diff --git a/.gitignore b/.gitignore
index f311bf8..a1ad329 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@ bin/nodejs/node_modules
weechat/weeget/*
weechat/logs/*
*.sublime-*
+config/karabiner/automatic_backups/
diff --git a/config.json b/config.json
index c2bc16f..1c99fbf 100644
--- a/config.json
+++ b/config.json
@@ -56,6 +56,7 @@
"shellcheck",
"smpeg",
"socat",
+ "stubby",
"swiftlint",
"tag",
"tailor",
@@ -64,6 +65,7 @@
"texinfo",
"the_silver_searcher",
"tmux",
+ "unbound",
"unison",
"vim",
"watchman",
@@ -145,7 +147,9 @@
"bin/*": "~/.local/bin/",
"config/*": "~/.config/",
"launchagents/*.plist":"~/Library/LaunchAgents/",
- "hammerspoon/*": "~/.hammerspoon/"
+ "hammerspoon/*": "~/.hammerspoon/",
+ "etc/unbound/*": "/usr/local/opt/unbound/etc/unbound/",
+ "etc/stubby/*": "/usr/local/etc/stubby/"
},
"post-install": [
"brew cleanup",
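Review bot: The two new symlink entries, `"etc/unbound/*": "/usr/local/opt/unbound/etc/unbound/"` and `"etc/stubby/*": "/usr/local/etc/stubby/"`, make the configuration of system resolver daemons resolve to files inside this dotfiles checkout, and the unbound launch daemon added in this commit runs as root. Assuming `install_symlinks` links rather than copies, anything that can write to the checkout can repoint `forward-addr` or the upstream list for every DNS lookup on the machine. Copying these files into place with root ownership and a non-writable mode would avoid that. unbound.conf also sets `chroot: "/usr/local/opt/unbound"`, so a link pointing outside that directory may not resolve on a reload, which is worth confirming. The `symlinks` object starts outside this hunk.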
diff --git a/etc/stubby/stubby.yml b/etc/stubby/stubby.yml
new file mode 100644
index 0000000..5a78eb6
--- /dev/null
+++ b/etc/stubby/stubby.yml
@@ -0,0 +1,35 @@
+resolution_type: GETDNS_RESOLUTION_STUB
+dns_transport_list:
+ - GETDNS_TRANSPORT_TLS
+tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
+tls_query_padding_blocksize: 256
+edns_client_subnet_private : 1
+idle_timeout: 10000
+listen_addresses:
+ - 127.0.0.1@8053
+ - 0::1@8053
+round_robin_upstreams: 1
+upstream_recursive_servers:
+ ####### IPv4 addresses ######
+ ## Cloudflare 1.1.1.1 and 1.0.0.1
+ - address_data: 1.1.1.1
+ tls_auth_name: "cloudflare-dns.com"
+ - address_data: 1.0.0.1
+ tls_auth_name: "cloudflare-dns.com"
+
+ ## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
+ - address_data: 9.9.9.9
+ tls_auth_name: "dns.quad9.net"
+ - address_data: 149.112.112.112
+ tls_auth_name: "dns.quad9.net"
+
+ ####### IPv6 addresses ######
+ ## Cloudflare servers
+ - address_data: 2606:4700:4700::1111
+ tls_auth_name: "cloudflare-dns.com"
+ - address_data: 2606:4700:4700::1001
+ tls_auth_name: "cloudflare-dns.com"
+
+ ## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
+ - address_data: 2620:fe::fe
+ tls_auth_name: "dns.quad9.net"
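Review bot: `round_robin_upstreams: 1` spreads queries across Cloudflare and Quad9, so the Quad9 filtering described in the `## Quad 9 'secure' service` comments applies only to the queries that happen to land on Quad9. A name that Quad9 blocks can therefore resolve on a retry that goes to Cloudflare. If the filtering is wanted, list only the Quad9 entries, or set `round_robin_upstreams: 0` with Quad9 first so Cloudflare is only a fallback. If it is not wanted, a comment such as `# filtering is best-effort: upstreams are mixed on purpose` would avoid suggesting a filtered resolver.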
diff --git a/etc/unbound/unbound.conf b/etc/unbound/unbound.conf
new file mode 100644
index 0000000..86dfd81
--- /dev/null
+++ b/etc/unbound/unbound.conf
@@ -0,0 +1,57 @@
+server:
+ verbosity: 1
+ num-threads: 4
+ interface: 0.0.0.0@53
+ so-reuseport: yes
+ edns-buffer-size: 1472
+ delay-close: 10000
+ cache-min-ttl: 60
+ cache-max-ttl: 86400
+ do-daemonize: no
+ deny-any: yes
+ username: "unbound"
+ log-queries: no
+ hide-version: yes
+ hide-identity: yes
+ identity: "DNS"
+ harden-algo-downgrade: yes
+ harden-short-bufsize: yes
+ harden-large-queries: yes
+ harden-glue: yes
+ harden-dnssec-stripped: yes
+ harden-below-nxdomain: yes
+ harden-referral-path: no
+ do-not-query-localhost: no
+ prefetch: yes
+ prefetch-key: yes
+ qname-minimisation: yes
+ aggressive-nsec: yes
+ ratelimit: 1000
+ rrset-roundrobin: yes
+ minimal-responses: yes
+ chroot: "/usr/local/opt/unbound"
+ directory: "/usr/local/opt/unbound"
+ auto-trust-anchor-file: "var/root.key"
+ root-hints: "etc/unbound/root.hints"
+ num-queries-per-thread: 4096
+ outgoing-range: 8192
+ neg-cache-size: 4M
+ serve-expired: yes
+ use-caps-for-id: yes
+ unwanted-reply-threshold: 10000
+ val-clean-additional: yes
+ private-address: 10.0.0.0/8
+ private-address: 172.16.0.0/12
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: fd00::/8
+ private-address: fe80::/10
+ private-address: ::ffff:0:0/96
+ access-control: 127.0.0.1/32 allow
+ do-not-query-localhost: no
+forward-zone:
+ name: "."
+ forward-addr: 127.0.0.1@8053
+ forward-addr: ::1@8053
+remote-control:
+ control-enable: no
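Review bot: `interface: 0.0.0.0@53` binds the resolver on every IPv4 interface although the only `access-control` line admits `127.0.0.1/32`, so port 53 is reachable from the network and protected by the ACL alone. For a local-only cache, bind loopback instead with `interface: 127.0.0.1@53` and `interface: ::1@53`; there is currently no IPv6 listener at all. `do-not-query-localhost: no` appears twice in the `server:` block. Keep one, with a comment such as `# required: the forwarder is stubby on 127.0.0.1@8053`.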
diff --git a/freshrc b/freshrc
deleted file mode 100644
index c25c0bf..0000000
--- a/freshrc
+++ /dev/null
@@ -1,52 +0,0 @@
-iter () {
- echo "$*" | tr " " "\n"
-}
-
-fresh freshshell/fresh bin/fresh --bin=~/.local/bin/fresh
-
-# dotfiles
-fresh https://gitlab.com/timods/dotfiles 'config/*' --file
-fresh https://gitlab.com/timods/dotfiles 'shell/*'
-fresh https://gitlab.com/timods/dotfiles 'aliases/*'
-fresh https://gitlab.com/timods/dotfiles 'xresources/*' --file=~/.Xresources
-
-fresh gdbinit/Gdbinit 'gdbinit' --file=~/.gdbinit
-fresh larkery/zsh-histdb . --file=~/.zsh-histdb/
-fresh tarjoilija/zgen 'zgen.zsh' --file=~/.zgen.zsh
-fresh tarjoilija/zgen '_zgen' --file=~/.zsh/_zgen
-
-fresh https://gitlab.com/timods/dotfiles 'colors' --file=~/.colors/
-
-## alacritty
-fresh-options --file=~/.config/alacritty/alacritty.yml
- fresh https://gitlab.com/timods/dotfiles alacritty/$(uname -s).alacritty
- fresh https://gitlab.com/timods/dotfiles alacritty/colors.alacritty
-fresh-options
-
-SRCD=~/.fresh/source/gitlab.com/timods-dotfiles
-for binf in "$SRCD/bin"/*; do
- if [ -f "$binf" ]; then
- binf=$(basename "${binf}")
- fresh https://gitlab.com/timods/dotfiles
- fi
-done
-
-## platform-specific setup
-un=$(uname -s)
-if [ -d "${SRCD}/bin/${un}" ]; then
- for binf in "${SRCD}"/bin/${un}/*; do
- binf=$(basename "${binf}")
- fresh https://gitlab.com/timods/dotfiles "bin/${un}/${binf}" --bin="$HOME/.local/bin/${binf}"
- done
-fi
-
-# Install platform-specific deps
-test -f "${SRCD}/deps/${un}.sh" && source "${SRCD}/deps/${un}.sh"
-
-if [[ "${un}" == "Darwin" ]]; then
- # Grab all my launchagents
- for la in "${SRCD}"/launchagents/*.plist; do
- la=$(basename "${la}")
- fresh https://gitlab.com/timods/dotfiles "launchagents/$la" --file="~/Library/LaunchAgents/$la"
- done
-fi
diff --git a/install.py b/install.py
index d21efb8..950e92c 100644
--- a/install.py
+++ b/install.py
@@ -2,6 +2,7 @@
from contextlib import contextmanager
from glob import glob
import json
+import platform
from subprocess import check_output, STDOUT
from tempfile import NamedTemporaryFile
import sys
@@ -159,7 +160,7 @@ def install_mas(apps, tags):
runcmd('xargs <{} mas install'.format(tf.name))
-def check_install_deps():
+def check_install_deps_macos():
if not os.path.isdir("/usr/local/Cellar"):
print('Installing homebrew')
runcmd('/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"', stderr=STDOUT, shell=True)
@@ -180,15 +181,17 @@ def install_from_config(config_file, tags):
with open(config_file, 'r') as f:
config = json.loads(f.read(), object_pairs_hook=collections.OrderedDict)
- check_install_deps()
try:
os.mkdir(os.path.expanduser("~/.config/zsh"))
except OSError:
pass
- install_taps(config.get('brew-taps', []))
- install_brew(config.get('brew', []), tags)
- install_casks(config.get('casks', []), tags)
- install_mas(config.get('mas', []), tags)
+ # FIXME: only do the following four on macos hosts
+ if platform.system() == 'Darwin':
+ check_install_deps_macos()
+ install_taps(config.get('brew-taps', []))
+ install_brew(config.get('brew', []), tags)
+ install_casks(config.get('casks', []), tags)
+ install_mas(config.get('mas', []), tags)
install_sources(config.get('sources', {}))
install_symlinks(config.get('symlinks', {}))
post_install(config)
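Review bot: Only the four Homebrew and `mas` steps are gated on `platform.system() == 'Darwin'`; `install_symlinks` and `post_install` still run on every platform. config.json in this same commit adds symlink targets under `/usr/local/opt/unbound/` and `/usr/local/etc/stubby/`, and its `post-install` list starts with `brew cleanup`, so on a non-macOS host these steps would presumably fail or leave links under `/usr/local`. Either move them inside the guard or split the config per platform. The `# FIXME: only do the following four on macos hosts` comment describes what the next line already does and should become a plain comment, e.g. `# Homebrew, casks and the Mac App Store exist only on macOS`. The function's signature is visible only in the hunk header.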
diff --git a/launchdaemons/local.timods.stubby.plist b/launchdaemons/local.timods.stubby.plist
new file mode 100644
index 0000000..e0a88f8
--- /dev/null
+++ b/launchdaemons/local.timods.stubby.plist
@@ -0,0 +1,23 @@
+
+
+
+
+ Label
+ local.timods.stubby
+ KeepAlive
+
+ RunAtLoad
+
+ ProgramArguments
+
+ /usr/local/opt/stubby/bin/stubby
+ -C
+ /usr/local/etc/stubby/stubby.yml
+ -l
+
+ StandardErrorPath
+ /usr/local/var/log/stubby/stubby.log
+ StandardOutPath
+ /usr/local/var/log/stubby/stubby.log
+
+
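Review bot: The plist has no `UserName` key, so when loaded as a launch daemon stubby runs as root, although per stubby.yml in this commit it only listens on port 8053 and needs no privilege for that. Add `<key>UserName</key>` followed by `<string>UNPRIVILEGED_USER</string>` (placeholder; use an existing unprivileged account). The `-l` argument appears to turn on stubby's full logging, and both output paths point at `/usr/local/var/log/stubby/stubby.log` with nothing visible here that rotates it, so dropping `-l` once the setup works keeps the log bounded. The XML markup of this file is not visible on the page, so the key/value pairing is inferred from order.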
diff --git a/launchdaemons/local.timods.unbound.plist b/launchdaemons/local.timods.unbound.plist
new file mode 100644
index 0000000..f3a72ea
--- /dev/null
+++ b/launchdaemons/local.timods.unbound.plist
@@ -0,0 +1,25 @@
+
+
+
+
+ Label
+ local.timods.unbound
+ KeepAlive
+
+ RunAtLoad
+
+ ProgramArguments
+
+ /usr/local/opt/unbound/sbin/unbound
+ -d
+ -c
+ /usr/local/opt/unbound/etc/unbound/unbound.conf
+
+ UserName
+ root
+ StandardErrorPath
+ /dev/null
+ StandardOutPath
+ /dev/null
+
+
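Review bot: Both `StandardErrorPath` and `StandardOutPath` are `/dev/null`, and with a single `-d` unbound reports configuration and start-up errors on stderr, so a broken unbound.conf would leave launchd silently restarting the daemon under `KeepAlive`. Point `StandardErrorPath` at a log file, e.g. `/usr/local/var/log/unbound/unbound.log` (constructed path, mirroring the stubby plist). `UserName` `root` is needed to bind port 53, and unbound.conf then drops to `username: "unbound"`. However, the binary and config live under `/usr/local/opt/unbound`, which on a default Homebrew install is typically writable by the installing user, so the ownership of those paths is worth checking before running them as root.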
diff --git a/setup.sh b/setup.sh
index ed86635..8886ef1 100755
--- a/setup.sh
+++ b/setup.sh
@@ -1,5 +1,24 @@
#!/bin/bash
-python3 install.py config.json $*
+quietly () {
+ eval $* > /dev/null 2>&1
+}
+
+python3 install.py config.json $* || (echo "Setup failed!" && exit 1)
# cask requires passwords sometimes
test -f /tmp/casks && xargs