-rw-r--r--system/modules/darwin/kresd.nix45
-rw-r--r--system/modules/darwin/stubby.nix219
-rw-r--r--system/modules/nextdns.nix44
-rw-r--r--system/trillian.nix10
4 files changed, 4 insertions, 314 deletions
diff --git a/system/modules/darwin/kresd.nix b/system/modules/darwin/kresd.nix
deleted file mode 100644
index 6bce8af1..00000000
--- a/system/modules/darwin/kresd.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.kresd;
-  package = pkgs.knot-resolver;
-
-  configFile = pkgs.writeText "kresd.conf" cfg.extraConfig;
-in
-{
-  options = {
-    services.kresd.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = "Whether to enable knot-resolver daemon.";
-    };
-
-    services.kresd.extraConfig = mkOption {
-      type = types.lines;
-      default = "";
-      description = ''
-        Extra configuration to be added to the generated configuration file.
-      '';
-    };
-  };
-
-  config = mkIf cfg.enable {
-    launchd.daemons.kresd = {
-      command = "${package}/bin/kresd -c ${configFile}";
-
-      serviceConfig = {
-        ProcessType = "Interactive";
-        # Sockets = {
-        #   Listeners = {
-        #     SockServiceName = "dns";
-        #     SockFamily = "IPv4";
-        #   };
-        # };
-      };
-    };
-
-    environment.systemPackages = [ package ];
-  };
-}
diff --git a/system/modules/darwin/stubby.nix b/system/modules/darwin/stubby.nix
deleted file mode 100644
index fab1c3d8..00000000
--- a/system/modules/darwin/stubby.nix
+++ /dev/null
@@ -1,219 +0,0 @@
-{ config, lib, pkgs, ...}:
-
-with lib;
-
-let
-  cfg = config.services.stubby;
-  package = pkgs.stubby;
-
-  fallbacks = concatMapStringsSep "\n  " (x: "- ${x}") cfg.fallbackProtocols;
-  listeners = concatMapStringsSep "\n  " (x: "- ${x}") cfg.listenAddresses;
-
-  # By default, the recursive resolvers maintained by the getdns
-  # project itself are enabled. More information about both getdns's servers,
-  # as well as third party options for upstream resolvers, can be found here:
-  # https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
-  #
-  # You can override these values by supplying a yaml-formatted array of your
-  # preferred upstream resolvers in the following format:
-  #
-  # 106 # - address_data: IPv4 or IPv6 address of the upstream
-  #   port: Port for UDP/TCP (default is 53)
-  #   tls_auth_name: Authentication domain name checked against the server
-  #                  certificate
-  #   tls_pubkey_pinset: An SPKI pinset verified against the keys in the server
-  #                      certificate
-  #     - digest: Only "sha256" is currently supported
-  #       value: Base64 encoded value of the sha256 fingerprint of the public
-  #              key
-  #   tls_port: Port for TLS (default is 853)
-
-  defaultUpstream = ''
-    - address_data: 145.100.185.15
-      tls_auth_name: "dnsovertls.sinodun.com"
-      tls_pubkey_pinset:
-        - digest: "sha256"
-          value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
-    - address_data: 145.100.185.16
-      tls_auth_name: "dnsovertls1.sinodun.com"
-      tls_pubkey_pinset:
-        - digest: "sha256"
-          value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
-    - address_data: 185.49.141.37
-      tls_auth_name: "getdnsapi.net"
-      tls_pubkey_pinset:
-        - digest: "sha256"
-          value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
-    - address_data: 2001:610:1:40ba:145:100:185:15
-      tls_auth_name: "dnsovertls.sinodun.com"
-      tls_pubkey_pinset:
-        - digest: "sha256"
-          value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
-    - address_data: 2001:610:1:40ba:145:100:185:16
-      tls_auth_name: "dnsovertls1.sinodun.com"
-      tls_pubkey_pinset:
-        - digest: "sha256"
-          value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
-    - address_data: 2a04:b900:0:100::38
-      tls_auth_name: "getdnsapi.net"
-      tls_pubkey_pinset:
-        - digest: "sha256"
-          value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
-  '';
-
-  # Resolution type is not changeable here because it is required per the
-  # stubby documentation:
-  #
-  # "resolution_type: Work in stub mode only (not recursive mode) - required for Stubby
-  # operation."
-  #
-  # https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
-
-  confFile = pkgs.writeText "stubby.yml" ''
-    resolution_type: GETDNS_RESOLUTION_STUB
-    dns_transport_list:
-      ${fallbacks}
-    tls_authentication: ${cfg.authenticationMode}
-    tls_query_padding_blocksize: ${toString cfg.queryPaddingBlocksize}
-    edns_client_subnet_private: ${if cfg.subnetPrivate then "1" else "0"}
-    idle_timeout: ${toString cfg.idleTimeout}
-    listen_addresses:
-      ${listeners}
-    round_robin_upstreams: ${if cfg.roundRobinUpstreams then "1" else "0"}
-    ${cfg.extraConfig}
-    upstream_recursive_servers:
-    ${cfg.upstreamServers}
-  '';
-in
-
-{
-  options = {
-    services.stubby = {
-
-      enable = mkEnableOption "Stubby DNS resolver";
-
-      fallbackProtocols = mkOption {
-        default = [ "GETDNS_TRANSPORT_TLS" ];
-        type = with types; listOf (enum [
-          "GETDNS_TRANSPORT_TLS"
-          "GETDNS_TRANSPORT_TCP"
-          "GETDNS_TRANSPORT_UDP"
-        ]);
-        description = ''
-          Ordered list composed of one or more transport protocols.
-          Strict mode should only use <literal>GETDNS_TRANSPORT_TLS</literal>.
-          Other options are <literal>GETDNS_TRANSPORT_UDP</literal> and
-          <literal>GETDNS_TRANSPORT_TCP</literal>.
-        '';
-      };
-
-      authenticationMode = mkOption {
-        default = "GETDNS_AUTHENTICATION_REQUIRED";
-        type = types.enum [
-          "GETDNS_AUTHENTICATION_REQUIRED"
-          "GETDNS_AUTHENTICATION_NONE"
-        ];
-        description = ''
-          Selects the Strict or Opportunistic usage profile.
-          For strict, set to <literal>GETDNS_AUTHENTICATION_REQUIRED</literal>.
-          for opportunistic, use <literal>GETDNS_AUTHENTICATION_NONE</literal>.
-        '';
-      };
-
-      queryPaddingBlocksize = mkOption {
-        default = 128;
-        type = types.int;
-        description = ''
-          EDNS0 option to pad the size of the DNS query to the given blocksize.
-        '';
-      };
-
-      subnetPrivate = mkOption {
-        default = true;
-        type = types.bool;
-        description = ''
-          EDNS0 option for ECS client privacy. Default is
-          <literal>true</literal>. If set, this option prevents the client
-          subnet from being sent to authoritative nameservers.
-        '';
-      };
-
-      idleTimeout = mkOption {
-        default = 10000;
-        type = types.int;
-        description = "EDNS0 option for keepalive idle timeout expressed in
-        milliseconds.";
-      };
-
-      listenAddresses = mkOption {
-        default = [ "127.0.0.1" "0::1" ];
-        type = with types; listOf str;
-        description = ''
-          Sets the listen address for the stubby daemon.
-          Uses port 53 by default.
-          Ise IP@port to specify a different port.
-        '';
-      };
-
-      roundRobinUpstreams = mkOption {
-        default = true;
-        type = types.bool;
-        description = ''
-          Instructs stubby to distribute queries across all available name
-          servers. Default is <literal>true</literal>. Set to
-          <literal>false</literal> in order to use the first available.
-        '';
-      };
-
-      upstreamServers = mkOption {
-        default = defaultUpstream;
-        type = types.lines;
-        description = ''
-          Replace default upstreams. See <citerefentry><refentrytitle>stubby
-          </refentrytitle><manvolnum>1</manvolnum></citerefentry> for an
-          example of the entry formatting. In Strict mode, at least one of the
-          following settings must be supplied for each nameserver:
-          <literal>tls_auth_name</literal> or
-          <literal>tls_pubkey_pinset</literal>.
-        '';
-      };
-
-      debugLogging = mkOption {
-        default = false;
-        type = types.bool;
-        description = "Enable or disable debug level logging.";
-      };
-
-      extraConfig = mkOption {
-        default = "";
-        type = types.lines;
-        description = ''
-          Add additional configuration options. see <citerefentry>
-          <refentrytitle>stubby</refentrytitle><manvolnum>1</manvolnum>
-          </citerefentry>for more options.
-        '';
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    launchd.daemons.stubby = {
-      command = "${package}/bin/stubby -C ${confFile} ${optionalString cfg.debugLogging "-l"}";
-
-      serviceConfig = {
-        ProcessType = "Interactive";
-        RunAtLoad = true;
-        KeepAlive = true;
-        StandardErrorPath = "/var/log/stubby.log";
-        # Sockets = {
-        #   Listeners = {
-        #     SockServiceName = "dns";
-        #     SockFamily = "IPv4";
-        #   };
-        # };
-      };
-    };
-
-    environment.systemPackages = [ package ];
-  };
-}
diff --git a/system/modules/nextdns.nix b/system/modules/nextdns.nix
index 830215e6..021c65d3 100644
--- a/system/modules/nextdns.nix
+++ b/system/modules/nextdns.nix
@@ -20,22 +20,6 @@ let
       })))
     '';
   };
-
-  stubbyConfig = {
-    enable = true;
-    fallbackProtocols = lib.mkDefault [ "GETDNS_TRANSPORT_TLS" ];
-    roundRobinUpstreams = lib.mkDefault false;
-    upstreamServers = ''
-      - address_data: 45.90.28.0
-        tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
-      - address_data: 2a07:a8c0::0
-        tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns1.nextdns.io"
-      - address_data: 45.90.30.0
-        tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
-      - address_data: 2a07:a8c1::0
-        tls_auth_name: "${identifyingPrefix}${cfg.configID}.dns2.nextdns.io"
-    '';
-  };
 in
 {
   options = {
@@ -57,40 +41,20 @@ in
       default = false;
       description = "Whether to send hostname for identifying in your logs";
     };
-
-    networking.nextdns.resolver = mkOption {
-      type = types.enum [ "kresd" "stubby" ];
-      default = if stdenv.isDarwin then "stubby" else "kresd";
-      description = "Resolver to use";
-    };
   };
 
   config = mkIf cfg.enable {
 
     assertions = [
       {
-        assertion = !(stdenv.isDarwin && cfg.resolver == "kresd");
-        message = "kresd is not supported on Darwin";
+        assertion = !(stdenv.isDarwin);
+        message = "NextDNS module is not supported on Darwin";
       }
     ];
-    networking = if stdenv.isDarwin then
-    {
-      dns = [
-        "::1"
-        "127.0.0.1"
-        "2a07:a8c0::ab:d6e5"
-        "2a07:a8c1::ab:d6e5"
-        "45.90.28.25"
-        "45.90.30.25"
-      ];
-    } else {
+    networking = {
       networkmanager.dns = "none";
       resolvconf.useLocalResolver = true;
     };
-    services = {
-      stubby = mkIf (cfg.resolver == "stubby") stubbyConfig;
-    } // mkIf (!stdenv.isDarwin) {
-      kresd = mkIf (cfg.resolver == "kresd") kresdConfig;
-    };
+    services.kresd = kresdConfig;
   };
 }
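Review bot: Dropping the `networking.nextdns.resolver` option outright means any host configuration that still sets `resolver = "stubby"` will now fail with a generic "option does not exist" error rather than a message pointing at this change; a removed-option shim in the module's `imports` (declared outside this hunk, if the module has one) keeps that failure self-explanatory, e.g. `(lib.mkRemovedOptionModule [ "networking" "nextdns" "resolver" ] "stubby support was removed; kresd is now the only resolver.")`. On the new `assertion =` line the parentheses are redundant: `assertion = !stdenv.isDarwin;`. Since `services.kresd = kresdConfig;` is now set unconditionally inside `mkIf cfg.enable`, a short comment above it such as `# kresd is the only supported backend; Darwin is rejected by the assertion above` would save the next reader from looking for the old resolver switch. `kresdConfig` and `stdenv` are bound outside the hunk, so whether the Darwin assertion still fires before `kresdConfig` is evaluated cannot be confirmed from here.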
diff --git a/system/trillian.nix b/system/trillian.nix
index 0600fec6..9cc0c72d 100644
--- a/system/trillian.nix
+++ b/system/trillian.nix
@@ -2,9 +2,6 @@
 
 {
   imports = [
-    ./modules/darwin/stubby.nix
-    ./modules/nextdns.nix
-
     ./settings/darwin.nix
     ./settings/programs/shell.nix
   ];
@@ -15,13 +12,6 @@
 
   networking = {
     hostName = "trillian";
-    knownNetworkServices = [ "Wi-Fi" "USB 10/100/1000 LAN" ];
-    nextdns = {
-      enable = true;
-      resolver = "stubby";
-      configID = "abd6e5";
-      identifyDevice = true;
-    };
   };
 
   # Use a custom configuration.nix location.