base_role/tasks/guest_whonix.yml

# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
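- name: "base guest_whonix.yml"
  # Breadcrumb only: shown when the play runs with -v or higher, so the
  # log says which task file was entered. Name now matches the message.
  debug:
    verbosity: 1
    msg: "base guest_whonix.yml"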
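- block:
    - name: /etc/whonix_firewall.d/30_whonix_gateway_default.conf
      # One firewall setting per item. The regexp anchors on the exact
      # name+value so a re-run finds the line it wrote earlier instead of
      # appending a duplicate; regex_escape is required because the values
      # contain regex metacharacters ('+' and '"') — the previous pattern
      # '^.*{{item.val}}.*' produced '^.*+=' which never matches.
      lineinfile:
        dest: /etc/whonix_firewall.d/30_whonix_gateway_default.conf
        regexp: '^{{ item.name }}{{ item.val | regex_escape }}\s*$'
        line: '{{ item.name }}{{ item.val }}'
        state: present
      with_items:
        # The ports the rc script below binds on the eth0 address (SOCKS,
        # DNS, Trans) plus SSH; these are meant to be reachable from outside
        # the gateway, so keep the surrounding network limited to the
        # workstations that need them.
        - { name: EXTERNAL_OPEN_PORTS, val: '+=" 22 "' }
        - { name: EXTERNAL_OPEN_PORTS, val: '+=" 9050 "' }
        - { name: EXTERNAL_OPEN_PORTS, val: '+=" 9053 "' }
        - { name: EXTERNAL_OPEN_PORTS, val: '+=" 9040 "' }
        ## This will simply open incoming port 22 in the Whonix-Gateway firewall.
        # Written as an assignment (NAME=1): with val "1" the rendered line
        # was GATEWAY_ALLOW_INCOMING_SSH1, which is not a setting.
        - { name: GATEWAY_ALLOW_INCOMING_SSH, val: '=1' }

    - name: /etc/sysctl.d/80_whonix_gateway.conf
      # Raise the system-wide open-file limit for the tor daemon.
      blockinfile:
        dest: /etc/sysctl.d/80_whonix_gateway.conf
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK base guest_whonix_gateway"
        block: |
          fs.file-max = 100000

    - name: /etc/systemd/system/multi-user.target.wants/tor.service
      # Per-process open-file limit, inserted after the [Service] header.
      # NOTE(review): the sanity task below restarts tor@default, not
      # tor.service — confirm this limit reaches the instance unit.
      blockinfile:
        dest: /etc/systemd/system/multi-user.target.wants/tor.service
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK base guest_whonix_gateway"
        insertafter: '^\[Service\]'
        block: |
          LimitNOFILE=100000

    - name: /usr/local/etc/local.d/Whonix-Lati.rc
      # Boot-time script: binds Tor's SocksPort/DNSPort/TransPort on the
      # eth0 address, makes sure the firewall config lists those ports,
      # restarts tor@default if nothing is listening, then does a DNS probe.
      # The file is created from scratch, so the copy-pasted
      # insertafter '^.Service.' from the unit-file task was dropped.
      blockinfile:
        dest: /usr/local/etc/local.d/Whonix-Lati.rc
        create: true
        # Quoted so the YAML loader cannot re-type the octal literal.
        # NOTE(review): 0770 leaves the script group-writable; confirm the
        # owning group is root-only, since whatever is written here runs
        # with the script's privileges.
        mode: "0770"
        marker: "# {mark} ANSIBLE MANAGED BLOCK base guest_whonix_gateway"
        block: |
          #!/bin/sh
          IP=`ifconfig eth0 | grep inet | sed -e 's/.*inet //' -e 's/ .*//'`
          [ $? -eq 0 ] || return 1$?
          [ -n "$IP" ] || return 2$?
          [ -f /etc/torrc.d/99_gateway.conf ] || touch /etc/torrc.d/99_gateway.conf
          grep -q "SocksPort $IP:9050" /etc/torrc.d/99_gateway.conf || \
          echo "SocksPort $IP:9050" >> /etc/torrc.d/99_gateway.conf
          grep -q "DNSPort $IP:9053" /etc/torrc.d/99_gateway.conf || \
          echo "DNSPort $IP:9053" >> /etc/torrc.d/99_gateway.conf
          grep -q "TransPort $IP:9040" /etc/torrc.d/99_gateway.conf || \
          # NOTE(review): the next line is cut off in the source as captured
          # (it ends in "IsolateDestA$"); restore the full TransPort option
          # list from the original file before relying on this script.
          echo "TransPort $IP:9040 IsolateClientAddr IsolateClientProtocol IsolateDestA$
          netstat -nlp -t inet | grep "$IP:9040" || \
          systemctl --no-pager restart tor@default || exit 2$?
          # systemctl --no-pager status tor@default
          for elt in 22 9050 9053 9040 ; do
          grep '^EXTERNAL_OPEN_PORTS.=" '$elt' "' \
          /etc/whonix_firewall.d/30_whonix_gateway_default.conf || \
          echo 'EXTERNAL_OPEN_PORTS+=" '$elt' "' >> \
          /etc/whonix_firewall.d/30_whonix_gateway_default.conf
          done
          ip route | grep -q ^def && dig @$IP -p 9053 google.com
          exit 0
          # o /mnt/o 9p noauto,rw,trans=virtio,version=9p2000.L,cache=none 0 0

    - name: guest_whonix_gateway sanity checks
      # Fails the play if tor rejects its config; the bootstrap check only
      # runs when a default route exists.
      shell: |
        su -s /bin/sh -c '/usr/bin/tor --verify-config' debian-tor || exit 1$?
        # always start this?
        # /etc/systemd/system/multi-user.target.wants/vanguards.service
        ip route | grep -q ^def && grep 100% /run/tor/log
  when:
    - BOX_OS_FLAVOR|default('') == 'WhonixGateway'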
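- block:
    #ansible_virtualization_role|replace('NA', 'host') == 'guest'
    # - BOX_OS_FLAVOR|default('') == 'WhonixWorkstation' or BOX_OS_FLAVOR|default('') == 'WhonixGateway'
    - name: /etc/fstab
      # One 9p entry per host mount, keyed on the mount path so re-runs are
      # idempotent. The previous shell loop grepped for a tab-delimited path
      # (`'\t'$elt'\t'`, which grep does not read as a tab) but wrote a
      # space-delimited line, so it appended a duplicate on every run, and
      # an empty mount list rendered `for elt in ; do`, a shell syntax error.
      lineinfile:
        dest: /etc/fstab
        regexp: '\s{{ item | regex_escape }}\s'
        line: "{{ item | basename }} {{ item }} 9p noauto,rw,trans=virtio,version=9p2000.L,cache=none 0 0"
      with_items: "{{ BOX_HOST_CONTAINER_MOUNTS | default([]) }}"
  when:
    - BOX_OS_FLAVOR|default('') == 'WhonixWorkstation'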