#!/bin/bash
# I, Ian Kelling, follow the GNU license recommendations at
# https://www.gnu.org/licenses/license-recommendations.en.html. They
# recommend that small programs, < 300 lines, be licensed under the
# Apache License 2.0. This file contains or is part of one or more small
# programs. If a small program grows beyond 300 lines, I plan to switch
# its license to GPL.

# Copyright 2024 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


# Usage: run to trust or untrust dns. public wifi sometimes needs to
# trust dns initially to log in.


[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"

source /a/bin/bash-bear-trap/bash-bear

script_name="${BASH_SOURCE[0]}"
script_name="${script_name##*/}"

# removes malware and adult content
servers=(1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003)

servers=(1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001)

## trying out google
servers=(8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844)



m() { printf "%s\n" "$*";  "$@"; }
e() { printf "%s\n" "$@"; }
i() { # install file
  local tmp tmpdir dest="$1"
  local base="${dest##*/}"
  mkdir -p ${dest%/*}
  ir=false # i result
  tmpdir=$(mktemp -d)
  cat >$tmpdir/"$base"
  tmp=$(rsync -ic $tmpdir/"$base" "$dest")
  if [[ $tmp ]]; then
    printf "%s\n" "$tmp"
    ir=true
  fi
  rm -rf $tmpdir
}

# i symlinked the script to another name to make it work different
trust=true
case $script_name in
  untrusted-network)
    trust=false
    ;;
esac


if $trust; then
  if [[ -e /etc/NetworkManager/conf.d/dns.conf ]]; then
    rm -fv /etc/NetworkManager/conf.d/dns.conf
    if [[ $(systemctl is-active NetworkManager) == active ]]; then
      m systemctl restart NetworkManager
    fi
  fi

  # https://github.com/jonathanio/update-systemd-resolved
  # suggests this will help prevent leakage into a vpn interface
  cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <<EOF
Domains=~.
EOF
else  #untrusted
  # https://wiki.archlinux.org/index.php/Systemd-resolved#Manually
  cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <<EOF
[Resolve]
DNS=${servers[@]}
Domains=~. b8.nz
DNSOverTLS=yes
EOF

  i /etc/NetworkManager/conf.d/dns.conf <<'EOF'
[main]
dns=none
systemd-resolved=false
EOF

  if $ir && [[ $(systemctl is-active NetworkManager) == active ]]; then
    m systemctl restart NetworkManager
  fi
fi

dhclient_restart=false
# man dhclient.conf
if ! grep -qP '\bdomain-name-servers\b' /etc/dhcp/dhclient.conf; then
  sed -i 's/^ *request/request domain-name-servers,/' /etc/dhcp/dhclient.conf
  dhclient_restart=true
  e $0: dhclient_restart=true
fi


# wait for networkmanager to come back
for ((i=0; i<10; i++)); do
  if read -r _ _ _ _  gateway_if _ < <(ip route get 8.8.8.8); then
    break
  fi
  m sleep 2
done


if [[ $gateway_if ]]; then
  # we could do this, but dhclient is still running and will use its old settings
  # from dependencies of ifupdown,
  # from man dhclient-script
  # from /etc/dhcp/dhclient-enter-hooks.d/resolved
  # rm -f /run/systemd/resolved.conf.d/*$gateway_if*


  if $dhclient_restart && grep -Pq "^ *auto ($gateway_if|.* $gateway_if( |$))" /etc/network/interfaces; then
    m ifdown $gateway_if
    m ifup $gateway_if
  fi

  # At least on systemd 237 ifupdown it sets a global and this is not
  # needed. we are way past that, but I dont think it hurts.
  resolvectl revert $gateway_if
else
  e $0: no gateway_if found
fi

m systemctl restart systemd-resolved



# just for curiosity i did a
# wrapper around dhclient, then ifdown eth0; ifup eth0:

# Tue Mar  9 18:29:05 EST 2021
# args -4 -v -r -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
# env
# ADDRFAM=inet
# PHASE=pre-down
# VERBOSITY=0
# PWD=/sbin
# IFACE=eth0
# METHOD=dhcp
# SHLVL=1
# LOGICAL=eth0
# MODE=stop
# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# IFUPDOWN_eth0=pre-down
# _=/usr/bin/env
# Tue Mar  9 18:29:07 EST 2021
# args -1 -4 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
# env
# ADDRFAM=inet
# PHASE=post-up
# VERBOSITY=0
# PWD=/sbin
# IFACE=eth0
# METHOD=dhcp
# SHLVL=1
# LOGICAL=eth0
# MODE=start
# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# IFUPDOWN_eth0=post-up
# _=/usr/bin/env