# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# Trace marker for this task file; only printed when running with -v or more.
- name: "proxy libvirt_whonix.yml"
  debug:
    verbosity: 1
    msg: "proxy libvirt_whonix.yml PROXY_FEATURES={{PROXY_FEATURES}}"
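# Fetch and import the GnuPG key that signs the Whonix libvirt images.
# The key file is pinned to the fingerprint the image-verification task below
# checks against, and nothing is imported unless it matches - so a swapped
# file on the web host, or an interposed proxy/CA, cannot plant a different
# key in the keyring that the later signature check would then accept.
- name: "hulahoop .asc"
  environment: "{{ shell_proxy_env }}"
  shell: |
    set -u
    base="hulahoop"
    URL="www.whonix.org/$base"
    dir="{{TOXCORE_USR_LOCAL}}/net/Http/"
    # Expected primary-key fingerprint (no spaces, as --with-colons prints it).
    # Keep in sync with the fingerprint checked on the image signature.
    FPR="04EF2F666D36C354058B9DD450C78B6F9FF2EC85"
    # Scratch file for gpg output. mktemp instead of /tmp/V$$.out: a fixed,
    # predictable name in /tmp can be pre-created by any local user.
    out=$(mktemp) || exit 2
    trap 'rm -f "$out"' EXIT
    [ -d "$dir" ] || mkdir -p "$dir" || exit 2
    # -x keeps the host-name directory, so the file lands at $dir/$URL.asc
    # (the path the creates: argument and the -f test expect).
    [ -f "$dir/$URL.asc" ] || wget {{BASE_WGET_ARGS}} -xc -P "$dir" "https://$URL.asc" || exit 3
    # Refuse to import anything whose fingerprint is not the pinned one.
    # (--with-fingerprint on a file is the widely supported spelling;
    # newer gpg also offers --show-keys.)
    gpg --with-colons --with-fingerprint "$dir/$URL.asc" 2>/dev/null \
      | grep -q "^fpr:::::::::${FPR}:" || exit 4
    gpg --import "$dir/$URL.asc" > "$out" 2>&1 || exit 5
    # 'imported: 1' is printed only for a new key; an already-present key
    # reports 'unchanged: 1', which is equally fine.
    grep -Eq 'imported: 1|unchanged: 1' "$out" || exit 6
    exit 0
  args:
    # Once the key file exists the task is skipped entirely, so a failed
    # import is not retried unless the file is removed.
    creates: "{{TOXCORE_USR_LOCAL}}/net/Http/www.whonix.org/hulahoop.asc"
  when:
    - not ansible_check_mode
    - BASE_ARE_CONNECTED|default('') != ''
  # Kept from the original (FixMe): a missing key makes the image signature
  # check below fail closed on its own, so this task stays best-effort.
  ignore_errors: true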
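# Enable IPv4 forwarding on the host for libvirt NAT/routed networks.
# Currently disabled (first when: clause is false): the value is managed with
# lineinfile in the file it already lives in. Note that ip_forward=1 makes the
# host route between all of its interfaces, so it must be paired with firewall
# rules that limit what the VM networks may reach.
- name: /etc/sysctl.d/70_testforge_libvirt.conf
  # Writing under /etc/sysctl.d needs root - this is the cause of the
  # "not writable by the current user" failure noted below.
  become: true
  blockinfile:
    dest: /etc/sysctl.d/70_testforge_libvirt.conf
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK ip_forward"
    block: |
      # enisables packet forwarding - required on the host for libvirt
      net.ipv4.ip_forward = 1
      # Disables IP dynaddr
      #net.ipv4.ip_dynaddr = 0
      # Disable ECN
      #net.ipv4.tcp_ecn = 0
  when:
    - false # use lineinfile on the file it is already in
    - "'hostvms' in ROLES|default([]) or 'toxcore' in ROLES|default([]) or 'privacy' in ROLES|default([])"
    - "ansible_virtualization_role|replace('NA', 'host') == 'host'"
  # FixMe: WTF?
  # The destination directory (/etc/sysctl.d) is not writable by the current user.
  ignore_errors: true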
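# Download, verify, unpack and register the Whonix libvirt images.
# Trust model: the image and the shipped sha256sums file are each checked
# against a detached GnuPG signature from the key pinned by fingerprint below
# (imported by the "hulahoop .asc" task). Unpacking and libvirt registration
# happen only after those checks, so a tampered download fails closed.
- block:

    # https://www.whonix.org/wiki/KVM/Whonix_Signing_Key
    - name: verify an image download.whonix.org/libvirt
      shell: |
        set -u
        # NOTE(review): hard-coded here while the key task uses
        # {{TOXCORE_USR_LOCAL}}/net/Http/ - confirm both refer to the same tree.
        HTTP_DIR=/g/Privacy/net/Http/
        URL=download.whonix.org/libvirt/{{PRIV_WHONIX_VERSION}}/Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.libvirt.xz
        # Primary-key fingerprint the signature must come from; the keyring's
        # trust settings play no part in this decision.
        FPR="04EF2F666D36C354058B9DD450C78B6F9FF2EC85"
        out=$(mktemp) || exit 2
        trap 'rm -f "$out"' EXIT

        # Fetch image and signature independently, so an image that is
        # already present but lacks its .asc still gets the signature.
        # -x keeps the host/path layout that $HTTP_DIR/$URL expects (the key
        # download uses the same layout).
        for f in "$URL" "$URL.asc"; do
          [ -f "$HTTP_DIR/$f" ] || \
            wget -xc {{ BASE_WGET_ARGS }} -P "$HTTP_DIR" "https://$f" || exit 3
        done

        # --status-fd gives a stable, machine-readable verdict. gpg's human
        # text ("Good signature from", "Primary key fingerprint:") goes to
        # stderr and was never in the stdout-only capture, so the previous
        # greps could not succeed; and "[ $? -ne 0 ] && exit $?" exited with
        # the test's own status 0, turning a bad signature into success.
        gpg --status-fd 1 --verify "$HTTP_DIR/$URL.asc" "$HTTP_DIR/$URL" > "$out" 2>&1 || exit 10
        grep -q '^\[GNUPG:\] GOODSIG ' "$out" || exit 11
        # VALIDSIG carries the signing (sub)key fingerprint first and the
        # primary fingerprint last; accept the pinned value in either slot.
        grep '^\[GNUPG:\] VALIDSIG ' "$out" | grep -q "$FPR" || exit 12
      # No ignore_errors and no connectivity condition: this is the integrity
      # gate for everything below. Offline with a cached image it still
      # verifies; offline without one it fails instead of skipping.

    - name: untar
      shell: |
        set -u
        HTTP_DIR=/g/Privacy/net/Http/
        URL=download.whonix.org/libvirt/{{PRIV_WHONIX_VERSION}}/Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.libvirt.xz
        CDIR={{PROXY_GATEWAY_QEMU_DIR}}
        [ -d "$CDIR" ] || mkdir -p "$CDIR" || exit 1
        cd "$CDIR" || exit 1
        # WHONIX_DISCLAIMER presumably comes out of the archive; its presence
        # is taken to mean the archive was already unpacked here.
        [ -f WHONIX_DISCLAIMER ] || tar xvfJ "$HTTP_DIR/$URL"
      args:
        creates: "{{PROXY_GATEWAY_QEMU_DIR}}/Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums.asc"

    # Verify the detached signature on the sha256sums file shipped in the
    # archive, against the same pinned key.
    - name: sha256sum -c Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums.asc
      shell: |
        set -u
        CDIR={{PROXY_GATEWAY_QEMU_DIR}}
        FPR="04EF2F666D36C354058B9DD450C78B6F9FF2EC85"
        out=$(mktemp) || exit 2
        trap 'rm -f "$out"' EXIT
        # The files live in $CDIR; the directory test alone (without cd)
        # left gpg looking for them in the caller's working directory.
        cd "$CDIR" || exit 1
        gpg --status-fd 1 --verify Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums.asc \
            Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums > "$out" 2>&1 || exit 10
        grep -q '^\[GNUPG:\] GOODSIG ' "$out" || exit 11
        grep '^\[GNUPG:\] VALIDSIG ' "$out" | grep -q "$FPR" || exit 12

    - name: sha256sum -c Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums
      shell: |
        CDIR={{PROXY_GATEWAY_QEMU_DIR}}
        # Run inside the unpack dir: the sums file presumably lists the
        # extracted files by relative name. --strict also fails on malformed
        # lines instead of silently skipping them.
        cd "$CDIR" || exit 1
        sha256sum -c --strict Whonix-XFCE-{{PRIV_WHONIX_VERSION}}.sha256sums

    - name: touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
      shell: |
        CDIR={{PROXY_GATEWAY_QEMU_DIR}}
        cd "$CDIR" || exit 1
        [ -f WHONIX_BINARY_LICENSE_AGREEMENT_accepted ] || \
          touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted

    # The libvirt networks and domains are registered with the system
    # instance (qemu:///system); the creates: paths under /etc/libvirt/qemu
    # belong to that instance. The pre-checks query the same URI, since a
    # non-root user's default connection is typically qemu:///session.
    - name: net-define $DIR/Whonix_external*.xml
      shell: |
        CDIR={{PROXY_GATEWAY_QEMU_DIR}}
        URI=qemu:///system
        virsh -c $URI net-list --all | grep -q Whonix-External && exit 0
        cd "$CDIR" || exit 1
        # The XML is in the unpack dir (the previous "$DIR/..." used an
        # unset variable and resolved to /Whonix_external*.xml).
        virsh -c $URI net-define Whonix_external*.xml

    - name: virsh net-info Whonix-Internal
      shell: |
        CDIR={{PROXY_GATEWAY_QEMU_DIR}}
        URI=qemu:///system
        virsh -c $URI net-list --all | grep -q Whonix-Internal && exit 0
        cd "$CDIR" || exit 1
        virsh -c $URI net-define Whonix_internal*.xml

    - name: virsh define Whonix-Gateway
      shell: |
        CDIR={{PROXY_GATEWAY_QEMU_DIR}}
        URI=qemu:///system
        XML=Whonix-Gateway-XFCE-{{PRIV_WHONIX_VERSION}}.xml
        virsh -c $URI list --all | grep -q Whonix-Gateway && exit 0
        cd "$CDIR" || exit 1
        # Raise the gateway's RAM from the shipped 524288 KiB default.
        # NOTE(review): only <currentMemory> is rewritten; <memory> (the
        # ceiling) keeps the shipped value - confirm PRIV_WHONIX_GATE_MEM does
        # not exceed it, or libvirt may reject the definition.
        grep -q "{{PRIV_WHONIX_GATE_MEM}}" "$XML" || \
          sed -e "s@<currentMemory unit='KiB'>524288</currentMemory>@<currentMemory unit='KiB'>{{PRIV_WHONIX_GATE_MEM}}</currentMemory>@" -i "$XML"
        virsh -c $URI define "$XML" --validate
      args:
        creates: /etc/libvirt/qemu/Whonix-Gateway.xml

    - name: virsh define Whonix-Workstation
      shell: |
        CDIR={{PROXY_GATEWAY_QEMU_DIR}}
        URI=qemu:///system
        XML=Whonix-Workstation-XFCE-{{PRIV_WHONIX_VERSION}}.xml
        virsh -c $URI list --all | grep -q Whonix-Workstation && exit 0
        cd "$CDIR" || exit 1
        virsh -c $URI define "$XML" --validate
      args:
        creates: /etc/libvirt/qemu/Whonix-Workstation.xml
      when:
        - false

    # FixMe should only edit if not running
    # Disabled (when: false). libvirt marks /etc/libvirt/qemu/*.xml as
    # generated files not to be edited by hand; `virsh edit`/`virsh define`
    # is the supported path, which is what "use xml instead" refers to.
    # NOTE(review): a guest-agent channel lets the host execute agent commands
    # inside the VM - confirm that is wanted for the Gateway before enabling.
    - name: /etc/libvirt/qemu/*xml
      blockinfile:
        dest: "{{item}}"
        marker: "<!-- {mark} ANSIBLE MANAGED BLOCK proxy whonix -->"
        # Quoted: an unquoted 0660 is parsed as the integer 432, not a mode.
        mode: "0660"
        owner: "{{BOX_ROOT_USER}}"
        group: "{{BOX_ROOT_GROUP}}"
        create: false
        block: |
          <channel type='unix'>
            <source mode='bind'/>
            <target type='virtio' name='org.qemu.guest_agent.0'/>
            <address type='virtio-serial' controller='0' bus='0' port='2'/>
          </channel>
      with_fileglob: /etc/libvirt/qemu/Whonix*.xml
      when:
        - false # use xml instead
        - "ansible_virtualization_role|replace('NA', 'host') == 'host'"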