From 563bfffe3ef753586334a40cc25a9fcc5257259b Mon Sep 17 00:00:00 2001
From: Tim Deeb-Swihart
Date: Fri, 15 Mar 2019 18:23:02 -0400
Subject: [PATCH] DNS config working
---
 .gitignore | 1 +
 config.json | 6 ++-
 etc/stubby/stubby.yml | 35 +++++++++++++++
 etc/unbound/unbound.conf | 57 ++++++++++++++++++++++++
 freshrc | 52 ---------------------
 install.py | 15 ++++---
 launchdaemons/local.timods.stubby.plist | 23 ++++++++++
 launchdaemons/local.timods.unbound.plist | 25 +++++++++++
 setup.sh | 21 ++++++++-
 9 files changed, 175 insertions(+), 60 deletions(-)
 create mode 100644 etc/stubby/stubby.yml
 create mode 100644 etc/unbound/unbound.conf
 delete mode 100644 freshrc
 create mode 100644 launchdaemons/local.timods.stubby.plist
 create mode 100644 launchdaemons/local.timods.unbound.plist
diff --git a/.gitignore b/.gitignore
index f311bf8..a1ad329 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@ bin/nodejs/node_modules
 weechat/weeget/*
 weechat/logs/*
 *.sublime-*
+config/karabiner/automatic_backups/
diff --git a/config.json b/config.json
index c2bc16f..1c99fbf 100644
--- a/config.json
+++ b/config.json
@@ -56,6 +56,7 @@
 "shellcheck",
 "smpeg",
 "socat",
+ "stubby",
 "swiftlint",
 "tag",
 "tailor",
@@ -64,6 +65,7 @@
 "texinfo",
 "the_silver_searcher",
 "tmux",
+ "unbound",
 "unison",
 "vim",
 "watchman",
@@ -145,7 +147,9 @@
 "bin/*": "~/.local/bin/",
 "config/*": "~/.config/",
 "launchagents/*.plist":"~/Library/LaunchAgents/",
- "hammerspoon/*": "~/.hammerspoon/"
+ "hammerspoon/*": "~/.hammerspoon/",
+ "etc/unbound/*": "/usr/local/opt/unbound/etc/unbound/",
+ "etc/stubby/*": "/usr/local/etc/stubby/"
 },
 "post-install": [
 "brew cleanup",
diff --git a/etc/stubby/stubby.yml b/etc/stubby/stubby.yml
new file mode 100644
index 0000000..5a78eb6
--- /dev/null
+++ b/etc/stubby/stubby.yml
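Review bot: The two symlink entries added in the `@@ -145,7 +147,9 @@` hunk point at Homebrew paths (`/usr/local/opt/unbound/etc/unbound/`, `/usr/local/etc/stubby/`), but install.py in this same commit gates only the brew/cask/mas steps on Darwin and still calls `install_symlinks` on every platform, so on a non-macOS host these entries would try to populate /usr/local paths that do not exist. If the Homebrew stubby formula already ships a default `stubby.yml` in `/usr/local/etc/stubby/`, the symlink step also has to replace an existing file rather than create a new one; the diff does not show how `install_symlinks` handles that case. A platform-scoped symlink map, or a comment in install.py stating that the `symlinks` map is assumed to be macOS-only, would make the assumption explicit.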
@@ -0,0 +1,35 @@
+resolution_type: GETDNS_RESOLUTION_STUB
+dns_transport_list:
+ - GETDNS_TRANSPORT_TLS
+tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
+tls_query_padding_blocksize: 256
+edns_client_subnet_private : 1
+idle_timeout: 10000
+listen_addresses:
+ - 127.0.0.1@8053
+ - 0::1@8053
+round_robin_upstreams: 1
+upstream_recursive_servers:
+ ####### IPv4 addresses ######
+ ## Cloudflare 1.1.1.1 and 1.0.0.1
+ - address_data: 1.1.1.1
+ tls_auth_name: "cloudflare-dns.com"
+ - address_data: 1.0.0.1
+ tls_auth_name: "cloudflare-dns.com"
+
+ ## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
+ - address_data: 9.9.9.9
+ tls_auth_name: "dns.quad9.net"
+ - address_data: 149.112.112.112
+ tls_auth_name: "dns.quad9.net"
+
+ ####### IPv6 addresses ######
+ ## Cloudflare servers
+ - address_data: 2606:4700:4700::1111
+ tls_auth_name: "cloudflare-dns.com"
+ - address_data: 2606:4700:4700::1001
+ tls_auth_name: "cloudflare-dns.com"
+
+ ## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
+ - address_data: 2620:fe::fe
+ tls_auth_name: "dns.quad9.net"
diff --git a/etc/unbound/unbound.conf b/etc/unbound/unbound.conf
new file mode 100644
index 0000000..86dfd81
--- /dev/null
+++ b/etc/unbound/unbound.conf
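Review bot: `round_robin_upstreams: 1` rotates queries across Cloudflare and Quad9, and the file's own comment notes that Quad9's 'secure' service filters names while Cloudflare does not, so a filtered name will resolve or fail depending on which upstream a given query lands on, which is hard to diagnose from unbound's side. Either keep the upstream list to one filtering policy or document the behaviour next to the option: `# Mixed policies: Quad9 filters known-malicious names, Cloudflare does not; with round-robin the answer for a filtered name depends on the upstream chosen.` `tls_authentication: GETDNS_AUTHENTICATION_REQUIRED` together with a `tls_auth_name` on every upstream is the right setting here, since a failed certificate check becomes a hard failure instead of a silent fallback; a one-line comment saying so would keep a later edit from relaxing it.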
@@ -0,0 +1,57 @@
+server:
+ verbosity: 1
+ num-threads: 4
+ interface: 0.0.0.0@53
+ so-reuseport: yes
+ edns-buffer-size: 1472
+ delay-close: 10000
+ cache-min-ttl: 60
+ cache-max-ttl: 86400
+ do-daemonize: no
+ deny-any: yes
+ username: "unbound"
+ log-queries: no
+ hide-version: yes
+ hide-identity: yes
+ identity: "DNS"
+ harden-algo-downgrade: yes
+ harden-short-bufsize: yes
+ harden-large-queries: yes
+ harden-glue: yes
+ harden-dnssec-stripped: yes
+ harden-below-nxdomain: yes
+ harden-referral-path: no
+ do-not-query-localhost: no
+ prefetch: yes
+ prefetch-key: yes
+ qname-minimisation: yes
+ aggressive-nsec: yes
+ ratelimit: 1000
+ rrset-roundrobin: yes
+ minimal-responses: yes
+ chroot: "/usr/local/opt/unbound"
+ directory: "/usr/local/opt/unbound"
+ auto-trust-anchor-file: "var/root.key"
+ root-hints: "etc/unbound/root.hints"
+ num-queries-per-thread: 4096
+ outgoing-range: 8192
+ neg-cache-size: 4M
+ serve-expired: yes
+ use-caps-for-id: yes
+ unwanted-reply-threshold: 10000
+ val-clean-additional: yes
+ private-address: 10.0.0.0/8
+ private-address: 172.16.0.0/12
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: fd00::/8
+ private-address: fe80::/10
+ private-address: ::ffff:0:0/96
+ access-control: 127.0.0.1/32 allow
+ do-not-query-localhost: no
+forward-zone:
+ name: "."
+ forward-addr: 127.0.0.1@8053
+ forward-addr: ::1@8053
+remote-control:
+ control-enable: no
diff --git a/freshrc b/freshrc
deleted file mode 100644
index c25c0bf..0000000
--- a/freshrc
+++ /dev/null
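Review bot: `interface: 0.0.0.0@53` binds the listener on every IPv4 address even though `access-control: 127.0.0.1/32 allow` only ever serves loopback clients, so the resolver is reachable (and refusing) on LAN addresses for no benefit; `interface: 127.0.0.1` plus `interface: ::1` keeps it local and mirrors the IPv6 path stubby listens on (`0::1@8053`). `do-not-query-localhost: no` appears twice, once in the hardening group and again after `access-control`; keep one and say why it is needed: `# needed because forward-zone "." below sends every query to stubby on 127.0.0.1@8053`. `root-hints: "etc/unbound/root.hints"` and `auto-trust-anchor-file: "var/root.key"` are read relative to `chroot: "/usr/local/opt/unbound"`, neither file is added by this commit, and the anchor file has to be writable by the `unbound` user for RFC 5011 updates, so the daemon will most likely fail at startup until setup provisions them.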
@@ -1,52 +0,0 @@ -iter () { - echo "$*" | tr " " "\n" -} - -fresh freshshell/fresh bin/fresh --bin=~/.local/bin/fresh - -# dotfiles -fresh https://gitlab.com/timods/dotfiles 'config/*' --file -fresh https://gitlab.com/timods/dotfiles 'shell/*' -fresh https://gitlab.com/timods/dotfiles 'aliases/*' -fresh https://gitlab.com/timods/dotfiles 'xresources/*' --file=~/.Xresources - -fresh gdbinit/Gdbinit 'gdbinit' --file=~/.gdbinit -fresh larkery/zsh-histdb . --file=~/.zsh-histdb/ -fresh tarjoilija/zgen 'zgen.zsh' --file=~/.zgen.zsh -fresh tarjoilija/zgen '_zgen' --file=~/.zsh/_zgen - -fresh https://gitlab.com/timods/dotfiles 'colors' --file=~/.colors/ - -## alacritty -fresh-options --file=~/.config/alacritty/alacritty.yml - fresh https://gitlab.com/timods/dotfiles alacritty/$(uname -s).alacritty - fresh https://gitlab.com/timods/dotfiles alacritty/colors.alacritty -fresh-options - -SRCD=~/.fresh/source/gitlab.com/timods-dotfiles -for binf in "$SRCD/bin"/*; do - if [ -f "$binf" ]; then - binf=$(basename "${binf}") - fresh https://gitlab.com/timods/dotfiles - fi -done - -## platform-specific setup -un=$(uname -s) -if [ -d "${SRCD}/bin/${un}" ]; then - for binf in "${SRCD}"/bin/${un}/*; do - binf=$(basename "${binf}") - fresh https://gitlab.com/timods/dotfiles "bin/${un}/${binf}" --bin="$HOME/.local/bin/${binf}" - done -fi - -# Install platform-specific deps -test -f "${SRCD}/deps/${un}.sh" && source "${SRCD}/deps/${un}.sh" - -if [[ "${un}" == "Darwin" ]]; then - # Grab all my launchagents - for la in "${SRCD}"/launchagents/*.plist; do - la=$(basename "${la}") - fresh https://gitlab.com/timods/dotfiles "launchagents/$la" --file="~/Library/LaunchAgents/$la" - done -fi diff --git a/install.py b/install.py index d21efb8..950e92c 100644 --- a/install.py +++ b/install.py @@ -2,6 +2,7 @@ from contextlib import contextmanager from glob import glob import json +import platform from subprocess import check_output, STDOUT from tempfile import NamedTemporaryFile import sys 
@@ -159,7 +160,7 @@ def install_mas(apps, tags): runcmd('xargs <{} mas install'.format(tf.name)) -def check_install_deps(): +def check_install_deps_macos(): if not os.path.isdir("/usr/local/Cellar"): print('Installing homebrew') runcmd('/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"', stderr=STDOUT, shell=True) @@ -180,15 +181,17 @@ def install_from_config(config_file, tags): with open(config_file, 'r') as f: config = json.loads(f.read(), object_pairs_hook=collections.OrderedDict) - check_install_deps() try: os.mkdir(os.path.expanduser("~/.config/zsh")) except OSError: pass - install_taps(config.get('brew-taps', [])) - install_brew(config.get('brew', []), tags) - install_casks(config.get('casks', []), tags) - install_mas(config.get('mas', []), tags) + # FIXME: only do the following four on macos hosts + if platform.system() == 'Darwin': + check_install_deps_macos() + install_taps(config.get('brew-taps', [])) + install_brew(config.get('brew', []), tags) + install_casks(config.get('casks', []), tags) + install_mas(config.get('mas', []), tags) install_sources(config.get('sources', {})) install_symlinks(config.get('symlinks', {})) post_install(config) diff --git a/launchdaemons/local.timods.stubby.plist b/launchdaemons/local.timods.stubby.plist new file mode 100644 index 0000000..e0a88f8 --- /dev/null +++ b/launchdaemons/local.timods.stubby.plist @@ -0,0 +1,23 @@ + + + + + Label + local.timods.stubby + KeepAlive + + RunAtLoad + + ProgramArguments + + /usr/local/opt/stubby/bin/stubby + -C + /usr/local/etc/stubby/stubby.yml + -l + + StandardErrorPath + /usr/local/var/log/stubby/stubby.log + StandardOutPath + /usr/local/var/log/stubby/stubby.log + + diff --git a/launchdaemons/local.timods.unbound.plist b/launchdaemons/local.timods.unbound.plist new file mode 100644 index 0000000..f3a72ea --- /dev/null +++ b/launchdaemons/local.timods.unbound.plist 
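Review bot: The `# FIXME: only do the following four on macos hosts` comment added in the `@@ -180,15 +181,17 @@` hunk describes work the same hunk already does (the `platform.system() == 'Darwin'` guard) and miscounts the calls it guards (five, including `check_install_deps_macos`), so it reads as an open task. Replace it with a statement of intent, e.g. `# Homebrew taps, formulae, casks and mas exist only on macOS; other hosts still get sources, symlinks and post-install`. `install_symlinks` and `post_install` stay unconditional, which matters because config.json in this commit adds symlink targets under /usr/local/opt and /usr/local/etc. `install_from_config` begins above this hunk.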
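Review bot: The stubby daemon plist sets no `UserName`, so launchd will run stubby as root although it only needs to bind 127.0.0.1@8053 and ::1@8053 (unprivileged ports) and read `/usr/local/etc/stubby/stubby.yml`; adding `<key>UserName</key><string>UNPRIVILEGED_USER</string>` (placeholder: whichever account setup creates for it) limits what a bug in the TLS client can reach. Both log paths point into `/usr/local/var/log/stubby/`; as far as I know launchd creates the log file but not its directory, so setup should create the directory or the daemon will fail to start. The plist's XML tags are not visible in this rendering, so the key names above are inferred from the surrounding values.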
@@ -0,0 +1,25 @@ + + + + + Label + local.timods.unbound + KeepAlive + + RunAtLoad + + ProgramArguments + + /usr/local/opt/unbound/sbin/unbound + -d + -c + /usr/local/opt/unbound/etc/unbound/unbound.conf + + UserName + root + StandardErrorPath + /dev/null + StandardOutPath + /dev/null + + diff --git a/setup.sh b/setup.sh index ed86635..8886ef1 100755 --- a/setup.sh +++ b/setup.sh @@ -1,5 +1,24 @@ #!/bin/bash -python3 install.py config.json $* +quietly () { + eval $* > /dev/null 2>&1 +} + +python3 install.py config.json $* || (echo "Setup failed!" && exit 1) # cask requires passwords sometimes test -f /tmp/casks && xargs
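Review bot: `StandardErrorPath` and `StandardOutPath` both go to `/dev/null` while `KeepAlive` is set, so a startup failure (for instance the `root.hints` and `root.key` files the config references inside its chroot, which this commit does not add) becomes a silent restart loop with nothing to read; pointing both at a log file under `/usr/local/var/log/`, as the stubby daemon in this commit does, costs little since unbound.conf sets `verbosity: 1` and `log-queries: no`. `UserName` root is needed here for the chroot and for port 53 and is balanced by `username: "unbound"` in unbound.conf, which is worth stating in a `<!-- -->` comment so a later edit does not drop either half. The XML tags are stripped in this rendering, so key names are inferred from the values.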