.var b/fai/config/class/DEFAULT.var index 1c8de54..a999512 100644 --- a/fai/config/class/DEFAULT.var +++ b/fai/config/class/DEFAULT.var @@ -8,4 +8,5 @@ LOGUSER=fai # My faiserver's hostname is always faiserver, so just hardcoding it. SERVER=faiserver -APTPROXY=http://faiserver:3142 +# busted for debian, no time to troubleshoot atm +#APTPROXY=http://faiserver:3142 diff --git a/fai/config/files/etc/apt/sources.list.d/bionic.list/ETIONA b/fai/config/files/etc/apt/sources.list.d/bionic.list/ETIONA index bc32744..cb92b36 100644 --- a/fai/config/files/etc/apt/sources.list.d/bionic.list/ETIONA +++ b/fai/config/files/etc/apt/sources.list.d/bionic.list/ETIONA 
@@ -1,6 +1,6 @@
-deb http://us.archive.ubuntu.com/ubuntu/ bionic main universe
-deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main universe
-deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe
-deb-src http://us.archive.ubuntu.com/ubuntu/ bionic main universe
-deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates main universe
-deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe
+deb http://us.archive.ubuntu.com/ubuntu/ bionic main universe multiverse
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main universe multiverse
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe multiverse
+deb-src http://us.archive.ubuntu.com/ubuntu/ bionic main universe multiverse
+deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates main universe multiverse
+deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe multiverse
diff --git a/fai/config/files/etc/apt/sources.list.d/focal.list/FOCAL b/fai/config/files/etc/apt/sources.list.d/focal.list/FOCAL
index c1678f5..a317dfa 100644
--- a/fai/config/files/etc/apt/sources.list.d/focal.list/FOCAL
+++ b/fai/config/files/etc/apt/sources.list.d/focal.list/FOCAL
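Review bot: Every bionic line, including `bionic-security`, now carries `multiverse`, which is the component Canonical does not provide security maintenance for, so a package resolved from it silently falls outside the update guarantee the rest of this file implies. If a single package is the reason (the focal counterpart in this commit cites libfdk-aac1), a pin in `/etc/apt/preferences.d/` with `Package: *`, `Pin: release o=Ubuntu,c=multiverse`, `Pin-Priority: 100` keeps multiverse available for explicit installs without letting it win dependency resolution by default. A one-line comment above the list naming the package that needs multiverse would make the intent recoverable later, as the focal file in this commit does.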
@@ -1,11 +1,14 @@ +# multiverse needed for libfdk-aac1, which is actually free +# https://www.gnu.org/licenses/license-list.html#fdk + ###### Ubuntu Main Repos -deb http://archive.ubuntu.com/ubuntu/ focal main universe -deb-src http://archive.ubuntu.com/ubuntu/ focal main universe +deb http://archive.ubuntu.com/ubuntu/ focal main universe multiverse +deb-src http://archive.ubuntu.com/ubuntu/ focal main universe multiverse ###### Ubuntu Update Repos -deb http://archive.ubuntu.com/ubuntu/ focal-security main universe -deb http://archive.ubuntu.com/ubuntu/ focal-updates main universe +deb http://archive.ubuntu.com/ubuntu/ focal-security main universe multiverse +deb http://archive.ubuntu.com/ubuntu/ focal-updates main universe multiverse deb http://archive.ubuntu.com/ubuntu/ focal-backports main universe -deb-src http://archive.ubuntu.com/ubuntu/ focal-security main universe -deb-src http://archive.ubuntu.com/ubuntu/ focal-updates main universe +deb-src http://archive.ubuntu.com/ubuntu/ focal-security main universe multiverse +deb-src http://archive.ubuntu.com/ubuntu/ focal-updates main universe multiverse deb-src http://archive.ubuntu.com/ubuntu/ focal-backports main universe diff --git a/fai/config/files/etc/systemd/system/fai_check.service/VOL_BUSTER_BOOTSTRAP b/fai/config/files/etc/systemd/system/faicheck.service/VOL_BUSTER_BOOTSTRAP similarity index 100% rename from fai/config/files/etc/systemd/system/fai_check.service/VOL_BUSTER_BOOTSTRAP rename to fai/config/files/etc/systemd/system/faicheck.service/VOL_BUSTER_BOOTSTRAP diff --git a/fai/config/files/usr/bin/myncq/kd b/fai/config/files/usr/bin/myncq/kd new file mode 100755 index 0000000..e2b6494 --- /dev/null +++ b/fai/config/files/usr/bin/myncq/kd 
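Review bot: The new comment records why multiverse is enabled but not the caveat a later reader of a `focal-security` line carrying `multiverse` will need: multiverse is outside Canonical's security maintenance, so libfdk-aac1 and anything else pulled from it will not get security updates from Ubuntu. Suggested addition to the comment: `# NOTE: multiverse is not covered by Ubuntu security updates; consider pinning it low so only libfdk-aac1 is taken from it.` The `focal-backports` lines are deliberately left without multiverse as far as I can tell; saying so in the same comment would stop someone "fixing" the asymmetry.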
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
+shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
+
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
+# https://wiki.archlinux.org/index.php/Solid_state_drive#Resolving_NCQ_errors
+# evo-870 doesnt get along well with d16.
+# Dmesg gives us an ata number we could disable specifically on the command line, but I've had that number change on me between oses, so reenabling ncq
+
+upgrub=true
+if [[ $1 == no-upgrub ]]; then
+ upgrub=false
+fi
+
+byid=/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V
+if [[ ! -e $byid ]]; then
+ # not plugged in we assume
+ exit 0
+fi
+
+dev=$(readlink $byid)
+if [[ ! $dev ]]; then
+ exit 1
+fi
+
+dev=${dev##*/}
+
+depth=$(cat /sys/block/$dev/device/queue_depth)
+if [[ $depth != 0 ]]; then
+ if grep -qF libata.force=noncq /proc/cmdline; then
+ echo $0: warning, cant change queue_depth due to globally disabled ncq
+ else
+ echo 1 >/sys/block/$dev/device/queue_depth
+ fi
+fi
+
+sys=$(readlink /sys/block/$dev)
+ata=${sys#*/*/*/*/ata}
+ata=${ata%%/*}
+
+arg=libata.force=${ata}.00:noncq
+
+if ! grep "^GRUB_CMDLINE_LINUX_DEFAULT=.*[\" ]${arg//./\\.}[\" ]" /etc/default/grub; then
+ sed -ri "s/^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)/GRUB_CMDLINE_LINUX_DEFAULT=\"$arg \1/" /etc/default/grub
+ if $upgrub; then
+ echo "$0: warning: grub updated. you may want to reboot"
+ if type -P update-grub2 &>/dev/null; then
+ update-grub2
+ else
+ update-grub
+ fi
+ fi
+fi
diff --git a/fai/config/hooks/partition.DEFAULT b/fai/config/hooks/partition.DEFAULT
index 61da95a..09020d2 100755
--- a/fai/config/hooks/partition.DEFAULT
+++ b/fai/config/hooks/partition.DEFAULT
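Review bot: `ata=${sys#*/*/*/*/ata}` is never validated before `$arg` is spliced into `/etc/default/grub` and `update-grub` is run; if the disk is not behind a libata port, or the sysfs path has a different depth, the prefix strip leaves `$sys` unchanged and the kernel command line ends up with `libata.force=<path fragment>.00:noncq`. Guard it before `arg=` is built, e.g. `[[ $ata =~ ^[0-9]+$ ]] || { echo "$0: error: could not derive ata port from $sys" >&2; exit 1; }`. The `exec sudo -E` re-exec carries the caller's whole environment, including PATH, into a root process that edits bootloader configuration and resolves `update-grub2` via `type -P`; plain `sudo` is sufficient since the script only needs its one positional argument. `grep` on `/etc/default/grub` is run without `-q`, so whenever the setting is already present the matched line is echoed to stdout, which will land in the journal on every boot once the systemd unit from this commit runs it; add `-q`.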
@@ -94,6 +94,15 @@ fi #### begin configuration +# this is the ordering of the /dev/sdaX, but +# the ordering of the partition layout goes like this: +# bios_grub +# grub_ext +# efi +# root +# swap +# boot + rootn=1 swapn=2 bootn=3 @@ -106,6 +115,7 @@ grub_extn=5 # bios boot partition, # https://wiki.archlinux.org/index.php/GRUB bios_grubn=6 +even_bign=7 lastn=$bios_grubn @@ -114,7 +124,7 @@ lastn=$bios_grubn add-part() { # add partition suffix to $dev - local d ret + local d part if [[ $# == 1 ]]; then d=$dev part=$1 @@ -131,6 +141,7 @@ swapdev() { add-part $@ $swapn; } efidev() { add-part $@ $efin; } grub_extdev() { add-part $@ $grub_extn; } bios_grubdev() { add-part $@ $bios_grubn; } +even_bigdev() { add-part $@ $even_bign; } crypt-dev() { echo /dev/mapper/crypt_dev_${1##*/}; } crypt-name() { echo crypt_dev_${1##*/}; } 
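Review bot: `even_bign=7` is added but `lastn=$bios_grubn` stays at 6, so `lastn` no longer names the highest partition number, and the new layout comment at the top of the hunk lists six partitions without mentioning the optional seventh. The repartition check later in this file is relaxed to `< lastn` so the count still works, but the variable now means "minimum partitions a prepared disk must have"; say so: `lastn=$bios_grubn # minimum partition count expected on an already-prepared disk`. Suggested line for the layout comment: `# even_big (optional: only on the larger disk when two disks differ by >100000 MiB)`. The `local d part` fix in add-part is welcome; `part` previously leaked as a global.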
@@ -140,10 +151,37 @@ root-cryptname() { crypt-name $(rootdev $@); } swap-cryptname() { crypt-name $(swapdev $@); } dev-mib() { - echo $(( $(parted -m $dev unit MiB print | \ + local d=${1:-$dev} + echo $(( $(parted -m $d unit MiB print | \ sed -nr "s#^/dev/[^:]+:([0-9]+).*#\1#p") - 1)) } +luks-setup() { + local luksdev="$1" + # when we move to newer than trisquel 9, we can remove + # --type luks1. We can also check on cryptsetup --help | less /compil + # to see about the other settings. Default in debian 9 is luks2. + # You can convert from luks2 to luks 1 by adding a temporary key: + # cryptsetup luksAddKey --pbkdf pbkdf2 + # then remove the new format keys with cryptsetup luksRemoveKey + # then cryptsetup convert DEV --type luks1, then readd old keys and remove temp. + yes YES | cryptsetup luksFormat $luksdev $luks_file \ + --type luks1 -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]] + yes "$lukspw" | \ + cryptsetup luksAddKey --key-file $luks_file \ + $luksdev || [[ $? == 141 ]] + # background: Keyfile and password are treated just + # like 2 ways to input a passphrase, so we don't actually need to have + # different contents of keyfile and passphrase, but it makes some + # security sense to a really big randomly generated passphrase + # as much as possible, so we have both. + # + # This would remove the keyfile. + # yes 'test' | cryptsetup luksRemoveKey /dev/... \ + # /key/file || [[ $? == 141 ]] + cryptsetup luksOpen $luksdev $(crypt-name $luksdev) --key-file $luks_file +} + ##### end function defs if ifclass REPARTITION; then @@ -157,7 +195,7 @@ else wipe=true fi -if ((`nproc` > 2)); then +if (($(nproc) > 2)); then mopts=,compress=zstd fi @@ -206,7 +244,7 @@ for dev in ${short_devs[@]}; do if $partition; then break; fi y=$(readlink -f $dev) arr=($y?*) - if (( ${#arr[@]} != lastn )); then + if (( ${#arr[@]} < lastn )); then partition=true fi # On one system, blkid is missing some partitions. 
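Review bot: `yes "$lukspw" | cryptsetup luksAddKey ...` puts the LUKS passphrase into the argv of `yes`, where it is readable through `/proc/<pid>/cmdline` by any process on the install system for as long as `yes` runs; feeding it on stdin instead, e.g. `cryptsetup luksAddKey --key-file $luks_file $luksdev <<<"$lukspw"`, keeps it out of the process table and the existing pipe already shows cryptsetup accepting the passphrase from stdin. `-c aes-cbc-essiv:sha256 -s 256` is the legacy LUKS1 cipher spec; `aes-xts-plain64` with a 512-bit key has been the upstream default since cryptsetup 1.6 and works with `--type luks1` as well, so if CBC-ESSIV is deliberate (grub or an old initramfs, perhaps) it deserves a comment. The `|| [[ $? == 141 ]]` guards only swallow SIGPIPE from `yes`, which is fine, but `--batch-mode` on `luksFormat` would remove the `yes YES` pipe entirely. The luks1 constraint for trisquel 9 is documented; tying it to a release date or bug would make it easier to know when to drop.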
@@ -415,13 +453,23 @@ if $partition; then ### end wipefs + # When we have 2 disks of at least 100g difference in size, + # make an extra partition on the end of the bigger one. + even_big_part=false + even_diff_min=100000 if $even_raid; then - for dev in ${devs[@]}; do - cur_mib=$(dev-mib) - if [[ ! $disk_mib ]] || (( cur_mib < disk_mib )); then - disk_mib=$cur_mib - fi - done + smalli=0 + bigi=1 + if (( $(dev-mib ${devs[0]}) >= $(dev-mib ${devs[1]}) )); then + smalli=1 + bigi=0 + fi + disk_mib=$(dev-mib ${devs[smalli]}) + even_big_dev=${devs[bigi]} + even_big_mib=$(dev-mib $even_big_dev) + if (( even_big_mib - disk_mib > even_diff_min )); then + even_big_part=true + fi fi for dev in ${devs[@]}; do @@ -438,23 +486,27 @@ if $partition; then if ! $even_raid; then disk_mib=$(dev-mib) fi - root_end=$(( disk_mib - swap_mib - boot_mib / ${#boot_devs[@]} )) + efi_mib=512 + root_end=$(( disk_mib - swap_mib - boot_mib / ${#boot_devs[@]} - efi_mib )) swap_end=$(( root_end + swap_mib)) parted -s $dev mklabel gpt # MiB because parted complains about alignment otherwise. pcmd="parted -a optimal -s -- $dev" + # root partition, the main big one $pcmd mkpart primary ext3 524MiB ${root_end}MiB # without naming, systemd gives us misc errors like: # dev-disk-by\x2dpartlabel-primary.device: Dev dev-disk-by\x2dpartlabel-primary.device appeared twice $pcmd name $rootn root # normally a swap is type "linux-swap", but this is encrypted swap. using that # label will confuse systemd. + # swap partition $pcmd mkpart primary "" ${root_end}MiB ${swap_end}MiB $pcmd name $swapn swap + # boot partition $pcmd mkpart primary "" ${swap_end}MiB ${disk_mib}MiB $pcmd name $bootn boot - # eufi = bloated, half a gig gimme a break. + # uefi partition. efi sucks, half a gig, rediculous. $pcmd mkpart primary "fat32" 12MiB 524MiB $pcmd name $efin efi $pcmd set $efin esp on 
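Review bot: The new even_raid sizing looks only at `${devs[0]}` and `${devs[1]}`, where the removed loop took the minimum over every device; if `even_raid` can ever be set with three or more disks (not visible here), `disk_mib` is no longer the smallest disk and the later `mkpart` on an unconsidered smaller disk will run past its end. If two disks is a hard assumption, enforce it before the comparison: `(( ${#devs[@]} == 2 )) || { echo "$0: error: even_raid expects exactly 2 devices, got ${#devs[@]}" >&2; exit 1; }`. `even_diff_min=100000` is in MiB per `dev-mib`, i.e. about 97.7 GiB, so the `100g` in the comment is approximate; `# 100000 MiB (~97.7 GiB)` would be exact.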
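Review bot: Subtracting `efi_mib` from `root_end` does not make room for the EFI partition, which is still created at 12MiB–524MiB below root; it only moves `root_end` and `swap_end` down by 512 MiB while `boot` keeps ending at `disk_mib`, so the boot partition silently grows by 512 MiB. If a larger boot is not the intent, drop `- efi_mib` from the `root_end` line; if it is, rename the variable to what it actually reserves, e.g. `boot_extra_mib=512`. The new per-partition comments are helpful; `rediculous` should read `ridiculous`.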
@@ -466,16 +518,23 @@ if $partition; then # I found someone saying that gparted required # required at least 8 because of their hard drive cylinder size. # And 8 is still very tiny. + # grub_ext partition $pcmd mkpart primary "ext2" 4MiB 12MiB $pcmd name $grub_extn grubext # gpt ubuntu cloud image uses ~4 mb for this partition. fai uses 1 MiB. # so, I use 3, whatever. # note: parted manual saying cheap flash media # should to start at 4. + # biols grub partition $pcmd mkpart primary "" 1MiB 4MiB $pcmd name $bios_grubn biosgrub $pcmd set $bios_grubn bios_grub on $pcmd set $bootn boot on # generally not needed on modern systems + if $even_big_part && [[ $dev == $even_big_dev ]]; then + $pcmd mkpart primary ext3 ${disk_mib}MiB ${even_big_mib}MiB + $pcmd name $even_bign even_big + fi + # the mkfs failed before on a vm, which prompted me to add # sleep .1 # then it failed again on a physical machine @@ -485,15 +544,20 @@ if $partition; then # Then I added the mkfs.ext2, which claimed to succeed, # but then couldn't be found upon reboot. In that case we didn't # wait at all. So I've added a 3 second minimum wait. - sleep 3 secs=0 - while [[ ! -e $(rootdev) ]] && (( secs < 10 )); do + while [[ ! -e $(bios_grubdev) ]] && (( secs < 10 )); do sleep 1 secs=$((secs +1)) done + sleep 3 mkfs.fat -F32 $(efidev) + if $even_big_part && [[ $dev == $even_big_dev ]]; then + luks-setup $(even_bigdev) + mkfs.btrfs -f $(crypt-dev $(even_bigdev)) + fi + # Holds just a single file, rarely written, so # use ext2, like was often used for the /boot partition. # This exists because grub can only persist data to a non-cow fs. 
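Review bot: The readiness loop now waits for `$(bios_grubdev)` (partition 6), but the first thing run after it on the bigger disk is `luks-setup $(even_bigdev)` on partition 7, which the loop never checks; the original waited for `$(rootdev)`, and this hunk's own comments record that mkfs has raced partition creation before. Wait for the last partition actually created on this disk: `waitdev=$(bios_grubdev)`, then `if $even_big_part && [[ $dev == $even_big_dev ]]; then waitdev=$(even_bigdev); fi`, and test `[[ ! -e $waitdev ]]` in the loop. The extra volume is formatted with the same `$luks_file` and `$lukspw` as root via luks-setup; reasonable for a single-host layout, but worth a comment since one secret now unlocks both volumes. The `if $partition; then` block this sits in begins before and ends after the hunk.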
@@ -503,30 +567,7 @@ if $partition; then # This is just a bit more robust, and it could work for booting # into ipxe which can't persist data, if we ever got that working. mkfs.ext2 $(grub_extdev) - # when we move to newer than trisquel 9, we can remove - # --type luks1. We can also check on cryptsetup --help | less /compil - # to see about the other settings. Default in debian 9 is luks2. - # You can convert from luks2 to luks 1 by adding a temporary key: - # cryptsetup luksAddKey --pbkdf pbkdf2 - # then remove the new format keys with cryptsetup luksRemoveKey - # then cryptsetup convert DEV --type luks1, then readd old keys and remove temp. - yes YES | cryptsetup luksFormat $(rootdev) $luks_file \ - --type luks1 -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]] - yes "$lukspw" | \ - cryptsetup luksAddKey --key-file $luks_file \ - $(rootdev) || [[ $? == 141 ]] - # background: Keyfile and password are treated just - # like 2 ways to input a passphrase, so we don't actually need to have - # different contents of keyfile and passphrase, but it makes some - # security sense to a really big randomly generated passphrase - # as much as possible, so we have both. - # - # This would remove the keyfile. - # yes 'test' | cryptsetup luksRemoveKey /dev/... \ - # /key/file || [[ $? == 141 ]] - - cryptsetup luksOpen $(rootdev) $(root-cryptname) \ - --key-file $luks_file + luks-setup $(rootdev) if [[ $SPECIAL_DISK ]]; then exit 0 
@@ -651,6 +692,25 @@ ROOT_PARTITIONS="${root_devs[@]}" ROOT_PARTITION=\${ROOT_PARTITION:-$first_root_crypt} SWAPLIST=\${SWAPLIST:-"${swaps[@]}"} EOF + + + if [[ $HOSTNAME == kd ]]; then + # note, having these with keyscript and initramfs causes a luks error in fai.log, + # but it is safely ignorable and gets us the ability to just type our password + # in once at boot. A downside is that they are probably needed to be plugged in to boot. + cat >>/tmp/fai/crypttab <> /tmp/fai/fstab <>/tmp/fai/crypttab <> /tmp/fai/fstab <$target/etc/systemd/system/myncq.service <<'EOF' +[Unit] +Description=fix ncq errors + +[Service] +Type=oneshot +ExecStart=/usr/bin/myncq +TimeoutStartSec=20 + +[Install] +# https://www.enricozini.org/blog/2017/debian/systemd-07-devices/ +WantedBy=dev-disk-by\x2did-ata\x2dSamsung_SSD_870_QVO_8TB_S5VUNG0N900656V.device +EOF + + chroot $FAI_ROOT bash <<'EOFOUTER' +systemctl enable myncq.service +/usr/bin/myncq no-upgrub +EOFOUTER + + ;; # per rubens suggestion to make a d16 more stable kd|kw) cmdline+=" pci=realloc=off" ;; esac @@ -132,7 +151,15 @@ EOF chroot $FAI_ROOT bash </dev/null; then + update-grub2 +else + update-grub +fi + EOF fi ##### end != dirinstall && != NOCRYPT @@ -249,7 +281,6 @@ iface eth0 inet6 static address 2600:3c00:e000:280::2/64 EOF fi - fi # I prefer to stick with ifup/down for now. a. networkd is not in its @@ -263,15 +294,14 @@ EOF if ifclass VOL_BUSTER_BOOTSTRAP; then - fcopy -riM /etc/systemd/system + fcopy /etc/systemd/system/faicheck.service chroot $FAI_ROOT bash <<'EOFOUTER' -systemctl enable fai_check.service +systemctl enable faicheck.service EOFOUTER exit 0 # avoid unnecessary stuff in bootstrap vol fi - ## misc settings chroot $FAI_ROOT bash <<'EOFOUTER' #### begin .ssh setup ### diff --git a/wrt-setup b/wrt-setup index 42c4127..9163ad3 100755 --- a/wrt-setup +++ b/wrt-setup 
@@ -78,4 +78,4 @@ sudo scp /q/root/shadow/router /p/c/machine_specific/wrt/etc/dropbear/dropbear_r /p/router-secrets /p/c/machine_specific/wrt/etc/wg.{key,psk} $h: scp ../openwrtkeyring/usign/* $h:/etc/opkg/keys -ssh $h wrt-init $HOME_DOMAIN "$@" +ssh $h wrt-init ${HOME_DOMAIN:-b8.nz} "$@" diff --git a/wrt-setup-local b/wrt-setup-local index 1f0a2d5..d900897 100755 --- a/wrt-setup-local +++ b/wrt-setup-local @@ -38,9 +38,6 @@ EOF } - - - secrets=false if [[ -e /root/router-secrets ]]; then secrets=true @@ -53,14 +50,20 @@ fi : ${hostname:=wrt} +zblock=false +if [[ -e /root/zblock ]]; then + zblock=true +fi + dnsmasq_restart=false +unbound_restart=false firewall_restart=false dev2=false test=false client=false libremanage_host=wrt2 lanip=1 -while getopts hm:t: opt; do +while getopts hm:t:yz opt; do case $opt in h) usage ;; t) @@ -86,6 +89,14 @@ while getopts hm:t: opt; do *) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;; esac ;; + y) + zblock=false + rm -f /root/zblock + ;; + z) + zblock=true + touch /root/zblock + ;; m) mac=$OPTARG ;; *) echo "$0: Internal error! unexpected args: $*" >&2 ; usage 1 ;; esac @@ -187,7 +198,9 @@ udel() { eval $restart_var=true fi } - +cedit() { + v command cedit -v "$@" +} ### network config 
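Review bot: `ssh $h wrt-init ${HOME_DOMAIN:-b8.nz} "$@"` loses the protection of `"$@"` once ssh joins the arguments into a single string for the remote shell, so any argument containing spaces or shell metacharacters is re-split or interpreted on the router. Build the remote command with `printf %q`: `ssh $h "wrt-init $(printf '%q ' "${HOME_DOMAIN:-b8.nz}" "$@")"`. Defaulting the domain to a literal is fine, but the same value is hard-coded as `private-domain: b8.nz` in wrt-setup-local in this commit; a comment here pointing at that coupling would help whoever changes one and not the other.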
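Review bot: `unbound_restart=false` is declared here, but the unbound sections added later in this same file set and test `restart_unbound` (`|| restart_unbound=true`, `if $restart_unbound; then`), so the flag initialised here is never read and the one that is read starts out unset. As far as I can tell an unset `$restart_unbound` makes the `if` expand to an empty command, which succeeds, so unbound is restarted on every run; under `set -u` the script would abort instead. Change this line to `restart_unbound=false` (or rename the later uses to match the `dnsmasq_restart`/`firewall_restart` naming). A short comment above `zblock=false` saying what the `/root/zblock` flag gates (the extra YouTube-blocking views added below) would also save a reader a search.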
@@ -344,7 +357,8 @@ fi # /root/relay_1.0-1_mips_24kc.ipk v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \ tcpdump openvpn-openssl adblock libusb-compat \ - screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync + screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync\ + unbound-daemon-heavy unbound-checkconf cat >/etc/libremanage.conf < [1614982580.5192] dhcp6 (wlan0): option dhcp6_name_servers => 'fd58:5801:8e02::1' # but i dont want ipv6 dns, just keep it simple to ipv4. -uset dhcp.@odhcpd[0].dns 10.2.0.1 +# I know my isp doesnt have ipv6 right now, +# so just stop this thing. +# note: tried this, it didn't do anything: +# uset dhcp.@odhcpd[0].dns 10.2.0.1 +/etc/init.d/odhcpd stop +/etc/init.d/odhcpd disable +# todo: make the above conditional on which server this is. + +# avoid errors in log. current isp doesnt have ipv6 +uset unbound.@unbound[0].protocol ip4_only + +# todo: im not sure all these are needed, but they all look +# like good options. +# https://blog.cloudflare.com/dns-over-tls-for-openwrt/ +# https://gist.github.com/vqiu/7b32d3a19a7a09d32e108d998de166c2 +#https://blog.thestateofme.com/2018/04/04/howto-secure-your-dns-with-a-raspberry-pi-unbound-and-cloudflare-1-1-1-1/ +# +# # i found that the zone example was having no effect on the config +# # here: +# https://github.com/openwrt/packages/blob/openwrt-19.07/net/unbound/files/README.md +# +# # todo: unbound-control, i'm not sure what the purpose of that thing is, some +# # kind of coordination with dhcp of dnsmasq, but what? +# +# note: for debugging, edit /etc/init.d/unbound, change +# procd_set_param command $PROG -d -c $UB_TOTAL_CONF +# to: +# procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF + +{ + cat <<'EOF' +do-tcp: yes +prefetch: yes +qname-minimisation: yes +rrset-roundrobin: yes +use-caps-for-id: yes +do-ip6: no +private-domain: b8.nz +local-zone: "10.in-addr.arpa." 
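Review bot: `rsync\` has no space before the backslash, so the continuation joins `rsync` directly to whatever follows on the next line; this only yields two package names if the `unbound-daemon-heavy` line keeps its leading indentation, which this rendering does not show, and otherwise opkg is asked for a package named `rsyncunbound-daemon-heavy`. Write it as `rsync \` like the `nfs-kernel-server \` and `libusb-compat \` continuations in the same command. The hunk's trailing context (the libremanage heredoc) is garbled in this page, so I cannot see where it ends.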
transparent +access-control-view: 10.2.0.31/32 "youtube" +EOF + + if $zblock; then + cat <<'EOF' +# amy, amyw, samsungtab +access-control-view: 10.2.0.8/32 "youtube" +access-control-view: 10.2.0.23/32 "youtube" +access-control-view: 10.2.0.32/32 "youtube" +EOF + fi +} | cedit /etc/unbound/unbound_srv.conf || restart_unbound=true + + +# dns based blocking vs ip based. with ip, same +# server can have multiple domains. in dns, +# you have to make sure clients to use the local dns. +# https dns will need to be blocked by ip in +# order to be comprehensive + +cedit /etc/unbound/unbound_ext.conf <<'EOF' || restart_unbound=true +local-data-ptr: "10.2.0.1 cmc.b8.nz" +local-data-ptr: "10.2.0.2 kd.b8.nz" +local-data-ptr: "10.2.0.3 sy.b8.nz" +local-data-ptr: "10.2.0.4 wrt2.b8.nz" +local-data-ptr: "10.2.0.5 x2.b8.nz" +local-data-ptr: "10.2.0.6 x2w.b8.nz" +local-data-ptr: "10.2.0.7 syw.b8.nz" +local-data-ptr: "10.2.0.8 amy.b8.nz" +local-data-ptr: "10.2.0.9 bb8.b8.nz" +local-data-ptr: "10.2.0.12 demohost.b8.nz" +local-data-ptr: "10.2.0.14 wrt3.b8.nz" +local-data-ptr: "10.2.0.19 brother.b8.nz" +local-data-ptr: "10.2.0.23 amyw.b8.nz" +local-data-ptr: "10.2.0.25 hp.b8.nz" +local-data-ptr: "10.2.0.31 amazontab.b8.nz" +local-data-ptr: "10.2.0.32 samsungtab.b8.nz" +local-data-ptr: "10.173.0.2 transmission.b8.nz" +local-data-ptr: "10.173.8.1 defaultnn.b8.nz" +local-data-ptr: "10.173.8.2 nn.b8.nz" + +forward-zone: + name: "." +# https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https + forward-addr: 1.1.1.3@853#family.cloudflare-dns.com + forward-addr: 1.0.0.3@853#family.cloudflare-dns.com + forward-ssl-upstream: yes + forward-first: no + +view: + name: "youtube" + local-zone: "googlevideo.com." refuse + local-zone: "video.google.com." refuse + local-zone: "youtu.be." refuse + local-zone: "youtube-nocookie.com." refuse + local-zone: "youtube-ui.l.google.com." refuse + local-zone: "youtube.com." refuse + local-zone: "youtube.googleapis.com." 
refuse + local-zone: "youtubeeducation.com." refuse + local-zone: "youtubei.googleapis.com." refuse + local-zone: "yt3.ggpht.com." refuse + local-zone: "youtubekids.com." refuse + # try global if no match in view + view-first: yes +EOF + + +if $restart_unbound; then + /etc/init.d/unbound restart + if ! unbound-checkconf; then + echo $0: error: unbound-checkconf failed >&2 + exit 1 + fi +fi # disabled for now. i want to selectively enable it @@ -775,7 +973,7 @@ EOF # so make sure we have this dir or else dnsmasq will fail # to start. mkdir -p /mnt/usb/tftpboot -v cedit /etc/dnsmasq.conf < 2.80. currently at 2.80. - # todo: download https://downloads.openwrt.org/snapshots/packages/mipsel_24kc/base/dnsmasq-full_2.84-1_mipsel_24kc.ipk - # and install it. then we can turn off dnssec in systemd-resolved + # we could turn on dnssec validation when wrt gets dnsmasq > 2.80. currently at 2.80. + # also we can turn off dnssec in systemd-resolved if we know the router is doing it. # # Also, reload of dnsmasq seems to break things, wifi # clients were not getting internet connectivity. + v /etc/init.d/dnsmasq restart fi -- 2.30.2
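Review bot: The forward-zone enables DNS-over-TLS (`forward-ssl-upstream: yes`, `@853#family.cloudflare-dns.com`) but nothing in the added config sets `tls-cert-bundle`, and without it unbound does not validate the upstream certificate, so the `#family.cloudflare-dns.com` auth name is never checked and an on-path attacker can terminate the TLS session; unless the UCI-generated server section already supplies it (not visible here), add `tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt` to the `unbound_srv.conf` heredoc and make sure the `ca-bundle` package is installed. The restart block runs `/etc/init.d/unbound restart` before `unbound-checkconf`, so a bad config takes down resolution first and is reported afterwards; move the `unbound-checkconf` test above the restart so it gates it, and note that with no argument it checks the default config path, which on OpenWrt may not be the UCI-generated file the init script actually loads. The `view: youtube` refuse lists are per-/32 DNS blocks that a client can sidestep with another resolver or DoH, which the comment earlier in the hunk acknowledges; that caveat belongs next to the view definition too. The start of this hunk is not legible in the page, so I reviewed only the portion visible here.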