This commit is contained in:
emdee 2024-01-06 03:08:22 +00:00
parent 19597c9297
commit d29b1e4542
128 changed files with 15399 additions and 61 deletions

117
tasks/Debian.yml Normal file

@ -0,0 +1,117 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: Including proxy Debian.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Debian.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"
# Perf h4x: Force dpkg to not to call sync() after package extraction, turn off
# the apt-cache (not needed in a container) and disable translation fetching...
- name: "/etc/dpkg/dpkg.cfg.d/02-force-unsafe-io"
blockinfile:
dest: /etc/dpkg/dpkg.cfg.d/02-force-unsafe-io
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
block: |
force-unsafe-io
- name: "/etc/apt/apt.conf.d/no-cache"
blockinfile:
dest: /etc/apt/apt.conf.d/no-cache
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
block: |
Acquire::http {No-Cache=True;};
when:
- ansible_virtualization_role|replace('NA', 'host') == 'guest'
- name: "/etc/apt/apt.conf.d/no-cache"
blockinfile:
dest: /etc/apt/apt.conf.d/no-cache
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
block: |
Acquire::http {No-Cache=False;};
when:
- ansible_virtualization_role|replace('NA', 'host') != 'guest'
- name: "/etc/apt/apt.conf.d/no-lang"
blockinfile:
dest: /etc/apt/apt.conf.d/no-lang
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
block: |
Acquire::Languages "none";
- name: disable /etc/apt/apt.conf.d/50unattended-upgrades
shell: |
[ -f /etc/apt/apt.conf.d/50unattended-upgrades ] || exit 0
grep -q '^[^/]' /etc/apt/apt.conf.d/50unattended-upgrades || exit 0
sed -e 's@^\([^/]\)@//\1@' -i /etc/apt/apt.conf.d/50unattended-upgrades
exit 0
- name: /etc/apt/apt.conf.d/70insecure.conf
blockinfile:
dest: /etc/apt/apt.conf.d/70insecure.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
block: |
Acquire::AllowInsecureRepositories false;
- name: install proxy_debs_inst packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "{{ item }}"
state: latest
update_cache: no
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- item != '' and item != []
- not ansible_check_mode
- BASE_ARE_CONNECTED|default('') != ''
with_items:
- "{{ proxy_debs_inst }}"
- "{{ proxy_libvirt_debs_inst if BOX_WHONIX_PROXY_HOST != '' else [] }}"
- "{{ proxy_qemu_guest_debs_inst if PROXY_MODE in ['gateway','ws', 'vda'] else [] }}"
- "{{ proxy_gateway_debs_inst if BOX_OS_FLAVOR in ['WhonixGateway'] else [] }}"
- "{{ proxy_xfce_debs_inst if BOX_OS_FLAVOR in ['KickSecure', 'WhonixWorkstation'] else [] }}"
- name: install cntlm packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "cntlm"
state: latest
update_cache: no
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- false
- not ansible_check_mode
- BASE_ARE_CONNECTED|default('') != ''
- name: "/etc/default/console-setup"
lineinfile:
dest: /etc/default/console-setup
regexp: "^#* *{{item.name}}.*"
line: '{{ item.name }}="{{ item.val }}"'
state: present
with_items:
- { name: CODESET, val: "Uni2" }
- { name: FONTFACE, val: "TerminusBold" }
- { name: FONTSIZE, val: "28x14" }
- name: /etc/apt/apt.conf.d/70testforge.conf
blockinfile:
dest: /etc/apt/apt.conf.d/70testforge.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml"
block: |
APT::Install-Recommends false;
APT::Install-Suggests false;
#APT::AutoRemove::RecommendsImportant false;
#APT::AutoRemove::SuggestsImportant false;
APT::Periodic::Enable 0;
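Review bot: The "disable 50unattended-upgrades" shell task comments out every active line of that file and the 70testforge.conf block ends with `APT::Periodic::Enable 0;`, which together switch off automatic security updates for the host without any comment saying why or what applies patches instead; a one-liner above the shell task such as `# Unattended upgrades are disabled on purpose; security updates are applied by <mechanism>` (mechanism filled in) turns that into a documented decision, and the same pair recurs in Devuan.yml. The shell task also has no `changed_when`, so it reports "changed" on every run even when the `grep -q` short-circuits. The marker on the 70testforge.conf task reads "proxy Debian_post.yml" although this file is Debian.yml; blockinfile keys on the marker text, so a mislabeled marker is easy to collide with or orphan later, and `marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml 70testforge"` would be unambiguous. The `create: yes` / `update_cache: no` spellings throughout are YAML 1.1 truthy forms; `true` / `false` is the lint-clean form.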

40
tasks/Debian_post.yml Normal file

@ -0,0 +1,40 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- debug:
verbosity: 1
msg: "DEBUG: Including proxy Debian_post.yml SOCKS_PROXYHOST:SOCKS_PROXYPORT= {{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"
- name: /etc/apt/apt.conf.d/80proxy.conf
blockinfile:
dest: /etc/apt/apt.conf.d/80proxy.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml"
state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}"
block: |
Acquire::http::Proxy "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}";
Acquire::https::Proxy "{{HTTP_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}";
- name: /etc/apt/apt.conf.d/70testforge.conf
blockinfile:
dest: /etc/apt/apt.conf.d/70testforge.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml"
state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}"
block: |
Acquire::tor::proxy "socks5h://apt:apt@{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}";
Acquire::tor::Timeout 60;
when:
- "SOCKS_PROXYHOST != '' and SOCKS_PROXYPORT != ''"
- name: "/etc/sdwdate.d/30_default.conf"
lineinfile:
dest: /etc/sdwdate.d/30_default.conf
create: true
regexp: "^#*{{ item.name }}.*"
line: "{{ item.name }}={{ item.val }}"
with_items:
- { name: PROXY_IP, val: "{{SOCKS_PROXYHOST}}" }
- { name: PROXY_PORT, val: "{{SOCKS_PROXYPORT}}" }
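Review bot: In the 80proxy.conf block the `Acquire::https::Proxy` line takes its scheme from `HTTP_PROXYTYPE` while host and port come from `HTTPS_PROXYHOST`/`HTTPS_PROXYPORT`; Gentoo_post.yml shows an `HTTPS_PROXYTYPE` variable exists, so this looks copied from the http line and should read `Acquire::https::Proxy "{{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}";`. That task's `state` is keyed on `HTTP_PROXYHOST` alone, so an empty `HTTPS_PROXYHOST` with a non-empty `HTTP_PROXYHOST` writes a `://:` URL into apt's config. The 70testforge.conf task has the mirror problem: its `state` looks at `HTTP_PROXYHOST` but its `when` at `SOCKS_PROXYHOST`, so a SOCKS-only setup removes the tor block the guard was meant to enable; `state: "{{ 'absent' if SOCKS_PROXYHOST == '' else 'present' }}"` matches the guard. The sdwdate lineinfile task has no guard at all and writes `PROXY_IP=` with an empty value when the SOCKS variables are unset. Devuan_post.yml (whose debug message still says "Debian_post.yml") and the Ubuntu_post.yml 80proxy.conf block repeat the same lines.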

137
tasks/Devuan.yml Normal file

@ -0,0 +1,137 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: Including proxy Devuan.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Devuan.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"
# Perf h4x: Force dpkg to not to call sync() after package extraction, turn off
# the apt-cache (not needed in a container) and disable translation fetching...
- name: "/etc/dpkg/dpkg.cfg.d/02-force-unsafe-io"
blockinfile:
dest: /etc/dpkg/dpkg.cfg.d/02-force-unsafe-io
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
block: |
force-unsafe-io
- name: "/etc/apt/apt.conf.d/no-cache"
blockinfile:
dest: /etc/apt/apt.conf.d/no-redirect
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
block: |
# https://lists.debian.org/debian-security-announce/2019/msg00010.html
Acquire::http::AllowRedirect=false update;
Acquire::http::AllowRedirect=false upgrade;
- name: "/etc/apt/apt.conf.d/no-cache"
blockinfile:
dest: /etc/apt/apt.conf.d/no-cache
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
block: |
Acquire::http {No-Cache=True;};
when:
- ansible_virtualization_role|replace('NA', 'host') == 'guest'
- name: "/etc/apt/apt.conf.d/no-cache"
blockinfile:
dest: /etc/apt/apt.conf.d/no-cache
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
block: |
Acquire::http {No-Cache=False;};
when:
- ansible_virtualization_role|replace('NA', 'host') != 'guest'
- name: "/etc/apt/apt.conf.d/no-lang"
blockinfile:
dest: /etc/apt/apt.conf.d/no-lang
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
block: |
Acquire::Languages "none";
- name: disable /etc/apt/apt.conf.d/50unattended-upgrades
shell: |
[ -f /etc/apt/apt.conf.d/50unattended-upgrades ] || exit 0
grep -q '^[^/]' /etc/apt/apt.conf.d/50unattended-upgrades || exit 0
sed -e 's@^\([^/]\)@//\1@' -i /etc/apt/apt.conf.d/50unattended-upgrades
exit 0
- name: /etc/apt/apt.conf.d/70insecure.conf
blockinfile:
dest: /etc/apt/apt.conf.d/70insecure.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
block: |
Acquire::AllowInsecureRepositories false;
- name: install proxy_debs_inst packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "{{ item }}"
state: latest
update_cache: no
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- item != '' and item != []
- not ansible_check_mode
- BASE_ARE_CONNECTED|default('') != ''
with_items:
- "{{proxy_debs_inst}}"
- "{{ proxy_libvirt_debs_inst if BOX_WHONIX_PROXY_HOST != '' else [] }}"
- "{{ proxy_qemu_guest_debs_inst if PROXY_MODE in ['gateway','ws', 'vda'] else [] }}"
- "{{ proxy_gateway_debs_inst if BOX_OS_FLAVOR in ['WhonixGateway'] else [] }}"
- "{{ proxy_xfce_debs_inst if BOX_OS_FLAVOR in ['KickSecure', 'WhonixWorkstation'] else [] }}"
- name: install cntlm packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "cntlm"
state: latest
update_cache: no
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- false
- not ansible_check_mode
- BASE_ARE_CONNECTED|default('') != ''
- name: "/etc/default/console-setup"
lineinfile:
dest: /etc/default/console-setup
create: yes
regexp: "^#* *{{item.name}}.*"
line: '{{ item.name }}="{{ item.val }}"'
state: present
with_items:
- { name: CODESET, val: "Uni2" }
- { name: FONTFACE, val: "TerminusBold" }
- { name: FONTSIZE, val: "28x14" }
- name: /etc/apt/apt.conf.d/70testforge.conf
blockinfile:
dest: /etc/apt/apt.conf.d/70testforge.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml"
block: |
APT::Install-Recommends false;
APT::Install-Suggests false;
#APT::AutoRemove::RecommendsImportant false;
#APT::AutoRemove::SuggestsImportant false;
APT::Periodic::Enable 0;
- name: //usr/share/tor/tor-service-defaults-torrc
shell: |
[ -f /usr/share/tor/tor-service-defaults-torrc ] &&
[ -h /usr/share/tor/tor-service-defaults-torrc ] && return 0
[ -f /usr/share/tor/tor-service-defaults-torrc ] || return 0
mv /usr/share/tor/tor-service-defaults-torrc \
/usr/share/tor/tor-service-defaults-torrc.bak
ln -s /etc/tor/torrc-defaults /usr/share/tor/tor-service-defaults-torrc
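Review bot: The `//usr/share/tor/tor-service-defaults-torrc` shell task uses `return 0` outside a function; the script runs under /bin/sh, where top-level `return` is not portable (bash prints an error and keeps going, so both guards fall through to the `mv` and `ln -s`), and `exit 0` — which the 50unattended-upgrades task in this same file already uses — is what is meant; the doubled leading slash in the task name looks like a typo too. The no-redirect task is named `/etc/apt/apt.conf.d/no-cache` although its `dest` is `no-redirect`, and its body `Acquire::http::AllowRedirect=false update;` reads like the `-o` command-line form rather than apt.conf file syntax (`Acquire::http::AllowRedirect "false";`); it is worth confirming with `apt-config dump` that apt actually honours it, since the linked advisory is the reason the line exists. Debian.yml, otherwise a twin of this file, has no no-redirect task at all, so the two distributions end up with different hardening.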

40
tasks/Devuan_post.yml Normal file

@ -0,0 +1,40 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- debug:
verbosity: 1
msg: "DEBUG: Including proxy Debian_post.yml SOCKS_PROXYHOST:SOCKS_PROXYPORT= {{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"
- name: /etc/apt/apt.conf.d/80proxy.conf
blockinfile:
dest: /etc/apt/apt.conf.d/80proxy.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml"
state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}"
block: |
Acquire::http::Proxy "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}";
Acquire::https::Proxy "{{HTTP_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}";
- name: /etc/apt/apt.conf.d/70testforge.conf
blockinfile:
dest: /etc/apt/apt.conf.d/70testforge.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml"
state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}"
block: |
Acquire::tor::proxy "socks5h://apt:apt@{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}";
Acquire::tor::Timeout 60;
when:
- "SOCKS_PROXYHOST != '' and SOCKS_PROXYPORT != ''"
- name: "/etc/sdwdate.d/30_default.conf"
lineinfile:
dest: /etc/sdwdate.d/30_default.conf
create: true
regexp: "^#*{{ item.name }}.*"
line: "{{ item.name }}={{ item.val }}"
with_items:
- { name: PROXY_IP, val: "{{SOCKS_PROXYHOST}}" }
- { name: PROXY_PORT, val: "{{SOCKS_PROXYPORT}}" }

67
tasks/Gentoo.yml Normal file

@ -0,0 +1,67 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: proxy Gentoo2.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Gentoo2.yml"
- assert:
that: "'{{BOX_OS_FLAVOR}}' in ['Clipos', 'Funtoo', 'Pentoo' , 'Gentoo']"
- name: "include proxy by-flavour tasks"
include_tasks: "roles/proxy/tasks/{{ ansible_distribution }}/{{ BOX_OS_FLAVOR }}/main.yml"
- name: install proxy packages proxy_pkgs_inst
environment: "{{ portage_proxy_env }}"
shell: |
cd {{ BASE_ROOT_LOG_DIR }} || exit 2
retval=0
/usr/local/bin/usr_local_base.bash box_gentoo_emerge \
{{proxy_pkgs_bootstrap}} \
{{proxy_pkgs_inst}} \
&& exit 0
retval=$?
echo WARN: $retval
exit $retval
when:
- BASE_ARE_CONNECTED|default('') != ''
- ansible_virtualization_role|replace('NA', 'host') == 'host'
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
- name: install proxy packages GUEST
environment: "{{ portage_proxy_env }}"
shell: |
cd {{ BASE_ROOT_LOG_DIR }} || exit 2
/usr/local/bin/usr_local_base.bash box_gentoo_emerge \
{{ proxy_pkgs_bootstrap }} \
{{ proxy_pkgs_inst_guest }} \
|| exit $?
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- BASE_ARE_CONNECTED|default('') != ''
- ansible_virtualization_role|replace('NA', 'host') != 'host'
- name: install cntlm packages
portage: package="net-proxy/cntlm" state=present
when: CORP_NTLM_PROXY|default('') != ''
- name: /etc/conf.d/consolefont
blockinfile:
dest: "/etc/{{ETC_CONF_D}}/consolefont"
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Gentoo"
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
block: |
consolefont="ter-v24b"
- name: rc-update add bootlogd boot
shell: |
rc-update | grep -q 'bootlogd .* boot' || \
rc-update add bootlogd boot
exit 0
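Review bot: The assert's `that: "'{{BOX_OS_FLAVOR}}' in [...]"` splices the variable's text into the expression and then evaluates it, so a flavour value containing a quote or Jinja braces changes the expression instead of failing the check; the plain form `that: "BOX_OS_FLAVOR in ['Clipos', 'Funtoo', 'Pentoo', 'Gentoo']"` is safer and is what ansible-lint expects. `portage: package="net-proxy/cntlm" state=present` uses the key=value string form where every other task here passes block YAML arguments. `mode: 0644` on the consolefont task is an unquoted octal (YAML 1.1 reads it as the integer 420); `mode: "0644"`, as Gentoo_post.yml already writes it, removes the ambiguity. The `retval=0` assignment in the first emerge task is dead, since `retval=$?` overwrites it before any use.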


@ -0,0 +1,15 @@
# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
# This is an automatically generated file: do not edit
---
- name: "/etc/portage/package.accept_keywords/2020-03_polipo.txt"
blockinfile:
dest: /etc/portage/package.accept_keywords/2020-03_polipo.txt
create: true
marker: "# {mark} Ansible Managed Block proxy polipo"
block: |
=net-proxy/polipo-9999 **


@ -0,0 +1,16 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy Gentoo/Pentoo.yml"
debug:
verbosity: 1
msg: "proxy Gentoo/Pentoo.yml"
- include_tasks: Gentoo/Pentoo/portage.yml
- include_tasks: Gentoo/Pentoo/use.yml
#- include_tasks: Gentoo/Pentoo/mask.yml
- include_tasks: Gentoo/Pentoo/accept_keywords.yml


@ -0,0 +1,8 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy Gentoo/Pentoo/portage.yml"
debug:
verbosity: 1
msg: "proxy Gentoo/Pentoo/portage.yml"


@ -0,0 +1,55 @@
# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
# This is an automatically generated file: do not edit
---
- name: "/etc/portage/package.use/2022-08_nss.txt"
blockinfile:
dest: /etc/portage/package.use/2022-08_nss.txt
create: true
marker: "# {mark} Ansible Managed Block proxy curl"
block: |
net-misc/curl openssl -progress-meter alt-svc adns ftp http2 imap -ipv6 pop3 smtp ssh ssl tftp zstd -samba -sslv3 -threads -winssl -nss # -curl_ssl_gnutls -curl_ssl_mbedtls -curl_ssl_nss curl_ssl_openssl -curl_ssl_rustls
- name: "/etc/portage/package.use/2017-01-01_libguestfs.txt"
blockinfile:
dest: /etc/portage/package.use/2017-01-01_libguestfs.txt
create: true
marker: "# {mark} Ansible Managed Block proxy unzip"
block: |
app-arch/unzip natspec
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
blockinfile:
dest: /etc/portage/package.use/2020-00_ipv6.txt
create: true
marker: "# {mark} Ansible Managed Block proxy nmap"
block: |
net-analyzer/nmap -ipv6
- name: "/etc/portage/package.use/2021-00_verify-sig.txt"
blockinfile:
dest: /etc/portage/package.use/2021-00_verify-sig.txt
create: true
marker: "# {mark} Ansible Managed Block proxy nmap"
block: |
net-analyzer/nmap verify-sig
- name: "/etc/portage/package.use/2019-02_rkhunter.txt"
blockinfile:
dest: /etc/portage/package.use/2019-02_rkhunter.txt
create: true
marker: "# {mark} Ansible Managed Block proxy lsof"
block: |
sys-process/lsof rpc
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
blockinfile:
dest: /etc/portage/package.use/2020-00_ipv6.txt
create: true
marker: "# {mark} Ansible Managed Block proxy lsof"
block: |
sys-process/lsof -ipv6


@ -0,0 +1,15 @@
# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
# This is an automatically generated file: do not edit
---
- name: "/etc/portage/package.accept_keywords/2020-03_polipo.txt"
blockinfile:
dest: /etc/portage/package.accept_keywords/2020-03_polipo.txt
create: true
marker: "# {mark} Ansible Managed Block proxy polipo"
block: |
=net-proxy/polipo-9999 **


@ -0,0 +1,16 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy Gentoo/Pentoo.yml"
debug:
verbosity: 1
msg: "proxy Gentoo/Pentoo.yml"
- include_tasks: Gentoo/Pentoo/portage.yml
- include_tasks: Gentoo/Pentoo/use.yml
#- include_tasks: Gentoo/Pentoo/mask.yml
- include_tasks: Gentoo/Pentoo/accept_keywords.yml


@ -0,0 +1,8 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy Gentoo/Pentoo/portage.yml"
debug:
verbosity: 1
msg: "proxy Gentoo/Pentoo/portage.yml"


@ -0,0 +1,55 @@
# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
# This is an automatically generated file: do not edit
---
- name: "/etc/portage/package.use/2022-08_nss.txt"
blockinfile:
dest: /etc/portage/package.use/2022-08_nss.txt
create: true
marker: "# {mark} Ansible Managed Block proxy curl"
block: |
net-misc/curl openssl -progress-meter alt-svc adns ftp http2 imap -ipv6 pop3 smtp ssh ssl tftp zstd -samba -sslv3 -threads -winssl -nss # -curl_ssl_gnutls -curl_ssl_mbedtls -curl_ssl_nss curl_ssl_openssl -curl_ssl_rustls
- name: "/etc/portage/package.use/2017-01-01_libguestfs.txt"
blockinfile:
dest: /etc/portage/package.use/2017-01-01_libguestfs.txt
create: true
marker: "# {mark} Ansible Managed Block proxy unzip"
block: |
app-arch/unzip natspec
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
blockinfile:
dest: /etc/portage/package.use/2020-00_ipv6.txt
create: true
marker: "# {mark} Ansible Managed Block proxy nmap"
block: |
net-analyzer/nmap -ipv6
- name: "/etc/portage/package.use/2021-00_verify-sig.txt"
blockinfile:
dest: /etc/portage/package.use/2021-00_verify-sig.txt
create: true
marker: "# {mark} Ansible Managed Block proxy nmap"
block: |
net-analyzer/nmap verify-sig
- name: "/etc/portage/package.use/2019-02_rkhunter.txt"
blockinfile:
dest: /etc/portage/package.use/2019-02_rkhunter.txt
create: true
marker: "# {mark} Ansible Managed Block proxy lsof"
block: |
sys-process/lsof rpc
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
blockinfile:
dest: /etc/portage/package.use/2020-00_ipv6.txt
create: true
marker: "# {mark} Ansible Managed Block proxy lsof"
block: |
sys-process/lsof -ipv6

104
tasks/Gentoo_post.yml Normal file

@ -0,0 +1,104 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: proxy Gentoo_post.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Gentoo_post.yml"
- name: proxy http equals
blockinfile:
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http equals"
# state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
block: |
# emerge does not seem to pick up .gitconfig settings for proxy from ~portage/.gitconfig
# neded to get these form the environment or hosts.yml
# fucking google go calls home during COMPILE
#NO api/services/events/v1/events.pb.go:15:2: google.golang.org/grpc@v1.43.0: Get "https://proxy.golang.org/google.golang.org/grpc/@v/v1.43.0.zip": proxyconnect tcp: dial tcp 127.0.0.1:9128: connect: connection refused
# allow
#NO http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
#NO https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
#NO socks_proxy={{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
# NO RSYNC_PROXY={{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
http_proxy=http://127.0.0.1:666
https_proxy=http://127.0.0.1:666
socks_proxy=socks5h://127.0.0.1:666
no_proxy="{{ NO_PROXY }}"
RSYNC_PROXY=127.0.0.1:666
when:
- "item.bool == 'yes'"
with_items:
- dest: "/etc/portage/make.conf"
owner: "portage"
group: "portage"
mode: "0644"
bool: "{{ 'yes' if ansible_distribution == 'Gentoo' else 'no' }}"
- name: proxy http CURL_OPTS
blockinfile:
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http CURL_OPTS"
# state: "{{ 'present' if SOCKS_PROXY != '' else 'absent' }}"
block: |
CURL_OPTS="--cert-status --connect-timeout 30 {{ '--tlsv1.3' if BOX_TLS_VERSION == '1.3' else '--tlsv1.2' }} --location --proto-redir https --proto-default https --proto =https -x ${socks_proxy} --fail"
when:
- "item.bool == 'yes'"
with_items:
- dest: "/etc/portage/make.conf"
owner: "portage"
group: "portage"
mode: "0644"
bool: "{{ 'yes' if ansible_distribution == 'Gentoo' else 'no' }}"
- name: proxy http FETCHCOMMAND
blockinfile:
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http FETCHCOMMAND"
# state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
block: |
#FETCHCOMMAND='wget -t 1 -T 10 --passive-ftp -O "\${DISTDIR}/\${FILE}" "\${URI}"'
FETCHCOMMAND='/usr/local/bin/scurl.bash -- --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
FETCHCOMMAND_HTTP='/usr/local/bin/scurl.bash -- --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
FETCHCOMMAND_HTTPS='/usr/local/bin/scurl.bash -- --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
RESUMECOMMAND='/usr/local/bin/scurl.bash -- -C - --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
RESUMECOMMAND_HTTP='/usr/local/bin/scurl.bash -- -C - --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
RESUMECOMMAND_HTTPS='/usr/local/bin/scurl.bash -- -C - --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
when:
- "item.bool == 'yes'"
with_items:
- dest: "/etc/portage/make.conf"
owner: "portage"
group: "portage"
mode: "0644"
bool: "{{ 'yes' if ansible_distribution == 'Gentoo' else 'no' }}"
- name: /etc/portage/make.conf PORTAGE_RSYNC_EXTRA_OPTS
blockinfile:
dest: /etc/portage/make.conf
create: no
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy [PORTAGE_RSYNC_EXTRA_OPTS]"
block: |
PORTAGE_RSYNC_RETRIES=5
#mgorny suggested this speeds up sync, in my testing it makes a rather large difference
PORTAGE_RSYNC_EXTRA_OPTS="--omit-dir-times -4 --timeout=20"
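Review bot: The "proxy http equals" block writes `http_proxy=http://127.0.0.1:666`, `https_proxy=http://127.0.0.1:666`, `socks_proxy=socks5h://127.0.0.1:666` and `RSYNC_PROXY=127.0.0.1:666` into make.conf as literals while the templated `{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:...` lines above them are commented out with `#NO`, so portage's proxy on this host is pinned to a loopback port that the role's proxy variables (which Debian_post.yml uses for apt) no longer control; if forcing emerge through a local listener is the intent, a comment next to those lines — `# 127.0.0.1:666 is the local <listener> set up by <task>; deliberately not the HTTP_PROXY* values` — would say so. `no_proxy="{{ NO_PROXY }}"` is the only templated value left in that block. The three blockinfile tasks each go through an `item.bool` / `when: item.bool == 'yes'` detour and carry an unused `mode: "0644"` in their single item; `when: ansible_distribution == 'Gentoo'` on the task says the same thing directly, and `mode` is never handed to the module. With the `state:` lines commented out, a later empty `HTTP_PROXYHOST` leaves all three blocks in place.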

28
tasks/Msys.yml Executable file

@ -0,0 +1,28 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: Including proxy Msys.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Msys.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"
- name: netsh interface ip set address name="Ethernet0" static 10.1.2.220 255.255.255.0 10.1.2.1
shell: |
# https://pureinfotech.com/set-static-ip-address-windows-10/
netsh interface ip set address name="{{BOX_DEFAULT_OUTPUT_IF}}" static 10.152.152.13 255.255.255.0 10.152.152.10
- name: "proxy local_connection.yml"
include_tasks: "local_connection.yml"
- block:
- name: mvmc_setup.msi
shell: |
[ -f /e/net/Http/https://github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi ] \
wget --restrict-file-names=windows -xcP /e/net/Http \
https://github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi || \
exit 1
[ -d /c/Program Files/ ] || \
start "/e/net/Http/github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi" //quiet

41
tasks/Ubuntu.yml Normal file

@ -0,0 +1,41 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: Including proxy Ubuntu.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Ubuntu.yml"
- name: install proxy_debs_inst packages
environment:
- "RUNLEVEL": 1
shell: |
apt-get install {{ proxy_debs_inst|join(' ') }} -y \
{{ '--print-uris' if BASE_ARE_CONNECTED|default('') == '' else '' }}
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- not ansible_check_mode
- name: install cntlm packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "cntlm"
state: latest
update_cache: no
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- not ansible_check_mode
- BASE_ARE_CONNECTED|default('') != ''
- name: "/etc/default/console-setup"
lineinfile:
dest: /etc/default/console-setup
regexp: "^#* *{{item.name}}.*"
line: '{{ item.name }}="{{ item.val }}"'
state: present
with_items:
- { name: FONTFACE, val: "TerminusBold" }
- { name: FONTSIZE, val: "12x24" }
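Review bot: The install proxy_debs_inst task drives `apt-get install` through `shell:` with `{{ proxy_debs_inst|join(' ') }}` expanded onto the command line, whereas Debian.yml installs the same list with the `apt:` module; the module form avoids shell splitting of package names and gives real change reporting, which this task lacks (no `changed_when`, no `creates`), so `apt: name: "{{ proxy_debs_inst }}" state: latest` would align the two files. The `--print-uris` fallback still runs with `-y` when not connected, which is harmless but confusing; `when: BASE_ARE_CONNECTED|default('') != ''`, as Debian.yml and Ubuntu16.yml use, makes the offline case explicit. The cntlm task here is unconditional, while Ubuntu16.yml and Gentoo.yml gate it on `CORP_NTLM_PROXY` and Debian.yml disables it outright with `- false`; installing an NTLM proxy on every Ubuntu host without that gate is probably not intended.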

35
tasks/Ubuntu16.yml Normal file

@ -0,0 +1,35 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: proxy Ubuntu14.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Ubuntu14.yml"
- name: install proxy_debs_inst packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "{{ proxy_debs_inst }}"
state: latest
update_cache: no
ignore_errors: BASE_ARE_CONNECTED|default('') == ''
when:
- BASE_ARE_CONNECTED|default('') != ''
- not ansible_check_mode
- name: install cntlm packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "cntlm"
state: latest
update_cache: no
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- not ansible_check_mode
- CORP_NTLM_PROXY|default('') != ''
- BASE_ARE_CONNECTED|default('') != ''
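Review bot: `ignore_errors: BASE_ARE_CONNECTED|default('') == ''` on the install proxy_debs_inst task is a bare Jinja expression without `{{ }}`, and `ignore_errors` is a boolean field rather than a conditional like `when`, so Ansible is likely to reject the string as an invalid boolean (or coerce it) instead of evaluating it; every sibling file writes `ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"`, which is the safe replacement here as well. Even if it were evaluated, the task's own `when` already requires `BASE_ARE_CONNECTED` to be non-empty, so the expression could never be true when the task runs. The debug name and message still say "Ubuntu14.yml" in a file named Ubuntu16.yml.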


@ -0,0 +1,11 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
# http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_an_Ubuntu_Xenial_installation
---
- name: "DEBUG: Including proxy Ubuntu16_no_systemd.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Ubuntu16_no_systemd.yml"

23
tasks/Ubuntu_post.yml Normal file

@ -0,0 +1,23 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- debug:
verbosity: 1
msg: "DEBUG: Including proxy Ubuntu_post.yml"
- name: /etc/apt/apt.conf.d/80proxy.conf
blockinfile:
dest: /etc/apt/apt.conf.d/80proxy.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
block: |
Acquire::http::Proxy "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}";
Acquire::https::Proxy "{{HTTP_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}";
when: HTTP_PROXYHOST != ''
- name: /etc/apt/apt.conf.d/80proxy.conf
file:
path: /etc/apt/apt.conf.d/80proxy.conf
state: absent
when: HTTP_PROXYHOST == ''

20
tasks/dirmngr.err Normal file

@ -0,0 +1,20 @@
3root@Ulati:# dirmngr --help|less
3root@Ulati:# dirmngr --server --http-proxy $http_proxy &
[1] 8783
3root@Ulati:# dirmngr[8783]: No ldapserver file at: '/root/.gnupg/dirmngr_ldapservers.conf'
dirmngr[8783.0]: oops: ksba_cert_hash failed: No value
dirmngr[8783.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Invalid certificate object
dirmngr[8783.0]: oops: ksba_cert_hash failed: No value
dirmngr[8783.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Invalid certificate object
dirmngr[8783.0]: oops: ksba_cert_hash failed: No value
dirmngr[8783.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Invalid certificate object
ksba: ERROR: object length field 2 octects too large
ksba: ERROR: object length field 12 octects too large
ksba: ERROR: object length field 12 octects too large
ksba: ERROR: object length field 71 octects too large
ksba: ERROR: object length field 59 octects too large
ksba: ber-decoder: node `?': TLV length too large
dirmngr[8783.0]: can't parse certificate '/etc/ssl/certs/ca-certificates.crt': BER error
dirmngr[8783.0]: permanently loaded certificates: 2
dirmngr[8783.0]: runtime cached certificates: 0
dirmngr[8783.0]: trusted certificates: 2 (1,0,0,1)
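Review bot: dirmngr.err, dirmngr.hlp and dirmngr.sh are a captured shell session, the tool's `--help` output and a one-line wrapper committed under `tasks/`, where Ansible expects task files; nothing on this page loads them, and the session capture carries a hostname prompt. If they are kept as working notes they belong under a `docs/` or `notes/` directory (or as a comment block in dirmngr.yml), and dirmngr.sh's hard-coded `http://127.0.0.1:3128` and `/usr/local/etc/ssl/cacert-testforge.pem` duplicate what dirmngr.yml derives from `PROXY_GNUPG_CERTS` and the proxy variables.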

54
tasks/dirmngr.hlp Normal file

@ -0,0 +1,54 @@
dirmngr (GnuPG) 2.2.12
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Syntax: dirmngr [options] [command [args]]
Keyserver, CRL, and OCSP access for GnuPG
Commands:
--server run in server mode (foreground)
--daemon run in daemon mode (background)
--supervised run in supervised mode
--list-crls list the contents of the CRL cache
--load-crl FILE load CRL from FILE into cache
--fetch-crl URL fetch a CRL from URL
--shutdown shutdown the dirmngr
--flush flush the cache
Options:
-v, --verbose verbose
-q, --quiet be somewhat more quiet
-s, --sh sh-style command output
-c, --csh csh-style command output
--options FILE read options from FILE
--debug-level LEVEL set the debugging level to LEVEL
--no-detach do not detach from the console
--log-file FILE write server mode logs to FILE
--batch run without asking a user
--force force loading of outdated CRLs
--allow-ocsp allow sending OCSP requests
--allow-version-check allow online software version check
--disable-http inhibit the use of HTTP
--disable-ldap inhibit the use of LDAP
--ignore-http-dp ignore HTTP CRL distribution points
--ignore-ldap-dp ignore LDAP CRL distribution points
--ignore-ocsp-service-url ignore certificate contained OCSP service URLs
--http-proxy URL redirect all HTTP requests to URL
--ldap-proxy HOST use HOST for LDAP queries
--only-ldap-proxy do not use fallback hosts with --ldap-proxy
--ldapserverlist-file FILE read LDAP server list from FILE
--add-servers add new servers discovered in CRL distribution points to serverlist
--ldaptimeout N set LDAP timeout to N seconds
--ocsp-responder URL use OCSP responder at URL
--ocsp-signer FPR OCSP response signed by FPR
--max-replies N do not return more than N items in one query
--hkp-cacert FILE use the CA certificates in FILE for HKP over TLS
--use-tor route all network traffic via Tor
(See the "info" manual for a complete listing of all commands and options)
Please report bugs to <https://bugs.gnupg.org>.

1
tasks/dirmngr.sh Normal file

@ -0,0 +1 @@
dirmngr --server --http-proxy http://127.0.0.1:3128 --options /etc/dirmngr/dirmngr.conf --disable-ldap --hkp-cacert /usr/local/etc/ssl/cacert-testforge.pem --log-file /var/log/dirmngr.log --no-detach

172
tasks/dirmngr.yml Normal file

@ -0,0 +1,172 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: proxy dirmngr.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy dirmngr.yml"
- name: /etc/gnupg/
shell: |
[ -d "/etc/gnupg" ] || mkdir -p "{{USR_LOCAL}}/etc/gnupg"
- name: /etc/dirmngr/dirmngr.conf
lineinfile:
dest: "/etc/dirmngr/dirmngr.conf"
insertbefore: BOF
mode: 0755
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
regexp: "# -.- mode: conf; tab-width: 0; coding: utf-8-unix -.-"
line: "# -*- mode: conf; tab-width: 0; coding: utf-8-unix -*-"
when:
- not ansible_check_mode
# FixMe:
ignore_errors: true
- name: /etc/gnupg/gpgconf.conf
lineinfile:
dest: "/etc/gnupg/gpgconf.conf"
# insertbefore: BOF
mode: 0755
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
state: "{{item.state}}"
regexp: "^#*{{item.key}} .*"
line: "{{item.key}} {{item.val}}"
when:
- not ansible_check_mode
with_items:
- key: keyserver-options
val: no-try-dns-srv
# Debian! gpg: keyserver option 'no-try-dns-srv' is unknown
# gentoo unknown - dirmngr ?
state: absent
- key: debug-level
val: "4"
# not on gentoo
state: "{{ 'present' if ansible_distribution != 'Gentoo' else 'absent' }}"
# - key: connect-timeout
# val: "20"
# value: ""
# state: present
- name: /etc/dirmngr/dirmngr.conf
blockinfile:
dest: "/etc/dirmngr/dirmngr.conf"
create: false
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml head"
block: |
verbose
debug-all
standard-resolver
disable-ldap
when:
- not ansible_check_mode
- name: /etc/dirmngr/dirmngr.conf
blockinfile:
dest: /etc/dirmngr/dirmngr.conf
create: true
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml ipv6"
block: |
disable-ipv6
when:
- not ansible_check_mode
- BASE_IPV6_DISABLE == 1
- name: /etc/dirmngr/dirmngr.conf
blockinfile:
dest: "/etc/dirmngr/dirmngr.conf"
create: false
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml head"
block: |
{% for elt in PROXY_GNUPG_SERVERS %}
keyserver hkp://{{ elt }}
{% endfor %}
{% for elt in PROXY_GNUPG_CERTS %}
hkp-cacert {{ elt }}
{% endfor %}
when:
- not ansible_check_mode
- name: /var/log/dirmngr.log
shell: |
[ -f /var/log/dirmngr.log ] || touch /var/log/dirmngr.log
chown root /var/log/dirmngr.log
args:
creates: /var/log/dirmngr.log
- name: /etc/dirmngr/dirmngr.conf.tor
shell: |
[ -e /etc/dirmngr/dirmngr.conf.tor ] || \
cp -p /etc/dirmngr/dirmngr.conf /etc/dirmngr/dirmngr.conf.tor
when:
- PROXY_MODE == 'tor'
- name: /etc/dirmngr/dirmngr.conf use-tor
blockinfile:
dest: "/etc/dirmngr/dirmngr.conf"
create: true
marker: "# {mark} ANSIBLE MANAGED BLOCK tor"
block: |
use-tor
# https://keys.openpgp.org/about/usage
keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
when:
- not ansible_check_mode
- PROXY_MODE == 'tor'
- name: /etc/dirmngr/dirmngr.conf.whonix
shell: |
[ -e /etc/dirmngr/dirmngr.conf.whonix ] || \
cp -p /etc/dirmngr/dirmngr.conf /etc/dirmngr/dirmngr.conf.whonix
when:
- PROXY_MODE == 'whonix'
# This is not enough:
- name: /usr/bin/dirmngr.bin
# FixMe: blockinfile
shell: |
# /usr/bin/dirmngr.bin --dump-options >> /tmp/$$.out
[ -d /etc/dirmngr ] || mkdir /etc/dirmngr
[ -f /etc/dirmngr/dirmngr.conf ] || touch /etc/dirmngr/dirmngr.conf
grep -q disable-ipv6 /etc/dirmngr/dirmngr.conf ] || \
echo disable-ipv6 >> /etc/dirmngr/dirmngr.conf
args:
creates: /etc/dirmngr/dirmngr.conf
when:
- not ansible_check_mode
- BASE_IPV6_DISABLE == 1
- block:
- name: /usr/bin/dirmngr.bin
shell: |
[ -f /usr/local/bin/proxy_dirmngr.bash ] || exit 1
# This is recent
cd /usr/bin/
if [ ! -f dirmngr.bin ] ; then
mv dirmngr dirmngr.bin
elif file dirmngr | grep -q ELF ; then
mv dirmngr dirmngr.bin
fi
[ -h dirmngr ] || ln -s /usr/local/bin/proxy_dirmngr.bash dirmngr
chmod 755 dirmngr /usr/local/bin/proxy_dirmngr.bash
[ -x /usr/local/bin/proxy_dirmngr.bash ] || exit 2
when:
# the --keyserver may be required even with ipv6
- true or BASE_IPV6_DISABLE == 1
- not ansible_check_mode
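Review bot: Two blockinfile tasks on /etc/dirmngr/dirmngr.conf use the identical marker `# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml head` — the one writing `verbose`/`debug-all`/`standard-resolver`/`disable-ldap` and the later one writing the `keyserver`/`hkp-cacert` loop — so the second replaces the first's block and those four options never survive a run; give the second its own marker, e.g. `marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml servers"`. The `/etc/gnupg/` task tests `[ -d "/etc/gnupg" ]` but creates `{{USR_LOCAL}}/etc/gnupg`, so the check and the effect are on different paths. In the `/usr/bin/dirmngr.bin` shell task `grep -q disable-ipv6 /etc/dirmngr/dirmngr.conf ] || \` has a stray `]` that grep takes as a second file name, and the disable-ipv6 line is already managed by the blockinfile task with the `ipv6` marker, so that shell task can go. `mode: 0755` on the two config files grants an executable bit a conf file never needs (`mode: "0644"` is the least-privilege choice), and `when: - true or BASE_IPV6_DISABLE == 1` is simply always true. Going by the parse errors in the committed dirmngr.err, the `hkp-cacert` entries from `PROXY_GNUPG_CERTS` appear to need single certificate files rather than a bundle — worth confirming.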

203
tasks/dns-dnscrypt.yml Normal file

@ -0,0 +1,203 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "dns-dnscrypt.yml"
debug:
verbosity: 1
msg: "dns-dnscrypt.yml socks5={{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"
- name: "/var/local/src/dnscrypt-proxy"
file:
dest: "{{ item }}"
state: directory
mode: 0755
owner: "{{ BOX_USER_NAME }}"
group: "{{ BOX_ALSO_GROUP }}"
with_items:
- "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy"
- "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"
- name: "untar dnscrypt tgz"
shell: |
URL="{{ PROXY_DNSCRYPT_TGZ_URL }}"
[ -f {{PROXY_VAR_LOCAL}}/net/Http/$URL ] || \
wget {{BASE_WGET_ARGS}} -xcqP {{PROXY_VAR_LOCAL}}/net/Http/ https://$URL
which dnscrypt-proxy 2>/dev/null || \
tar xvfz {{PROXY_VAR_LOCAL}}/net/Http/$URL \
-C "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy"
args:
creates: "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy"
when: "BASE_ARE_CONNECTED|default('') != ''"
- name: "roles/privacy/templates/etc/example-dnscrypt-proxy.toml"
template:
force: no
src: templates/etc/example-dnscrypt-proxy.toml
dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{ BOX_ALSO_GROUP }}"
- name: "get generate-domains-blacklist.py"
uri:
url: https://github.com/jedisct1/dnscrypt-proxy/raw/master/utils/generate-domains-blacklists/generate-domains-blacklist.py
dest: "{{PROXY_VAR_LOCAL}}/bin/generate-domains-blacklist.py"
creates: "{{PROXY_VAR_LOCAL}}/bin/generate-domains-blacklist.py"
mode: 0775
owner: "{{ BOX_USER_NAME }}"
group: "{{ BOX_ALSO_GROUP }}"
notify: shebang after pip
# in tar
when: false and "BASE_ARE_CONNECTED|default('') != ''"
- name: "Invalid rule *.workgroup - wildcards can only be used as a suffix"
shell: |
sed -e '/^\\*/d' -i {{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/domains-blacklist-local-additions.txt
# why? dir
- name: "touch {{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"
file:
dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"
state: touch
mode: 0644
owner: "{{ BOX_USER_NAME }}"
group: "{{ BOX_ALSO_GROUP }}"
when: false
- name: "symlink /etc/dnscrypt-proxy.toml"
file:
dest: /etc/dnscrypt-proxy.toml
src: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
state: link
when: not ansible_check_mode
- name: "forward dnscrypt-proxy to SOCKS5 - socks5 or tor/harden or privacy"
lineinfile:
dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
regexp: '^#* *{{item.name}} =.*'
line: "{{item.name}} = {{item.val}}"
state: present
backup: no
with_items:
- { name: "proxy", val: "'socks5://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}'" }
- { name: "force_tcp", val: "true" }
when: not ansible_check_mode and ( SOCKS_PROXY|default('') != "" or 'privacy' in ROLES )
- name: "dnscrypt-proxy settings"
lineinfile:
dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
regexp: '^ *#* *{{item.name}} =.*'
line: "{{item.name}} = {{item.val}}"
state: present
backup: no
with_items:
- { name: "log_file", val: "'{{PROXY_VAR_LOCAL}}/var/log/dnscrypt-proxy.log'" }
- { name: "log_level", val: 2 }
- { name: "listen_addresses", val: "['127.0.0.1:53']" }
#? server_names = ['bn-fr0', 'bn-fr1', 'bn-nl0', 'cs-cfi', 'cs-cfii', 'cs-ch', 'cs-de', 'cs-de3', 'cs-dk', 'cs-dk2', 'cs-es', 'cs-fi', 'cs-fr', 'cs-fr2', 'cs-lt', 'cs-lv', 'cs-md', 'cs-nl', 'cs-pl', 'cs-pt', 'cs-ro', 'cs-rome', 'cs-uk', 'cs-useast', 'cs-useast2', 'cs-usnorth', 'cs-ussouth', 'cs-ussouth2', 'cs-uswest', 'cs-uswest3', 'cs-uswest5', 'dnscrypt.ca-2', 'dnscrypt.eu-dk', 'dnscrypt.eu-nl', 'dnscrypt.org-fr', 'ns0.dnscrypt.is', 'securedn']
- { name: "server_names", val: "['dnscrypt.eu-nl', 'dnscrypt.nl-ns0', 'securedns', 'dnscrypt.nl-ns0', 'scaleway-fr', 'cloudflare', 'google']" }
# Server must support DNS security extensions (DNSSEC) ??
- { name: "require_dnssec", val: "true" }
# Server must not log user queries (declarative)
- { name: "require_nolog", val: "true" }
# Server must not enforce its own blacklist (for parental control, ads blocking...)
- { name: "require_nofilter", val: "true" }
#/ var/local/etc/dnscrypt-proxy/
- { name: "blacklist_file", val: "'{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/blacklist.txt'" }
- { name: "whitelist_file", val: "'{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/domains-whitelist.txt'" }
# opendns - Other popular options include 8.8.8.8 and 1.1.1.1 9.9.9.9:53
- { name: "fallback_resolver", val: "'nameserver 208.67.222.222:53 208.67.220.220:53'" }
#? - { name: "ignore_system_dns", val: "true" }
when: not ansible_check_mode
## Switch to a different system user after listening sockets have been created.
## Note (1): this feature is currently unsupported on Windows.
## Note (2): this feature is not compatible with systemd socket activation.
## Note (3): when using -pidfile, the PID file directory must be writable by the new user
# user_name = 'nobody'
- name: "install dnscrypt-proxy in /var/local/bin"
file:
src: "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy"
dest: "{{PROXY_VAR_LOCAL}}/bin/dnscrypt-proxy"
state: link
when: not ansible_check_mode
# [NOTICE] System DNS configuration not usable yet, exceptionally resolving [raw.githubusercontent.com] using fallback resolver [9.9.9.9:53]
# [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53]
- name: "dnscrypt-proxy fallback resolver"
lineinfile:
dest: "/etc/hosts"
regexp: '^ *{{item.name}}.*'
line: "{{item.name}} {{item.val}}"
state: present
backup: no
with_items:
- { name: "151.101.36.133", val: "raw.githubusercontent.com" }
- { name: "37.59.238.213", val: "download.dnscrypt.info" }
- block:
- name: "install dnscrypt-proxy"
shell: |
{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy -service install
args:
creates: /etc/systemd/system/dnscrypt-proxy.service
# see https://askubuntu.com/questions/953467/how-to-cache-dnscrypt-proxy-with-dnsmasqresolvconf
- name: "/etc/NetworkManager/NetworkManager.conf"
lineinfile:
dest: /etc/NetworkManager/NetworkManager.conf
create: false
regexp: "^#*dns=dnsmasq"
line: "#dns=dnsmasq"
#? not really needed
# FixMe: wicd?
#? systemctl disable systemd-resolved
- name: "/etc/resolve.conf.dnscrypt"
blockinfile:
path: /etc/resolve.conf.dnscrypt
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
block: |
nameserver 127.0.0.1
#? clobber or symlink /var/run/resolvconf/resolv.conf
# FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
- name: "/etc/dnsmasq.conf disable DNS"
lineinfile:
dest: /etc/dnsmasq.conf
regexp: '^#* *{{item.name}}=.*'
line: "{{item.name}}={{item.val}}"
state: present
# backup: yes
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
with_items:
- { name: "port", val: "0" }
# just guessing
- { name: "resolv-file", val: "/etc/resolve.conf.dnscrypt" }
when:
# just guessing
- false
- "ansible_distribution in ['Ubuntu', 'Debian']"
# stop dhclient from overwriting resolv.conf
# with scripts in /lib/dhcpcd/dhcpcd-hooks/
- name: "enable and start service dnscrypt-proxy"
service:
name: "{{ item.name }}"
enabled: "{{ item.able }}"
state: "{{ item.state }}"
failed_when: false
with_items:
# - { name: "pdnsd", able: "no", state: "stopped" }
- { name: "dnscrypt-proxy", able: "yes", state: "restarted" }
- { name: "network-manager", able: "no", state: "stopped" }
# when: "ansible_distribution in ['Ubuntu', 'Debian']"
when: ansible_connection|default('') not in PLAY_SERVICE_CONNECTIONS
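Review bot: The `untar dnscrypt tgz` task fetches `{{ PROXY_DNSCRYPT_TGZ_URL }}` with wget and extracts it as root with no checksum or signature check, so whatever the mirror (or any proxy in the path, which is the very thing this role configures) serves is what gets symlinked into `{{PROXY_VAR_LOCAL}}/bin` and registered as a system service; pin a sha256 (`get_url:` with `checksum: sha256:…`) or verify the release's detached `.minisig` before `tar xvfz`. The `Invalid rule *.workgroup` task is destructive as written: inside a `|` block YAML keeps both backslashes, so sed receives `/^\\*/d`, which matches "zero or more literal backslashes at start of line", i.e. every line, and empties `domains-blacklist-local-additions.txt`; the intended command is `sed -e '/^\*/d' -i …`. In `dnscrypt-proxy settings`, `fallback_resolver = 'nameserver 208.67.222.222:53 208.67.220.220:53'` is not the `ip:port` form the key takes, so I would check it against the shipped example toml before relying on the fallback path. The `/etc/hosts` entries pinning raw.githubusercontent.com and download.dnscrypt.info to fixed addresses are CDN IPs that will drift and should not be mistaken for an integrity control.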

170
tasks/dns-dnsmasq.yml Normal file

@ -0,0 +1,170 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "dns-dnsmasq.yml"
debug:
verbosity: 1
msg: "dns-dnsmasq.yml socks5={{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"
- block:
- name: "uninstall dnscrypt-proxy"
shell: |
systemctl disabled dnscrypt-proxy
rm -f /etc/systemd/system/dnscrypt-proxy.service
args:
removes: /etc/systemd/system/dnscrypt-proxy.service
when:
- "BOX_SERVICE_MGR == 'systemd'"
# see https://askubuntu.com/questions/953467/how-to-cache-dnscrypt-proxy-with-dnsmasqresolvconf
- name: "/etc/NetworkManager/NetworkManager.conf dns"
lineinfile:
dest: /etc/NetworkManager/NetworkManager.conf
create: true
regexp: "^#*dns=dnsmasq"
line: "dns=none"
when:
- true
# /mnt/linuxKick15/etc/NetworkManager/conf.d/dns.conf
# https://wiki.archlinux.org/index.php/NetworkManager#/etc/resolv.conf
#[main]
#ns=none
# Tip: You might also want to set main.
#systemd-resolved=false
- name: "/etc/NetworkManager/NetworkManager.conf no proxy dns"
blockinfile:
dest: /etc/NetworkManager/NetworkManager.conf
create: true
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
block: |
[main]
plugins=ifupdown,keyfile
dns=none
# will always write resolv.conf to its runtime state
# directory /run/NetworkManager/resolv.conf.
rc-manager=unmanaged
unmanaged-devices=interface-name:virbr1
unmanaged-devices=interface-name:virbr2
[ifupdown]
# If set to false, then any interface
# listed in /etc/network/interfaces will be ignored
managed=false
[logging]
level=info
backend=syslog
# FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
# FixMe tor client vss whnoix gateway
- name: "/etc/dnsmasq.conf.tor enable DNS"
blockinfile:
dest: /etc/dnsmasq.conf.tor
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
block: |
log-facility=/var/log/dnsmasq.log
no-resolv
listen-address=127.0.0.1
server=127.0.0.1#9053
port=53
# {{ BASE_ARE_CONNECTED|default('') }}
interface={{ BASE_DEFAULT_OUTPUT_IF }}
bind-interfaces
no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }}
# FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
- name: "/etc/dnsmasq.conf enable DNS"
blockinfile:
dest: /etc/dnsmasq.conf.whonix
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
block: |
log-facility=/var/log/dnsmasq.log
no-resolv
listen-address=127.0.0.1
server={{ PROXY_WHONIX_SOCKS_HOST }}#9053
port=53
# {{ BASE_ARE_CONNECTED|default('') }}
interface={{ BASE_DEFAULT_OUTPUT_IF }}
bind-interfaces
no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }}
- name: "/etc/dnsmasq.conf enable srv-host"
blockinfile:
dest: "{{item}}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml srv-host"
# after srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
block: |
# dirmgr
# dns: getsrv(_pgpkey-https._tcp.keyserver.ubuntu.com): Try again later
srv-host=_pgpkey-https._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,443
srv-host=_pgpkey-https._tcp.keys.gnupg.net,keys.gnupg.net,443
srv-host=_pgpkey-https._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,443
srv-host=_pgpkey-https._tcp.keys.gnupg.net,keys.gnupg.net,443
#dead srv-host=_pgpkey-https._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,443
srv-host=_pgpkey-https._tcp.pgp.mit.edu,pgp.mit.edu,443
srv-host=_pgpkey-http._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,80
srv-host=_pgpkey-http._tcp.keys.gnupg.net,keys.gnupg.net,80
srv-host=_pgpkey-http._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,80
srv-host=_pgpkey-http._tcp.keys.gnupg.net,keys.gnupg.net,80
#dead srv-host=_pgpkey-http._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,80
srv-host=_pgpkey-http._tcp.pgp.mit.edu,pgp.mit.edu,80
with_items:
- /etc/dnsmasq.conf.whonix
- /etc/dnsmasq.conf.tor
- name: "/etc/dnsmasq.conf enable dnssec"
blockinfile:
dest: "{{item}}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml dnssec"
block: |
# DNSSEC setup
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec-check-unsigned
when:
- "'dnsmasq_dnssec' in BOX_PROXY_FEATURES"
- false # stops it for starting
with_items:
- /etc/dnsmasq.conf.whonix
- /etc/dnsmasq.conf.tor
- /etc/dnsmasq.conf
- name:
shell: |
[ "{{PROXY_MODE}}" = tor ] && \
cp -p /etc/dnsmasq.conf.tor /etc/dnsmasq.conf
[ "{{PROXY_MODE}}" = tor ] && \
cp -p /etc/dnsmasq.conf.whonix /etc/dnsmasq.conf
exit 0
- name: "enable and start service dnsmasq"
service:
name: "{{ item.name }}"
enabled: false
state: "{{ item.state }}"
# WARNING: dnsmasq will start when NetworkManager has started
failed_when: false
with_items:
#no - { name: "dnscrypt-proxy", able: "no", state: "restarted" }
- { name: "dnsmasq", able: "no", state: "started" }
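Review bot: The unnamed shell task that installs `/etc/dnsmasq.conf` tests `PROXY_MODE = tor` in both branches, so in tor mode the whonix file is copied last and wins (dnsmasq then forwards to `{{ PROXY_WHONIX_SOCKS_HOST }}#9053` instead of `127.0.0.1#9053`) and in whonix mode nothing is copied, leaving whatever `/etc/dnsmasq.conf` was already on the host — for a role whose purpose is to keep DNS inside the Tor/Whonix path that is a silent leak. The second test should read `[ "{{PROXY_MODE}}" = whonix ] && cp -p /etc/dnsmasq.conf.whonix /etc/dnsmasq.conf`, and the task needs a `name:`. In `uninstall dnscrypt-proxy`, `systemctl disabled dnscrypt-proxy` is not a systemctl verb; it should be `systemctl stop dnscrypt-proxy; systemctl disable dnscrypt-proxy` before the unit file is removed, followed by `systemctl daemon-reload`. The dnssec block is gated off with `- false`; if it is ever re-enabled, note that key tag 19036 is the retired 2010 root KSK and only 20326 should remain, or better, point `trust-anchor` at the distro's `/usr/share/dns/root.key`.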

15
tasks/dns-socat.yml Normal file

@ -0,0 +1,15 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "dns-socat.yml"
debug:
verbosity: 1
msg: "dns-socat.yml PROXY_DNS_PROXY={{PROXY_DNS_PROXY}}"
- assert:
that: "'{{PROXY_DNS_PROXY}}' in ['socat']"
- name: /usr/local/bin/proxy_dns_forward.bash
shell: |
netstat -nlpe4 | grep -q 127.0.0.1:53 || \
echo WARN: run /usr/local/bin/proxy_dns_forward.bash
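Review bot: The `/usr/local/bin/proxy_dns_forward.bash` task only echoes a warning when nothing listens on `127.0.0.1:53`, and because `echo` exits 0 the play continues with the resolver unforwarded — on a tor/whonix host that is exactly the state in which DNS leaks — so it should either run the forwarder or fail: `netstat -nlpe4 | grep -q '127\.0\.0\.1:53[[:space:]]' || { echo 'ERROR: run /usr/local/bin/proxy_dns_forward.bash'; exit 1; }`. The anchored pattern also matters, since the unescaped `127.0.0.1:53` matches a listener on `127.0.0.1:5353` too. The `assert` templates inside `that:` (`'{{PROXY_DNS_PROXY}}' in ['socat']`), which Ansible warns about; the bare expression `PROXY_DNS_PROXY in ['socat']` is what is meant.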

139
tasks/dns.yml Normal file

@ -0,0 +1,139 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "dns.yml"
debug:
verbosity: 1
msg: "dns.yml PROXY_DNS_PROXY={{PROXY_DNS_PROXY}}"
- name: /etc/hostname
shell: |
grep -q localhost /etc/hostname && echo {{inventory_hostname}} > /etc/hostname
exit 0
when:
- ansible_distribution in ['Ubuntu', 'Debian', 'Devuan']
check_mode: false
- name: /etc/hosts
shell: |
grep '^127.0.0.1.* {{inventory_hostname}}' /etc/hosts || \
sed -e 's@^127.0.0.1.*@\& {{inventory_hostname}}@' -i /etc/hosts
exit 0
- assert:
that:
- '"{{ PROXY_DNS_PROXY }}" in ["dnsmasq", "dnscrypt"]'
- '"{{ PROXY_DNS_PROXY }}" not in ["pdnsd"]'
- '"{{ PROXY_DNS_NETMAN }}" in {{PROXY_DNS_NETMAN_ALL}}'
- name: "include 'netman.yml tasks"
include_tasks: "netman.yml"
when: PROXY_DNS_NETMAN == 'networkmanager'
- set_fact:
PROXY_DNS_PROXY: "socat"
when:
- BOX_WHONIX_PROXY_HOST != "" or BOX_OS_FLAVOR|default('') in ['WhonixWorkstation' , 'WhonixGateway'] or PROXY_MODE in ['tor', 'selektor']
- set_fact:
PROXY_DNS_PROXY: "dnsmasq"
when:
- BOX_WHONIX_PROXY_HOST != ""
- BOX_OS_FLAVOR|default('') != 'WhonixWorkstation' and BOX_OS_FLAVOR|default('') != 'WhonixGateway'
- false
- name: "include dns-dnscrypt.yml tasks"
include_tasks: "dns-dnscrypt.yml"
when: PROXY_DNS_PROXY == "dnscrypt"
- name: "include dns-dnsmasq.yml tasks"
include_tasks: "dns-dnsmasq.yml"
when: PROXY_DNS_PROXY == "dnsmasq"
- name: "include dns-socat.yml tasks"
include_tasks: "dns-socat.yml"
when: PROXY_DNS_PROXY == "socat"
# System hook scripts are found in /lib/dhcpcd/dhcpcd-hooks and the user defined hooks are /etc/dhcpcd.enter-hook
# dhclient->resolvconf overwrites this - for now, use testforge.start for things like starbucks
# https://www.techrepublic.com/article/pro-tip-take-back-control-of-resolv-conf/
# https://www.linuxquestions.org/questions/slackware-14/how-to-prevent-wicd-overwriting-etc-resolv-conf-4175488551/
- name: "/etc/resolv.conf"
blockinfile:
dest: /etc/resolv.conf
marker: "# {mark} ANSIBLE MANAGED BLOCK privacy"
create: yes
block: |
nameserver 127.0.0.1
when:
- PROXY_DNS_PROXY in ['dnscrypt', 'dnsmasq', 'socat']
# stop dhclient from overwriting resolv.conf
# with scripts in /lib/dhcpcd/dhcpcd-hooks/
# FixMe: /etc/dhcp/dhcp-client.conf?
# dnscrypt is not a system service
- name: "service disable not {{PROXY_DNS_PROXY}}"
service:
enabled: '{{ "yes" if PROXY_DNS_PROXY == "{{ item }}" else "no" }}'
state: '{{ "started" if PROXY_DNS_PROXY == "{{ item }}" else "stopped" }}'
name: "{{ item }}"
with_items:
# leave 'dnsmasq' running
# maybe shutting dnsmasq shuts NetworkManager?
- "{{PROXY_DNS_PROXY}}"
# "dnscrypt" is not a system service
ignore_errors: true
when:
- ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS
- name: "service disable not {{PROXY_DNS_NETMAN}}"
service:
enabled: '{{ "yes" if PROXY_DNS_NETMAN == "{{ item }}" else "no" }}'
state: '{{ "started" if PROXY_DNS_NETMAN == "{{ item }}" else "stopped" }}'
name: "{{ item }}"
with_items: "{{ PROXY_DNS_NETMAN_ALL }}"
ignore_errors: true
when:
- ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS
- name: "/etc/dhcpcd.conf {{ansible_distribution}}"
blockinfile:
dest: "{{ item }}"
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
create: true
block: |
# we route dns queries through tor
# we will configure ntp generically
nohook resolv.conf,ntp.conf
# with_first_found:
with_items:
- /etc/dhcpcd.conf
when:
- "'run_dnsmasq' in PROXY_FEATURES"
- name: "/etc/resolvconf.conf"
lineinfile:
dest: /etc/resolvconf.conf
create: true
regexp: "{{ item.name }}"
line: "{{ item.val }}"
with_items:
- { name: "^#*resolvconf=.*", val: "resolvconf=no" }
- { name: "^#*name_servers=.*", val: "name_servers=127.0.0.1" }
- { name: "^#*resolv_conf.*", val: "resolv_conf=/etc/resolv.conf" }
when:
- ansible_distribution == 'Gentoo'
- "'run_dnsmasq' in PROXY_FEATURES"
# /etc/resolvconf/update.d/ for Ubuntu
# /etc/resolvconf/update.d/dnsmasq for Debian
- name: "/etc/resolvconf/update.d/dnsmasq"
shell: |
[ -f /etc/resolvconf/update.d/dnsmasq ] || exit 0
chmod 644 /etc/resolvconf/update.d/dnsmasq
mv /etc/resolvconf/update.d/dnsmasq /etc/resolvconf/update.d/.dnsmasq
when:
- PROXY_DNS_PROXY != ""
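Review bot: In the two `service disable not …` tasks the comparison `PROXY_DNS_PROXY == "{{ item }}"` sits inside an outer `{{ … }}`, so the inner moustache is a literal string to Jinja and the test is never true; the net effect is `enabled: no` / `state: stopped` for every item — including `{{PROXY_DNS_PROXY}}` itself, which this task exists to start — unless the Ansible in use re-templates nested delimiters, which should not be relied on. Use plain expressions: `enabled: "{{ PROXY_DNS_PROXY == item }}"` and `state: "{{ 'started' if PROXY_DNS_PROXY == item else 'stopped' }}"`, and likewise for `PROXY_DNS_NETMAN`. The `/etc/resolv.conf` task appends a `nameserver 127.0.0.1` block with `blockinfile` (EOF by default) but leaves any existing `nameserver` lines above it, and the resolver tries entries in order, so DHCP-supplied upstreams are still queried first; write the whole file with `copy:` content or remove other `nameserver` lines in the same task. The `assert` also templates inside `that:` (`"{{ PROXY_DNS_PROXY }}" in […]`); the bare form `PROXY_DNS_PROXY in ["dnsmasq", "dnscrypt"]` avoids the warning and the quoting trap.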

97
tasks/hourly.yml Normal file

@ -0,0 +1,97 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy hourly.yml"
debug:
verbosity: 1
msg: "proxy hourly.yml"
- block:
- name: check privoxy is listening
shell: |
echo '{{ proxy_netstat_nlp_fact.stdout|default('')}}' | grep ':{{HTTP_PROXYPORT}}'
ignore_errors: true # FixMe: defer to hourly.bash
when:
- HTTP_PROXYPORT != ''
when:
- PROXY_MODE in ['tor', 'whonix']
- proxy_netstat_nlp_fact is defined and proxy_netstat_nlp_fact.rc == 0
- block:
- name: "check dns is listening"
shell: |
# ip route | grep ^default || exit 0
. /usr/local/etc/local.d/local.bash
echo '{{ proxy_netstat_nlp_fact.stdout}}' | grep ':53' || { exit 1 ; }
echo '{{proxy_netstat_nlp_fact.stdout}}' | grep ':{{PROXY_DNS_PORT}}' || {
proxy_rc_service {{PROXY_DNS_PROXY}} status || proxy_rc_service {{PROXY_DNS_PROXY}} start || exit 1
sleep 10
netstat -nl -t inet | grep ':{{PROXY_DNS_PORT}}' && exit 0
echo ERROR: {{PROXY_DNS_PROXY}} is not running
exit 2
}
ignore_errors: true # FixMe: defer to hourly.bash
when:
- ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS
- BOX_PROXY_MODE != 'nat'
when:
- PROXY_DNS_PROXY == "dnsmasq"
- not ansible_check_mode
- proxy_netstat_nlp_fact is defined
- name: check route
shell: |
ip route | grep default || \
echo WARN: no default route
- name: check eix-update
shell: |
eix-update
args:
creates: /var/cache/eix/portage.eix
when:
- ansible_distribution == 'Gentoo'
- name: check resolv.conf
shell: |
grep 127.0.0.1 /etc/resolv.conf || {
echo WARN: /etc/resolv.conf is not local
echo nameserver 127.0.0.1 > /etc/resolv.conf
}
exit 0
when:
- PROXY_DNS_PROXY in ["pdnsd", "dnsmasq"]
- not ansible_check_mode
# - BASE_ARE_CONNECTED|default('') != ''
- name: check /etc/sysctl.conf
shell: |
cd /etc/sysctl.d
cat *.conf | grep '^[a-z]' | while read elt rest ; do
grep "^$elt" ../sysctl.conf && echo WARN: dup "^$elt" in ../sysctl.conf
done
exit 0
# This is dupped on daily/weekly/monthly
# [ $MYID -eq 0 ] || echo WARN: $prog should be run as root $MYID
- name: run proxy_hourly.bash
environment: "{{ shell_proxy_env }}"
shell: |
umask 0027
echo "INFO: proxy_log_hourly"
cd {{USR_LOCAL}}/bin
[ -x proxy_hourly.bash ] || exit 0
bash proxy_hourly.bash
register: proxy_log_hourly
notify: summary of logs
when:
- not ansible_check_mode
- ansible_connection not in PLAY_CHROOT_CONNECTIONS
# FixMe
ignore_errors: true
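Review bot: `check privoxy is listening` and `check dns is listening` splice the registered netstat output into a shell script with `echo '{{ proxy_netstat_nlp_fact.stdout }}'`; the `-p` column carries process names, which any local user can set for a process they own that listens on a high port, so a single `'` in a program name breaks the quoting and the remainder runs inside this root-executed task — a local-to-root command injection, not merely a fragility. Do the match in Ansible rather than in the shell, e.g. `failed_when: (':' ~ HTTP_PROXYPORT) not in proxy_netstat_nlp_fact.stdout` on a `command: /bin/true`, or re-run `netstat` inside the script and grep its output there, as the DNS check already does on its retry. In `check dns is listening`, `netstat -nl -t inet` passes `inet` as a stray positional argument rather than `-A inet`; I would confirm this against the net-tools version being targeted. `check resolv.conf` rewrites `/etc/resolv.conf` for `pdnsd`/`dnsmasq` only, while dns.yml also treats `socat` as a local resolver, so the two lists should be the same.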

39
tasks/local_connection.yml Executable file

@ -0,0 +1,39 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: Including proxy local_connection.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy local_connection.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"
- block:
- name: Convert-WindowsImage-and-Resize-VHDX-Command.zip
shell: |
[ -e /e/net/Http/devblogs.microsoft.com/wp-content/uploads/sites/32/2019/03/Convert-WindowsImage-and-Resize-VHDX-Command.zip ] || \
wget --restrict-file-names=windows -xcP /e/net/Http/devblogs.microsoft.com/wp-content/uploads/sites/32/2019/03/Convert-WindowsImage-and-Resize-VHDX-Command.zip
[ -d /e/lib/PowerShell ] || mkdir /e/lib/PowerShell
[ -f /e/lib/PowerShell/"Convert-WindowsImage.ps1" ] || \
unzip -o /e/tmp/Topics/ConvertVhd/devblogs.microsoft.com/wp-content/uploads/sites/32/2019/03/Convert-WindowsImage-and-Resize-VHDX-Command.zip \
-d /e/lib/PowerShell
# 206326 Defl:N 35661 83% 2017-01-18 21:01 816b27ad Convert-WindowsImage.ps1
# 173 Defl:N 141 19% 2017-01-21 11:08 51449cb6 ReSize VHDX Commands.t
- name: dsfok.zip
shell: |
# https://stackoverflow.com/questions/37481737/error-when-converting-vmware-virtual-disk-to-hyperv
# https://gist.github.com/sukesh-ak/9a633c48ceefe9560b8f2eb5d8fcff72
# https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-upload-generic
# https://gist.github.com/rahilwazir/69a750b70348459875cbf40935af02cbxf
[ -d https://web.archive.org/web/20190910101150/http://members.ozemail.com.au/%7Enulifetv/freezip/freeware/dsfok.zip ] || \
wget --restrict-file-names=windows -xcP /e/var/local/net/Http \
https://web.archive.org/web/20190910101150/http://members.ozemail.com.au/%7Enulifetv/freezip/freeware/dsfok.zip || exit 1
[ -d /e/lib/dsfok ] || {
unzip /e/var/local/net/Http/web.archive.org/web/20190910101150/http%3A/members.ozemail.com.au/~nulifetv/freezip/freeware/dsfok.zip -d /e/lib
exit 2
}
when:
- BASE_ARE_CONNECTED|default('') != ''
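Review bot: In `Convert-WindowsImage-and-Resize-VHDX-Command.zip` the wget line has no URL — the full zip path is given as the `-P` prefix and the `https://devblogs.microsoft.com/…` argument is missing — so wget exits with a usage error, and the subsequent `unzip` reads from `/e/tmp/Topics/ConvertVhd/…`, a path nothing in this task populates; it presumably worked once against a pre-existing local tree. In `dsfok.zip`, `[ -d https://web.archive.org/… ]` tests for a directory named after the URL and is always false, and the `{ unzip …; exit 2; }` branch makes the task fail on exactly the run that extracts the archive. Both tasks pull executables (a PowerShell script from a blog post and freeware binaries via a web.archive.org snapshot) with no checksum; since the snapshot timestamp is already pinned, pinning a sha256 alongside it (`get_url:` with `checksum: sha256:…`) costs nothing and makes the download verifiable.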

416
tasks/main.yml Normal file

@ -0,0 +1,416 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy main.yml CORP_NTLM_PROXY={{ CORP_NTLM_PROXY | default('') }}"
debug:
verbosity: 1
msg: "DEBUG: Including proxy main.yml"
- name: include proxy by-platform vars
include_vars: "{{item}}.yml"
with_items:
- Unix
- "{{ ansible_distribution }}{{ ansible_distribution_major_version }}"
tags: always
- name: "rsync proxy root_overlay"
synchronize:
src: "roles/proxy/overlay/{{item}}/"
dest: /
compress: no
copy_links: yes
archive: no
recursive: yes
links: no
owner: no
perms: no
times: yes
rsync_opts: "{{base_rsync_opts}}"
with_items:
- Linux
- "{{ ansible_distribution }}"
notify:
#? - chmod /usr/local
- update-ca-certificates
when:
- not ansible_check_mode
# FixAns: This remote host is being accessed via chroot instead so it cannot work
- ansible_connection|default('') not in PLAY_NORSYNC_CONNECTIONS
tags:
- always
- name: rsync root_overlay - the tar gets made by a make before running
unarchive:
dest: /
src: "{{item}}.tar"
keep_newer: true
owner: "{{BOX_ROOT_USER}}"
# extra_opts: "{{ BASE_UNTAR_ARGS }}"
ignore_errors: true
with_items:
- Linux
- "{{ ansible_distribution }}"
notify:
#? - chmod /usr/local
- update-ca-certificates
when:
- not ansible_check_mode
# FixAns: This remote host is being accessed via chroot instead so it cannot work
- ansible_connection|default('') in PLAY_NORSYNC_CONNECTIONS
- name: "grep -q root=/dev/vda /proc/cmdline "
environment: "{{ shell_proxy_env }}"
shell: |
grep -q root=/dev/vda /proc/cmdline
failed_when: false
register: proxy_vda_cmdline_fact
tags:
- always
- name: proxy post tasks first
include_tasks: "proxy_mode.yml"
# We are running these tasks here to set the proxy up to download and install packages
- name: proxy post tasks first
include_tasks: "proxy_post.yml"
- name: include proxy by-platform tasks
include_tasks: "{{ ansible_distribution }}.yml"
- name: "proxy gpg keys system"
# Option --keyserver must be used to
environment: "{{ shell_proxy_env }}"
shell: |
/usr/bin/gpg --list-keys | grep "{{ item.uid }}" || \
/usr/bin/gpg --recv-keys "{{ item.uid }}"
# --keyserver "{{ TESTF_GPG_SERVER }}"
# deprecated - please use the --keyserver in ?dirmngr.conf? instead
with_items: "{{ proxy_gpg_keys_system }}"
when:
- proxy_gpg_keys_system|length > 0
- BASE_ARE_CONNECTED|default('') != ''
# FixMe:
ignore_errors: true
- name: fix pip
shell: |
find /usr/local/lib*/python*/*-packages/pip \
-name filesystem.py | while read file ; do
[ -f $file.dst ] && continue
cp -p $file $file.dst
sed -e 's/path_uid == 0/os.access(path, os.W_OK)/' -i $file
done
exit 0
- block:
- name: /usr/local/patches/proxy
shell: |
[ -d /usr/local/patches/proxy/ ] || exit 0
cd /usr/local/patches/proxy/ || exit 1
ls || exit 2
/usr/local/sbin/base_patch_from_diff.bash *
when:
- true or ansible_distribution == 'Gentoo'
- name: install proxy pips 2
changed_when: false
environment: "{{pip_proxy_env}}"
pip:
executable: "{{BASE_USR_LOCAL}}/bin/pip2.sh"
state: present
extra_args: "{{BASE_PIP_INSTALL_ARGS}} --log {{BASE_LOG_DIR}}/pip/pip2/proxy.log"
name: "{{ proxy_pips2_inst }}"
become: yes
become_user: "{{ BOX_USER_NAME }}"
notify: shebang after pip
when:
- false
# this must be empty aas shebang after pip is in testforge
- proxy_pips2_inst|length > 0
- BASE_ARE_CONNECTED|default('') != ''
- "BASE_PYTHON2_MINOR != ''"
ignore_errors: "{{ base_pip_ignore_errors }}"
- name: install proxy pips 3
changed_when: false
environment: "{{pip_proxy_env}}"
pip:
executable: "{{BASE_USR_LOCAL}}/bin/pip3.sh"
state: present
extra_args: "{{BASE_PIP_INSTALL_ARGS}} --log {{BASE_LOG_DIR}}/pip/pip3/proxy.log"
name: "{{ proxy_pips3_inst }}"
become: yes
become_user: "{{ BOX_USER_NAME }}"
notify: shebang after pip
when:
- false
# this must be empty aas shebang after pip is in testforge
- proxy_pips3_inst|length > 0
- BASE_ARE_CONNECTED|default('') != ''
ignore_errors: "{{ base_pip_ignore_errors }}"
- name: "/usr/local/etc/local.d/Whonix-Lati.rc"
blockinfile:
dest: /usr/local/etc/local.d/Whonix-Lati.rc
create: yes
mode: 0770
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy main.yml start"
insertafter: EOF
block: |
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
#? # this should not run as root
- name: "/usr/local/src/usr_local_python.bash"
environment: "{{ shell_proxy_env }}"
shell: |
umask 0002
#? usr_local_python.bash
[ ! -f usr_local_proxy.bash ] && exit 1
bash usr_local_python.bash \
{{ 'check' if ansible_check_mode }}
args:
chdir: "{{PROXY_USR_LOCAL}}/src"
become: yes
become_user: "{{ BOX_USER_NAME }}"
check_mode: false
# FixMe:
ignore_errors: true
# this should be run as root
- name: run usr_local_src item
environment: "{{ shell_proxy_env }}"
shell: |
umask 0002
bash /usr/local/src/{{item}}.bash
args:
chdir: "{{ PROXY_USR_LOCAL }}/src"
when:
- item != '' and item != []
with_items:
# - "{{ 'sdwdate' if ansible_distribution == 'Gentoo' else '' }}"
- []
- name: "enable and start services"
service:
name: "{{ item }}"
enabled: yes
state: restarted
failed_when: false
when:
- "item != ''"
- ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS
with_items: "{{ proxy_services }}"
# We are running these tasks here to work around handler issues with include_tasks
- name: "proxy post tasks end"
include_tasks: "proxy_post.yml"
- name: "proxy dirmngr tasks end"
include_tasks: "dirmngr.yml"
when:
- "http_proxy != '' or https_proxy != '' or socks_proxy != ''"
- name: "whonix host tasks end"
include_tasks: "{{LOOP_FILE}}.yml"
when:
- LOOP_FILE != '' and LOOP_FILE != []
- ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
with_items:
- "{{ 'whonix_host' if (PROXY_MODE == 'whonix' and BOX_WHONIX_PROXY_HOST != '' ) else [] }}"
loop_control:
loop_var: LOOP_FILE
- name: "whonix guest tasks end"
include_tasks: "whonix_guest.yml"
when:
- "PROXY_MODE in ['gateway','ws', 'vda', 'nat']"
# works?
- ansible_virtualization_role|replace('NA', 'host') == 'guest'
- name: "include_tasks proxy users.yml"
include_tasks:
file: "users.yml"
apply:
environment: "{{ proxy_env }}"
become_user: "{{ LOOP_USER }}"
when:
- LOOP_USER != [] and LOOP_USER != ''
with_items:
# FixMe: need user groups fixing
- root
- "{{ base_system_users }}"
- "{{ proxy_also_users }}"
- "{{ 'portage' if ansible_distribution == 'Gentoo' else '' }}"
loop_control:
loop_var: LOOP_USER
- name: "/usr/local/etc/testforge/testforge.ini BOF"
lineinfile:
dest: "/usr/local/etc/testforge/testforge.ini"
insertbefore: BOF
mode: 0755
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
regexp: "# -.- mode: sh; tab-width: 0; coding: utf-8-unix -.-"
line: "# -*- mode: sh; tab-width: 0; coding: utf-8-unix -*-"
- name: /usr/local/etc/testforge/testforge.ini proxy
blockinfile:
dest: /usr/local/etc/testforge/testforge.ini
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK ini [proxy]"
#? PROXY_VAR_LOCAL={{PROXY_VAR_LOCAL}}
block: |
[proxy]
HTTP_PROXYHOST="{{ HTTP_PROXYHOST }}"
HTTP_PROXYPORT={{HTTP_PROXYPORT}}
HTTP_PROXYTYPE="{{ HTTP_PROXYTYPE }}"
HTTPS_PROXYHOST="{{ HTTPS_PROXYHOST }}"
HTTPS_PROXYPORT={{HTTPS_PROXYPORT}}
HTTPS_PROXYTYPE="{{ HTTPS_PROXYTYPE }}"
SOCKS_PROXYHOST="{{ SOCKS_PROXYHOST }}"
SOCKS_PROXYPORT={{SOCKS_PROXYPORT}}
SOCKS_PROXYTYPE="{{ SOCKS_PROXYTYPE }}"
NO_PROXY="{{ NO_PROXY }}"
CORP_PROXY_PAC="{{ CORP_PROXY_PAC|default('') }}"
CORP_NTLM_PROXY="{{ CORP_NTLM_PROXY|default('') }}"
PROXY_FEATURES={{ PROXY_FEATURES }}
PROXY_DNS_PROXY="{{ PROXY_DNS_PROXY }}"
PROXY_DNS_NETMAN="{{ PROXY_DNS_NETMAN }}"
PROXY_HTTP_PROXY_NAME="{{ PROXY_HTTP_PROXY_NAME|default('privoxy')}}"
PROXY_HTTP_PROXY_PORT="{{ PROXY_HTTP_PROXY_PORT|default(3128)}}"
PROXY_HTTP_PROXY_HOST="{{ PROXY_HTTP_PROXY_HOST|default('127.0.0.1')}}"
notify: update facts
#? PLAY_PIP_CACHE="{{BASE_USR_LOCAL}}/net/Cache/Pip"
- name: /usr/local/etc/testforge/testforge.ini proxy gitconfig
blockinfile:
dest: /usr/local/etc/testforge/testforge.ini
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy main.yml"
block: |
[gitconfig]
# FixMe: this may not be needed
GIT_ALLOW_PROTOCOL="https"
# This may not be needed if you put it in ~/.gitconfig
GIT_SSL_CAINFO="/usr/local/etc/ssl/cacert-testforge.pem"
# FixMe: this may not be needed
# GIT_PROTOCOL_COMMAND="/usr/local/bin/gitproxy.bash"
when:
- true or CORP_NTLM_PROXY|default('') != ''
notify: update facts
- name: "include dns.yml tasks"
include_tasks: "dns.yml"
when:
- PROXY_DNS_PROXY != ''
- name: "include wicd.yml tasks"
include_tasks: "wicd.yml"
when:
- false
- name: "find listening sockets for daily"
environment: "{{ shell_proxy_env }}"
shell: |
netstat -t inet -npl | grep LISTEN
register: proxy_netstat_nlp_fact
failed_when: false
tags:
- always
- name: proxy hourly include_tasks
include_tasks:
file: "hourly.yml"
apply:
environment: "{{ shell_proxy_env }}"
tags:
- always
tags:
- always
# maybe should be in testforge but may use them early
- stat: path=/etc/java-config-2/current-system-vm/jre/lib/net.properties
register: etc_x11_xsession_d
when:
- not ansible_check_mode
- name: "check arp length"
environment: "{{ shell_proxy_env }}"
shell: |
a=`arp -i wlan7|tail -n -1|wc -l`
[ $? -eq 0 ] || exit 1
[ $a -eq 1 ] || exit $a
exit 0
- name: "dnscrypt-proxy address already in use"
shell: |
tail -100 '{{PROXY_VAR_LOCAL}}/var/log/dnscrypt-proxy.log' | grep -q 'bind: address already in use' || \
{ echo 'ERROR: dnscrypt-proxy address already in use' ; exit 1 ; }
when:
- not ansible_check_mode
- PROXY_DNS_PROXY == "dnscrypt"
- PROXY_DNS_PORT != ''
- BASE_ARE_CONNECTED|default('') != ''
- testforge_netstat_nlp_fact is defined
# FixMe: /etc/systemd/system/sntp.service.d/00gentoo.conf
- name: /etc/ntp.conf
blockinfile:
dest: /etc/ntp.conf
marker: "# {mark} ANSIBLE MANAGED BLOCK testforge"
mode: 0640
owner: "{{BOX_ROOT_USER}}"
# group: ntp
create: yes
block: |
# conf.d interface ignore all wlan7
# If you want to deny all machines (including your own)
# from accessing the NTP server, uncomment:
restrict default ignore
# Default configuration:
# - Allow only time queries, at a limited rate, sending KoD when in excess.
# - Allow all local queries (IPv4, IPv6)
#restrict default nomodify nopeer noquery limited kod
restrict 127.0.0.1
restrict [::1]
# You do need to talk to an NTP server or two (or three).
{% for elt in PROXY_NTP_SERVERS %}
server {{ elt }}
{% endfor %}
# {{ PROXY_NTP_SERVERS|join('\n') }}
when:
- "BOX_TIME_DAEMON == 'ntp'"
- name: apt-get update
raw: |
[ -f /var/log/dpkg.log ] || apt-get update
when:
- ansible_distribution in ['Ubuntu', 'Debian', 'Deuvan']
- BASE_ARE_CONNECTED|default('') != ''
ignore_errors: true
check_mode: false
- name: base gpg keys system
# Option --keyserver must be used to
environment: "{{ shell_env }}"
shell: |
/usr/bin/gpg --list-keys | grep "{{ item.uid }}" || \
/usr/bin/gpg --recv-keys "{{ item.uid }}" --keyserver "{{ BASE_GPG_SERVER }}"
with_items: "{{ base_gpg_keys_system }}"
when:
- proxy_gpg_keys_system|length > 0
- BASE_ARE_CONNECTED|default('') != ''
# FixMe:
ignore_errors: true

80
tasks/netman.yml Normal file

@ -0,0 +1,80 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- block:
- name: "/etc/NetworkManager/pre-up.d/"
file:
dest: "{{ item }}"
state: directory
mode: 0755
owner: "{{BOX_ROOT_USER}}" # required
with_items:
- /etc/NetworkManager/dispatcher.d/pre-up.d/
# what about -resolvconf on Gentoo?
# see /etc/resolvconf/update.d/dnsmasq on Debian
# see /etc/dhcp/dhclient-exit-hooks.d/ntpdate on Debian
# see also etc/network/if-down.d/ on Debian
# and etc/ppp/ip-down.d/
- name: "/etc/NetworkManager/dispatcher.d/20-resolv-conf-override"
lineinfile:
path: /etc/NetworkManager/dispatcher.d/20-resolv-conf-override
create: yes
mode: 0755
insertafter: BOF
line: "#!/bin/sh"
regexp: "#./bin/sh"
- name: "/etc/NetworkManager/dispatcher.d/20-resolv-conf-override dnscrypt"
blockinfile:
path: /etc/NetworkManager/dispatcher.d/20-resolv-conf-override
create: yes
mode: 0755
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dnscrypt"
block: |
[ -f /etc/resolv.conf.localhost ] || echo nameserver 127.0.0.1 > /etc/resolv.conf.localhost
[ -f /etc/resolv.conf.dnscrypt ] && \
[ -d /run/resolvconf ] && \
cp -f /etc/resolv.conf.dnscrypt /run/resolvconf/resolv.conf
exit 0
state: "{{ 'present' if PROXY_DNS_PROXY == 'dnscrypt' else 'absent' }}"
- name: "/etc/NetworkManager/dispatcher.d/20-resolv-conf-override dnscrypt"
blockinfile:
path: /etc/NetworkManager/dispatcher.d/20-resolv-conf-override
create: yes
mode: 0755
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dnsmasq"
state: "{{ 'present' if PROXY_DNS_PROXY == 'dnsmasq' else 'absent' }}"
block: |
[ -f /etc/resolv.conf.localhost ] || echo nameserver 127.0.0.1 > /etc/resolv.conf.localhost
diff -q /etc/resolv.conf.localhost /etc/resolv.conf || \
cp -f /etc/resolv.conf.localhost /etc/resolv.conf
[ -d /run/resolvconf ] && \
cp -f /etc/resolv.conf.localhost /run/resolvconf/resolv.conf
[ -f /etc/resolvconf.conf ] || cat > /etc/resolvconf.conf <<EOF
resolvconf=no
name_servers=127.0.0.1
resolv_conf=/etc/resolv.conf
EOF
exit 0
#? FixMe: link to wicd/scripts - WHY pre-up? was dest/src swapped
- name: "/etc/NetworkManager/dispatcher.d/20-resolv-conf-override link"
file:
src: /etc/NetworkManager/dispatcher.d/20-resolv-conf-override
dest: /etc/NetworkManager/dispatcher.d/pre-up.d/20-resolv-conf-override
state: "{{'link' if PROXY_DNS_PROXY in ['dnscrypt', 'dnsmasq'] else 'absent'}}"
when:
- not ansible_check_mode
when: PROXY_DNS_NETMAN == 'networkmanager'
# wicd
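Review bot: The dnscrypt block of `20-resolv-conf-override` only rewrites `/run/resolvconf/resolv.conf`, so on a host where NetworkManager or the DHCP client writes `/etc/resolv.conf` directly (no `/run/resolvconf`), the leased resolvers stay in place and lookups bypass dnscrypt-proxy, whereas the dnsmasq block two tasks down handles both files. Mirroring it with `diff -q /etc/resolv.conf.dnscrypt /etc/resolv.conf || cp -f /etc/resolv.conf.dnscrypt /etc/resolv.conf` before the `exit 0` closes that gap. Whether NetworkManager regenerates resolv.conf again after the dispatcher returns depends on its `dns=` setting, which this file does not show, so `dns=none` in NetworkManager.conf may be needed as well — worth confirming. Both blocks also run for every dispatcher action, not only `up`/`dhcp4-change`, since nothing inspects `$2`; a `case "$2" in up|dhcp4-change|dhcp6-change) ;; *) exit 0 ;; esac` just after the shebang keeps the override from firing on `down`.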

150
tasks/proxy_mode.yml Normal file

@ -0,0 +1,150 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy proxy_mode.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy proxy_mode.yml {{lookup('env', 'MODE')}}"
- block:
# takes precedence but This may notbe installed yet on first check
- name: PROXY_MODE from proxy_whonix_mode
environment: "{{ shell_no_proxy_env }}"
shell: |
[ -x /usr/local/bin/proxy_ping_lib.bash ] || exit 0
/usr/local/bin/proxy_ping_lib.bash proxy_whonix_mode
register: proxy_whonix_mode
when:
# - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
- "PROXY_MODE|default('') == ''"
- name: PROXY_MODE from proxy_whonix_mode
environment: "{{ shell_no_proxy_env }}"
shell: |
[ -x /usr/local/bin/proxy_ping_lib.bash ] || exit 0
/usr/local/bin/proxy_ping_lib.bash proxy_whonix_mode
register: proxy_whonix_mode
when:
# env takes precedence
- "PROXY_MODE|default('') == ''"
- name: PROXY_MODE proxy_whonix_mode
set_fact:
PROXY_MODE: "{{proxy_whonix_mode.stdout}}"
when:
- "PROXY_MODE|default('') == ''"
- proxy_whonix_mode.rc == 0
# WTF? 'dict object' has no attribute 'stdout'
ignore_errors: true
- name: PROXY_MODE from inventory
set_fact:
PROXY_MODE: "{{BOX_PROXY_MODE}}"
when:
# env takes precedence over hosts.yml
- "PROXY_MODE|default('') == ''"
check_mode: false
- name: PROXY_MODE != ''
assert:
that:
- PROXY_MODE != ''
- name: PROXY_MODE == 'tor'
set_fact:
PROXY_FEATURES: "['run_tor', 'run_dnsmasq', 'run_polipo'] + {{BOX_PROXY_FEATURES}}"
when:
- PROXY_MODE == 'tor'
- BOX_WHONIX_PROXY_HOST == ""
- name: PROXY_MODE == 'whonix'
set_fact:
PROXY_FEATURES: "['run_dnsmasq', 'run_polipo', 'run_sdwdate'] + {{BOX_PROXY_FEATURES}}"
when:
- PROXY_MODE in ['selektor', 'whonix'] and BOX_WHONIX_PROXY_HOST != ""
- name: PROXY_MODE == 'vda'
set_fact:
PROXY_FEATURES: "[] + {{BOX_PROXY_FEATURES}}"
# vda is generic and has to be configured from inventory
when:
- PROXY_MODE == 'vda' and BOX_WHONIX_PROXY_HOST != "" or
proxy_vda_cmdline_fact.rc|default(1) == 0
- name: PROXY_MODE == 'nat'
set_fact:
PROXY_FEATURES: "[] + {{BOX_PROXY_FEATURES}}"
when:
- PROXY_MODE == 'nat' and BOX_WHONIX_PROXY_HOST != ""
- name: PROXY_MODE == 'ws' or PROXY_MODE == 'workstation'
set_fact:
PROXY_FEATURES: "['run_dnsmasq', 'run_polipo'] + {{BOX_PROXY_FEATURES}}"
when:
- PROXY_MODE == 'ws' or PROXY_MODE == 'workstation'
or BOX_OS_FLAVOR|default('') == 'WhonixWorkstation'
- name: PROXY_MODE == 'gateway'
set_fact:
PROXY_FEATURES: "[] + {{BOX_PROXY_FEATURES}}"
when:
- PROXY_MODE == 'gateway' or BOX_OS_FLAVOR|default('') == 'WhonixGateway'
- name: PROXY_DNS_PROXY dnsmasq
set_fact:
PROXY_DNS_PROXY: dnsmasq
when:
- "'run_dnsmasq' in PROXY_FEATURES"
- name: BOX_TIME_DAEMON sdwdate
set_fact:
BOX_TIME_DAEMON: sdwdate
when:
- "'run_sdwdate' in PROXY_FEATURES"
- block:
- debug:
msg: "including proxy_export.txt"
- name: "make a tempfile for proxy_export.txt"
tempfile:
state: file
delegate_to: localhost
register: proxy_export_txt_file
- name: "create REMOTE proxy_export.txt"
environment: "{{ shell_no_proxy_env }}"
shell: |
PROXY_MODE={{PROXY_MODE}}
. /usr/local/bin/proxy_export.bash
cat > /tmp/proxy_export.txt << EOF
http_proxy: "$http_proxy"
https_proxy: "$https_proxy"
socks_proxy: "$socks_proxy"
no_proxy: "$no_proxy"
RSYNC_PROXY: "$RSYNC_PROXY"
EOF
exit 0
- name: "slurp REMOTE proxy_export.txt"
slurp:
src: "/tmp/proxy_export.txt"
register: proxy_export_txt
- name: "copy slurped proxy_export.txt to tempfile"
copy:
dest: "{{ proxy_export_txt_file.path}}"
content: "{{ proxy_export_txt['content']|b64decode }}"
delegate_to: localhost
- name: "include copied proxy_export.txt"
include_vars: "{{proxy_export_txt_file.path}}"
check_mode: false
rescue:
- debug:
msg: "WARN: error including proxy_export.txt"
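Review bot: `create REMOTE proxy_export.txt` writes to the fixed path `/tmp/proxy_export.txt` on the managed host and the file is then slurped and handed to `include_vars`, so a local user there who pre-creates that file owns the outcome: with `fs.protected_regular` on, root's `cat >` is refused but the script still `exit 0`s and the attacker's content is slurped; without it, root truncates an attacker-owned file the attacker can rewrite before the slurp. Since `include_vars` loads every key in the file, that is arbitrary play-variable injection, not just a bad `http_proxy`. Emitting the YAML on stdout and loading it with `from_yaml` removes the remote temp file, the controller-side `tempfile` (which is never deleted) and the slurp/copy round trip; the rewrite below does that — note the values become facts rather than `include_vars` vars, which sit higher in precedence. The two `PROXY_MODE from proxy_whonix_mode` tasks are identical apart from the commented-out chroot condition, and the second just re-registers the same result, so one of them can go.
```yaml
    - name: "read proxy_export vars from the remote"
      environment: "{{ shell_no_proxy_env }}"
      shell: |
        PROXY_MODE={{PROXY_MODE}}
        . /usr/local/bin/proxy_export.bash
        # values must not contain a double quote or the YAML below breaks
        cat << EOF
        http_proxy: "$http_proxy"
        https_proxy: "$https_proxy"
        socks_proxy: "$socks_proxy"
        no_proxy: "$no_proxy"
        RSYNC_PROXY: "$RSYNC_PROXY"
        EOF
      register: proxy_export_out
      changed_when: false
    - name: "load proxy_export vars"
      set_fact: "{{ proxy_export_out.stdout | from_yaml }}"
    # … unchanged: check_mode, rescue …
```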

399
tasks/proxy_post.yml Normal file

@ -0,0 +1,399 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# NB - dirmngr fails incomprehesibly if there are repeated commands in conf
- name: "DEBUG: proxy proxy_post.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy proxy_post.yml"
- name: if there is no /etc/cntlm.conf it has not been installed
stat: path=/etc/cntlm.conf
register: cntlm_conf_fact
- block:
# make sure double quotes do not end up in the cntlm.conf
- lineinfile:
dest: /etc/cntlm.conf
regexp: "^#* *{{item.name}}.*"
line: "{{item.name}} {{item.val}}"
state: present
with_items:
- { name: Username, val: "{{ MY_CORP_USER }}" }
- { name: Domain, val: "{{ MY_CORP_DOMAIN }}" }
- { name: Password, val: "{{ MY_CORP_PASS }}" }
- { name: Proxy, val: "{{NTLM_PROXYHOST}}:{{NTLM_PROXYPORT}}" }
- { name: NoProxy, val: "{{ NO_PROXY }}" }
- { name: Listen, val: "{{CNTLM_BIND_IP}}:{{CNTLM_HTTP_PORT}}" }
- { name: SOCKS5Proxy, val: "{{ CNTLM_SOCKS_PORT }}"}
- lineinfile:
dest: /etc/cntlm.conf
regexp: "^Proxy.*8080"
state: absent
- name: enable and start cntlm
service:
name: cntlm
enabled: yes
state: restarted
register: retval
failed_when: false
when: ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
# FixMe: test to see if cntlm has started
- stat: path="{{ cntlm_pid_file }}"
register: cntlm_pid
# only if its started do we override
- name: override HTTP_PROXY with retval is success
set_fact: >
HTTP_PROXY=http://127.0.0.1:{{CNTLM_HTTP_PORT}}
HTTP_PROXYHOST=127.0.0.1
HTTP_PROXYPORT={{NTLM_PROXYPORT}}
HTTP_PROXYTYPE=http
HTTPS_PROXY=http://127.0.0.1:{{CNTLM_HTTP_PORT}}
HTTPS_PROXYHOST=127.0.0.1
HTTPS_PROXYPORT={{NTLM_PROXYPORT}}
HTTPS_PROXYTYPE=http
# this works with cntlm as we configured it
SOCKS_PROXY=socks5://127.0.0.1:{{CNTLM_SOCKS_PORT}}
SOCKS_PROXYHOST=127.0.0.1
SOCKS_PROXYPORT={{CNTLM_SOCKS_PORT}}
SOCKS_PROXYTYPE=socks5
when: retval.rc|default(0) == 0 and cntlm_pid.stat.exists == true
- name: override HTTP_PROXY with retval is failed
set_fact: >
HTTP_PROXY=http://{{NTLM_PROXYHOST}}:{{NTLM_PROXYPORT}}
HTTP_PROXYHOST={{NTLM_PROXYHOST}}
HTTP_PROXYPORT={{NTLM_PROXYPORT}}
HTTP_PROXYTYPE=http
HTTPS_PROXY=http://{{NTLM_PROXYHOST}}:{{NTLM_PROXYPORT}}
HTTPS_PROXYHOST={{NTLM_PROXYHOST}}
HTTPS_PROXYPORT={{NTLM_PROXYPORT}}
HTTPS_PROXYTYPE=http
# dunno if this works
SOCKS_PROXY=socks5://{{NTLM_PROXYHOST}}:9050
SOCKS_PROXYHOST={{NTLM_PROXYHOST}}
SOCKS_PROXYPORT=9050
SOCKS_PROXYTYPE=socks5
when: retval.rc|default(1) == 0 or cntlm_pid.stat.exists == false
#? does retval.rc exist?
- debug:
msg: "proxy/tasks/main.yml cntlm.rc={{cntlm_pid.stat.exists}} HTTP_PROXY={{ HTTP_PROXY }}"
when: NTLM_PROXYPORT != '' and cntlm_conf_fact.stat.exists == true
- name: gather the http_proxy information together for subsequent roles
set_fact:
proxy_env:
TERM: "linux"
http_proxy: "{{ HTTP_PROXY }}"
https_proxy: "{{ HTTPS_PROXY }}"
socks_proxy: "{{ SOCKS_PROXY }}"
ftp_proxy: "{{ HTTP_PROXY }}"
no_proxy: "{{ NO_PROXY }}"
SSL_CERT_FILE: "{{ SSL_CERT_FILE|default(PLAY_CA_CERT) }}"
RSYNC_PROXY: "{{ HTTP_PROXY|replace('http://', '') }}"
no_proxy_env:
TERM: "linux"
http_proxy: "http://127.0.0.1:9999"
https_proxy: "http://127.0.0.1:9999"
socks_proxy: "socks4://127.0.0.1:9999"
ftp_proxy: "ftp://127.0.0.1:9999"
no_proxy: "{{ NO_PROXY|default('127.0.0.1,localhost') }}"
RSYNC_PROXY: "http://127.0.0.1:9999"
- set_fact:
# allowed out {'PATH': PATH, 'PYTHONPATH': '' }
shell_proxy_env: "{{ proxy_env|combine(shell_env) }}"
# forbidden out {'PATH': PATH, 'PYTHONPATH': '' }
shell_no_proxy_env: "{{ no_proxy_env|combine(shell_env) }}"
apt_env: {'RUNLEVEL': 1}
- set_fact:
portage_proxy_env: "{{ shell_proxy_env }}"
# we're letting pip out to install but with --nodeps
# so that we must list a prerequisites expcitly
# and to prevent it from having a free hand.
pip_proxy_env: "{{ shell_proxy_env }}"
apt_proxy_env: "{{ proxy_env|combine(apt_env) }}"
#- name: "roles/proxy/tasks/main.yml"
# debug: msg="roles/proxy/tasks/main.yml NTLM_PROXYPORT={{ NTLM_PROXYPORT }}"
- name: roles/proxy/tasks/ _post.yml
include_tasks: "roles/proxy/tasks/{{ ansible_distribution }}_post.yml"
# sync this with ../../roles/base/overlay/Linux/usr/local/share/scripts/bootstrap_proxy.bash
# no global setting for this now
- name: /etc/wgetrc without proxy
blockinfile:
dest: /etc/wgetrc
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
block: |
#http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
#https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
no_proxy={{ NO_PROXY }}
ca-certificate = /usr/local/etc/ssl/cacert-testforge.pem
check_certificate = on
# dont change the environment for everyon with env.d/70proxy
# maually include box_proxy_tor.bash -> ~/bin/tor.sh
- name: proxy http export
blockinfile:
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http"
state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
block: |
export http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
export https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
export no_proxy="{{ NO_PROXY }}"
export RSYNC_PROXY={{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
with_items:
- {dest: "{{BASE_SCRIPT_DIR}}/box_proxy_tor.bash", owner: "{{BOX_ROOT_USER}}", group: "{{BOX_ROOT_GROUP}}", mode: "0755" }
when: false
- name: /usr/local/share/scripts/box_proxy_tor.bash socks
blockinfile:
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy socks"
state: "{{ 'present' if SOCKS_PROXYHOST != '' else 'absent' }}"
block: |
export socks_proxy={{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
with_items:
- {dest: "{{BASE_SCRIPT_DIR}}/box_proxy_tor.bash", owner: "{{BOX_ROOT_USER}}", group: "{{BOX_ROOT_GROUP}}", mode: "0644" }
when: false
- name: /etc/privoxy/config.whonix socks
blockinfile:
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy socks"
state: "{{ 'present' if SOCKS_PROXYHOST != '' else 'absent' }}"
block: |
# https://tor.stackexchange.com/questions/947/socks-server-with-dynamic-traffic-routing-trought-tor-i2p-depending-on-the-e
forward .i2p 127.0.0.1:4444
forward-socks5t / {{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}} .
with_items:
- { dest: "/etc/privoxy/config.whonix", owner: "root", group: "root", mode: "0644" }
- { dest: "/etc/privoxy/config.tor", owner: "root", group: "root", mode: "0644" }
- { dest: "/etc/privoxy/config.nat", owner: "root", group: "root", mode: "0644" }
- { dest: "/etc/privoxy/config.selektor", owner: "root", group: "root", mode: "0644" }
when:
- SOCKS_PROXYHOST != '' and SOCKS_PROXYPORT != ''
- "PROXY_MODE|default('') in ['tor', 'whonix', 'selektor']"
- name: check if /etc/gnupg/gpgconf.conf exists
stat: path=/etc/gnupg/gpgconf.conf
register: etc_gpgconf_fact
- name: /etc/gnupg/gpgconf.conf
lineinfile:
dest: "/etc/gnupg/gpgconf.conf"
# insertbefore: BOF
mode: 0755
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
state: "{{item.state}}"
regexp: "^#*{{item.key}} {{item.val}}.*"
line: "{{item.key}} {{item.val}}{{item.value}}"
with_items:
- key: keyserver-options
val: http-proxy=
value: "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}"
# gpg: keyserver option 'https-proxy' is unknown
state: absent # "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
- key: keyserver-options
val: https-proxy=
value: "{{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}"
# gpg: keyserver option 'https-proxy' is unknown
state: absent # "{{ 'present' if HTTPS_PROXYHOST != '' else 'absent' }}"
- key: keyserver
val: hkp://keys.gnupg.net
value: ""
state: "present"
- key: keyserver-options
val: verbose
value: ""
state: absent # is unknown "present"
- key: keyserver-options
val: "options "
value: "/etc/dirmngr/dirmngr.conf"
state: absent # is unknown "present"
when:
- not ansible_check_mode
- etc_gpgconf_fact.stat.exists == true
- name: check if /etc/npmrc exists
stat: path=/etc/npmrc
register: npm_npmrc_fact
#? do I want these in /etc/environment?
# FixMe: harden/templates/etc/example-dnscrypt-proxy.toml
# force_tcp = true
#? ~/.gnupg/gnupg.conf
# https://github.com/riseupnet/riseup_help/issues/294
# keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
# .repo_.gitconfig.json
# handle setting up an ssh server in proxy - for libvirt_qemu (or chroot?)
- name: /etc/conf.d/sshd
blockinfile:
dest: "/etc/{{ETC_CONF_D}}/sshd"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK testforge"
block: |
SSHD_OPTS="-4 -E /var/log/sshd.log"
- name: /etc/dirmngr/dirmngr.conf
shell: |
[ -d /etc/dirmngr ] || mkdir /etc/dirmngr
[ -f /etc/dirmngr/dirmngr.conf ] && [ -h /etc/gnupg/dirmngr.conf ] && exit 0
[ -f /etc/dirmngr/dirmngr.conf ] && [ ! -f /etc/gnupg/dirmngr.conf ] && \
mv /etc/dirmngr/dirmngr.conf /etc/gnupg/dirmngr.conf && \
ln -s /etc/gnupg/dirmngr.conf /etc/dirmngr/dirmngr.conf
exit 0
- name: /etc/dirmngr/dirmngr.conf
lineinfile:
dest: "/etc/dirmngr/dirmngr.conf"
insertbefore: BOF
mode: 0755
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
regexp: "#*keyserver-options http-proxy.*"
line: "keyserver-options http-proxy=http://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}"
when:
- not ansible_check_mode
- HTTP_PROXYHOST == '' and HTTP_PROXYPORT == ''
- name: /etc/dirmngr/dirmngr.conf
lineinfile:
dest: "/etc/dirmngr/dirmngr.conf"
mode: 0755
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
regexp: "^keyserver-options no-try-dns-srv"
line: "keyserver-options no-try-dns-srv"
state: "{{ 'present' if ansible_distribution == 'never' else 'absent' }}"
when:
- not ansible_check_mode
- name: /etc/dirmngr/dirmngr.conf dnsmasq
blockinfile:
dest: "/etc/dirmngr/dirmngr.conf"
create: true
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy_post.yml dnsmasq"
block: |
debug-level 5
log-file /var/log/dirmngr.log
nameserver 127.0.0.1
when:
- not ansible_check_mode
- "'run_dnsmasq' in PROXY_FEATURES"
- block:
- name: /etc/dirmngr/dirmngr.conf no proxy
blockinfile:
dest: "/etc/dirmngr/dirmngr.conf"
create: false
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http-proxy"
block: |
# honor-http-proxy
# may not exist
ignore_errors: true
when:
- HTTP_PROXYHOST == '' and HTTP_PROXYPORT == ''
- block:
- name: /etc/dirmngr/dirmngr.conf proxy_post.yml http-https
blockinfile:
dest: "{{item}}"
create: true
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml https"
state: "{{ 'present' if HTTPS_PROXYHOST != '' else 'absent' }}"
block: |
#! debian10: /etc/dirmngr/dirmngr.conf:3: invalid option
#! https-proxy {{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
with_items:
- /etc/dirmngr/dirmngr.conf
- /etc/dirmngr/dirmngr.conf.whonix
# may not exist
ignore_errors: true
when:
- HTTPS_PROXYHOST != '' and HTTPS_PROXYPORT != ''
- block:
- name: /etc/dirmngr/dirmngr.conf proxy_post.yml http-proxy
blockinfile:
dest: /etc/dirmngr/dirmngr.conf
create: true
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http-proxy"
block: |
honor-http-proxy
# may not exist
ignore_errors: true
- name: /etc/dirmngr/dirmngr.conf proxy_post.yml http
blockinfile:
dest: /etc/dirmngr/dirmngr.conf
create: true
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http"
state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
block: |
honor-http-proxy
http-proxy {{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
- block:
# FixMe: should be lineinfile
- name: /etc/npmrc with proxy http
blockinfile:
dest: /etc/npmrc
create: false
mode: 0644
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http"
state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
block: |
proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
https-proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
cafile=/usr/local/etc/ssl/cacert-testforge.pem
progress=false
when:
- npm_npmrc_fact.stat.exists == true
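Review bot: The `lineinfile` loop that fills `/etc/cntlm.conf` writes `Password {{ MY_CORP_PASS }}` in the clear with no `no_log: true`, so the rendered line (and with `--diff`, the file contents) goes to the Ansible output and any callback or log sink, and with no `mode:` the secret's readability depends on whatever mode the file already had. Add `no_log: true` to the task and `mode: "0600"` to its `lineinfile` args; cntlm can also take the `PassNTLMv2` hash produced by `cntlm -H` instead of `Password`, which keeps the cleartext out of the file — worth confirming for the cntlm build in use. Separately, the `/etc/dirmngr/dirmngr.conf` task guarded by `HTTP_PROXYHOST == '' and HTTP_PROXYPORT == ''` writes `keyserver-options http-proxy=http://:` precisely when no proxy is configured; the condition looks inverted (`!=`), or that branch wants `state: absent`. The config files created here (`gpgconf.conf`, `dirmngr.conf`) get `mode: 0755`; `"0644"` is enough for a config file, and quoting the mode avoids YAML reading the literal as an octal integer.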

114
tasks/users.yml Normal file

@ -0,0 +1,114 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: proxy users.yml LOOP_USER"
debug:
verbosity: 1
msg: "DEBUG: Including proxy users.yml LOOP_USER={{LOOP_USER}}"
# why LOOP_USER == portage
# was in testforge base.yml
- name: "gpgconf --list {{LOOP_USER}}"
shell: |
[ -d ~/.gpg ] || mkdir ~/.gpg
gpgconf --list-dirs | grep 'socketdir\|homedir' | \
sed -e 's/.*://' | \
while read path; do
[ -e $path ] || continue; chmod -R 'go-rwx' $path
done
# wierd error
# TASK [proxy : ~/.gitconfig with proxy http] *****************************************An exception occurred during task execution. To see the full traceback, use -vvv. The error was: FileNotFoundError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/mnt/o/data/TestForge/src/ansible']
# failed: [pentoo] (item={'dest': '~portage/.gitconfig', 'owner': 'portage'}) => changed=false
when: false
# Unable to look up a name or access an attribute in template string ({{ item.dest|expanduser }}).
- name: ~/.gitconfig pull
blockinfile:
dest: "{{ item.dest | expanduser }}"
owner: "{{ item.owner }}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy pull"
block: |
[pull]
# ff = true
rebase = true
with_items:
- dest: "~{{LOOP_USER}}/.gitconfig"
owner: "{{ LOOP_USER }}"
ignore_errors: true
- block:
# dont change the environment for everyone with env.d/70proxy
# manually include tor.sh
- name: "/usr/local/share/scripts/box_proxy_tor.bash no_proxy /bin/sh"
lineinfile:
path: "{{ item.dest|expanduser }}/box_proxy_tor.bash"
create: yes
owner: "{{ item.owner }}"
mode: "{{ item.mode }}"
insertafter: BOF
line: "#!/bin/sh"
regexp: "#./bin/sh"
with_items:
- dest: "~{{LOOP_USER}}/bin"
owner: "{{ LOOP_USER }}"
mode: "0755"
# unused?
- name: ~/bin/box_proxy_tor.bash no_proxy
blockinfile:
dest: "{{ item.dest|expanduser }}/box_proxy_tor.bash"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy noproxy"
insertafter: "#./bin/sh"
mode: "{{ item.mode }}"
block: |
[ -f {{BASE_SCRIPT_DIR}}/box_proxy_tor.bash ] && . {{BASE_SCRIPT_DIR}}/box_proxy_tor.bash
[ -n "$no_proxy" ] && export no_proxy=$no_proxy || export no_proxy={{ NO_PROXY }}
when:
- "LOOP_USER != 'portage'"
with_items:
- dest: "~{{LOOP_USER}}/bin"
owner: "{{ LOOP_USER }}"
mode: "0755"
- name: /etc/dirmngr/dirmngr.conf
shell: |
[ -e "/etc/dirmngr/dirmngr.conf" ] || exit 0
[ -e "{{ item|expanduser }}" ] && exit 0
ln -s "/etc/dirmngr/dirmngr.conf" "{{ item|expanduser }}"
with_items:
- "~{{LOOP_USER}}/.gpg/dirmngr.conf"
when:
- not ansible_check_mode
# FixMe
ignore_errors: true
when:
- "LOOP_USER != 'portage'"
- name: cacert.org
shell: |
PREFIX=/var/local
[ -d $PREFIX/net/Http//www.cacert.org/certs/ ] || \
mkdir -p $PREFIX/net/Http//www.cacert.org/certs/
[ -f $PREFIX/net/Http//www.cacert.org/certs/cacert.asc ] || \
scurl.bash -P $PREFIX/net/Http/www.cacert.org/certs/ \
-- http://www.cacert.org/certs/cacert.asc
[ -f $PREFIX/net/Http//www.cacert.org/certs/CAcert_Class3Root_x14E228.crt ] || \
scurl.bash -P $PREFIX/net/Http/www.cacert.org/certs/ \
-- http://www.cacert.org/certs/CAcert_Class3Root_x14E228.crt
[ -f $PREFIX/net/Http//www.cacert.org/certs/root_X0F.crt ] || \
scurl.bash -P $PREFIX/net/Http/www.cacert.org/certs/ \
http://www.cacert.org/certs/root_X0F.crt
ls -l $PREFIX/net/Http//www.cacert.org/certs/
ignore_errors: true
when:
- false
- LOOP_USER != 'portage'
- BASE_ARE_CONNECTED|default('') != ''
# git config --global http.sslversion tlsv1.3
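Review bot: The `cacert.org` task fetches root CA certificates (`root_X0F.crt`, `CAcert_Class3Root_x14E228.crt`) and their `.asc` over plain `http://`, so whoever sits on that path — including the very proxy this role configures — can hand back a substitute CA, and a signature fetched over the same channel does not help; the task is `when: false` today, but if it is revived it should use `https://` and compare the downloaded certificate against a fingerprint pinned in the role (`openssl x509 -in ... -noout -fingerprint -sha256`). The `dirmngr.conf` symlink is placed under `~{{LOOP_USER}}/.gpg/`, and the disabled `gpgconf --list` task creates `~/.gpg` too, while GnuPG's default home is `~/.gnupg`; unless `GNUPGHOME` is pointed at `.gpg` elsewhere in the role (not visible here), the per-user dirmngr never reads that file — worth confirming. That same task runs `chmod -R 'go-rwx' $path` on unquoted output of `gpgconf --list-dirs`; quoting `"$path"` costs nothing and protects against a homedir containing spaces.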

9
tasks/vms.yml Normal file

@ -0,0 +1,9 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy vms.yml"
debug:
verbosity: 1
msg: "proxy vms.yml HOSTVMS_FEATURES={{HOSTVMS_FEATURES}}"

135
tasks/whonix_guest.yml Normal file

@ -0,0 +1,135 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# to be run on the guest our guest workstation by libvirt_qemu
- name: "proxy whonix_guest.yml"
debug:
verbosity: 1
msg: "proxy whonix_guest.yml PROXY_FEATURES={{PROXY_FEATURES}}"
## Whonix Guest or libvirt nat
- block:
- name: "proxy whonix_guest"
debug:
verbosity: 1
msg: "proxy whonix.yml HOST={{ansible_virtualization_role|replace('NA', 'host')}}"
- name: /etc/init.d/qemu-guest-agent
shell: |
# even systemd
[ -x /etc/init.d/qemu-guest-agent ] || exit 1
/etc/init.d/qemu-guest-agent status || /etc/init.d/qemu-guest-agent start
/etc/init.d/qemu-guest-agent status
- name: /dev/virtio-ports/org/qemu.guest_agent.0
shell: |
[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ]
- name: external
delegate_to: localhost
shell: |
grep ' external$' /etc/hosts | sed -e 's/ .*//'
register: external_out
check_mode: false
- name: BASE_EXTERNAL_IP
set_fact:
BASE_EXTERNAL_IP: "{{external_out.stdout}}"
when: external_out.rc|default(1) == 0
check_mode: false
when:
- "ansible_virtualization_role|replace('NA', 'host') == 'guest'"
- BOX_OS_FLAVOR|default('') in [ 'WhonixWorkstation', 'WhonixGateway', 'Gentoo']
- block:
- name: /etc/rc.local
shell: |
[ -f /etc/rc.local ] && exit 0
cp -p /usr/local/etc/local.d/Whonix-Gateway.local /etc/rc.local
- name: /etc/sysctl.d/80_whonix_gateway.conf
blockinfile:
dest: /etc/sysctl.d/80_whonix_gateway.conf
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_guest.yml"
insertafter: "Type=oneshot"
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
block: |
LimitNOFILE=100000
RestartSec=600s
Restart=never
when:
- BOX_OS_FLAVOR|default('') == 'WhonixGateway'
- block:
- name: /etc/rc.local
shell: |
[ -f /etc/rc.local ] && exit 0
cp -p /usr/local/etc/local.d/Whonix-Workstation.local /etc/rc.local
- name: /etc/sysctl.d/80_whonix_gateway.conf
blockinfile:
dest: /etc/sysctl.d/80_whonix_gateway.conf
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_guest.yml"
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
block: |
fs.file-max = 100000
when:
- BOX_OS_FLAVOR|default('') == 'WhonixWorkstation'
- block:
# #x1:12345:respawn:/sbin/agetty -J 38400 console linux /etc/inittab
- name: "/etc/inittab"
lineinfile:
dest: "/etc/inittab"
insertbefore: BOF
mode: 0755
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
regexp: "^#x1:12345:respawn:/sbin/agetty"
line: "x1:12345:respawn:/sbin/agetty"
when:
proxy_vda_cmdline_fact|default(1) == 0
- block:
- name: /etc/X11/xorg.conf.d/80_qxl.conf
blockinfile:
dest: /etc/X11/xorg.conf.d/80_qxl.conf
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_guest.yml"
insertafter: "Type=oneshot"
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
block: |
Section "Device"
Identifier "qxl"
Driver "qxl"
Option "DPI" "96 x 96"
Option "ENABLE_IMAGE_CACHE" "True"
Option "ENABLE_FALLBACK_CACHE" "False"
Option "ENABLE_SURFACES" "False"
EndSection
when:
- BOX_OS_FLAVOR|default('') != 'WhonixWorkstation' # already done
- BOX_OS_FLAVOR|default('') != 'WhonixGateway' # already done
- ansible_virtualization_role|replace('NA', 'host') == 'guest'
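Review bot: The WhonixGateway branch writes systemd unit directives (`LimitNOFILE=100000`, `RestartSec=600s`, `Restart=never`) with `insertafter: "Type=oneshot"` into `/etc/sysctl.d/80_whonix_gateway.conf`, a sysctl file — `sysctl --system` will error on each of those keys, and `Restart=never` is not a valid systemd value either (`Restart=no`). The block looks lifted from a service drop-in; the Workstation branch right below writes a real key (`fs.file-max = 100000`), which is probably what the gateway wants too, with the unit settings moved to `/etc/systemd/system/<service>.service.d/override.conf` — which service is meant is not visible here. The `/etc/inittab` task has two problems: `line: "x1:12345:respawn:/sbin/agetty"` drops the `-J 38400 console linux` arguments shown in the comment above it, so init would respawn a bare agetty, and `when: proxy_vda_cmdline_fact|default(1) == 0` compares the whole registered result to 0 rather than `proxy_vda_cmdline_fact.rc|default(1) == 0` as proxy_mode.yml does, so the task never fires. `mode: 0755` on `/etc/inittab` is also more than a config file needs; `"0644"` matches the rest of this file.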

303
tasks/whonix_host.yml Normal file

@ -0,0 +1,303 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy whonix_host.yml"
debug:
verbosity: 1
msg: "proxy whonix_host.yml BOX_WHONIX_PROXY_HOST={{BOX_WHONIX_PROXY_HOST}}"
- name: chmod 664 /etc/libvirt/qemu/*xml
shell: |
chmod 664 /etc/libvirt/qemu/*xml || true
- name: /etc/libvirt/hooks/network
blockinfile:
dest: /etc/libvirt/hooks/network
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
mode: 0775
block: |
[ ! -f /usr/local/sbin/proxy_libvirt_hook_network.bash ] || \
/usr/local/sbin/proxy_libvirt_hook_network.bash
when: false # now in overlay
# FixMe: Whats the right consitonal for starting polipo
#- block:
# to be run on the host to use the gateway as our proxy using ports via iptables
# The proxy setup to be run are a way of centralizing tasks from other roles be run on the gateway.
- stat: path=/etc/polipo/config
register: polipo_conf
- name: PRIV_TOR_TYPE in ['client']
assert:
# drive from {{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
that:
- "'{{PROXY_WHONIX_HTTPS_PORT}}' != ''"
- "'{{PROXY_WHONIX_SOCKS_PORT}}' != ''"
- "'{{PROXY_WHONIX_SOCKS_USER}}' != ''"
- "'{{PROXY_WHONIX_SOCKS_PASS}}' != ''"
- "'{{PROXY_WHONIX_DNS_PORT}}' != ''"
- "'{{PROXY_WHONIX_TRANS_PORT}}' != ''"
- "'{{PROXY_WHONIX_BUKU_PORT}}' != ''"
- name: PRIV_TOR_TYPE in ['client']
set_fact:
# {{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
PROXY_POLIPO_SOCKSHOST: "{{PROXY_WHONIX_SOCKS_HOST}}"
PROXY_POLIPO_SOCKSPORT: "{{PROXY_WHONIX_SOCKS_PORT}}"
PROXY_POLIPO_SOCKSUSER: "{{PROXY_WHONIX_SOCKS_USER}}"
PROXY_POLIPO_SOCKSPASS: "{{PROXY_WHONIX_SOCKS_PASS}}"
PROXY_POLIPO_SOCKSTYPE: "socks5"
PRIV_FIREWALL_SET: whonix
HARDEN_DNS_PORT: "{{PROXY_DNS_PORT}}"
when:
- BOX_WHONIX_PROXY_HOST != ""
- name: "/etc/modules-load.d/firewall.conf"
blockinfile:
dest: /etc/modules-load.d/firewall.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
block: |
ip_tables
ipt_REJECT
iptable_filter
iptable_nat
xt_LOG
xt_conntrack
xt_nat
xt_owner
xt_state
xt_tcpudp
nf_conntrack
nf_defrag_ipv4
# 5.15 nf_log_common
nf_log_ipv4
nf_nat
#5 nf_nat_ipv4
#5 nf_reject_ipv4
#5 x_tables
xt_MASQUERADE
nft_masq
iptable_mangle
bridge
- name: template /etc/firewall.conf
template:
force: no
src: "etc/firewall-tor_{{PRIV_FIREWALL_SET}}.conf"
dest: /etc/firewall.conf
- name: /etc/polipo/config
lineinfile:
dest: /etc/polipo/config
regexp: '^#* *{{item.name}}.*'
line: "{{item.name}}={{item.val}}"
state: present
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
mode: 0644
create: yes
with_items:
- { name: daemonise, val: false }
- { name: diskCacheRoot, val: "" }
- { name: disableLocalInterface, val: true }
- { name: proxyAddress, val: 127.0.0.1 }
- { name: proxyName, val: 127.0.0.1 }
- { name: proxyPort, val: "{{ PROXY_POLIPO_PROXYPORT }}" }
- { name: allowedClients, val: 127.0.0.1 }
- { name: socksParentProxy, val: "{{PROXY_POLIPO_SOCKSHOST}}:{{PROXY_POLIPO_SOCKSPORT}}" }
- { name: socksProxyType, val: "{{PROXY_POLIPO_SOCKSTYPE}}" }
# - { name: socksUserName, val: "foo" } # not Debian - unenforced?
- { name: disableVia, val: true }
# can be a directory
- { name: forbiddenFile, val: /etc/polipo/forbidden }
# maybe the same directory forbids the same tunnelling
- { name: forbiddenTunnelsFile, val: /etc/polipo/forbidden }
- { name: allowedPorts, val: 1-65535 }
- { name: tunnelAllowedPorts, val: 1-65535 }
- { name: logFile, val: "{{ PROXY_POLIPO_LOG }}" }
- { name: logSyslog, val: false }
- { name: logLevel, val: 455 }
# logLevel=0x107
when:
- not ansible_check_mode
- polipo_conf.stat.exists == true
# FixMe: make logLevel high but make the log file root readable only
- name: chmod /var/log/polipo.log
file:
state: file
path: "{{ PROXY_POLIPO_LOG }}"
mode: 0640
owner: "{{ PROXY_POLIPO_OWNER }}"
group: "{{ PROXY_POLIPO_GROUP }}"
when:
- not ansible_check_mode
# FixMe: may not have been started
ignore_errors: true
#- name: virsh list
# command: virsh list
# register: virsh_list
# when:
# - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
- block:
- name: polipo Whonix-Gateway
shell: |
ifconfig | grep virbr || exit 0
# FixMe: which is gateway
grep '^allowedClients=.*/' /etc/polipo/config && \
sed -e 's/allowedClients=.*/allowedClients=127.0.0.1/' -i /etc/polipo/config || \
echo 'allowedClients=127.0.0.1' >> /etc/polipo/config
ifconfig | grep br | grep inet | while read inet ip rest ; do
sed -e "s/allowedClients=.*/&,$ip/" -i /etc/polipo/config
done
. /usr/local/etc/local.d/local.bash
proxy_rc_service polipo restart
when:
- false
- ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
# was in hostvms libvirt.yml
- block:
- name: /etc/libvirt/hooks/network
lineinfile:
path: "/etc/libvirt/hooks/network"
create: yes
mode: 0775
insertafter: BOF
line: "#!/bin/sh"
regexp: "#./bin/sh"
when: false # now in overlay
- name: /usr/local/bin/proxy_libvirt_hook_network.bash
blockinfile:
dest: /etc/libvirt/hooks/network
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
mode: 0775
block: |
export PATH=$PATH:/usr/local/bin:/usr/local/sbin
# hung processes will hang virsh list
[ ! -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || \
timeout --kill-after=10 10 /usr/local/bin/proxy_libvirt_hook_network.bash $*
[ $? -ne 0 ] && \
logger $0 WARN: /usr/local/bin/proxy_libvirt_hook_network.bash retval=$?
exit 0
when: false # now in overlay
- name: proxy_libvirt_no_autostart
shell: |
/usr/local/bin/proxy_ping_lib.bash proxy_libvirt_no_autostart
- name: /etc/init.d/libvirtd
shell: |
# now moved to /usr/local/bin/proxy_hourly.bash
[ ! -f /usr/local/bin/proxy_hourly.bash ] || /usr/local/bin/proxy_hourly.bash
exit 0
when: false
- name: "/etc/conf.d/libvirtd"
lineinfile:
dest: "/etc/{{ETC_CONF_D}}/libvirtd"
insertbefore: BOF
mode: 0755
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
regexp: "^rc_need"
line: "#rc_need"
when:
- ansible_virtualization_role|replace('NA', 'host') == 'host'
- ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
- "'libvirt' in BOX_HOSTVMS_FEATURES or BOX_WHONIX_PROXY_HOST != ''"
- block:
- name: /etc/rc.local
shell: |
[ -f /etc/rc.local ] && exit 0
cp -p /usr/local/etc/local.d/Whonix-Host.local /etc/rc.local
when:
- BOX_OS_FLAVOR|default('') == 'KickSecure'
- name: /usr/local/src/secbrowser.bash
shell: |
[ -f /usr/local/src/secbrowser.bash ] && exit 0
/local/src/secbrowser.bash
when:
- BOX_OS_FLAVOR|default('') == 'KickSecure'
when:
- "ansible_virtualization_role|replace('NA', 'host') == 'host'"
- block:
- name: /run/tmp
shell: |
[ -d /run/tmp ] && exit 0
mkdir /run/tmp
chmod 1777 /run/tmp
# lib64 is not being made
mkdir -p /usr/local/lib/python3.11/site-packages \
/usr/local/lib64/python3.11/site-packages
when:
- external_out.rc|default(1) == 0
- external_out.stdout|default('') != ''
- name: proxy_libvirt_forward.bash
shell: |
ps ax | grep proxy_libvirt_forward.bash && exit 0
proxy_libvirt_forward.bash
when:
- external_out.rc|default(1) == 0
- external_out.stdout|default('') != ''
# box mode is tor or
become: yes
become_user: "{{ BOX_USER_NAME }}"
when:
- ansible_connection|default('') in ['libvirt_qemu']
- name: /etc/rc.local
shell: |
[ -f /etc/rc.local ] && exit 0
cp -p /usr/local/etc/local.d/Whonix-Vda.local /etc/rc.local
when:
- proxy_vda_cmdline_fact|default(1) == 0
- name: /etc/rc.local
shell: |
[ -f /etc/rc.local ] && exit 0
cp -p /usr/local/etc/local.d/Whonix-Gateway.local /etc/rc.local
when:
- BOX_OS_FLAVOR|default('') == 'WhonixGateway'
- name: /etc/rc.local Workstation
shell: |
[ -f /etc/rc.local ] && exit 0
cp -p /usr/local/etc/local.d/Whonix-Workstation.local /etc/rc.local
when:
- BOX_OS_FLAVOR|default('') == 'WhonixWorkstation'
when:
- ansible_virtualization_role|replace('NA', 'host') == 'guest'
- block:
- name: /usr/local/src/secbrowser.bash
shell: |
[ -f /usr/local/src/secbrowser.bash ] && exit 0
/local/src/secbrowser.bash
when:
- BOX_OS_FLAVOR|default('') == 'KickSecure' or proxy_vda_cmdline_fact|default(1) == 0

90
tasks/wicd.yml Normal file

@ -0,0 +1,90 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "wicd.yml"
debug:
verbosity: 1
msg: "proxy wicd.yml "
- name: "/etc/dhcp/dhcpd.conf"
blockinfile:
dest: /etc/dhcp/dhcpd.conf
marker: "# {mark} ANSIBLE MANAGED BLOCK privacy"
create: yes
block: |
default-lease-time 36000;
ipv4only;
randomise_hwaddr;
#? whitelist 10.16.238.1;
logfile /var/log/dhcpd.log;
nohook resolv.conf;
# stop dhclient from overwriting resolv.conf
# with scripts in /lib/dhcpcd/dhcpcd-hooks/
# FixMe: /etc/dhcp/dhcp-client.conf?
# dnscrypt is not a system service
- name: "service disable not {{PROXY_DNS_PROXY}}"
service:
enabled: '{{ "yes" if PROXY_DNS_PROXY == "{{ item }}" else "no" }}'
state: '{{ "started" if PROXY_DNS_PROXY == "{{ item }}" else "stopped" }}'
name: "{{ item }}"
with_items:
# leave 'dnsmasq' running
# maybe shutting dnsmasq shuts NetworkManager?
- "{{PROXY_DNS_PROXY}}"
# "dnscrypt" is not a system service
ignore_errors: true
when:
- ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
- name: "service disable not {{PROXY_DNS_NETMAN}}"
service:
enabled: '{{ "yes" if PROXY_DNS_NETMAN == "{{ item }}" else "no" }}'
state: '{{ "started" if PROXY_DNS_NETMAN == "{{ item }}" else "stopped" }}'
name: "{{ item }}"
with_items: "{{ PROXY_DNS_NETMAN_ALL }}"
ignore_errors: true
when:
- ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
- name: "/etc/dhcpcd.conf {{ansible_distribution}}"
blockinfile:
dest: "{{ item }}"
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
create: true
block: |
# we route dns queries through tor
# we will configure ntp generically
nohook resolv.conf,ntp.conf
# with_first_found:
with_items:
- /etc/dhcpcd.conf
when:
- "'run_dnsmasq' in PROXY_FEATURES"
- name: "/etc/resolvconf.conf"
lineinfile:
dest: /etc/resolvconf.conf
create: true
regexp: "{{ item.name }}"
line: "{{ item.val }}"
with_items:
- { name: "^#*resolvconf=.*", val: "resolvconf=no" }
- { name: "^#*name_servers=.*", val: "name_servers=127.0.0.1" }
- { name: "^#*resolv_conf.*", val: "resolv_conf=/etc/resolv.conf" }
when:
- ansible_distribution == 'Gentoo'
- "'run_dnsmasq' in PROXY_FEATURES"
# /etc/resolvconf/update.d/ for Ubuntu
# /etc/resolvconf/update.d/dnsmasq for Debian
- name: "/etc/resolvconf/update.d/dnsmasq"
shell: |
[ -f /etc/resolvconf/update.d/dnsmasq ] || exit 0
chmod 644 /etc/resolvconf/update.d/dnsmasq
mv /etc/resolvconf/update.d/dnsmasq /etc/resolvconf/update.d/.dnsmasq
when:
- PROXY_DNS_PROXY != ""