DNS config working

.gitignore

@@ -12,3 +12,4 @@ bin/nodejs/node_modules
 weechat/weeget/*
 weechat/logs/*
 *.sublime-*
+config/karabiner/automatic_backups/

config.json

@@ -56,6 +56,7 @@
         "shellcheck",
         "smpeg",
         "socat",
+        "stubby",
         "swiftlint",
         "tag",
         "tailor",
@@ -64,6 +65,7 @@
         "texinfo",
         "the_silver_searcher",
         "tmux",
+        "unbound",
         "unison",
         "vim",
         "watchman",
@@ -145,7 +147,9 @@
         "bin/*": "~/.local/bin/",
         "config/*": "~/.config/",
         "launchagents/*.plist":"~/Library/LaunchAgents/",
-        "hammerspoon/*": "~/.hammerspoon/"
+        "hammerspoon/*": "~/.hammerspoon/",
+        "etc/unbound/*": "/usr/local/opt/unbound/etc/unbound/",
+        "etc/stubby/*": "/usr/local/etc/stubby/"
     },
     "post-install": [
         "brew cleanup",

etc/stubby/stubby.yml

@@ -0,0 +1,35 @@
+resolution_type: GETDNS_RESOLUTION_STUB
+dns_transport_list:
+  - GETDNS_TRANSPORT_TLS
+tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
+tls_query_padding_blocksize: 256
+edns_client_subnet_private : 1
+idle_timeout: 10000
+listen_addresses:
+  - 127.0.0.1@8053
+  -  0::1@8053
+round_robin_upstreams: 1
+upstream_recursive_servers:
+  ####### IPv4 addresses ######
+  ## Cloudflare 1.1.1.1 and 1.0.0.1
+  - address_data: 1.1.1.1
+    tls_auth_name: "cloudflare-dns.com"
+  - address_data: 1.0.0.1
+    tls_auth_name: "cloudflare-dns.com"
+
+  ## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
+  - address_data: 9.9.9.9
+    tls_auth_name: "dns.quad9.net"
+  - address_data: 149.112.112.112
+    tls_auth_name: "dns.quad9.net"
+
+  ####### IPv6 addresses ######
+  ## Cloudflare servers
+  - address_data: 2606:4700:4700::1111
+    tls_auth_name: "cloudflare-dns.com"
+  - address_data: 2606:4700:4700::1001
+    tls_auth_name: "cloudflare-dns.com"
+
+  ## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
+  - address_data: 2620:fe::fe
+    tls_auth_name: "dns.quad9.net"

etc/unbound/unbound.conf

@@ -0,0 +1,57 @@
+server:
+  verbosity: 1
+  num-threads: 4
+  interface: 0.0.0.0@53
+  so-reuseport: yes
+  edns-buffer-size: 1472
+  delay-close: 10000
+  cache-min-ttl: 60
+  cache-max-ttl: 86400
+  do-daemonize: no
+  deny-any: yes
+  username: "unbound"
+  log-queries: no
+  hide-version: yes
+  hide-identity: yes
+  identity: "DNS"
+  harden-algo-downgrade: yes
+  harden-short-bufsize: yes
+  harden-large-queries: yes
+  harden-glue: yes
+  harden-dnssec-stripped: yes
+  harden-below-nxdomain: yes
+  harden-referral-path: no
+  do-not-query-localhost: no
+  prefetch: yes
+  prefetch-key: yes
+  qname-minimisation: yes
+  aggressive-nsec: yes
+  ratelimit: 1000
+  rrset-roundrobin: yes
+  minimal-responses: yes
+  chroot: "/usr/local/opt/unbound"
+  directory: "/usr/local/opt/unbound"
+  auto-trust-anchor-file: "var/root.key"
+  root-hints: "etc/unbound/root.hints"
+  num-queries-per-thread: 4096
+  outgoing-range: 8192
+  neg-cache-size: 4M
+  serve-expired: yes
+  use-caps-for-id: yes
+  unwanted-reply-threshold: 10000
+  val-clean-additional: yes
+  private-address: 10.0.0.0/8
+  private-address: 172.16.0.0/12
+  private-address: 192.168.0.0/16
+  private-address: 169.254.0.0/16
+  private-address: fd00::/8
+  private-address: fe80::/10
+  private-address: ::ffff:0:0/96
+  access-control: 127.0.0.1/32 allow
+  do-not-query-localhost:  no
+forward-zone:
+  name: "."
+    forward-addr: 127.0.0.1@8053
+    forward-addr: ::1@8053
+remote-control:
+  control-enable: no

install.py

@@ -2,6 +2,7 @@
 from contextlib import contextmanager
 from glob import glob
 import json
+import platform
 from subprocess import check_output, STDOUT
 from tempfile import NamedTemporaryFile
 import sys
@@ -159,7 +160,7 @@ def install_mas(apps, tags):
             runcmd('xargs <{} mas install'.format(tf.name))
 
 
-def check_install_deps():
+def check_install_deps_macos():
     if not os.path.isdir("/usr/local/Cellar"):
         print('Installing homebrew')
         runcmd('/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"', stderr=STDOUT, shell=True)
@@ -180,15 +181,17 @@ def install_from_config(config_file, tags):
     with open(config_file, 'r') as f:
         config = json.loads(f.read(), object_pairs_hook=collections.OrderedDict)
 
-    check_install_deps()
     try:
         os.mkdir(os.path.expanduser("~/.config/zsh"))
     except OSError:
         pass
-    install_taps(config.get('brew-taps', []))
-    install_brew(config.get('brew', []), tags)
-    install_casks(config.get('casks', []), tags)
-    install_mas(config.get('mas', []), tags)
+    # FIXME: only do the following four on macos hosts
+    if platform.system() == 'Darwin':
+        check_install_deps_macos()
+        install_taps(config.get('brew-taps', []))
+        install_brew(config.get('brew', []), tags)
+        install_casks(config.get('casks', []), tags)
+        install_mas(config.get('mas', []), tags)
     install_sources(config.get('sources', {}))
     install_symlinks(config.get('symlinks', {}))
     post_install(config)

launchdaemons/local.timods.stubby.plist

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-/Apple/DTD PLIST 1.0/EN" "http:/www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>Label</key>
+    <string>local.timods.stubby</string>
+    <key>KeepAlive</key>
+    <true/>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>ProgramArguments</key>
+    <array>
+      <string>/usr/local/opt/stubby/bin/stubby</string>
+      <string>-C</string>
+      <string>/usr/local/etc/stubby/stubby.yml</string>
+      <string>-l</string>
+    </array>
+    <key>StandardErrorPath</key>
+    <string>/usr/local/var/log/stubby/stubby.log</string>
+    <key>StandardOutPath</key>
+    <string>/usr/local/var/log/stubby/stubby.log</string>
+  </dict>
+</plist>

launchdaemons/local.timods.unbound.plist

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-/Apple/DTD PLIST 1.0/EN" "http:/www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>Label</key>
+    <string>local.timods.unbound</string>
+    <key>KeepAlive</key>
+    <true/>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>ProgramArguments</key>
+    <array>
+      <string>/usr/local/opt/unbound/sbin/unbound</string>
+      <string>-d</string>
+      <string>-c</string>
+      <string>/usr/local/opt/unbound/etc/unbound/unbound.conf</string>
+    </array>
+    <key>UserName</key>
+    <string>root</string>
+    <key>StandardErrorPath</key>
+    <string>/dev/null</string>
+    <key>StandardOutPath</key>
+    <string>/dev/null</string>
+  </dict>
+</plist>

setup.sh

@@ -1,5 +1,24 @@
 #!/bin/bash
 
-python3 install.py config.json $*
+quietly () {
+	eval $* > /dev/null 2>&1
+}
+
+python3 install.py config.json $* || (echo "Setup failed!" && exit 1)
 # cask requires passwords sometimes
 test -f /tmp/casks && xargs </tmp/casks brew cask install
+case $(uname -s) in
+  Darwin)
+    for plist in launchdaemons/*; do
+      daemon_path="/Library/LaunchDaemons/${plist#launchdaemons/}"
+      sudo cp "./${plist}" "$daemon_path"
+      quietly sudo launchctl stop "$daemon_path"
+      quietly sudo launchctl unload "$daemon_path"
+      sudo launchctl load "$daemon_path"
+      sudo launchctl start "$daemon_path" || echo "Error loading ${plist}!"
+    done
+    quietly test /usr/local/sbin/stubby-setdns-macos.sh && sudo /usr/local/sbin/stubby-setdns-macos.sh
+    ;;
+  *) # Linux setup
+    ;;
+esac