From 3d96c2ca70145779c89b4f8a89e773e009bd0c49 Mon Sep 17 00:00:00 2001
From: Daniel Winzen
Date: Fri, 21 May 2021 08:46:35 +0200
Subject: [PATCH] Add dnssec validating recursive resolver and razorfy+rspamd users

---
 etc/dnsmasq.d/custom | 5 +++--
 etc/rc.local | 8 ++++----
 etc/resolv.conf | 1 +
 etc/systemd/system/razorfy.service | 32 ++++++++++++++++++++++++++++++
 etc/systemd/system/rspamd.service | 17 ++++++++++++++++
 install_binaries.sh | 13 ++++++++++--
 6 files changed, 68 insertions(+), 8 deletions(-)
 create mode 100644 etc/systemd/system/razorfy.service
 create mode 100644 etc/systemd/system/rspamd.service

diff --git a/etc/dnsmasq.d/custom b/etc/dnsmasq.d/custom
index 2184b92..5b1e08c 100644
--- a/etc/dnsmasq.d/custom
+++ b/etc/dnsmasq.d/custom
@@ -1,5 +1,6 @@
 interface=lo
-server=127.0.0.1#54
+server=127.0.0.1#55
+server=/.onion/127.0.0.1#54
 no-resolv
 cache-size=10000
-
+dnssec
diff --git a/etc/rc.local b/etc/rc.local
index 2e58304..879c0a4 100755
--- a/etc/rc.local
+++ b/etc/rc.local
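Review bot: The new `dnssec` line switches on validation without a trust anchor beside it; with `no-resolv` and only `server=` entries, dnsmasq has no root DS record to validate against and, unless an anchor is supplied by another file in /etc/dnsmasq.d or by /etc/dnsmasq.conf, refuses to start with "no trust anchors provided for DNSSEC". Add `conf-file=/usr/share/dnsmasq-base/trust-anchors.conf` (the file Debian's dnsmasq package ships) or an explicit `trust-anchor=` line next to `dnssec`. The `server=/.onion/127.0.0.1#54` route sends `.onion` lookups to Tor's DNSPort, which returns neither RRSIGs nor a DS proof that the name is unsigned, so with validation on those answers are likely to be treated as bogus and fail; confirm that `.onion` resolution still works after this change. Since the upstream on #55 is itself meant to validate and the stub will trust the AD bit, `proxy-dnssec` in place of `dnssec` is the alternative that avoids validating twice and leaves `.onion` untouched.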
@@ -23,15 +23,12 @@ ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 #allow tor traffic
-for tor in debian-tor _tor-a _tor-b _tor-c _tor-d _tor-e _tor-f _tor-g _tor-h _tor-i _tor-j _tor-k _tor-l _tor-m _tor-n _tor-o _tor-p _tor-q _tor-r _tor-s; do(
+for tor in bind9 debian-tor _tor-a _tor-b _tor-c _tor-d _tor-e _tor-f _tor-g _tor-h _tor-i _tor-j _tor-k _tor-l _tor-m _tor-n _tor-o _tor-p _tor-q _tor-r _tor-s; do(
 iptables -t nat -A OUTPUT -m owner --uid-owner $tor -j RETURN;
 ip6tables -t nat -A OUTPUT -m owner --uid-owner $tor -j RETURN;
 iptables -A OUTPUT -m owner --uid-owner $tor -j ACCEPT;
 ip6tables -A OUTPUT -m owner --uid-owner $tor -j ACCEPT;
 )done
-#redirect all outgoing DNS querries to our tor
-iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
 #allow querriying ntp servers (must mach /etc/systemd/timesyncd.conf
 for clearnet in 88.191.68.178 51.15.142.60 51.255.197.148 91.121.181.58; do(
 iptables -t nat -A OUTPUT -p udp --dport 123 -d $clearnet -j RETURN;
@@ -58,6 +55,9 @@ for clearnet in ::1; do(
 ip6tables -t nat -A OUTPUT -d $clearnet -j RETURN;
 ip6tables -A OUTPUT -d $clearnet -j ACCEPT;
 ) done
+#redirect all outgoing DNS querries to our tor
+iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
+ip6tables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
 #redirect everything else
 iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
 ip6tables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
diff --git a/etc/resolv.conf b/etc/resolv.conf
index bbc8559..e9d5066 100644
--- a/etc/resolv.conf
+++ b/etc/resolv.conf
@@ -1 +1,2 @@
 nameserver 127.0.0.1
+options edns0 trust-ad
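Review bot: Adding `bind9` to the Tor-user loop grants the resolver the same unconditional exemption the Tor daemons get: a nat RETURN and a filter ACCEPT for every protocol and port, so a compromised named (or anything able to run as that uid) can reach the internet directly while every other user is forced through Tor. The only clearnet egress a recursive resolver needs is DNS, UDP and TCP to port 53 (TCP for truncated DNSSEC-sized answers), so I would leave the loop as it was and add port-scoped rules for bind9 after it, as below. A comment there should also record that ordinary DNS resolution is now deliberately done in the clear from this host's address rather than via Tor's DNSPort, since that is a change in the box's anonymity posture. The enclosing rc.local script starts before and continues after this hunk.

```shell
#allow tor traffic
for tor in debian-tor _tor-a _tor-b _tor-c _tor-d _tor-e _tor-f _tor-g _tor-h _tor-i _tor-j _tor-k _tor-l _tor-m _tor-n _tor-o _tor-p _tor-q _tor-r _tor-s; do(
# … unchanged: per-user nat RETURN / filter ACCEPT rules …
)done
#allow the recursive resolver (bind9) to reach the clearnet, but only for DNS;
#this is intentionally not torified, so its queries leave from this host's own address
for proto in udp tcp; do(
iptables -t nat -A OUTPUT -p "$proto" --dport 53 -m owner --uid-owner bind9 -j RETURN;
ip6tables -t nat -A OUTPUT -p "$proto" --dport 53 -m owner --uid-owner bind9 -j RETURN;
iptables -A OUTPUT -p "$proto" --dport 53 -m owner --uid-owner bind9 -j ACCEPT;
ip6tables -A OUTPUT -p "$proto" --dport 53 -m owner --uid-owner bind9 -j ACCEPT;
)done
```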
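Review bot: The relocated comment `#redirect all outgoing DNS querries to our tor` no longer describes what the REDIRECT does: port 53 on loopback is dnsmasq, which after this commit (per etc/dnsmasq.d/custom) forwards ordinary names to the bind9 resolver on 127.0.0.1#55 and only `.onion` to Tor's DNSPort, so plain DNS is no longer torified. I would reword it to `#redirect all outgoing DNS queries (UDP 53) to the local dnsmasq; clearnet names go to bind9, .onion to tor` so the next reader does not assume DNS still leaves via Tor. Only UDP 53 is caught here; TCP 53 from non-exempt users falls through to the `--syn` REDIRECT to 9040 just below, which is worth stating in the same comment. rc.local continues beyond this hunk.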
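Review bot: `trust-ad` tells the glibc stub resolver to pass the AD bit from the nameserver through to applications, which is safe only while the sole `nameserver` is the loopback validating dnsmasq; a later edit that adds an off-host nameserver would silently make unsigned answers look authenticated to anything that checks AD. Add a comment above the line, `# trust-ad is safe only because the only nameserver is the local validating resolver`, and make sure nothing (a DHCP client, resolvconf, systemd-resolved) rewrites this file at boot. Note also that `trust-ad` is honoured by glibc 2.31 and later; older glibc ignores the option and passes AD through regardless, so the line is harmless but inert there.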
diff --git a/etc/systemd/system/razorfy.service b/etc/systemd/system/razorfy.service
new file mode 100644
index 0000000..3314498
--- /dev/null
+++ b/etc/systemd/system/razorfy.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=Razorfy Service
+Requires=network.target local-fs.target time-sync.target
+
+[Service]
+Type=simple
+User=razorfy
+Group=razorfy
+
+EnvironmentFile=/etc/razorfy.conf
+ExecStart=/usr/local/bin/razorfy.pl
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill $MAINPID
+
+Restart=always
+RestartSec=3
+
+PIDFile=/var/run/razor.pid
+TimeoutStopSec=30
+
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+
+[Install]
+WantedBy=multi-user.target
diff --git a/etc/systemd/system/rspamd.service b/etc/systemd/system/rspamd.service
new file mode 100644
index 0000000..21f45b0
--- /dev/null
+++ b/etc/systemd/system/rspamd.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=rapid spam filtering system
+After=nss-lookup.target network-online.target
+Documentation=https://rspamd.com/doc/
+
+[Service]
+LimitNOFILE=1048576
+NonBlocking=true
+ExecStart=/usr/local/bin/rspamd -c /usr/local/etc/rspamd/rspamd.conf -f
+ExecReload=/bin/kill -HUP $MAINPID
+User=_rspamd
+RuntimeDirectory=rspamd
+RuntimeDirectoryMode=0755
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/install_binaries.sh b/install_binaries.sh
index e13fe71..905ce82 100755
--- a/install_binaries.sh
+++ b/install_binaries.sh
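Review bot: `Requires=network.target local-fs.target time-sync.target` has no matching `After=`, so it pulls those targets in but imposes no ordering and razorfy can start before the network or the clock is ready; add `After=network.target local-fs.target time-sync.target`. `PIDFile=/var/run/razor.pid` is only acted on for `Type=forking`, and under `ProtectSystem=strict` /run is read-only outside a `RuntimeDirectory=`, so if razorfy.pl writes that file it will fail with EROFS; either drop `PIDFile=` or add `RuntimeDirectory=razorfy` and point it at `/run/razorfy/razor.pid`. Razor2 normally keeps its agent identity and server list under `$HOME/.razor`, yet the razorfy user is created without a home directory, the unit sets `ProtectHome=true` and the root is read-only, so a writable state location such as `StateDirectory=razorfy` is probably needed too — confirm against what razorfy.pl and /etc/razorfy.conf actually write.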
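Review bot: This unit runs rspamd with none of the sandboxing the sibling razorfy.service applies, although rspamd is the component that parses untrusted mail; at minimum `NoNewPrivileges=`, `PrivateTmp=`, `ProtectHome=` and a read-only root with the two directories install_binaries.sh creates for it (`/var/lib/rspamd`, `/var/log/rspamd`) opened via `ReadWritePaths=` would bring it in line. `After=network-online.target` without `Wants=network-online.target` does not make the unit wait for the network, because that target is only reached when something wants it. The suggested additions are below; if the installed rspamd.conf writes anywhere else (a fuzzy-storage backend path, for example), extend `ReadWritePaths=` accordingly.

```ini
[Unit]
Description=rapid spam filtering system
Wants=network-online.target
After=nss-lookup.target network-online.target
# … unchanged: Documentation= …

[Service]
# … unchanged: LimitNOFILE=, NonBlocking=, ExecStart=, ExecReload=, User=, RuntimeDirectory=, RuntimeDirectoryMode=, Restart= …
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/var/lib/rspamd /var/log/rspamd
```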
@@ -3,7 +3,7 @@ set -e # install all required packages DEBIAN_FRONTEND=noninteractive apt-get update -DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y apt-transport-tor bash-completion brotli bzip2 ca-certificates clamav-daemon clamav-freshclam clamav-milter curl dovecot-imapd dovecot-pop3d git dnsmasq hardlink haveged iptables libsasl2-modules locales locales-all logrotate lsb-release mariadb-server nano postfix postfix-mysql quota quotatool redis rsync ssh subversion tor unzip vim wget xz-utils zip zopfli +DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y apt-transport-tor bash-completion bind9 brotli bzip2 ca-certificates clamav-daemon clamav-freshclam clamav-milter curl dovecot-imapd dovecot-pop3d git dnsmasq hardlink haveged iptables libio-socket-ip-perl libsasl2-modules locales locales-all logrotate lsb-release mariadb-server nano postfix postfix-mysql quota quotatool razor redis rsync ssh subversion tor unzip vim wget xz-utils zip zopfli # build dependencies DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y autoconf automake bison cmake g++ gcc ghostscript gnupg `apt-cache search --names-only 'libargon2(-0)?-dev' | awk '{print $1;}' | head -n1` libbrotli-dev libbz2-dev libc-client2007e-dev libcurl4-openssl-dev libde265-dev libdjvulibre-dev libedit-dev `apt-cache search --names-only 'libenchant(-2)?-dev' | awk '{print $1;}' | head -n1` libffi-dev `apt-cache search --names-only libfreetype6?-dev | awk '{print $1;}' | head -n1` libfftw3-dev libfribidi-dev libgd-dev libgmp-dev libgpg-error-dev libgpgme-dev libharfbuzz-dev libkrb5-dev libldap2-dev liblmdb-dev liblqr-1-0-dev libmariadb-dev libonig-dev libopenexr-dev libopenjp2-7-dev libpango1.0-dev libpcre3-dev libpng-dev libpspell-dev libqdbm-dev libraqm-dev libraw-dev libreadline-dev librsvg2-dev libsasl2-dev libsodium-dev libsqlite3-dev libssl-dev libsystemd-dev libtidy-dev libtool libwebp-dev libwmf-dev libx265-dev libxml2-dev libxpm-dev 
libxslt1-dev libzip-dev libzstd-dev make poppler-utils ragel re2c yasm zlib1g-dev @@ -1746,6 +1746,15 @@ cd .. ldconfig # install composer -curl -sSL https://github.com/composer/composer/releases/download/2.0.8/composer.phar > /usr/bin/composer +curl -sSL https://github.com/composer/composer/releases/download/2.0.13/composer.phar > /usr/bin/composer chmod +x /usr/bin/composer composer self-update + +#rspamd user +id -u _rspamd >/dev/null 2>&1 ||useradd -M -r -s /bin/false -d /var/lib/rspamd _rspamd +mkdir -p /var/lib/rspamd /var/log/rspamd +chown _rspamd: /var/lib/rspamd /var/log/rspamd + +#razorfy +id -u razorfy >/dev/null 2>&1 || useradd -M -r -s /bin/false razorfy +cp razorfy.pl /usr/local/bin/
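Review bot: Installing `bind9` from the package brings Debian's defaults, under which named is enabled and started immediately, listening on port 53 on every interface, whereas the dnsmasq change in this commit expects it on 127.0.0.1#55 and dnsmasq itself binds lo:53; nothing in this diff ships a named.conf.options, so unless one exists elsewhere in the repository the two daemons contend for port 53 and named is exposed on the outside interfaces. I would write /etc/bind/named.conf.options before the package is enabled, with `listen-on port 55 { 127.0.0.1; };`, `listen-on-v6 port 55 { ::1; };` and `dnssec-validation auto;` (plus `allow-query { localhost; };`), so the resolver only ever serves the local dnsmasq. The apt-get line is the only part of this hunk that changes; the long build-dependency line is unchanged context.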
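Review bot: The razorfy user is created with `useradd -M -r` and no `-d`, unlike the `_rspamd` line just above, so its home defaults to a non-existent /home/razorfy; Razor2's agent keeps its identity and server list under `$HOME/.razor`, so if razorfy.pl relies on that default it has nowhere writable (the new unit also sets ProtectHome=true). `cp razorfy.pl /usr/local/bin/` resolves its source relative to whatever directory the script is in at that point (the hunk's `cd ..` context line shows it moves around) and installs the file with whatever mode and owner the checkout happens to have. I would mirror the rspamd lines and install explicitly: `id -u razorfy >/dev/null 2>&1 || useradd -M -r -s /bin/false -d /var/lib/razorfy razorfy`, `mkdir -p /var/lib/razorfy && chown razorfy: /var/lib/razorfy`, `install -o root -g root -m 0755 razorfy.pl /usr/local/bin/razorfy.pl`. For consistency with the line above, `||useradd` should also get its space after `||`.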