added

2024-01-01 01:04:40 +00:00 · 2024-01-01 01:04:40 +00:00 · c417a6f3f9
commit c417a6f3f9
parent eaf6ffdbef
29 changed files with 16625 additions and 608 deletions
--- a/roles/toxcore/tasks/Gentoo.yml
+++ b/roles/toxcore/tasks/Gentoo.yml
@ -24,7 +24,7 @@
  when:
    - item != '' and item != []
    - BASE_ARE_CONNECTED|default('') != ''
-    - "{{ ansible_virtualization_role|replace('NA', 'host') == 'host' }}"
+    - "ansible_virtualization_role|replace('NA', 'host') == 'host'"

 - name: install toxcore packages GUEST
  environment: "{{ portage_proxy_env }}"
@ -58,19 +58,20 @@
    [ -f "/etc/local.d/rc.local.start" ] && exit 0
    echo /etc/rc.local > /etc/local.d/rc.local.start
    chmod 755  /etc/local.d/rc.local.start
+    if ! grep consolefont /etc/rc.local ; then
    cat >> /etc/rc.local << EOF
    /etc/init.d/consolefont stop; /etc/init.d/consolefont start
    stty -F /dev/tty1 cols 80 rows 24
-    grep vda /proc/partitions && \
-        e2label /dev/vda3 root && \
-        e2label /dev/vda1 boot
    sed -e 's/^#L/L/' -i /etc/fstab
    EOF
+    fi
+    chmod 755 /etc/rc.local
    bash /etc/rc.local
    exit 0
  when:
    - not ansible_check_mode
    - BOX_SERVICE_MGR != 'systemd' # maybe
+    - "ansible_virtualization_role|replace('NA', 'host') != 'host'"

 # safe ones
 - block:
@ -167,5 +168,6 @@
          FCFLAGS="${CFLAGS}"
          FFLAGS="${CFLAGS}"

-  when: true
+  when:
+    - "{{ ansible_virtualization_role|replace('NA', 'host') != 'host' }}"

--- a/roles/toxcore/tasks/libvirt_whonix.yml
+++ b/roles/toxcore/tasks/libvirt_whonix.yml
@ -0,0 +1,275 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+- name: "proxy libvirt_whonix.yml"
+  debug:
+    verbosity: 1
+    msg: "proxy libvirt_whonix.yml PROXY_FEATURES={{PROXY_FEATURES}}"
+
+- name: "hulahoop .asc"
+  environment: "{{ shell_proxy_env }}"
+  shell: |
+    base="hulahoop"
+    URL="www.whonix.org/$base"
+    dir="{{HARDEN_VAR_LOCAL}}/net/Http/"
+    [ -d $dir ] || mkdir $dir
+    [ -f $dir/$URL.asc ] || wget {{BASE_WGET_ARGS}} -xc -P $dir https://$URL.asc || exit 3
+    # FixMe:
+    gpg --import $dir/$URL.asc > /tmp/V$$.out 2>&1
+    [ $? -eq 0 ] || exit 1$?
+    grep 'imported: 1' /tmp/V$$.out
+    exit 0
+  args:
+    creates: "{{HARDEN_VAR_LOCAL}}/net/Http/www.whonix.org/hulahoop.asc"
+  when:
+    - not ansible_check_mode
+    - BASE_ARE_CONNECTED|default('') != ''
+  ignore_errors: true
+
+- block:
+
+  - name: "/etc/libvirt/virtlogd.conf"
+    lineinfile:
+      path: /etc/libvirt/virtlogd.conf
+      create: yes
+      mode: 0755
+      insertafter: BOF
+      line: '{{item.key}}="{{item.val}}"'
+      regexp: "^#{{item.key}}.*"
+    with_items:
+      - key: log_filters
+        val: "1:logging 4:object 4:json 4:event 1:util"
+      - key: log_outputs
+        val: "3:file:/var/log/libvirt/virtlogd.log"
+
+  when:
+    - "'libvirt' in BOX_HOSTVMS_FEATURES or BOX_WHONIX_PROXY_HOST != ''"
+    - "ansible_virtualization_role|replace('NA', 'host') == 'host'"
+
+- name: /etc/sysctl.d/70_testforge_libvirt.conf
+  blockinfile:
+    dest: /etc/sysctl.d/70_testforge_libvirt.conf
+    create: yes
+    marker: "# {mark} ANSIBLE MANAGED BLOCK ip_forward"
+    block: |
+      # enisables packet forwarding - required on the host for libvirt
+      net.ipv4.ip_forward = 1
+      # Disables IP dynaddr
+      #net.ipv4.ip_dynaddr = 0
+      # Disable ECN
+      #net.ipv4.tcp_ecn = 0
+  when:
+    - false # use lineinfile on the file it is already in
+    - "'hostvms' in ROLES|default([]) or 'toxcore' in ROLES|default([]) or 'privacy' in ROLES|default([])"
+    - "ansible_virtualization_role|replace('NA', 'host') == 'host'"
+  # FixMe: WTF?
+  # The destination directory (/etc/sysctl.d) is not writable by the current user.
+  ignore_errors: true
+
+- block:
+
+  # https://www.whonix.org/wiki/KVM/Whonix_Signing_Key
+  - name: verify an image download.whonix.org/libvirt
+    shell: |
+      HTTP_DIR=/g/Privacy/net/Http/
+      URL=download.whonix.org/libvirt/{{PRIV_WHONIX_VERSION}}/Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.libvirt.xz
+
+      [ -f $HTTP_DIR/$URL ] || \
+          wget -c {{ BASE_WGET_ARGS }} -P $HTTP_DIR https://$URL https://$URL.asc || exit 3
+      gpg --verify  $HTTP_DIR/$URL.asc  $HTTP_DIR/$URL >/tmp/V$$.out
+      [ $? -ne 0 ] && exit $?
+      grep 'Good signature from' /tmp/V$$.out || exit 11
+      grep ' key fingerprint: 04EF 2F66 6D36 C354 058B  9DD4 50C7 8B6F 9FF2 EC85'  /tmp/V$$.out || exit 12
+    # FixMe:
+    ignore_errors: true
+    when:
+      - BASE_ARE_CONNECTED|default('') != ''
+
+  - name: untar
+    shell: |
+      HTTP_DIR=/g/Privacy/net/Http/
+      URL=download.whonix.org/libvirt/{{PRIV_WHONIX_VERSION}}/Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.libvirt.xz
+      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
+      [ -d $CDIR ] || mkdir -p $CDIR
+      cd $CDIR || exit
+      [ -f WHONIX_DISCLAIMER ] || tar xvfJ $HTTP_DIR/$URL
+    args:
+      creates: "{{PROXY_GATEWAY_QEMU_DIR}}/Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums.asc"
+
+  - name: sha256sum -c Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums.asc
+    shell: |
+      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
+      [ -d $CDIR ] || exit 1
+      gpg --verify Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums.asc Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums >/tmp/V$$.out
+      [ $? -ne 0 ] && exit $?
+      grep 'OK' /tmp/V$$.out || exit 11
+
+  - name: sha256sum -c Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums
+    shell: |
+      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
+      [ -d $CDIR ] || exit 1
+      sha256sum -c Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums
+
+  - name: touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
+    shell: |
+      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
+      cd $CDIR || exit 1
+      [ -f WHONIX_BINARY_LICENSE_AGREEMENT_accepted  ] || \
+        touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
+
+  - name: net-define $DIR/Whonix_external*.xml
+    shell: |
+      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
+      virsh net-list --all | grep Whonix-External && exit 0
+      cd $CDIR || exit 1
+      virsh -c qemu:///system net-define $DIR/Whonix_external*.xml
+
+  - name: virsh net-info Whonix-Internal
+    shell: |
+      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
+      virsh net-list --all | grep Whonix-Internal && exit 0
+      cd $CDIR || exit 1
+      virsh -c qemu:///system net-define $DIR/Whonix_internal*.xml
+
+  - name: virsh define Whonix-Gateway
+    shell: |
+      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
+      virsh list --all | grep Whonix-Gateway && exit 0
+      cd $CDIR || exit 1
+      grep -q "{{PRIV_WHONIX_GATE_MEM}}"  Whonix-Gateway-XFCE-{{PRIV_WHONIX_VERSION}}.xml || \
+        sed -e "s@<currentMemory unit='KiB'>524288</currentMemory>@<currentMemory unit='KiB'>{{PRIV_WHONIX_GATE_MEM}}</currentMemory>@" -i \
+          Whonix-Gateway-XFCE-{{PRIV_WHONIX_VERSION}}.xml
+      virsh define Whonix-Gateway-XFCE-{{PRIV_WHONIX_VERSION}}.xml --validate
+    args:
+      creates: /etc/libvirt/qemu/Whonix-Gateway.xml
+
+  - name: virsh define Whonix-Workstation
+    shell: |
+      CDIR={{PROXY_GATEWAY_QEMU_DIR}}
+      virsh list --all | grep Whonix-Workstation && exit 0
+      cd $CDIR || exit 1
+      virsh define Whonix-Workstation-XFCE-{{PRIV_WHONIX_VERSION}}.xml --validate
+    args:
+      creates: /etc/libvirt/qemu/Whonix-Workstation.xml
+    when:
+      - false
+  # FixMe should only edit if not running
+
+  - name: /etc/libvirt/qemu/*xml
+    blockinfile:
+      dest: "{{item}}"
+      marker: "<!-- {mark} ANSIBLE MANAGED BLOCK proxy whonix -->"
+      mode:  0660
+      owner: "{{BOX_ROOT_USER}}"
+      group: "{{BOX_ROOT_GROUP}}"
+      create: no
+      block: |
+        <channel type='unix'>
+          <source mode='bind'/>
+          <target type='virtio' name='org.qemu.guest_agent.0'/>
+          <address type='virtio-serial' controller='0' bus='0' port='2'/>
+        </channel>
+    with_fileglob: /etc/libvirt/qemu/Whonix*.xml
+
+  when:
+    - false # use xml instead
+    - "ansible_virtualization_role|replace('NA', 'host') == 'host'"
+
+# console=tty0 console=ttyS0,115200n8 spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy
+# from Gateway
+
+- block:
+
+  # /usr/portage/app-emulation/libvirt/files/libvirtd.init-r19 after livirt-7.2.0a
+  - name: /usr/local/sbin/proxy_whonix-libvirt-install.bash
+    shell: |
+      cp -p /usr/local/etc/init.d/libvirtd.openrc /etc/init.d/livirtd
+      chmod 755 /etc/init.d/libvirtd
+    args:
+      creates: /etc/init.d/libvirtd
+
+  - name: "/etc/libvirt/qemu.conf"
+    blockinfile:
+      dest: "/etc/libvirt/qemu.conf"
+      create: false
+      marker: "# {mark} ANSIBLE MANAGED BLOCK hostvms vms {{item.name}}"
+      insertafter: '^#* *{{item.name}}.*'
+      block: |
+        {{ item.name }} = {{ item.val }}
+    with_items:
+      - { name: 'migration_address', val: '"0.0.0.0"' }
+      - { name: 'user', val: '"root"' }
+      #? why qemu - serverfault sez must be root for passthrough
+      # root is not enough for passthorugh mounting rw
+      - { name: 'group', val: '"root"' }
+      #? why
+      - { name: 'dynamic_ownership', val: '1' }
+      #??  why
+      # error : virGetUserID:1041 : invalid argument: Failed to parse user 'tss'
+      # - { name: 'swtpm_user', val: '"tss"' }
+      #??  why
+      # error : virGetGroupID:1124 : invalid argument: Failed to parse group 'tss'
+      # - { name: 'swtpm_group', val: '"tss"' }
+      # - { name: '', val: '' }
+    ignore_errors: true
+    # required
+    when: not ansible_check_mode
+
+  - name: "/etc/libvirt/libvirtd.conf"
+    blockinfile:
+      dest: /etc/libvirt/libvirtd.conf
+      create: yes
+      marker: "# {mark} ANSIBLE MANAGED BLOCK hostvms vms {{item.name}}"
+      insertafter: '^#* *{{item.name}}.*'
+      block: |
+        {{ item.name }} = "{{ item.val }}"
+    with_items:
+      #listen_addr = "192.168.0.1"
+      - { name: "listen_addr", val: "127.0.0.1" }
+      #_sock_group = "libvirt"
+      - { name: "unix_sock_group", val: "libvirt" }
+      - { name: "unix_sock_ro_perms", val: "0750" }
+      - { name: "unix_sock_rw_perms", val: "0770" }
+      #ca_file = "/etc/pki/CA/cacert.pem"
+      - { name: "ca_file", val: "{{ PLAY_CA_CERT }}" }
+      - { name: "auth_unix_ro", val: "none" }
+      - { name: "auth_unix_rw", val: "none" }
+      - { name: "log_filters", val: "1:qemu 1:libvirt 4:object 4:json 4:event 1:util" }
+      - { name: "log_outputs", val: "3:file:/var/log/libvirtd.log" }
+      #
+      # - { name: "", val: "" }
+    ignore_errors: true
+    # required
+    when: not ansible_check_mode
+    notify: restart libvirtd
+
+  - name: /etc/modprobe.d/nbd.conf"
+    shell: |
+      file="/etc/modprobe.d/nbd.conf"
+      [ -f $file ] || echo >$file options nbd max_part=16
+    args:
+      creates: /etc/modprobe.d/nbd.conf
+
+  - name: "/etc/default/libvirt-guests"
+    lineinfile:
+      path: /etc/default/libvirt-guests
+      create: yes
+      mode: 0755
+      insertafter: BOF
+      line: '{{item.key}}="{{item.val}}"'
+      regexp: "^#{{item.key}}.*"
+    with_items:
+      - key: ON_BOOT
+        val: ignore
+    when:
+      - "ansible_distribution == 'Debian'"
+
+  - name: /usr/local/sbin/proxy_whonix-libvirt-install.bash
+    shell: |
+      /usr/local/sbin/proxy_whonix-libvirt-install.bash
+    args:
+      creates: /etc/libvirt/qemu/Whonix-Gateway.xml
+
+  when:
+    - ansible_virtualization_role|replace('NA', 'host') == 'host'
--- a/roles/toxcore/tasks/main.yml
+++ b/roles/toxcore/tasks/main.yml
@ -187,6 +187,7 @@
    - LOOP_ITEM  != '' and LOOP_ITEM  != []
  with_items:
    - "vms"
+    - "{{ 'libvirt_whonix' if (BOX_WHONIX_PROXY_HOST != '' or 'libvirt' in BOX_HOSTVMS_FEATURES or 'whonix' in BOX_TOXCORE_FEATURES) else [] }}"
  loop_control:
    loop_var: LOOP_ITEM