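# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# Whonix guest provisioning: gateway firewall/tor/sysctl tweaks (first block,
# gated on BOX_OS_FLAVOR == WhonixGateway) and 9p host mounts in /etc/fstab
# (second block, gated on BOX_OS_FLAVOR == WhonixWorkstation).
- name: "base _whonix.yml"
  debug:
    verbosity: 1
    msg: "base guest_whonix.yml"

- block:
    # Each item appends one line to the Whonix firewall config.  The regexp is
    # anchored on name+value (value regex-escaped) so every run is idempotent:
    # the original "^.*{{item.val}}.*" was not, because the leading '+' of
    # '+=" 22 "' made ".*+" either a possessive quantifier (never matching,
    # so the line was re-appended on every run) or a re.error, and the "1" of
    # the SSH item matched any line containing a 1.
    - name: /etc/whonix_firewall.d/30_whonix_gateway_default.conf
      lineinfile:
        dest: /etc/whonix_firewall.d/30_whonix_gateway_default.conf
        regexp: '^{{ item.name }}{{ item.val | regex_escape }}'
        line: '{{ item.name }}{{ item.val }}'
        state: present
      with_items:
        # 9050/9053/9040 are the Tor SocksPort/DNSPort/TransPort that the
        # Whonix-Lati.rc script below binds to the eth0 address.  Opening them
        # on the external interface makes the gateway usable as a proxy by
        # anything that can reach that interface; keep the external network
        # host-only or restrict these ports upstream.
        - { name: EXTERNAL_OPEN_PORTS, val: '+=" 22 "' }
        - { name: EXTERNAL_OPEN_PORTS, val: '+=" 9050 "' }
        - { name: EXTERNAL_OPEN_PORTS, val: '+=" 9053 "' }
        - { name: EXTERNAL_OPEN_PORTS, val: '+=" 9040 "' }
        ## This will simply open incoming port 22 in the Whonix-Gateway firewall.
        # val carries the '=' so the rendered line is an assignment
        # (GATEWAY_ALLOW_INCOMING_SSH=1) rather than the bare token
        # "GATEWAY_ALLOW_INCOMING_SSH1" the original produced.
        - { name: GATEWAY_ALLOW_INCOMING_SSH, val: "=1" }

    # Raise the system-wide open-file limit for the tor daemon.
    - name: /etc/sysctl.d/80_whonix_gateway.conf
      blockinfile:
        dest: /etc/sysctl.d/80_whonix_gateway.conf
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK base guest_whonix_gateway"
        block: |
          fs.file-max = 100000

    # Matching per-process limit for the tor unit.  NOTE(review): this edits
    # the unit file through the multi-user.target.wants symlink; a drop-in
    # under tor.service.d/ would survive package upgrades — confirm intent.
    - name: /etc/systemd/system/multi-user.target.wants/tor.service
      blockinfile:
        dest: /etc/systemd/system/multi-user.target.wants/tor.service
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK base guest_whonix_gateway"
        insertafter: '^.Service.'
        block: |
          LimitNOFILE=100000

    # Boot-time script: binds tor's SocksPort/DNSPort/TransPort to eth0's
    # address, restarts tor if the TransPort is not listening, and makes sure
    # the firewall config lists the same ports.
    - name: /usr/local/etc/local.d/Whonix-Lati.rc
      blockinfile:
        dest: /usr/local/etc/local.d/Whonix-Lati.rc
        create: true
        # quoted so no YAML loader reads the octal as decimal 770
        mode: "0770"
        marker: "# {mark} ANSIBLE MANAGED BLOCK base guest_whonix_gateway"
        # inherited from the tor.service task; has no effect on a freshly
        # created file
        insertafter: '^.Service.'
        # The blockinfile marker line precedes "#!/bin/sh", so it is not an
        # effective shebang.  NOTE(review): the script uses "return" at top
        # level, which only works when the file is sourced — confirm how
        # local.d consumes it.
        block: |
          #!/bin/sh
          IP=`ifconfig eth0 | grep inet | sed -e 's/.*inet //' -e 's/ .*//'`
          [ $? -eq 0 ] || return 1$?
          [ -n "$IP" ] || return 2$?
          [ -f /etc/torrc.d/99_gateway.conf ] || touch /etc/torrc.d/99_gateway.conf
          grep -q "SocksPort $IP:9050" /etc/torrc.d/99_gateway.conf || \
            echo "SocksPort $IP:9050" >> /etc/torrc.d/99_gateway.conf
          grep -q "DNSPort $IP:9053" /etc/torrc.d/99_gateway.conf || \
            echo "DNSPort $IP:9053" >> /etc/torrc.d/99_gateway.conf
          # NOTE(review): the source line was truncated at "IsolateDestA";
          # the tail of the option list is reconstructed — confirm the
          # intended stream-isolation flags.
          grep -q "TransPort $IP:9040" /etc/torrc.d/99_gateway.conf || \
            echo "TransPort $IP:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort" >> /etc/torrc.d/99_gateway.conf
          netstat -nlp -t inet | grep "$IP:9040" || \
            systemctl --no-pager restart tor@default || exit 2$?
          # systemctl --no-pager status tor@default
          # Runtime safety net for the lineinfile task above ('.=' matches '+=').
          for elt in 22 9050 9053 9040 ; do
            grep '^EXTERNAL_OPEN_PORTS.=" '$elt' "' \
              /etc/whonix_firewall.d/30_whonix_gateway_default.conf || \
              echo 'EXTERNAL_OPEN_PORTS+=" '$elt' "' >> \
                /etc/whonix_firewall.d/30_whonix_gateway_default.conf
          done
          # connectivity probe through the DNSPort, only when a default route exists
          ip route | grep -q ^def && dig @$IP -p 9053 google.com
          exit 0
          # o /mnt/o 9p noauto,rw,trans=virtio,version=9p2000.L,cache=none 0 0

    # Fails the play if torrc does not verify; the last line presumably looks
    # for the "Bootstrapped 100%" log entry and is skipped without a default
    # route (the shell then exits with grep's status).
    - name: guest_whonix_gateway sanity checks
      shell: |
        su -s /bin/sh -c '/usr/bin/tor --verify-config' debian-tor || exit 1$?
        # always start this?
        # /etc/systemd/system/multi-user.target.wants/vanguards.service
        ip route | grep -q ^def && grep 100% /run/tor/log
  # applies to every task of the block
  when:
    - BOX_OS_FLAVOR|default('') == 'WhonixGateway'

- block:
    #ansible_virtualization_role|replace('NA', 'host') == 'guest'
    # - BOX_OS_FLAVOR|default('') == 'WhonixWorkstation' or BOX_OS_FLAVOR|default('') == 'WhonixGateway'
    # Adds one 9p entry per host mount.  The existence check looks for the
    # mount point delimited by whitespace: the original '\t'$elt'\t' pattern
    # never matched (the entry is written with spaces, and GNU grep treats
    # "\t" as a literal t), so a line was appended on every run.
    - name: /etc/fstab
      shell: |
        for elt in {{BOX_HOST_CONTAINER_MOUNTS|join(' ')}} ; do
          grep -q "[[:space:]]$elt[[:space:]]" /etc/fstab && continue
          base=`basename $elt`
          echo >> /etc/fstab \
            "$base"' '$elt' 9p noauto,rw,trans=virtio,version=9p2000.L,cache=none 0 0'
        done
        exit 0
  # applies to every task of the block
  when:
    - BOX_OS_FLAVOR|default('') == 'WhonixWorkstation'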