second
This commit is contained in:
parent
19597c9297
commit
d29b1e4542
128 changed files with 15399 additions and 61 deletions
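--- a/tasks/dns-dnsmasq.yml
+++ b/tasks/dns-dnsmasq.yml
@@ -0,0 +1,170 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+- name: "dns-dnsmasq.yml"
+  debug:
+    verbosity: 1
+    msg: "dns-dnsmasq.yml socks5={{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"
+
+- block:
+
+    - name: "uninstall dnscrypt-proxy"
+      shell: |
+        systemctl disabled dnscrypt-proxy
+        rm -f /etc/systemd/system/dnscrypt-proxy.service
+      args:
+        removes: /etc/systemd/system/dnscrypt-proxy.service
+
+      when:
+        - "BOX_SERVICE_MGR == 'systemd'"
+
+    # see https://askubuntu.com/questions/953467/how-to-cache-dnscrypt-proxy-with-dnsmasqresolvconf
+    - name: "/etc/NetworkManager/NetworkManager.conf dns"
+      lineinfile:
+        dest: /etc/NetworkManager/NetworkManager.conf
+        create: true
+        regexp: "^#*dns=dnsmasq"
+        line: "dns=none"
+      when:
+        - true
+
+    # /mnt/linuxKick15/etc/NetworkManager/conf.d/dns.conf
+    # https://wiki.archlinux.org/index.php/NetworkManager#/etc/resolv.conf
+    #[main]
+    #ns=none
+    # Tip: You might also want to set main.
+    #systemd-resolved=false
+
+    - name: "/etc/NetworkManager/NetworkManager.conf no proxy dns"
+      blockinfile:
+        dest: /etc/NetworkManager/NetworkManager.conf
+        create: true
+        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
+        mode: 0644
+        owner: "{{BOX_ROOT_USER}}"
+        group: "{{BOX_ROOT_GROUP}}"
+        block: |
+          [main]
+          plugins=ifupdown,keyfile
+          dns=none
+          # will always write resolv.conf to its runtime state
+          # directory /run/NetworkManager/resolv.conf.
+          rc-manager=unmanaged
+          unmanaged-devices=interface-name:virbr1
+          unmanaged-devices=interface-name:virbr2
+
+          [ifupdown]
+          # If set to false, then any interface
+          # listed in /etc/network/interfaces will be ignored
+          managed=false
+
+          [logging]
+          level=info
+          backend=syslog
+
+    # FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
+    # FixMe tor client vss whnoix gateway
+    - name: "/etc/dnsmasq.conf.tor enable DNS"
+      blockinfile:
+        dest: /etc/dnsmasq.conf.tor
+        create: yes
+        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
+        mode: 0644
+        owner: "{{BOX_ROOT_USER}}"
+        group: "{{BOX_ROOT_GROUP}}"
+        block: |
+          log-facility=/var/log/dnsmasq.log
+          no-resolv
+          listen-address=127.0.0.1
+          server=127.0.0.1#9053
+          port=53
+          # {{ BASE_ARE_CONNECTED|default('') }}
+          interface={{ BASE_DEFAULT_OUTPUT_IF }}
+          bind-interfaces
+          no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }}
+
+    # FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
+    - name: "/etc/dnsmasq.conf enable DNS"
+      blockinfile:
+        dest: /etc/dnsmasq.conf.whonix
+        create: yes
+        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
+        mode: 0644
+        owner: "{{BOX_ROOT_USER}}"
+        group: "{{BOX_ROOT_GROUP}}"
+        block: |
+          log-facility=/var/log/dnsmasq.log
+          no-resolv
+          listen-address=127.0.0.1
+          server={{ PROXY_WHONIX_SOCKS_HOST }}#9053
+          port=53
+          # {{ BASE_ARE_CONNECTED|default('') }}
+          interface={{ BASE_DEFAULT_OUTPUT_IF }}
+          bind-interfaces
+          no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }}
+
+    - name: "/etc/dnsmasq.conf enable srv-host"
+      blockinfile:
+        dest: "{{item}}"
+        create: yes
+        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml srv-host"
+        # after srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+        block: |
+          # dirmgr
+          # dns: getsrv(_pgpkey-https._tcp.keyserver.ubuntu.com): Try again later
+          srv-host=_pgpkey-https._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,443
+          srv-host=_pgpkey-https._tcp.keys.gnupg.net,keys.gnupg.net,443
+          srv-host=_pgpkey-https._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,443
+          srv-host=_pgpkey-https._tcp.keys.gnupg.net,keys.gnupg.net,443
+          #dead srv-host=_pgpkey-https._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,443
+          srv-host=_pgpkey-https._tcp.pgp.mit.edu,pgp.mit.edu,443
+
+          srv-host=_pgpkey-http._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,80
+          srv-host=_pgpkey-http._tcp.keys.gnupg.net,keys.gnupg.net,80
+          srv-host=_pgpkey-http._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,80
+          srv-host=_pgpkey-http._tcp.keys.gnupg.net,keys.gnupg.net,80
+          #dead srv-host=_pgpkey-http._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,80
+          srv-host=_pgpkey-http._tcp.pgp.mit.edu,pgp.mit.edu,80
+
+      with_items:
+        - /etc/dnsmasq.conf.whonix
+        - /etc/dnsmasq.conf.tor
+
+    - name: "/etc/dnsmasq.conf enable dnssec"
+      blockinfile:
+        dest: "{{item}}"
+        create: yes
+        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml dnssec"
+        block: |
+          # DNSSEC setup
+          dnssec
+          trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
+          trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
+          dnssec-check-unsigned
+      when:
+        - "'dnsmasq_dnssec' in BOX_PROXY_FEATURES"
+        - false # stops it for starting
+      with_items:
+        - /etc/dnsmasq.conf.whonix
+        - /etc/dnsmasq.conf.tor
+        - /etc/dnsmasq.conf
+
+    - name:
+      shell: |
+        [ "{{PROXY_MODE}}" = tor ] && \
+          cp -p /etc/dnsmasq.conf.tor /etc/dnsmasq.conf
+        [ "{{PROXY_MODE}}" = tor ] && \
+          cp -p /etc/dnsmasq.conf.whonix /etc/dnsmasq.conf
+        exit 0
+
+    - name: "enable and start service dnsmasq"
+      service:
+        name: "{{ item.name }}"
+        enabled: false
+        state: "{{ item.state }}"
+      # WARNING: dnsmasq will start when NetworkManager has started
+      failed_when: false
+      with_items:
+        #no - { name: "dnscrypt-proxy", able: "no", state: "restarted" }
+        - { name: "dnsmasq", able: "no", state: "started" }
+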
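Review bot: The unnamed `shell` task near the end of the file tests `"{{PROXY_MODE}}" = tor` in both branches, so in tor mode the second `cp` overwrites /etc/dnsmasq.conf with the whonix variant (upstream `{{ PROXY_WHONIX_SOCKS_HOST }}#9053`), in whonix mode nothing is copied and dnsmasq starts with whatever /etc/dnsmasq.conf already holds — a config without `no-resolv` would presumably forward to the clearnet resolvers in /etc/resolv.conf — and the trailing `exit 0` reports success either way. The second test should be `[ "{{PROXY_MODE}}" = whonix ] && cp -p /etc/dnsmasq.conf.whonix /etc/dnsmasq.conf`, and `exit 0` should go (give the task a name and a `changed_when` instead) so a missing or unwritable config fails the play rather than silently leaving a non-Tor resolver in place. Separately, both generated dnsmasq configs combine `listen-address=127.0.0.1` with `interface={{ BASE_DEFAULT_OUTPUT_IF }}` and `bind-interfaces`; in dnsmasq these are additive, so the Tor-backed resolver is also bound on the egress interface and reachable from that network — `no-dhcp-interface` only suppresses DHCP there, not DNS — so if loopback-only was intended the `interface=` line should be dropped. Also note `systemctl disabled dnscrypt-proxy` is a typo for `disable` (ideally `disable --now`); since the script has no `set -e`, the unit file is removed while the service may keep running and holding port 53, and the task still reports success.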