# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "dns-dnscrypt.yml"
|
||
|
debug:
|
||
|
verbosity: 1
|
||
|
msg: "dns-dnscrypt.yml socks5={{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"
- name: "/var/local/src/dnscrypt-proxy"
|
||
|
file:
|
||
|
dest: "{{ item }}"
|
||
|
state: directory
|
||
|
mode: 0755
|
||
|
owner: "{{ BOX_USER_NAME }}"
|
||
|
group: "{{ BOX_ALSO_GROUP }}"
|
||
|
with_items:
|
||
|
- "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy"
|
||
|
- "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"
- name: "untar dnscrypt tgz"
|
||
|
shell: |
|
||
|
URL="{{ PROXY_DNSCRYPT_TGZ_URL }}"
|
||
|
[ -f {{PROXY_VAR_LOCAL}}/net/Http/$URL ] || \
|
||
|
wget {{BASE_WGET_ARGS}} -xcqP {{PROXY_VAR_LOCAL}}/net/Http/ https://$URL
|
||
|
which dnscrypt-proxy 2>/dev/null || \
|
||
|
tar xvfz {{PROXY_VAR_LOCAL}}/net/Http/$URL \
|
||
|
-C "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy"
|
||
|
args:
|
||
|
creates: "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy"
|
||
|
when: "BASE_ARE_CONNECTED|default('') != ''"
- name: "roles/privacy/templates/etc/example-dnscrypt-proxy.toml"
|
||
|
template:
|
||
|
force: no
|
||
|
src: templates/etc/example-dnscrypt-proxy.toml
|
||
|
dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
|
||
|
mode: 0644
|
||
|
owner: "{{BOX_ROOT_USER}}"
|
||
|
group: "{{ BOX_ALSO_GROUP }}"
- name: "get generate-domains-blacklist.py"
|
||
|
uri:
|
||
|
url: https://github.com/jedisct1/dnscrypt-proxy/raw/master/utils/generate-domains-blacklists/generate-domains-blacklist.py
|
||
|
dest: "{{PROXY_VAR_LOCAL}}/bin/generate-domains-blacklist.py"
|
||
|
creates: "{{PROXY_VAR_LOCAL}}/bin/generate-domains-blacklist.py"
|
||
|
mode: 0775
|
||
|
owner: "{{ BOX_USER_NAME }}"
|
||
|
group: "{{ BOX_ALSO_GROUP }}"
|
||
|
notify: shebang after pip
|
||
|
# in tar
|
||
|
when: false and "BASE_ARE_CONNECTED|default('') != ''"
- name: "Invalid rule *.workgroup - wildcards can only be used as a suffix"
|
||
|
shell: |
|
||
|
sed -e '/^\\*/d' -i {{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/domains-blacklist-local-additions.txt
# why? dir
- name: "touch {{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"
  # Disabled (when: false) and kept only as a reminder.  state: touch on the
  # config *directory* would also apply mode 0644 to it, dropping the
  # execute bit and making it untraversable -- presumably why it was
  # switched off.  The directory is already created with 0755 above.
  file:
    dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"
    state: touch
    mode: "0644"
    owner: "{{ BOX_USER_NAME }}"
    group: "{{ BOX_ALSO_GROUP }}"
  when: false
- name: "symlink /etc/dnscrypt-proxy.toml"
|
||
|
file:
|
||
|
dest: /etc/dnscrypt-proxy.toml
|
||
|
src: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
|
||
|
state: link
|
||
|
when: not ansible_check_mode
- name: "forward dnscrypt-proxy to SOCKS5 - socks5 or tor/harden or privacy"
|
||
|
lineinfile:
|
||
|
dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
|
||
|
regexp: '^#* *{{item.name}} =.*'
|
||
|
line: "{{item.name}} = {{item.val}}"
|
||
|
state: present
|
||
|
backup: no
|
||
|
with_items:
|
||
|
- { name: "proxy", val: "'socks5://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}'" }
|
||
|
- { name: "force_tcp", val: "true" }
|
||
|
when: not ansible_check_mode and ( SOCKS_PROXY|default('') != "" or 'privacy' in ROLES )
- name: "dnscrypt-proxy settings"
|
||
|
lineinfile:
|
||
|
dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
|
||
|
regexp: '^ *#* *{{item.name}} =.*'
|
||
|
line: "{{item.name}} = {{item.val}}"
|
||
|
state: present
|
||
|
backup: no
|
||
|
with_items:
|
||
|
- { name: "log_file", val: "'{{PROXY_VAR_LOCAL}}/var/log/dnscrypt-proxy.log'" }
|
||
|
- { name: "log_level", val: 2 }
|
||
|
- { name: "listen_addresses", val: "['127.0.0.1:53']" }
|
||
|
#? server_names = ['bn-fr0', 'bn-fr1', 'bn-nl0', 'cs-cfi', 'cs-cfii', 'cs-ch', 'cs-de', 'cs-de3', 'cs-dk', 'cs-dk2', 'cs-es', 'cs-fi', 'cs-fr', 'cs-fr2', 'cs-lt', 'cs-lv', 'cs-md', 'cs-nl', 'cs-pl', 'cs-pt', 'cs-ro', 'cs-rome', 'cs-uk', 'cs-useast', 'cs-useast2', 'cs-usnorth', 'cs-ussouth', 'cs-ussouth2', 'cs-uswest', 'cs-uswest3', 'cs-uswest5', 'dnscrypt.ca-2', 'dnscrypt.eu-dk', 'dnscrypt.eu-nl', 'dnscrypt.org-fr', 'ns0.dnscrypt.is', 'securedn']
|
||
|
- { name: "server_names", val: "['dnscrypt.eu-nl', 'dnscrypt.nl-ns0', 'securedns', 'dnscrypt.nl-ns0', 'scaleway-fr', 'cloudflare', 'google']" }
|
||
|
# Server must support DNS security extensions (DNSSEC) ??
|
||
|
- { name: "require_dnssec", val: "true" }
|
||
|
# Server must not log user queries (declarative)
|
||
|
- { name: "require_nolog", val: "true" }
|
||
|
# Server must not enforce its own blacklist (for parental control, ads blocking...)
|
||
|
- { name: "require_nofilter", val: "true" }
|
||
|
#/ var/local/etc/dnscrypt-proxy/
|
||
|
- { name: "blacklist_file", val: "'{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/blacklist.txt'" }
|
||
|
- { name: "whitelist_file", val: "'{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/domains-whitelist.txt'" }
|
||
|
# opendns - Other popular options include 8.8.8.8 and 1.1.1.1 9.9.9.9:53
|
||
|
- { name: "fallback_resolver", val: "'nameserver 208.67.222.222:53 208.67.220.220:53'" }
|
||
|
#? - { name: "ignore_system_dns", val: "true" }
|
||
|
when: not ansible_check_mode
|
||
|
## Switch to a different system user after listening sockets have been created.
|
||
|
## Note (1): this feature is currently unsupported on Windows.
|
||
|
## Note (2): this feature is not compatible with systemd socket activation.
|
||
|
## Note (3): when using -pidfile, the PID file directory must be writable by the new user
|
||
|
# user_name = 'nobody'
- name: "install dnscrypt-proxy in /var/local/bin"
|
||
|
file:
|
||
|
src: "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy"
|
||
|
dest: "{{PROXY_VAR_LOCAL}}/bin/dnscrypt-proxy"
|
||
|
state: link
|
||
|
when: not ansible_check_mode
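# [NOTICE] System DNS configuration not usable yet, exceptionally resolving [raw.githubusercontent.com] using fallback resolver [9.9.9.9:53]
# [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53]
- name: "dnscrypt-proxy fallback resolver"
  # Pin the two hostnames dnscrypt-proxy fetches from at start-up (see the
  # NOTICE lines above) in /etc/hosts, so they resolve while the system
  # resolver still points at the not-yet-working local proxy.
  #
  # NOTE(review): a static /etc/hosts entry bypasses DNS (and DNSSEC) for
  # these names permanently, the pinned addresses will go stale, and nothing
  # here ever removes the line.  The NOTICE lines show dnscrypt-proxy already
  # copes with this through its fallback resolver, so consider dropping the
  # task; at minimum re-check the addresses whenever this file changes.
  lineinfile:
    dest: "/etc/hosts"
    # Fix: item.name is an IP address, so its dots must be escaped to match
    # literally, and the match is anchored at the end of the address so that
    # e.g. 37.59.238.21 is not mistaken for 37.59.238.213.  The original
    # '^ *{{item.name}}.*' treated the dots as wildcards and had no anchor.
    regexp: '^ *{{ item.name | regex_escape() }}(\s.*)?$'
    line: "{{item.name}} {{item.val}}"
    state: present
    backup: false
  loop:
    - { name: "151.101.36.133", val: "raw.githubusercontent.com" }
    - { name: "37.59.238.213", val: "download.dnscrypt.info" }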
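- block:

    - name: "install dnscrypt-proxy"
      # Register dnscrypt-proxy as a system service using its own installer.
      # The unit runs the binary out of the user-owned src/ tree (see the
      # ownership note on the directory task above).  creates: makes this a
      # one-shot: re-running after an upgrade does not refresh the unit.
      shell: |
        {{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy -service install
      args:
        creates: /etc/systemd/system/dnscrypt-proxy.service

    # see https://askubuntu.com/questions/953467/how-to-cache-dnscrypt-proxy-with-dnsmasqresolvconf
    - name: "/etc/NetworkManager/NetworkManager.conf"
      # Comment out dns=dnsmasq, presumably to keep NetworkManager's dnsmasq
      # plugin off the loopback resolver port.  create: false means a host
      # without NetworkManager.conf fails this task rather than getting a
      # stray file.
      lineinfile:
        dest: /etc/NetworkManager/NetworkManager.conf
        create: false
        regexp: "^#*dns=dnsmasq"
        line: "#dns=dnsmasq"

    #? not really needed
    # FixMe: wicd?

    #? systemctl disable systemd-resolved
    - name: "/etc/resolve.conf.dnscrypt"
      # resolv.conf-style file pointing at the local proxy.  The file name
      # is spelled "resolve.conf..." (with an 'e'); the disabled dnsmasq task
      # below refers to it by the same name, so it is left unchanged.
      # NOTE(review): as far as this file shows, nothing installs it as the
      # live /etc/resolv.conf (see the "clobber or symlink" question below),
      # so until that happens queries still go to the system resolver
      # unencrypted.
      blockinfile:
        path: /etc/resolve.conf.dnscrypt
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
        block: |
          nameserver 127.0.0.1

    #? clobber or symlink /var/run/resolvconf/resolv.conf

    # FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
    - name: "/etc/dnsmasq.conf disable DNS"
      # Disabled (when: contains a literal false): would switch dnsmasq's
      # DNS listener off (port=0) and point it at the dnscrypt resolv file.
      lineinfile:
        dest: /etc/dnsmasq.conf
        regexp: '^#* *{{item.name}}=.*'
        line: "{{item.name}}={{item.val}}"
        state: present
        # backup: yes
        mode: "0644"
        owner: "{{BOX_ROOT_USER}}"
        group: "{{BOX_ROOT_GROUP}}"
      loop:
        - { name: "port", val: "0" }
        # just guessing
        - { name: "resolv-file", val: "/etc/resolve.conf.dnscrypt" }
      when:
        # just guessing
        - false
        - "ansible_distribution in ['Ubuntu', 'Debian']"

    # stop dhclient from overwriting resolv.conf
    # with scripts in /lib/dhcpcd/dhcpcd-hooks/
    - name: "enable and start service dnscrypt-proxy"
      # Restart/enable dnscrypt-proxy and stop/disable network-manager.
      # NOTE(review): stopping and disabling NetworkManager is a large side
      # effect for a DNS task (all NM-managed interfaces lose management);
      # make sure every host this runs on expects that.
      service:
        name: "{{ item.name }}"
        enabled: "{{ item.able }}"
        state: "{{ item.state }}"
      register: svc_result
      # Fix: the original `failed_when: false` hid failures on every item,
      # including dnscrypt-proxy failing to (re)start -- which, with
      # resolv.conf pointed at 127.0.0.1 and a misconfigured toml, means no
      # name resolution at all with the play reporting success.  Only the
      # network-manager item stays best-effort (the unit may not exist);
      # a dnscrypt-proxy failure now fails the play.
      failed_when: item.name == 'dnscrypt-proxy' and svc_result is failed
      loop:
        # - { name: "pdnsd", able: false, state: "stopped" }
        - { name: "dnscrypt-proxy", able: true, state: "restarted" }
        - { name: "network-manager", able: false, state: "stopped" }
      # when: "ansible_distribution in ['Ubuntu', 'Debian']"
      # Kept at task level, as it appeared in the original; if it was meant
      # as the block-level condition, move it up to the block.
      when: ansible_connection|default('') not in PLAY_SERVICE_CONNECTIONS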