diff --git a/Makefile b/Makefile
index 06714c3..5d56d14 100644
--- a/Makefile
+++ b/Makefile
@@ -20,3 +20,5 @@ lint::
 test::
 	sudo -u ${USER} /var/local/src/var_local_$(ROLE).bash $@
+up::
+	sh .rsync.sh
diff --git a/README.md b/README.md
index 43df9e5..482b433 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,12 @@
-This base role is from https://github.com/gentoo-ansible/role-base/
-and is just a starting point.
+This role was from https://github.com/gentoo-ansible/role-base/
+and is a starting point that lays down the basics for subsequent roles.
+It is required to be run before ../proxy_role Also look at the variables
+in defaults/main.yml to customize the role, and double-check the settings
+in vars/*.yml.
+
+It is multi-target and should run on Gentoo2, Debian4, Devuan5, Ubuntu18
+athough only tested on Gentoo. To bring it up to date, just copy the
+existing files in vars and maybe tasks to the new name and edit to suit,
+but be advised that it is systemd-challenged, like its author.
+
diff --git a/overlay/Linux/usr/local/bin/proxy_ping_test.bash b/overlay/Linux/usr/local/bin/proxy_ping_test.bash
index f0fa7d4..b4c2195 100755
--- a/overlay/Linux/usr/local/bin/proxy_ping_test.bash
+++ b/overlay/Linux/usr/local/bin/proxy_ping_test.bash
@@ -7,6 +7,7 @@ ROLE=proxy
 PYVER=3
 # DEBUG=1
+# TRACE=1
 . /usr/local/bin/proxy_ping_lib.bash || \
 { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; }
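Review bot: The new `up::` target gives no hint of what `.rsync.sh` synchronises or where it pushes to, and `sh .rsync.sh` resolves the script against the working directory, so a reader of the Makefile cannot tell whether `make up` is safe to run from a checkout. A one-line comment above the rule in the style of the other targets, e.g. `## up - push the overlay to the managed host via .rsync.sh` (adjust to what the script really does), would document it. If `.rsync.sh` is not tracked next to this Makefile, the target fails with a bare shell error; `sh ./.rsync.sh` at least makes the expected location explicit.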
@@ -19,17 +20,17 @@ which nslookup 2>/dev/null >/dev/null && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0
 which tor-resolve 2>/dev/null >/dev/null && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0
 [ -z "$prog" ] || prog=proxy_ping_test
-proxy_ping_get_socks
+proxy_ping_get_socks >/dev/null
 [ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1
 [ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050
 [ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053
 HTTPS_PORT=9128
 HTTPS_HOST=127.0.0.1
-proxy_ping_get_https
+proxy_ping_get_https >/dev/null
 [ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
 HTTP_PORT=3128
 HTTP_PROXY_HOST=127.0.0.1
-proxy_ping_get_http
+proxy_ping_get_http >/dev/null
 [ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1
 [ -f $PREFIX/etc/testforge/testforge.bash ] && \
@@ -80,9 +81,15 @@ SCURL="/usr/local/bin/scurl.bash --output /dev/null"
 NSL='nslookup -querytype=A -debug'
 NETS='netstat -nl4e'
 ALL=""
+USAGE="$prog without arguments tests the current MODE=$MODE,
+or with 0 to list the tests by number,
+or one or more of the groups:
+
+"
 [ -z "$USER" ] && USER=$(id -un )
-[ $USER = root ] && DMESG_LINES=1 || DMESG_LINES=0
+[ $USER = root -a -n "$TRACE" -a "$TRACE" != '0' ] && DMESG_LINES=1 || DMESG_LINES=0
+
 [ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_ping_get_wlan`
 # fixme - required
 PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan |sed -e 's/:.*//' )
@@ -91,11 +98,6 @@ PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan |sed -e 's/:.*//' )
 # fixme - required
 PROXY_WLAN_GW=$( echo $PROXY_WLAN_GW | grep ^wlan |sed -e 's/:.*//' )
 MODE=$( proxy_ping_mode )
-USAGE="$prog without arguments tests the current MODE=$MODE,
-or 0 to list the tests by number,
-or one or more of the groups:
-
-"
 DNS_HOST=$SOCKS_HOST
 [ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
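Review bot: The three helper calls now discard their stdout, but their exit status is still not checked, so a failing `proxy_ping_get_socks` is indistinguishable from a successful one and the script silently falls back to 127.0.0.1 on the next line. The helpers come from the sourced proxy_ping_lib.bash, which is not in this diff; if any of them reports its result on stdout rather than by assigning SOCKS_HOST, that result is now thrown away too, so this is worth confirming against the library. While here, the context line `[ -z "$prog" ] || prog=proxy_ping_test` only assigns when prog is already non-empty, which reads as an inverted test; `[ -n "$prog" ] || prog=proxy_ping_test` looks like the intent.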
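Review bot: USAGE is now assigned on the first added line of this hunk, before `MODE=$( proxy_ping_mode )` has run (that assignment still sits further down, in the hunk at -91 where the old USAGE definition is removed), so `MODE=$MODE` in the help text expands to whatever MODE happened to be in the environment, usually nothing. Unless MODE is set above line 81 in a part of the file this diff does not show, either keep the USAGE assignment after the MODE line or move `MODE=$( proxy_ping_mode )` up along with it. The wording change (`or 0` to `or with 0`) can then be applied in place.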
@@ -244,20 +246,21 @@ proxy_run_as_root () {
 DBUG proxy_run_as_root $* ; return 1
 }
-## proxy_test_pretests
-proxy_test_pretests () {
- if [ "$1" = panic ] ; then
+# could pull these out as tests and add them to
+## proxy_test_pretest_exit
+proxy_test_pretest_exit () {
+ proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
+ if [ "$1" = panic -o "$1" = firewall ] ; then
 : dont ping on panic
 proxy_ping_broken || proxy_do_ping || \
 { WARN ping failed for panic so skipping ; exit 0 ; }
 elif [ "$1" = direct -o "$1" = gateway -o "$1" = vda -o "$1" = kick ] ; then
- proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
 proxy_ping_broken || proxy_do_ping || exit 3$?
 proxy_ping_test_resolv $MODE ||\
 { WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; }
 proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; }
 elif [ "$1" = nat ] ; then
- proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
+ : proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
 else
 proxy_do_ping || exit 4$?
 proxy_ping_test_resolv $MODE || \
@@ -270,9 +273,25 @@ proxy_test_pretests () {
 ## proxy_test_help_args
 proxy_test_help_args () {
+ declare -a elts=()
 declare -a ret=()
- ret=( $(grep " -.* $1 " /tmp/proxy_ping_test.hlp | \
- sed -e 's/.=.*//' -e 's/.*tests.//') )
+ local elt
+ if [ "$1" = selektor -o "$1" = whonix -o "$1" = torhost ] ; then
+ elts=($1 socks http dns https tordns firefail)
+ elif [ "$1" = torlibvirthost ] ; then
+ elts=($1 libvirthost socks http https tordns firefail)
+ elts+=($MODE)
+ elif [ "$1" = gateway ] ; then
+ elts=($1 libvirtguest socks dns http https firefail)
+ else
+ elts=($1)
+ fi
+ for elt in "${elts[@]}" ; do
+# DBUG proxy_test_help_args $elt $1 >&2
+ ret+=( $(grep " -.* $elt " /tmp/proxy_ping_test.hlp | \
+ sed -e 's/.=.*//' -e 's/.*tests.//') )
+ done
+ DBUG proxy_test_help_args "${ret[@]}" >&2
 echo "${ret[@]}"
 return 0
 }
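Review bot: In the hoisted `proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }`, `$?` is expanded after `ERROR` has already run, so the exit code reports ERROR's status rather than the route test's. Capture it first: `proxy_route_test || { retval=$? ; ERROR $prog route not connected ; exit 1$retval ; }`. With the route test now unconditional at the top, the `: proxy_route_test || { ... }` line left in the nat branch can never fire (`:` always succeeds), so it should become a plain comment or be dropped, and the new header comment `# could pull these out as tests and add them to` stops mid-sentence. The function's body continues past the end of the hunk.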
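Review bot: The new loop reads `/tmp/proxy_ping_test.hlp` once per expanded group, and that fixed name lives in a world-writable directory while this script runs as root in places (`[ $( id -u ) -eq 0 ]` further down); whoever can pre-create that file decides which test numbers the grep yields. Where the file is written is outside this diff, but a per-user location such as `${TMPDIR:-/tmp}/proxy_ping_test.$(id -u).hlp` or a `mktemp -d` directory would remove the shared-name risk. Separately, a test tagged with two groups from the same list (the `- direct http ` tag on tests[31] is one example) is appended to ret twice; `ret=( $(printf '%s\n' "${ret[@]}" | awk '!seen[$0]++') )` before the echo keeps the order and drops the duplicates.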
@@ -293,9 +312,6 @@ proxy_ping_test_set_args () {
 ## vda - through the Gateway with the firewall - also polipo,panic - uses env
 [ "$1" = vda ] && aret=( 35 3 20 ) #
-## tor - tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
-[ "$1" = tor ] &&
- aret=( 21 30 20 4 5 36 3 )
 ## kick - open firewall with tor running - call dns,polipo +tor in addition
 [ "$1" = kick -o "$1" = host ] && aret=( 24 31 13 16 6 )# 30 24 31 6 13 16
@@ -304,15 +320,19 @@ proxy_ping_test_set_args () {
 aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
 # aliases
+# socks defines http as the target of a user using socks
 [ "$1" = "$SOCKS_PORT" ] && set -- socks
+# http defines http as the target of a user using http
 [ "$1" = "$HTTP_PORT" ] && set -- http
+# https defines http as the target of a user using https
 [ "$1" = "$HTTPS_PORT" ] && set -- https
+# dns defines http as the target of a user using dns
 [ "$1" = "53" ] && set -- dns
+# tordns defines http as the target of a user using tordns
 [ "$1" = "9053" ] && set -- tordns
 [ "$1" = scan ] && set -- iwlist
 [ "$1" = panic ] && set -- firewall
-[ "$1" = tor ] && set -- torhost
 [ "$1" = to_gateway ] && set -- whonix
 [ "$1" = from_tor ] && set -- whonix
 [ "$1" = from_gateway ] && set -- gateway
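Review bot: The five added comments are copy-paste variants of one sentence and are wrong for four of the lines they sit on (`# dns defines http as the target of a user using dns`, `# tordns defines http as the target ...`); what each line does is map a bare port number given on the command line to the group name that listens on it. A single comment for the run, e.g. `# a port number given as the argument is an alias for the group listening on it (SOCKS_PORT -> socks, HTTP_PORT -> http, 53 -> dns, 9053 -> tordns)`, replacing the five, would be accurate and shorter. The literal 53 and 9053 here are not tied to the SOCKS_DNS default set earlier in the script, so if that default is ever overridden the tordns alias will silently stop matching; worth a note or `"$SOCKS_DNS"` in place of `"9053"`.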
@@ -326,11 +346,11 @@ proxy_ping_test_set_args () {
 set -- ping dns socks http https tordns firefail libvirtguest # wifi?
 [ "$1" = whonix ] && \
- set -- ping tordns dns socks http https torhost tordns firefail gw
-[ "$1" = tor ] && \
- set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
-[ "$1" = selektor ] && \
- set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
+ set -- ping tordns dns socks http https torhost tordns firefail gw
+[ "$1" = tor -o "$1" = selektor ] && \
+ set -- ping tordns dns trace torhost nmap gw
+## torhost implies -
+#? tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
 [ "$1" = direct -o "$1" = '' ] && \
 set -- ping dns trace nmap gw
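Review bot: The added `## torhost implies -` line is left unfinished, and since the `##` lines in this file appear to be the source of the help text that proxy_test_help_args greps out of /tmp/proxy_ping_test.hlp, a dangling entry is likely to surface in the `-h` output. If it is meant to record that torhost is expanded to socks, http, dns, https, tordns and firefail, which is what proxy_test_help_args now does, write it out: `## torhost implies socks http dns https tordns firefail - expanded by proxy_test_help_args`. The re-indented whonix list still names `tordns` twice; harmless, but easy to drop while the line is being touched.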
@@ -339,33 +359,34 @@ proxy_ping_test_set_args () {
 # aret="${#tests[@]}"
 ## gw - test if we are connected to the gateway
-## torhost - running tor with the firewall
 ## env - from the cmdline with a properly setup env
 ## firefail - test the proxy without env vars to expect failure
+## torhost - running tor with the firewall
 ## http - assumes torhost or whonix and env setup
 ## https - assumes torhost or whonix and env setup
 ## socks - assumes torhost or whonix and env setup
+## tordns - test 9053 for dns using tor-resolve
+## dns - dns using tor or the gateway, with the firewall - does not assume env
 ## ping - connected routed test the ping to DNS hosts
 ## ntp - ntpdate through the firewall
 ## nmap - nmap sgid through the firewall - does not assume env
-## iwlist - wlan scan
+## iwlist - wlan scan of a wifi host
 ## firewall - test that the firewall blocks
-## virbr1 - assumes tor or whonix
-## gateway - ssh to the whonix gateway
+## virbr1 - looks for virbr1 on a libvirt host torhost or whonix
+## gateway - ssh to the whonix gateway from the torhost
 ## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda
 ## wifi - test if we are connected - call scan in addition
 ## libvirthost - hosting a libvirt container
 ## libvirtguest - in a libvirt container
-## tordns - test 9053 for dns using tor-resolve
-## dns - dns using tor or the gateway, with the firewall - does not assume env
-## whonix - whonix to the Gateway with the firewall - also panic - not assume env
-## whonix - whonix gateway host side client setup with the firewall was from_to## direct - assume no firewall and no proxy - but may work depend on env
-r
+## whonix - whonix torhost with libvirt container running gateway behind firewall - aliases: to_gateway from_tor
+## direct - assume no firewall and no proxy - but may work depend on env
+
 for elt in "$@" ; do
 if [ "$elt" = gw -o "$elt" = '' -o "$elt" = env -o \
 "$elt" = https -o "$elt" = http -o "$elt" = socks -o "$elt" = dns -o \
"$elt" = torhost -o "$elt" = tordns -o "$elt" = whonix -o \ - "$elt" = libvirthost -o "$elt" = libvirtguest -o "$elt" = virbr1 -o \ + "$elt" = libvirthost -o "$elt" = torlibvirthost -o \ + "$elt" = libvirtguest -o "$elt" = virbr1 -o \ "$elt" = ping -o "$elt" = trace -o "$elt" = ntp -o "$elt" = nmap -o \ "$elt" = iwlist -o "$elt" = firefail -o "$elt" = direct -o \ "$elt" = trace -o "$elt" = wifi -o "$elt" = '' -o "$elt" = '' \ @@ -405,9 +426,8 @@ if [ $1 = '-h' -o $1 = '--help' ] ; then set -- `proxy_ping_test_set_args "$@"` DBUG running tests numbered "$@" fi -proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; } -proxy_test_pretests "$1" +proxy_test_pretest_exit "$1" # https://stackoverflow.com/questions/8290046/icmp-sockets-linux/20105379#20105379 if [ $( id -u ) -eq 0 ] ; then @@ -471,6 +491,7 @@ while [ "$#" -gt 0 ] ; do [ $DEBIAN -eq 0 ] && continue [ -z "$socks_proxy" ] && socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT + # mode whonix implies torhost if [ $MODE = whonix ] ; then ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e| grep 15:$SOCKS_PORT || { retval=$? 
@@ -496,14 +517,16 @@ while [ "$#" -gt 0 ] ; do
 GREP="$SOCKS_PORT"
 elif [ $ARG -eq 4 ] ; then
- tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com - tordns "
+ tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET - tordns "
 [ $HAVE_DIG = 1 ] || continue
 if [ $MODE = whonix ] ; then
+ # test ssh to the whonix_gateway libvirt container
+ # and make sure that the socks proxy is runninh
 ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e | grep 15:$SOCKS_DNS
 fi
- dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
+ dig @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET +timeout=$TIMEOUT >/dev/null || { \
 retval=$?
- WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com
+ WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET
 [ -z "$ALL" ] && exit $ARG$retval || continue
 }
 INFO $prog test=$ARG "${tests[$ARG]}"
@@ -513,7 +536,7 @@ while [ "$#" -gt 0 ] ; do
 elif [ $ARG -eq 5 ] ; then
 tests[5]="nslookup_socks_as_user - tordns "
 [ $HAVE_NSLOOKUP = 1 ] || continue
- desc="$NSL -port=$SOCKS_DNS www.whatismypublicip.com ${DNS_HOST}"
+ desc="$NSL -port=$SOCKS_DNS $DNS_TARGET ${DNS_HOST}"
 $desc >/dev/null || { \
 retval=$?
 WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
@@ -697,8 +720,9 @@ while [ "$#" -gt 0 ] ; do
 [ $DEBIAN -eq 0 ] && continue
 socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
- proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \
- || { retval=$? ; ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT
+ proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null || {
+ retval=$? ;
+ ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT
 [ -z "$ALL" ] && exit $ARG$retval || continue
 }
 INFO $prog test=$ARG "${tests[$ARG]}"
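Review bot: `$DNS_TARGET` replaces the hard-coded hostname in tests 4 and 5 here and in tests 24, 25 and 27 (hunks at -742, -758 and -777), but no default or assignment for it appears anywhere in the diff; if it is not provided by proxy_ping_lib.bash or the environment, `dig @${SOCKS_HOST} -p $SOCKS_DNS +timeout=$TIMEOUT` runs with no name at all and falls back to dig's default root query, so the tordns tests can pass without resolving anything. A guarded default next to the existing ones, `[ -n "$DNS_TARGET" ] || DNS_TARGET=www.whatismypublicip.com`, keeps the previous behaviour when nothing overrides it. The new comment also has a typo: `runninh` should be `running`.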
@@ -742,11 +766,11 @@ while [ "$#" -gt 0 ] ; do
 INFO $prog test=$ARG "${tests[$ARG]}"
 elif [ $ARG -eq 24 ] ; then
- tests[24]="dig_direct_or_dnsmasq dig -b $IP www.whatismypublicip.com - direct "
+ tests[24]="dig_direct_or_dnsmasq dig -b $IP $DNS_TARGET - direct "
 [ $HAVE_DIG = 1 ] || continue
 [ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
 [ -n "$IP" ] || continue
- dig -b $IP www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
+ dig -b $IP $DNS_TARGET +timeout=$TIMEOUT >/dev/null || { \
 retval=$?
 WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
 [ -z "$ALL" ] && exit $ARG$retval || continue
@@ -758,9 +782,9 @@ while [ "$#" -gt 0 ] ; do
 [ $HAVE_NSLOOKUP = 1 ] || continue
 # noenv with or without proxy
 # @$DNS_HOST1 should fail for firewall unless dnsmasq is working
- $NSL >/dev/null www.whatismypublicip.com || { \
+ $NSL >/dev/null $DNS_TARGET || { \
 retval=$?
- WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup www.whatismypublicip.com
+ WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup $DNS_TARGET
 [ -z "$ALL" ] && exit $ARG$retval || continue
 }
 INFO $prog test=$ARG "${tests[$ARG]}" nslookup
@@ -768,7 +792,7 @@ while [ "$#" -gt 0 ] ; do
 elif [ $ARG -eq 26 ] ; then
 tests[26]="route_connected_ping_scan - direct "
 [ $HAVE_DIG = 1 ] || continue
- #? proxy_test_pretests
+ #? done already in proxy_test_pretest_exit
 proxy_do_ping && \
 INFO $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP || \
 WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
@@ -777,7 +801,7 @@ while [ "$#" -gt 0 ] ; do
 tests[27]="dns_as_user dig -b 127.0.0.1 - direct "
 [ $HAVE_DIG = 1 ] || continue
 [ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
- dig -b 127.0.0.1 www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
+ dig -b 127.0.0.1 $DNS_TARGET +timeout=$TIMEOUT >/dev/null || { \
 retval=$?
 WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
 [ -z "$ALL" ] && exit $ARG$retval || continue
@@ -808,9 +832,9 @@ while [ "$#" -gt 0 ] ; do
 elif [ $ARG -eq 30 ] ; then
 tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost "
- [ $MODE = tor -o $MODE = selektor ] || {
- ERROR $prog MODE != tor test=$ARG
- [ -z "$ALL" ] && exit $ARG$retval || continue
+ [ $MODE = tor -o $MODE = whonix -o $MODE = selektor ] || {
+ # are there other roles that run tor?
+ WARN $prog MODE != tor test=$ARG
 }
 port=$SOCKS_PORT
 $NETS | grep -q :$port || {
@@ -834,7 +858,7 @@ while [ "$#" -gt 0 ] ; do
 tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http "
 proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT && { \
 retval=$?
- ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval polipo http pages $HTTP_PORT
+ ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval http to $HTTP_PORT
 [ -z "$ALL" ] && exit $ARG$retval || continue
 }
 INFO $prog test=$ARG "${tests[$ARG]}"
@@ -923,7 +947,7 @@ while [ "$#" -gt 0 ] ; do
 INFO $prog test=$ARG "${tests[$ARG]}"
 GREP=""
 elif [ $ARG -eq 38 ] ; then
- tests[38]="qemu-guest-agent and ports - libvirthost whonix "
+ tests[38]="qemu-guest-agent and ports - libvirthost "
 [ $USER = root ] || continue
 $PL proxy_libvirt_list
 aret=$?
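Review bot: Dropping the `exit`/`continue` after the MODE check changes what test 30 does outside tor, whonix and selektor: it now only warns and then proceeds to `$NETS | grep -q :$port` and the rest of the test, so a host that is not expected to run tor reports the port check as the failure instead of being skipped. If the intent is still to skip, keep the branch as `WARN $prog MODE != tor test=$ARG ; continue`; if the intent is to run anyway, the message should say so, because `MODE != tor` now reads as an error that is then ignored. The added `# are there other roles that run tor?` is a question rather than documentation; answering it, or marking it as a TODO, is more useful than leaving it open.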
@@ -932,9 +956,10 @@ while [ "$#" -gt 0 ] ; do
 elif [ $aret -ne 10 -a $aret -ne 0 ] ; then
 DBUG proxy_libvirt_status aret=$aret
 else
- $PL proxy_libvirt_list | grep -q "$GATEW_DOM" || {
- ERROR MODE=$MODE and $GATEW_DOM not running ;
- [ -z "$ALL" ] && exit $ARG$retval || continue
+ # was $GATEW_DOM but now can be gentoo_vm-2 etc
+ $PL proxy_libvirt_list 2>&1 | grep -q "running" || {
+ WARN MODE=$MODE and nothing libvirt running ;
+ continue
 }
 INFO $prog test=$ARG "${tests[$ARG]}"
 fi
@@ -959,8 +984,6 @@ exit 0
 curl $D -k --proxy
 3)
 curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure
- 5)
- nslookup -port=$SOCKS_DNS www.whatismypublicip.com ${SOCKS_HOST} \
 6)
 curl -k --proxy $HTTP_PORT
 16)
diff --git a/overlay/Linux/usr/local/bin/usr_local_tput.bash b/overlay/Linux/usr/local/bin/usr_local_tput.bash
index db90d0f..9dd0947 100755
--- a/overlay/Linux/usr/local/bin/usr_local_tput.bash
+++ b/overlay/Linux/usr/local/bin/usr_local_tput.bash
@@ -24,10 +24,11 @@ else
 fi
 FATL () {
+ local code=0
 [ $# -eq 1 ] && code=1
 [ $# -gt 1 ] && code=$1 && shift
 echo ${red}FATL:${normal} $*
- exit 1
+ exit $code
 }
 ftal () { FATL >&2 "$@" ; }
 panic () { FATL >&2 "$@" ; }
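Review bot: With `2>&1` added in front of `grep -q "running"`, any diagnostic that `$PL proxy_libvirt_list` writes to stderr and that happens to contain the word running (a "libvirtd is not running" style message, for instance) satisfies the check, so the WARN branch can be skipped on exactly the hosts it is meant to catch. If the listing really is written to stderr, keep the merge but match the state column rather than a bare word; otherwise use `$PL proxy_libvirt_list 2>/dev/null | grep -qw running || {` and leave stderr visible to the user. The comment explains why the `$GATEW_DOM` match was loosened, which is good, but the new test accepts any running domain rather than one belonging to this role, and that widening deserves a word in the same comment.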
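Review bot: FATL now exits 0 when called with no arguments (`local code=0` and neither `[ $# ... ]` line fires), and with two or more arguments `code=$1` takes the first word whatever it is, so a call like `panic some message here` ends in `exit some`, which bash rejects as a non-numeric argument while the printed message has also lost its first word. Treat the first argument as an exit code only when it is numeric and default to 1 otherwise: `local code=1` followed by `case $1 in ''|*[!0-9]*) ;; *) code=$1 ; shift ;; esac` in place of the two `[ $# ... ]` lines. A one-line comment above the function stating that convention (`# FATL [code] message... - print and exit, code defaults to 1`) would spare the next reader the same trace through ftal and panic.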