From c95680fd90d59c71a5eacc64345dc877d2f4ab79 Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Sat, 4 Jan 2025 23:14:51 +0100
Subject: linde: remove recursive/blocking DNS setup
---
system/linde.nix | 129 ------------------------------------------------------------------------------------------------------------------------------
1 file changed, 129 deletions(-)
diff --git a/system/linde.nix b/system/linde.nix
index da353bde..b18015bb 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -12,7 +12,6 @@ let
net-mask4 = "32";
net-gw = "172.31.1.1";
net-ip6 = "2a01:4f8:c012:23a4::1";
- net-rdnsip = "2a01:4f8:c012:23a4::53";
net-redisip = "2a01:4f8:c012:23a4::6379";
net-mask6 = "64";
net-gw6 = "fe80::1";
@@ -157,7 +156,6 @@ in
hosts = lib.mkForce {
${net-ip4} = [ "${hostname}.${domain}" hostname ];
${net-ip6} = [ "${hostname}.${domain}" hostname ];
- ${net-rdnsip} = [ "dns" ];
${net-redisip} = [ "redis" ];
};
firewall = {
@@ -216,7 +214,6 @@ in
];
address = [
"${net-ip6}/${net-mask6}"
- "${net-rdnsip}/${net-mask6}"
"${net-redisip}/${net-mask6}"
];
addresses = [{
@@ -402,59 +399,6 @@ in
'';
};
- systemd.services.hagezi-blocklist-update = {
- enable = true;
- startAt = "daily";
- serviceConfig = {
- CacheDirectory = "blocklist";
- UMask = "0077";
- DynamicUser = "yes";
- ProtectSystem = "strict";
- ProtectHome = true;
- PrivateTmp = true;
- PrivateDevices = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- ProtectControlGroups = true;
- ProtectProc = "invisible";
- RestrictAddressFamilies = "AF_INET AF_INET6";
- RestrictNamespaces = true;
- RestrictRealtime = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = "true";
- SystemCallFilter = [
- "~@clock"
- "~@cpu-emulation"
- "~@debug"
- "~@module"
- "~@mount"
- "~@obsolete"
- "~@privileged"
- "~@raw-io"
- "~@reboot"
- "~@resources"
- "~@swap"
- ];
- SystemCallArchitectures = "native";
- CapabilityBoundingSet = "";
- DevicePolicy = "closed";
- ProcSubset = "pid";
- NoNewPrivileges = true;
- ExecStart = "${pkgs.curl}/bin/curl --no-progress-meter --output %C/blocklist/hagezi.rpz https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/pro.plus.txt";
- # https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/pro.plus.txt"
- ExecStartPost = [
- "+/bin/sh -c 'exec install --compare --mode=644 %C/blocklist/hagezi.rpz /etc/knot-resolver/blocklist.rpz'"
- "-/bin/sh -c 'exec rm -f %C/blocklist/hagezi.rpz'"
- ];
- Environment = [
- "HOME=%C/blocklist"
- ];
- };
- };
-
services.postfix = let
localUser = "alan";
@@ -473,75 +417,6 @@ in
};
};
- services.kresd = {
- enable = true;
- # package = pkgs.knot-resolver.override { extraFeatures = true; };
- listenPlain = [
- "[${net-rdnsip}]:53"
- ];
- listenTLS = [
- "127.0.0.1:853"
- "[::1]:853"
- "${net-ip4}:853"
- "[${net-ip6}]:853"
- ];
- listenDoH = [
- "[::1]:443"
- "127.0.0.1:443"
- ];
- instances = 2;
- extraConfig = ''
- modules = {
- 'rebinding < iterate',
- 'hints > iterate',
- 'serve_stale < cache',
- 'stats',
- predict = {
- window = 30,
- period = 24 * (60/30),
- },
- 'nsid',
- }
-
- local systemd_instance = os.getenv("SYSTEMD_INSTANCE")
- nsid.name(systemd_instance)
-
- log_groups({ 'policy' })
-
- cache.size = 500 * MB
-
- net.tls(
- '/var/lib/acme/dns.alanpearce.eu/cert.pem',
- '/var/lib/acme/dns.alanpearce.eu/key.pem'
- )
-
- -- override blocklist
- policy.add(policy.suffix(policy.PASS, policy.todnames({
- })))
-
- policy.add(policy.rpz(
- policy.DENY_MSG('domain blocked by hagezi'),
- '/etc/knot-resolver/blocklist.rpz',
- false -- needs wrapped kresd
- -- true -- will watch the file for updates
- ))
-
- policy.add(policy.domains(policy.REFUSE, policy.todnames({
- 'use-application-dns.net',
- 'telemetry.astro.build',
- })))
-
- -- disable DNSSEC when using Quad9 since they do it
- -- trust_anchors.remove('.')
- -- policy.add(policy.all(policy.TLS_FORWARD({
- -- {'2620:fe::fe', hostname='dns.quad9.net'},
- -- {'2620:fe::9', hostname='dns.quad9.net'},
- -- {'9.9.9.9', hostname='dns.quad9.net'},
- -- {'149.112.122.122', hostname='dns.quad9.net'},
- -- })))
- '';
- };
-
users.groups.ntfy = { };
users.users.ntfy = {
isSystemUser = true;
@@ -621,10 +496,6 @@ in
certs."alanpearce.eu" = {
extraDomainNames = [ "*.alanpearce.eu" "*.linde.alanpearce.eu" ];
};
- certs."dns.alanpearce.eu" = {
- reloadServices = map (x: "kresd@${toString x}") (range 1 config.services.kresd.instances);
- group = "knot-resolver";
- };
certs."stats.alanpearce.eu" = {
extraDomainNames = [ "*.stats.alanpearce.eu" ];
};
-- 
cgit 1.4.1