X-Git-Url: https://iankelling.org/git/?p=distro-setup;a=blobdiff_plain;f=trusted-network;h=7cd754cf861476854f5ab6fe69f7e076b37da98a;hp=894815ebed59fa7aa5588827765807ffb995dd1d;hb=HEAD;hpb=ad09c51104f62d1da1782387025b44327a081872

diff --git a/trusted-network b/trusted-network
index 894815e..a432533 100755
--- a/trusted-network
+++ b/trusted-network
@@ -1,4 +1,25 @@
 #!/bin/bash
+# I, Ian Kelling, follow the GNU license recommendations at
+# https://www.gnu.org/licenses/license-recommendations.en.html. They
+# recommend that small programs, < 300 lines, be licensed under the
+# Apache License 2.0. This file contains or is part of one or more small
+# programs. If a small program grows beyond 300 lines, I plan to switch
+# its license to GPL.
+
+# Copyright 2024 Ian Kelling
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 
 # Usage: run to trust or untrust dns. public wifi sometimes needs to
 # trust dns initially to log in.
@@ -6,10 +27,8 @@
 
 [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
 
-source /a/bin/errhandle/err
+source /a/bin/bash-bear-trap/bash-bear
 
-readonly this_file=$(readlink -f -- "${BASH_SOURCE[0]}")
-readonly this_dir="${this_file%/*}"
 script_name="${BASH_SOURCE[0]}"
 script_name="${script_name##*/}"
 
@@ -57,13 +76,17 @@ if $trust; then
     fi
   fi
 
-  rm -fv /etc/systemd/resolved.conf.d/untrusted-network.conf
+  # https://github.com/jonathanio/update-systemd-resolved
+  # suggests this will help prevent leakage into a vpn interface
+  cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <<EOF
+Domains=~.
+EOF
 else  #untrusted
   # https://wiki.archlinux.org/index.php/Systemd-resolved#Manually
   cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <<EOF
 [Resolve]
 DNS=${servers[@]}
-Domains=b8.nz
+Domains=~. b8.nz
 DNSOverTLS=yes
 EOF
 
@@ -88,7 +111,7 @@ fi
 
 
 # wait for networkmanager to come back
-for f in {1..20}; do
+for ((i=0; i<10; i++)); do
   if read -r _ _ _ _  gateway_if _ < <(ip route get 8.8.8.8); then
     break
   fi
@@ -109,8 +132,9 @@ if [[ $gateway_if ]]; then
     m ifup $gateway_if
   fi
 
-  # at least on systemd 237 ifupdown it sets a global and this is not needed
-  systemd-resolve --interface=$gateway_if --revert
+  # At least on systemd 237 ifupdown it sets a global and this is not
+  # needed. we are way past that, but I dont think it hurts.
+  resolvectl revert $gateway_if
 else
   e $0: no gateway_if found
 fi