proxy_role/tasks/dns-dnscrypt.yml

204 lines
7.8 KiB
YAML
Raw Normal View History

2024-01-06 03:08:22 +00:00
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "dns-dnscrypt.yml"
debug:
verbosity: 1
msg: "dns-dnscrypt.yml socks5={{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"
- name: "/var/local/src/dnscrypt-proxy"
file:
dest: "{{ item }}"
state: directory
mode: 0755
owner: "{{ BOX_USER_NAME }}"
group: "{{ BOX_ALSO_GROUP }}"
with_items:
- "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy"
- "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"
- name: "untar dnscrypt tgz"
shell: |
URL="{{ PROXY_DNSCRYPT_TGZ_URL }}"
[ -f {{PROXY_VAR_LOCAL}}/net/Http/$URL ] || \
wget {{BASE_WGET_ARGS}} -xcqP {{PROXY_VAR_LOCAL}}/net/Http/ https://$URL
which dnscrypt-proxy 2>/dev/null || \
tar xvfz {{PROXY_VAR_LOCAL}}/net/Http/$URL \
-C "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy"
args:
creates: "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy"
when: "BASE_ARE_CONNECTED|default('') != ''"
- name: "roles/privacy/templates/etc/example-dnscrypt-proxy.toml"
template:
force: no
src: templates/etc/example-dnscrypt-proxy.toml
dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{ BOX_ALSO_GROUP }}"
- name: "get generate-domains-blacklist.py"
uri:
url: https://github.com/jedisct1/dnscrypt-proxy/raw/master/utils/generate-domains-blacklists/generate-domains-blacklist.py
dest: "{{PROXY_VAR_LOCAL}}/bin/generate-domains-blacklist.py"
creates: "{{PROXY_VAR_LOCAL}}/bin/generate-domains-blacklist.py"
mode: 0775
owner: "{{ BOX_USER_NAME }}"
group: "{{ BOX_ALSO_GROUP }}"
notify: shebang after pip
# in tar
when: false and "BASE_ARE_CONNECTED|default('') != ''"
- name: "Invalid rule *.workgroup - wildcards can only be used as a suffix"
shell: |
sed -e '/^\\*/d' -i {{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/domains-blacklist-local-additions.txt
# why? dir
- name: "touch {{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"
file:
dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"
state: touch
mode: 0644
owner: "{{ BOX_USER_NAME }}"
group: "{{ BOX_ALSO_GROUP }}"
when: false
- name: "symlink /etc/dnscrypt-proxy.toml"
file:
dest: /etc/dnscrypt-proxy.toml
src: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
state: link
when: not ansible_check_mode
- name: "forward dnscrypt-proxy to SOCKS5 - socks5 or tor/harden or privacy"
lineinfile:
dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
regexp: '^#* *{{item.name}} =.*'
line: "{{item.name}} = {{item.val}}"
state: present
backup: no
with_items:
- { name: "proxy", val: "'socks5://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}'" }
- { name: "force_tcp", val: "true" }
when: not ansible_check_mode and ( SOCKS_PROXY|default('') != "" or 'privacy' in ROLES )
- name: "dnscrypt-proxy settings"
lineinfile:
dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
regexp: '^ *#* *{{item.name}} =.*'
line: "{{item.name}} = {{item.val}}"
state: present
backup: no
with_items:
- { name: "log_file", val: "'{{PROXY_VAR_LOCAL}}/var/log/dnscrypt-proxy.log'" }
- { name: "log_level", val: 2 }
- { name: "listen_addresses", val: "['127.0.0.1:53']" }
#? server_names = ['bn-fr0', 'bn-fr1', 'bn-nl0', 'cs-cfi', 'cs-cfii', 'cs-ch', 'cs-de', 'cs-de3', 'cs-dk', 'cs-dk2', 'cs-es', 'cs-fi', 'cs-fr', 'cs-fr2', 'cs-lt', 'cs-lv', 'cs-md', 'cs-nl', 'cs-pl', 'cs-pt', 'cs-ro', 'cs-rome', 'cs-uk', 'cs-useast', 'cs-useast2', 'cs-usnorth', 'cs-ussouth', 'cs-ussouth2', 'cs-uswest', 'cs-uswest3', 'cs-uswest5', 'dnscrypt.ca-2', 'dnscrypt.eu-dk', 'dnscrypt.eu-nl', 'dnscrypt.org-fr', 'ns0.dnscrypt.is', 'securedn']
- { name: "server_names", val: "['dnscrypt.eu-nl', 'dnscrypt.nl-ns0', 'securedns', 'dnscrypt.nl-ns0', 'scaleway-fr', 'cloudflare', 'google']" }
# Server must support DNS security extensions (DNSSEC) ??
- { name: "require_dnssec", val: "true" }
# Server must not log user queries (declarative)
- { name: "require_nolog", val: "true" }
# Server must not enforce its own blacklist (for parental control, ads blocking...)
- { name: "require_nofilter", val: "true" }
#/ var/local/etc/dnscrypt-proxy/
- { name: "blacklist_file", val: "'{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/blacklist.txt'" }
- { name: "whitelist_file", val: "'{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/domains-whitelist.txt'" }
# opendns - Other popular options include 8.8.8.8 and 1.1.1.1 9.9.9.9:53
- { name: "fallback_resolver", val: "'nameserver 208.67.222.222:53 208.67.220.220:53'" }
#? - { name: "ignore_system_dns", val: "true" }
when: not ansible_check_mode
## Switch to a different system user after listening sockets have been created.
## Note (1): this feature is currently unsupported on Windows.
## Note (2): this feature is not compatible with systemd socket activation.
## Note (3): when using -pidfile, the PID file directory must be writable by the new user
# user_name = 'nobody'
- name: "install dnscrypt-proxy in /var/local/bin"
file:
src: "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy"
dest: "{{PROXY_VAR_LOCAL}}/bin/dnscrypt-proxy"
state: link
when: not ansible_check_mode
# [NOTICE] System DNS configuration not usable yet, exceptionally resolving [raw.githubusercontent.com] using fallback resolver [9.9.9.9:53]
# [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53]
- name: "dnscrypt-proxy fallback resolver"
lineinfile:
dest: "/etc/hosts"
regexp: '^ *{{item.name}}.*'
line: "{{item.name}} {{item.val}}"
state: present
backup: no
with_items:
- { name: "151.101.36.133", val: "raw.githubusercontent.com" }
- { name: "37.59.238.213", val: "download.dnscrypt.info" }
- block:
- name: "install dnscrypt-proxy"
shell: |
{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy -service install
args:
creates: /etc/systemd/system/dnscrypt-proxy.service
# see https://askubuntu.com/questions/953467/how-to-cache-dnscrypt-proxy-with-dnsmasqresolvconf
- name: "/etc/NetworkManager/NetworkManager.conf"
lineinfile:
dest: /etc/NetworkManager/NetworkManager.conf
create: false
regexp: "^#*dns=dnsmasq"
line: "#dns=dnsmasq"
#? not really needed
# FixMe: wicd?
#? systemctl disable systemd-resolved
- name: "/etc/resolve.conf.dnscrypt"
blockinfile:
path: /etc/resolve.conf.dnscrypt
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
block: |
nameserver 127.0.0.1
#? clobber or symlink /var/run/resolvconf/resolv.conf
# FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
- name: "/etc/dnsmasq.conf disable DNS"
lineinfile:
dest: /etc/dnsmasq.conf
regexp: '^#* *{{item.name}}=.*'
line: "{{item.name}}={{item.val}}"
state: present
# backup: yes
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
with_items:
- { name: "port", val: "0" }
# just guessing
- { name: "resolv-file", val: "/etc/resolve.conf.dnscrypt" }
when:
# just guessing
- false
- "ansible_distribution in ['Ubuntu', 'Debian']"
# stop dhclient from overwriting resolv.conf
# with scripts in /lib/dhcpcd/dhcpcd-hooks/
- name: "enable and start service dnscrypt-proxy"
service:
name: "{{ item.name }}"
enabled: "{{ item.able }}"
state: "{{ item.state }}"
failed_when: false
with_items:
# - { name: "pdnsd", able: "no", state: "stopped" }
- { name: "dnscrypt-proxy", able: "yes", state: "restarted" }
- { name: "network-manager", able: "no", state: "stopped" }
# when: "ansible_distribution in ['Ubuntu', 'Debian']"
when: ansible_connection|default('') not in PLAY_SERVICE_CONNECTIONS