rename: trust-dns -> hickory-dns

TODO.md

@@ -2,14 +2,14 @@
 - `rmDbusServices` may break sandboxing
   - e.g. if the package ships a systemd unit which references $out, then make-sandboxed won't properly update that unit.
   - `rmDbusServicesInPlace` is not affected
-- when moby wlan is explicitly set down (via ip link set wlan0 down), /var/lib/trust-dns/dhcp-configs doesn't get reset
+- when moby wlan is explicitly set down (via ip link set wlan0 down), /var/lib/hickory-dns/dhcp-configs doesn't get reset
   - `ip monitor` can detect those manual link state changes (NM-dispatcher it seems cannot)
   - or try dnsmasq?
-- trust-dns can't resolve `abs.twimg.com`
+- hickory-dns can't resolve `abs.twimg.com`
-- trust-dns can't resolve `social.kernel.org`
+- hickory-dns can't resolve `social.kernel.org`
-- trust-dns can't resolve `pe.usps.com`
+- hickory-dns can't resolve `pe.usps.com`
-- trust-dns can't resolve `social.seattle.wa.us`
+- hickory-dns can't resolve `social.seattle.wa.us`
-- trust-dns can't resolve `support.mozilla.org`
+- hickory-dns can't resolve `support.mozilla.org`
 - sandbox: link cache means that if i update ~/.config/... files inline, sandboxed programs still see the old version
 - mpv: continues to play past the end of some audio files
 - mpv: audiocast has mpv sending its output to the builtin speakers unless manually changed

hosts/by-name/desko/default.nix

@@ -4,7 +4,7 @@
     ./fs.nix
   ];
 
-  sane.services.trust-dns.asSystemResolver = false;  # TEMPORARY: TODO: re-enable trust-dns
+  sane.services.hickory-dns.asSystemResolver = false;  # TEMPORARY: TODO: re-enable hickory-dns
   # sane.programs.devPkgs.enableFor.user.colin = true;
   # sane.guest.enable = true;
 

hosts/by-name/servo/default.nix

@@ -21,7 +21,7 @@
     "sane-scripts.stop-all-servo"
   ];
   sane.services.dyn-dns.enable = true;
-  sane.services.trust-dns.asSystemResolver = false;  # TODO: enable once it's all working well
+  sane.services.hickory-dns.asSystemResolver = false;  # TODO: enable once it's all working well
   sane.services.wg-home.enable = true;
   sane.services.wg-home.visibleToWan = true;
   sane.services.wg-home.forwardToWan = true;

hosts/by-name/servo/services/default.nix

@@ -7,6 +7,7 @@
     ./ejabberd.nix
     ./freshrss.nix
     ./export
+    ./hickory-dns.nix
     ./gitea.nix
     ./goaccess.nix
     ./ipfs.nix
@@ -27,7 +28,6 @@
     ./prosody
     ./slskd.nix
     ./transmission
-    ./trust-dns.nix
     ./wikipedia.nix
   ];
 }

hosts/by-name/servo/services/hickory-dns.nix

@@ -55,7 +55,7 @@ in
     ];
   };
 
-  services.trust-dns.settings.zones = [ "uninsane.org" ];
+  services.hickory-dns.settings.zones = [ "uninsane.org" ];
 
 
   networking.nat.enable = true;  #< TODO: try removing this?
@@ -83,8 +83,8 @@ in
   # };
 
 
-  sane.services.trust-dns.enable = true;
+  sane.services.hickory-dns.enable = true;
-  sane.services.trust-dns.instances = let
+  sane.services.hickory-dns.instances = let
     mkSubstitutions = flavor: {
       "%ADOOF%" = config.sane.netns.doof.netnsPubIpv4;
       "%ANATIVE%" = nativeAddrs."servo.${flavor}";
@@ -141,5 +141,5 @@ in
     # };
   };
 
-  sane.services.dyn-dns.restartOnChange = lib.map (c: "${c.service}.service") (builtins.attrValues config.sane.services.trust-dns.instances);
+  sane.services.dyn-dns.restartOnChange = lib.map (c: "${c.service}.service") (builtins.attrValues config.sane.services.hickory-dns.instances);
 }

hosts/common/ids.nix

@@ -45,8 +45,8 @@
   sane.ids.pict-rs.gid = 2409;
   sane.ids.sftpgo.uid = 2410;
   sane.ids.sftpgo.gid = 2410;
-  sane.ids.trust-dns.uid = 2411;
+  sane.ids.hickory-dns.uid = 2411;  #< previously "trust-dns"
-  sane.ids.trust-dns.gid = 2411;
+  sane.ids.hickory-dns.gid = 2411;  #< previously "trust-dns"
   sane.ids.export.gid = 2412;
   sane.ids.nfsuser.uid = 2413;
   sane.ids.media.gid = 2414;

hosts/common/net/dns.nix

@@ -23,16 +23,16 @@
 { config, lib, pkgs, ... }:
 lib.mkMerge [
 {
-  sane.services.trust-dns.enable = lib.mkDefault config.sane.services.trust-dns.asSystemResolver;
+  sane.services.hickory-dns.enable = lib.mkDefault config.sane.services.hickory-dns.asSystemResolver;
-  sane.services.trust-dns.asSystemResolver = lib.mkDefault true;
+  sane.services.hickory-dns.asSystemResolver = lib.mkDefault true;
 }
-(lib.mkIf (!config.sane.services.trust-dns.asSystemResolver) {
+(lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver) {
   # use systemd's stub resolver.
   # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
   # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
   # in servo's ovnps namespace to use the provider's DNS resolvers.
   # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
-  # TODO: improve trust-dns recursive resolver and then remove this
+  # TODO: improve hickory-dns recursive resolver and then remove this
   services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
   # without DNSSEC:
   # - dig matrix.org => works
@@ -40,7 +40,7 @@ lib.mkMerge [
   # with default DNSSEC:
   # - dig matrix.org => works
   # - curl https://matrix.org => fails
-  # i don't know why. this might somehow be interfering with the DNS run on this device (trust-dns)
+  # i don't know why. this might somehow be interfering with the DNS run on this device (hickory-dns)
   services.resolved.dnssec = "false";
   networking.nameservers = [
     # use systemd-resolved resolver
@@ -74,7 +74,7 @@ lib.mkMerge [
   sane.silencedAssertions = [''.*Loading NSS modules from system.nssModules.*requires services.nscd.enable being set to true.*''];
   # add NSS modules into their own subdirectory.
   # then i can add just the NSS modules library path to the global LD_LIBRARY_PATH, rather than ALL of /run/current-system/sw/lib.
-  # TODO: i'm doing this so as to achieve mdns DNS resolution (avahi). it would be better to just have trust-dns delegate .local to avahi
+  # TODO: i'm doing this so as to achieve mdns DNS resolution (avahi). it would be better to just have hickory-dns delegate .local to avahi
   #   (except avahi doesn't act as a local resolver over DNS protocol -- only dbus).
   environment.systemPackages = [(pkgs.symlinkJoin {
     name = "nss-modules";

hosts/common/net/networkmanager.nix

@@ -119,13 +119,13 @@ in {
     # - "/proc/net"
     # - "/proc/sys/net"
     # - "/run/NetworkManager"
-    # - "/run/systemd"  # for trust-dns-nmhook
+    # - "/run/systemd"  # for hickory-dns-nmhook
     # - "/run/udev"
     # - # "/run/wg-home.priv"
     # - "/sys/class"
     # - "/sys/devices"
     # - "/var/lib/NetworkManager"
-    # - "/var/lib/trust-dns"  #< for trust-dns-nmhook
+    # - "/var/lib/hickory-dns"  #< for hickory-dns-nmhook
     # - "/run/systemd"
   };
 
@@ -137,12 +137,12 @@ in {
   # fix NetworkManager-dispatcher to actually run as a daemon,
   # and sandbox it a bit
   systemd.services.NetworkManager-dispatcher = {
-    #VVV so that /var/lib/trust-dns will exist (the hook needs to write here).
+    #VVV so that /var/lib/hickory-dns will exist (the hook needs to write here).
-    # but this creates a cycle: trust-dns-localhost > network.target > NetworkManager-dispatcher > trust-dns-localhost.
+    # but this creates a cycle: hickory-dns-localhost > network.target > NetworkManager-dispatcher > hickory-dns-localhost.
     # (seemingly) impossible to remove the network.target dep on NetworkManager-dispatcher.
-    # beffore would be to have the dispatcher not write trust-dns files
+    # beffore would be to have the dispatcher not write hickory-dns files
-    # but rather just its own, and create a .path unit which restarts trust-dns appropriately.
+    # but rather just its own, and create a .path unit which restarts hickory-dns appropriately.
-    # after = [ "trust-dns-localhost.service" ];
+    # after = [ "hickory-dns-localhost.service" ];
     # serviceConfig.ExecStart = [
     #   ""  # first blank line is to clear the upstream `ExecStart` field.
     #   "${cfg.package}/libexec/nm-dispatcher --persist"  # --persist is needed for it to actually run as a daemon
@@ -150,7 +150,7 @@ in {
     # serviceConfig.Restart = "always";
     # serviceConfig.RestartSec = "1s";
 
-    # serviceConfig.DynamicUser = true;  #< not possible, else we lose group perms (so can't write to `trust-dns`'s files in the nm hook)
+    # serviceConfig.DynamicUser = true;  #< not possible, else we lose group perms (so can't write to `hickory-dns`'s files in the nm hook)
     serviceConfig.User = "networkmanager";  # TODO: should arguably use `DynamicUser`
     serviceConfig.Group = "networkmanager";
     serviceConfig.LockPersonality = true;
@@ -166,7 +166,7 @@ in {
     serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
     serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls
     serviceConfig.ProtectKernelTunables = true;
-    serviceConfig.ProtectSystem = "full";  # makes read-only: /boot, /etc/, /usr. `strict` isn't possible due to trust-dns hook
+    serviceConfig.ProtectSystem = "full";  # makes read-only: /boot, /etc/, /usr. `strict` isn't possible due to hickory-dns hook
     serviceConfig.RestrictAddressFamilies = [
       "AF_UNIX"  # required, probably for dbus or systemd connectivity
     ];
@@ -234,7 +234,7 @@ in {
     # note that NM's resolv.conf isn't (necessarily) /etc/resolv.conf -- that is managed by nixos (via symlinking)
     main.dns = if config.services.resolved.enable then
       "systemd-resolved"
-    else if config.sane.services.trust-dns.enable && config.sane.services.trust-dns.asSystemResolver then
+    else if config.sane.services.hickory-dns.enable && config.sane.services.hickory-dns.asSystemResolver then
       "none"
     else
       "internal"
@@ -276,7 +276,7 @@ in {
   users.users.networkmanager = {
     isSystemUser = true;
     group = "networkmanager";
-    extraGroups = [ "trust-dns" ];
+    extraGroups = [ "hickory-dns" ];
   };
 
   # there is, unfortunately, no proper interface by which to plumb wpa_supplicant into the NixOS service, except by overlay.

modules/dns.nix

@@ -11,7 +11,7 @@ let
     # - any character may be encoded by `\DDD`, where `DDD` represents its ascii value in base 8.
     # - any non-digit `X` may be encoded by `\X`.
     # - stated in: <https://www.ietf.org/rfc/rfc1035.txt>: 5.1 Format
-    # - visible in <trust-dns:crates/proto/src/serialize/txt/zone_lex.rs:escape_seq>
+    # - visible in <hickory-dns:crates/proto/src/serialize/txt/zone_lex.rs:escape_seq>
     # for us, we can just replace `\` => `\\ and `"` -> `\"`
     TXT = value: "\"" + (lib.escape [ "\\" "\"" ] value) + "\"";
   };

modules/services/default.nix

@@ -5,7 +5,7 @@
     ./clightning.nix
     ./dyn-dns.nix
     ./eg25-manager.nix
+    ./hickory-dns
     ./kiwix-serve.nix
-    ./trust-dns
   ];
 }

modules/services/hickory-dns/default.nix

@@ -1,20 +1,20 @@
 { config, lib, pkgs, ... }:
 let
-  trust-dns-nmhook = pkgs.static-nix-shell.mkPython3 {
+  hickory-dns-nmhook = pkgs.static-nix-shell.mkPython3 {
-    pname = "trust-dns-nmhook";
+    pname = "hickory-dns-nmhook";
     srcRoot = ./.;
     pkgs = [
       "systemd"
     ];
   };
-  cfg = config.sane.services.trust-dns;
+  cfg = config.sane.services.hickory-dns;
   dns = config.sane.dns;
   toml = pkgs.formats.toml { };
   instanceModule = with lib; types.submodule ({ config, name, ...}: {
     options = {
       service = mkOption {
         type = types.str;
-        default = "trust-dns-${name}";
+        default = "hickory-dns-${name}";
         description = ''
           systemd service name corresponding to this instance (used internally and automatically set).
         '';
@@ -41,7 +41,7 @@ let
         type = types.attrsOf types.str;
         default = {};
         description = ''
-          text substitutions to make on the config and zone file before starting trust-dns.
+          text substitutions to make on the config and zone file before starting hickory-dns.
         '';
         example = {
           "%CNAMESELF%" = "lappy";
@@ -98,12 +98,12 @@ let
   mkSystemdService = flavor: { includes, listenAddrsIpv4, listenAddrsIpv6, port, substitutions, extraConfig, ... }: let
     sed = "${pkgs.gnused}/bin/sed";
     baseConfig = (
-      lib.filterAttrsRecursive (_: v: v != null) config.services.trust-dns.settings
+      lib.filterAttrsRecursive (_: v: v != null) config.services.hickory-dns.settings
     ) // {
       listen_addrs_ipv4 = listenAddrsIpv4;
       listen_addrs_ipv6 = listenAddrsIpv6;
     };
-    configTemplate = toml.generate "trust-dns-${flavor}.toml" (baseConfig //
+    configTemplate = toml.generate "hickory-dns-${flavor}.toml" (baseConfig //
       (lib.mapAttrs (k: v:
         if k == "zones" then
           # append to the baseConfig instead of overriding it
@@ -113,7 +113,7 @@ let
       )
       extraConfig
     ));
-    configPath = "/var/lib/trust-dns/${flavor}-config.toml";
+    configPath = "/var/lib/hickory-dns/${flavor}-config.toml";
     sedArgs = builtins.map (key: ''-e "s/${key}/${substitutions."${key}"}/g"'') (
       # HACK: %ANATIVE% often expands to one of the other subtitutions (e.g. %AWAN%)
       # so we must expand it *first*.
@@ -123,34 +123,34 @@ let
     );
     subs = lib.concatStringsSep " " sedArgs;
   in {
-    description = "trust-dns Domain Name Server (serving ${flavor})";
+    description = "hickory-dns Domain Name Server (serving ${flavor})";
-    unitConfig.Documentation = "https://trust-dns.org/";
+    unitConfig.Documentation = "https://hickory-dns.org/";
     after = [ "network.target" ];
     before = [ "network-online.target" ];  # most things assume they'll have DNS services alongside routability
     wantedBy = [ "network.target" ];
 
     preStart = lib.concatStringsSep "\n" (
       [''
-        mkdir -p "/var/lib/trust-dns/${flavor}"
+        mkdir -p "/var/lib/hickory-dns/${flavor}"
         ${sed} ${subs} -e "" "${configTemplate}" \
           | cat - \
             ${lib.concatStringsSep " " includes} \
             > "${configPath}" || true
       ''] ++ lib.mapAttrsToList (zone: { rendered, ... }: ''
         ${sed} ${subs} -e "" ${pkgs.writeText "${zone}.zone.in" rendered} \
-          > "/var/lib/trust-dns/${flavor}/${zone}.zone"
+          > "/var/lib/hickory-dns/${flavor}/${zone}.zone"
       '') dns.zones
     );
 
-    serviceConfig = (config.systemd.services.hickory-dns or config.systemd.services.trust-dns).serviceConfig // {
+    serviceConfig = config.systemd.services.hickory-dns.serviceConfig // {
       ExecStart = lib.escapeShellArgs ([
-        "${lib.getExe config.services.trust-dns.package}"
+        "${lib.getExe config.services.hickory-dns.package}"
         "--port"     (builtins.toString port)
-        "--zonedir"  "/var/lib/trust-dns/${flavor}"
+        "--zonedir"  "/var/lib/hickory-dns/${flavor}"
         "--config"   "${configPath}"
-      ] ++ lib.optionals config.services.trust-dns.debug [
+      ] ++ lib.optionals config.services.hickory-dns.debug [
         "--debug"
-      ] ++ lib.optionals config.services.trust-dns.quiet [
+      ] ++ lib.optionals config.services.hickory-dns.quiet [
         "--quiet"
       ]);
       # servo/dyn-dns needs /var/lib/uninsane/wan.txt.
@@ -158,14 +158,14 @@ let
       # so just bind the deepest path which is guaranteed to exist.
       ReadOnlyPaths = [ "/var/lib" ];  #< TODO: scope this down!
     } // lib.optionalAttrs cfg.asSystemResolver {
-      # allow the group to write trust-dns state (needed by NetworkManager hook)
+      # allow the group to write hickory-dns state (needed by NetworkManager hook)
       StateDirectoryMode = "775";
     };
   };
 in
 {
   options = with lib; {
-    sane.services.trust-dns = {
+    sane.services.hickory-dns = {
       enable = mkOption {
         default = false;
         type = types.bool;
@@ -182,19 +182,19 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    # enable nixpkgs' trust-dns so that i get its config generation
+    # enable nixpkgs' hickory-dns so that i get its config generation
     # but don't actually enable the systemd service... i'll instantiate *multiple* instances per interface further below
-    services.trust-dns.enable = true;
+    services.hickory-dns.enable = true;
-    services.trust-dns.settings.zones = [];  #< TODO: remove once upstreamed (bad default)
+    services.hickory-dns.settings.zones = [];  #< TODO: remove once upstreamed (bad default)
 
     # don't bind to IPv6 until i explicitly test that stack
-    services.trust-dns.settings.listen_addrs_ipv6 = [];
+    services.hickory-dns.settings.listen_addrs_ipv6 = [];
-    services.trust-dns.quiet = true;
+    services.hickory-dns.quiet = true;
-    # FIXME(2023/11/26): services.trust-dns.debug doesn't log requests: use RUST_LOG=debug env for that.
+    # FIXME(2023/11/26): services.hickory-dns.debug doesn't log requests: use RUST_LOG=debug env for that.
     # - see: <https://github.com/hickory-dns/hickory-dns/issues/2082>
-    # services.trust-dns.debug = true;
+    # services.hickory-dns.debug = true;
 
-    services.trust-dns.package = pkgs.trust-dns.override {
+    services.hickory-dns.package = pkgs.hickory-dns.override {
       rustPlatform.buildRustPackage = args: pkgs.rustPlatform.buildRustPackage (args // {
         buildFeatures = [
           "recursor"
@@ -214,11 +214,11 @@ in
         cargoHash = "sha256-6Es5/gRqgsteWUHICdgcNlujJE9vrdr3tj/EKKyFsrY=";
       });
     };
-    services.trust-dns.settings.directory = "/var/lib/trust-dns";
+    services.hickory-dns.settings.directory = "/var/lib/hickory-dns";
 
-    users.groups.trust-dns = {};
+    users.groups.hickory-dns = {};
-    users.users.trust-dns = {
+    users.users.hickory-dns = {
-      group = "trust-dns";
+      group = "hickory-dns";
       isSystemUser = true;
     };
 
@@ -227,27 +227,15 @@ in
         hickory-dns.enable = false;
         hickory-dns.serviceConfig = {
           DynamicUser = lib.mkForce false;
-          User = "trust-dns";
+          User = "hickory-dns";
-          Group = "trust-dns";
+          Group = "hickory-dns";
           wantedBy = lib.mkForce [];
           # there can be a lot of restarts as interfaces toggle,
           # particularly around the DHCP/NetworkManager stuff.
           StartLimitBurst = 60;
-          StateDirectory = lib.mkForce "trust-dns";
+          StateDirectory = lib.mkForce "hickory-dns";
         };
-
+        # hickory-dns.unitConfig.StartLimitIntervalSec = 60;
-        trust-dns.enable = false;
-        trust-dns.serviceConfig = {
-          DynamicUser = lib.mkForce false;
-          User = "trust-dns";
-          Group = "trust-dns";
-          wantedBy = lib.mkForce [];
-          # there can be a lot of restarts as interfaces toggle,
-          # particularly around the DHCP/NetworkManager stuff.
-          StartLimitBurst = 60;
-          StateDirectory = lib.mkForce "trust-dns";
-        };
-        # trust-dns.unitConfig.StartLimitIntervalSec = 60;
       }
       (lib.mapAttrs'
         (flavor: instanceConfig: {
@@ -259,28 +247,28 @@ in
     ];
 
     # run a hook whenever networking details change, so the DNS zone can be updated to reflect this
-    environment.etc."NetworkManager/dispatcher.d/60-trust-dns-nmhook" = lib.mkIf cfg.asSystemResolver {
+    environment.etc."NetworkManager/dispatcher.d/60-hickory-dns-nmhook" = lib.mkIf cfg.asSystemResolver {
-      source = "${trust-dns-nmhook}/bin/trust-dns-nmhook";
+      source = "${hickory-dns-nmhook}/bin/hickory-dns-nmhook";
     };
 
-    # allow NetworkManager (via trust-dns-nmhook) to restart trust-dns when necessary
+    # allow NetworkManager (via hickory-dns-nmhook) to restart hickory-dns when necessary
     # - source: <https://stackoverflow.com/questions/61480914/using-policykit-to-allow-non-root-users-to-start-and-stop-a-service>
     security.polkit.extraConfig = lib.mkIf cfg.asSystemResolver ''
       polkit.addRule(function(action, subject) {
-        if (subject.isInGroup("trust-dns") &&
+        if (subject.isInGroup("hickory-dns") &&
             action.id == "org.freedesktop.systemd1.manage-units" &&
-            action.lookup("unit") == "trust-dns-localhost.service") {
+            action.lookup("unit") == "hickory-dns-localhost.service") {
           return polkit.Result.YES;
         }
       });
     '';
 
-    sane.services.trust-dns.instances.localhost = lib.mkIf cfg.asSystemResolver {
+    sane.services.hickory-dns.instances.localhost = lib.mkIf cfg.asSystemResolver {
       listenAddrsIpv4 = [ "127.0.0.1" ];
       listenAddrsIpv6 = [ "::1" ];
       enableRecursiveResolver = true;
       # append zones discovered via DHCP to the resolver config.
-      includes = [ "/var/lib/trust-dns/dhcp-configs/*" ];
+      includes = [ "/var/lib/hickory-dns/dhcp-configs/*" ];
     };
     networking.nameservers = lib.mkIf cfg.asSystemResolver [
       "127.0.0.1"

modules/services/hickory-dns/hickory-dns-nmhook

@@ -2,7 +2,7 @@
 #!nix-shell -i python3 -p python3 -p systemd
 # vim: set filetype=python :
 
-# /etc/NetworkManager/dispatcher.d/trust-dns-nmhook:
+# /etc/NetworkManager/dispatcher.d/hickory-dns-nmhook:
 # NetworkManager-dispatcher.service calls this script whenever any network changes state.
 # this includes when we activate a new network and receive DHCP info.
 # specifically, this script propagates DHCP info to my DNS setup,
@@ -23,7 +23,7 @@ import subprocess
 
 logger = logging.getLogger(__name__)
 
-DNS_DIR = "/var/lib/trust-dns"
+DNS_DIR = "/var/lib/hickory-dns"
 DHCP_CONFIGS = "dhcp-configs"
 
 class Ops:
@@ -103,11 +103,11 @@ stores = {{ type = "forward", name_servers = [
     return lines
 
 def apply_zone(nm_config: NmConfig, ops: Ops) -> None:
-    # if we want to write /var/lib/trust-dns here, then we have to make sure the service is started, so systemd can create the directory.
+    # if we want to write /var/lib/hickory-dns here, then we have to make sure the service is started, so systemd can create the directory.
     # ops.exec_([
     #     "systemctl",
     #     "start",
-    #     "trust-dns-localhost",
+    #     "hickory-dns-localhost",
     # ])
     specialized_config = ""
     for domain in nm_config.search_domains:
@@ -125,7 +125,7 @@ def apply_zone(nm_config: NmConfig, ops: Ops) -> None:
     ops.exec_([
         "systemctl",
         "restart",
-        "trust-dns-localhost",
+        "hickory-dns-localhost",
     ])
 
 def main():
@@ -134,7 +134,7 @@ def main():
 
     logger.info('invoked')
 
-    parser = argparse.ArgumentParser(description='update trust-dns config in response to NetworkManager event')
+    parser = argparse.ArgumentParser(description='update hickory-dns config in response to NetworkManager event')
     parser.add_argument('--dns-dir', default=DNS_DIR)
     parser.add_argument('--verbose', action='store_true')
     parser.add_argument('--dry-run', action='store_true')

pkgs/additional/sane-scripts/src/sane-stop-all-servo

@@ -9,6 +9,11 @@ systemctl stop \
   ejabberd \
   gitea \
   goaccess \
+  hickory-dns-doof \
+  hickory-dns-hn \
+  hickory-dns-hn-resolver \
+  hickory-dns-lan \
+  hickory-dns-wan \
   i2p \
   jackett \
   jellyfin \
@@ -38,11 +43,6 @@ systemctl stop \
   systemctl \
   tor \
   transmission \
-  trust-dns-doof \
-  trust-dns-hn \
-  trust-dns-hn-resolver \
-  trust-dns-lan \
-  trust-dns-wan \
   wireguard-wg-ovpns \
   ntfy-waiter-0 \
   ntfy-waiter-1 \

pkgs/additional/sane-scripts/src/sane-vpn

@@ -296,9 +296,9 @@ stores = {{ type = "forward", name_servers = [
 '''
     elif dir_ == ToggleDir.Down:
         text = ""
-    with open("/var/lib/trust-dns/dhcp-configs/sane-vpn.toml", "w") as f:
+    with open("/var/lib/hickory-dns/dhcp-configs/sane-vpn.toml", "w") as f:
         f.write(text)
-    subprocess.check_call([ "systemctl", "restart", "trust-dns-localhost" ])
+    subprocess.check_call([ "systemctl", "restart", "hickory-dns-localhost" ])
 
 def main():
     logging.basicConfig()