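# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# dns-dnsmasq.yml -- task file: retire dnscrypt-proxy, keep NetworkManager
# away from DNS/resolv.conf, write one dnsmasq config per PROXY_MODE
# (tor: forward to the local Tor DNSPort, whonix: forward to the Whonix
# gateway) and copy the selected one to /etc/dnsmasq.conf.

- name: "dns-dnsmasq.yml"
  debug:
    verbosity: 1
    msg: "dns-dnsmasq.yml socks5={{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"

- block:

    # 'disable' replaces the invalid verb 'disabled'; that typo made the
    # first command fail, and the failure went unnoticed because the task's
    # return code is the one of the last command in the script.
    # --now also stops a running instance, otherwise the removed unit keeps
    # running until the next reboot.
    - name: "uninstall dnscrypt-proxy"
      shell: |
        systemctl disable --now dnscrypt-proxy
        rm -f /etc/systemd/system/dnscrypt-proxy.service
        systemctl daemon-reload
      args:
        removes: /etc/systemd/system/dnscrypt-proxy.service
      when:
        - "BOX_SERVICE_MGR == 'systemd'"

    # see https://askubuntu.com/questions/953467/how-to-cache-dnscrypt-proxy-with-dnsmasqresolvconf
    # Rewrite a (possibly commented-out) dns=dnsmasq line into dns=none so
    # NetworkManager's dnsmasq plugin is not used.
    - name: "/etc/NetworkManager/NetworkManager.conf dns"
      lineinfile:
        dest: /etc/NetworkManager/NetworkManager.conf
        create: true
        regexp: "^#*dns=dnsmasq"
        line: "dns=none"

    # /mnt/linuxKick15/etc/NetworkManager/conf.d/dns.conf
    # https://wiki.archlinux.org/index.php/NetworkManager#/etc/resolv.conf
    #[main]
    #ns=none
    # Tip: You might also want to set main.
    #systemd-resolved=false

    # unmanaged-devices is one ';'-separated key: with the key repeated, only
    # one of the two entries stays in effect (a repeated keyfile key is not
    # cumulative), so virbr1 or virbr2 ended up managed after all.
    - name: "/etc/NetworkManager/NetworkManager.conf no proxy dns"
      blockinfile:
        dest: /etc/NetworkManager/NetworkManager.conf
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
        mode: "0644"
        owner: "{{BOX_ROOT_USER}}"
        group: "{{BOX_ROOT_GROUP}}"
        block: |
          [main]
          plugins=ifupdown,keyfile
          dns=none
          # will always write resolv.conf to its runtime state
          # directory /run/NetworkManager/resolv.conf.
          rc-manager=unmanaged
          unmanaged-devices=interface-name:virbr1;interface-name:virbr2

          [ifupdown]
          # If set to false, then any interface
          # listed in /etc/network/interfaces will be ignored
          managed=false

          [logging]
          level=info
          backend=syslog

    # FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
    # FixMe tor client vs whonix gateway
    # NOTE(review): with interface= dnsmasq answers on BASE_DEFAULT_OUTPUT_IF
    # in addition to 127.0.0.1; confirm that interface is not reachable from
    # outside the box, or this becomes an open resolver relaying through Tor.
    # The same applies to the whonix variant below.
    - name: "/etc/dnsmasq.conf.tor enable DNS"
      blockinfile:
        dest: /etc/dnsmasq.conf.tor
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
        mode: "0644"
        owner: "{{BOX_ROOT_USER}}"
        group: "{{BOX_ROOT_GROUP}}"
        block: |
          log-facility=/var/log/dnsmasq.log
          no-resolv
          listen-address=127.0.0.1
          server=127.0.0.1#9053
          port=53
          # {{ BASE_ARE_CONNECTED|default('') }}
          interface={{ BASE_DEFAULT_OUTPUT_IF }}
          bind-interfaces
          no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }}

    # FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
    # Same layout as the tor variant, but upstream is the Whonix gateway
    # (PROXY_WHONIX_SOCKS_HOST is presumably its address -- verify).
    - name: "/etc/dnsmasq.conf.whonix enable DNS"
      blockinfile:
        dest: /etc/dnsmasq.conf.whonix
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
        mode: "0644"
        owner: "{{BOX_ROOT_USER}}"
        group: "{{BOX_ROOT_GROUP}}"
        block: |
          log-facility=/var/log/dnsmasq.log
          no-resolv
          listen-address=127.0.0.1
          server={{ PROXY_WHONIX_SOCKS_HOST }}#9053
          port=53
          # {{ BASE_ARE_CONNECTED|default('') }}
          interface={{ BASE_DEFAULT_OUTPUT_IF }}
          bind-interfaces
          no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }}

    # Static SRV answers so gnupg's dirmngr can find the HKPS/HKP keyservers
    # without a working SRV lookup. Duplicate keys.gnupg.net lines dropped.
    # NOTE(review): the sks-keyservers pool has been shut down; consider
    # marking those lines #dead like the uni-mainz ones.
    - name: "/etc/dnsmasq.conf enable srv-host"
      blockinfile:
        dest: "{{item}}"
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml srv-host"
        # after srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
        block: |
          # dirmgr
          # dns: getsrv(_pgpkey-https._tcp.keyserver.ubuntu.com): Try again later
          srv-host=_pgpkey-https._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,443
          srv-host=_pgpkey-https._tcp.keys.gnupg.net,keys.gnupg.net,443
          srv-host=_pgpkey-https._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,443
          #dead srv-host=_pgpkey-https._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,443
          srv-host=_pgpkey-https._tcp.pgp.mit.edu,pgp.mit.edu,443

          srv-host=_pgpkey-http._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,80
          srv-host=_pgpkey-http._tcp.keys.gnupg.net,keys.gnupg.net,80
          srv-host=_pgpkey-http._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,80
          #dead srv-host=_pgpkey-http._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,80
          srv-host=_pgpkey-http._tcp.pgp.mit.edu,pgp.mit.edu,80

      with_items:
        - /etc/dnsmasq.conf.whonix
        - /etc/dnsmasq.conf.tor

    # DNSSEC validation is currently switched off: every entry of when: must
    # be true, and the literal false below never is. Kept so the feature
    # flag can be re-enabled by deleting that one line.
    # NOTE(review): key tag 19036 is the retired 2010 root KSK, 20326 the
    # current one; the old anchor is harmless but no longer needed.
    - name: "/etc/dnsmasq.conf enable dnssec"
      blockinfile:
        dest: "{{item}}"
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml dnssec"
        block: |
          # DNSSEC setup
          dnssec
          trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
          trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
          dnssec-check-unsigned
      when:
        - "'dnsmasq_dnssec' in BOX_PROXY_FEATURES"
        - false  # stops it from starting
      with_items:
        - /etc/dnsmasq.conf.whonix
        - /etc/dnsmasq.conf.tor
        - /etc/dnsmasq.conf

    # Install the dnsmasq.conf matching PROXY_MODE. The second test used to
    # compare against tor as well, so in tor mode the whonix config was
    # copied over the tor one. A mode matching neither leaves
    # /etc/dnsmasq.conf untouched; exit 0 keeps the task from failing.
    # NOTE(review): the whonix mode value is assumed to be 'whonix' --
    # confirm against where PROXY_MODE is defined.
    - name: "select /etc/dnsmasq.conf for PROXY_MODE={{PROXY_MODE}}"
      shell: |
        [ "{{PROXY_MODE}}" = tor ] && \
          cp -p /etc/dnsmasq.conf.tor /etc/dnsmasq.conf
        [ "{{PROXY_MODE}}" = whonix ] && \
          cp -p /etc/dnsmasq.conf.whonix /etc/dnsmasq.conf
        exit 0

    # enabled: false is deliberate (see the WARNING below). failed_when:
    # false means a failed start is NOT reported by this play, so check the
    # service state separately if name resolution breaks. The 'able' key of
    # each item is not read by the service module.
    - name: "enable and start service dnsmasq"
      service:
        name: "{{ item.name }}"
        enabled: false
        state: "{{ item.state }}"
      # WARNING: dnsmasq will start when NetworkManager has started
      failed_when: false
      with_items:
        #no - { name: "dnscrypt-proxy", able: "no", state: "restarted" }
        - { name: "dnsmasq", able: "no", state: "started" }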