1 #!/bin/bash
2
# Usage: run to trust or untrust DNS. Public wifi sometimes requires
# trusting DNS initially in order to log in.
5
6
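# Re-exec as root; -E keeps the caller's environment (subject to sudoers policy).
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"

source /a/bin/bash-bear-trap/bash-bear

# Basename of the script; the mode is chosen by the name it was invoked as.
script_name="${BASH_SOURCE[0]}"
script_name="${script_name##*/}"

# Upstream resolvers pinned in untrusted mode (used with DNSOverTLS below).
# Only one assignment is live; the alternatives are kept as comments rather
# than as dead assignments that get silently overwritten.
# removes malware and adult content:
# servers=(1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003)
# unfiltered from the same provider:
# servers=(1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001)
## trying out google
servers=(8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844)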
21
22
23
#######################################
# Echo a command line, then run it.
# Arguments: the command and its arguments
# Outputs:   the joined command line on stdout, then the command's output
# Returns:   the command's exit status
#######################################
m() {
  local -a cmd=("$@")
  printf '%s\n' "${cmd[*]}"
  "${cmd[@]}"
}
#######################################
# Print each argument on its own line.
# Arguments: zero or more strings
# Outputs:   one line per argument (a single empty line when called with
#            no arguments, since printf applies the format once)
#######################################
e() {
  printf '%s\n' "$@"
}
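#######################################
# Install stdin as the file $1, writing the destination only when its
# content differs (rsync -ic prints an itemized change line when it does).
# Globals:   ir (written) - "true" when the destination changed, else
#            "false"; deliberately global, the caller reads it to decide
#            whether a service restart is needed
# Arguments: $1 - destination path (parent directory is created if missing)
# Outputs:   rsync's itemized-change line on stdout when the file changed
# Returns:   0 on success, 1 if the parent dir, temp dir, copy or rsync failed
#######################################
i() { # install file
  local dest="$1" base dir tmpdir tmp rv=0
  base="${dest##*/}"
  dir="${dest%/*}"
  ir=false # i result
  # Create the parent only when $dest has one: for a bare name ${dest%/*}
  # equals $dest and mkdir -p would create a directory in the file's place.
  if [[ $dest == */* && -n $dir ]]; then
    mkdir -p -- "$dir" || return 1
  fi
  # Stage the content in a private temp dir (mktemp, not a predictable name)
  # so rsync -c can compare checksums and leave an unchanged file untouched.
  tmpdir=$(mktemp -d) || return 1
  if cat >"$tmpdir/$base" && tmp=$(rsync -ic "$tmpdir/$base" "$dest"); then
    if [[ $tmp ]]; then
      printf '%s\n' "$tmp"
      ir=true
    fi
  else
    rv=1
  fi
  rm -rf -- "$tmpdir"
  return "$rv"
}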
40
41 # i symlinked the script to another name to make it work different
# The script is symlinked under a second name; the name it runs as selects
# the mode (trusted by default, untrusted when invoked as untrusted-network).
trust=true
if [[ $script_name == untrusted-network ]]; then
  trust=false
fi
48
49
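# resolved reads drop-ins from this directory; both branches write into it,
# so make sure it exists before the redirection below.
mkdir -p /etc/systemd/resolved.conf.d
if $trust; then
  # Trusted network: drop the NetworkManager override so it manages DNS again.
  if [[ -e /etc/NetworkManager/conf.d/dns.conf ]]; then
    rm -fv /etc/NetworkManager/conf.d/dns.conf
    if [[ $(systemctl is-active NetworkManager) == active ]]; then
      m systemctl restart NetworkManager
    fi
  fi

  # https://github.com/jonathanio/update-systemd-resolved
  # suggests this will help prevent leakage into a vpn interface.
  # The key must sit under a [Resolve] header, as in the untrusted variant;
  # systemd ignores assignments that appear outside of a section.
  cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <<EOF
[Resolve]
Domains=~.
EOF
else #untrusted
  # https://wiki.archlinux.org/index.php/Systemd-resolved#Manually
  # Pin the resolvers from $servers with DNS over TLS instead of whatever
  # the network hands out. [*] joins the array with spaces on one line.
  cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <<EOF
[Resolve]
DNS=${servers[*]}
Domains=~. b8.nz
DNSOverTLS=yes
EOF

  # dns=none / systemd-resolved=false keep NetworkManager out of DNS
  # configuration so the pinned resolvers above stay in effect.
  i /etc/NetworkManager/conf.d/dns.conf <<'EOF'
[main]
dns=none
systemd-resolved=false
EOF

  # $ir is set by i(): restart only when dns.conf actually changed.
  if $ir && [[ $(systemctl is-active NetworkManager) == active ]]; then
    m systemctl restart NetworkManager
  fi
fi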
82
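dhclient_restart=false
# man dhclient.conf: make sure domain-name-servers is among the options
# dhclient requests. Only patch the file when it exists; otherwise the grep
# fails and sed would error on a missing file.
dhclient_conf=/etc/dhcp/dhclient.conf
if [[ -e $dhclient_conf ]] && ! grep -qP '\bdomain-name-servers\b' "$dhclient_conf"; then
  sed -i 's/^ *request/request domain-name-servers,/' "$dhclient_conf"
  dhclient_restart=true
  # quoted as one argument: e() prints each argument on its own line
  e "$0: dhclient_restart=true"
fi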
90
91
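# Wait for NetworkManager to come back: take the outgoing interface from
# `ip route get`, which prints "... dev <ifname> ...". Scanning for the
# "dev" token instead of a fixed field position also covers routes without
# a "via <gateway>" pair. gateway_if stays empty if nothing is found in time.
gateway_if=
for ((attempt = 0; attempt < 10; attempt++)); do
  if read -r -a route_words < <(ip route get 8.8.8.8); then
    for ((w = 0; w < ${#route_words[@]} - 1; w++)); do
      if [[ ${route_words[w]} == dev ]]; then
        gateway_if=${route_words[w + 1]}
        break
      fi
    done
    [[ $gateway_if ]] && break
  fi
  m sleep 2
done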
99
100
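if [[ $gateway_if ]]; then
  # we could do this, but dhclient is still running and will use its old settings
  # from dependencies of ifupdown,
  # from man dhclient-script
  # from /etc/dhcp/dhclient-enter-hooks.d/resolved
  # rm -f /run/systemd/resolved.conf.d/*$gateway_if*

  # Bounce the interface only when dhclient.conf was changed above and the
  # interface is managed by ifupdown (named on an "auto" line). \Q...\E makes
  # the interface name literal inside the PCRE rather than a pattern.
  if $dhclient_restart \
    && [[ -e /etc/network/interfaces ]] \
    && grep -Pq "^ *auto (\Q$gateway_if\E|.* \Q$gateway_if\E( |$))" /etc/network/interfaces; then
    m ifdown "$gateway_if"
    m ifup "$gateway_if"
  fi

  # At least on systemd 237 ifupdown it sets a global and this is not
  # needed. we are way past that, but I dont think it hurts.
  m resolvectl revert "$gateway_if"
else
  # quoted as one argument: e() prints each argument on its own line
  e "$0: no gateway_if found"
fi

# Pick up the drop-in written above.
m systemctl restart systemd-resolved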
122
123
124
# Out of curiosity I put a wrapper around dhclient that recorded its
# arguments and environment, then ran ifdown eth0; ifup eth0:
127
128 # Tue Mar 9 18:29:05 EST 2021
129 # args -4 -v -r -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
130 # env
131 # ADDRFAM=inet
132 # PHASE=pre-down
133 # VERBOSITY=0
134 # PWD=/sbin
135 # IFACE=eth0
136 # METHOD=dhcp
137 # SHLVL=1
138 # LOGICAL=eth0
139 # MODE=stop
140 # PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
141 # IFUPDOWN_eth0=pre-down
142 # _=/usr/bin/env
143 # Tue Mar 9 18:29:07 EST 2021
144 # args -1 -4 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
145 # env
146 # ADDRFAM=inet
147 # PHASE=post-up
148 # VERBOSITY=0
149 # PWD=/sbin
150 # IFACE=eth0
151 # METHOD=dhcp
152 # SHLVL=1
153 # LOGICAL=eth0
154 # MODE=start
155 # PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
156 # IFUPDOWN_eth0=post-up
157 # _=/usr/bin/env