second

2024-01-06 03:08:22 +00:00 · 2024-01-06 03:08:22 +00:00 · d29b1e4542
commit d29b1e4542
parent 19597c9297
128 changed files with 15399 additions and 61 deletions
--- a/tasks/dns-dnsmasq.yml
+++ b/tasks/dns-dnsmasq.yml
@ -0,0 +1,170 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+- name: "dns-dnsmasq.yml"
+  debug:
+    verbosity: 1
+    msg: "dns-dnsmasq.yml socks5={{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"
+
+- block:
+
+  - name: "uninstall dnscrypt-proxy"
+    shell: |
+      systemctl disabled dnscrypt-proxy
+      rm -f /etc/systemd/system/dnscrypt-proxy.service
+    args:
+      removes: /etc/systemd/system/dnscrypt-proxy.service
+
+  when:
+    - "BOX_SERVICE_MGR == 'systemd'"
+
+# see https://askubuntu.com/questions/953467/how-to-cache-dnscrypt-proxy-with-dnsmasqresolvconf
+- name: "/etc/NetworkManager/NetworkManager.conf dns"
+  lineinfile:
+    dest: /etc/NetworkManager/NetworkManager.conf
+    create: true
+    regexp: "^#*dns=dnsmasq"
+    line: "dns=none"
+  when:
+    - true
+
+# /mnt/linuxKick15/etc/NetworkManager/conf.d/dns.conf
+# https://wiki.archlinux.org/index.php/NetworkManager#/etc/resolv.conf
+#[main]
+#ns=none
+# Tip: You might also want to set main.
+#systemd-resolved=false
+
+- name: "/etc/NetworkManager/NetworkManager.conf no proxy dns"
+  blockinfile:
+    dest: /etc/NetworkManager/NetworkManager.conf
+    create: true
+    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
+    mode:  0644
+    owner: "{{BOX_ROOT_USER}}"
+    group: "{{BOX_ROOT_GROUP}}"
+    block: |
+      [main]
+      plugins=ifupdown,keyfile
+      dns=none
+      # will always write resolv.conf to its runtime state
+      # directory /run/NetworkManager/resolv.conf.
+      rc-manager=unmanaged
+      unmanaged-devices=interface-name:virbr1
+      unmanaged-devices=interface-name:virbr2
+
+      [ifupdown]
+      # If set to false, then any interface
+      # listed in /etc/network/interfaces will be ignored
+      managed=false
+
+      [logging]
+      level=info
+      backend=syslog
+
+# FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
+# FixMe tor client vss whnoix gateway
+- name: "/etc/dnsmasq.conf.tor enable DNS"
+  blockinfile:
+    dest: /etc/dnsmasq.conf.tor
+    create: yes
+    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
+    mode:  0644
+    owner: "{{BOX_ROOT_USER}}"
+    group: "{{BOX_ROOT_GROUP}}"
+    block: |
+      log-facility=/var/log/dnsmasq.log
+      no-resolv
+      listen-address=127.0.0.1
+      server=127.0.0.1#9053
+      port=53
+      # {{ BASE_ARE_CONNECTED|default('') }}
+      interface={{ BASE_DEFAULT_OUTPUT_IF }}
+      bind-interfaces
+      no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }}
+
+# FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
+- name: "/etc/dnsmasq.conf enable DNS"
+  blockinfile:
+    dest: /etc/dnsmasq.conf.whonix
+    create: yes
+    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
+    mode:  0644
+    owner: "{{BOX_ROOT_USER}}"
+    group: "{{BOX_ROOT_GROUP}}"
+    block: |
+      log-facility=/var/log/dnsmasq.log
+      no-resolv
+      listen-address=127.0.0.1
+      server={{ PROXY_WHONIX_SOCKS_HOST }}#9053
+      port=53
+      # {{ BASE_ARE_CONNECTED|default('') }}
+      interface={{ BASE_DEFAULT_OUTPUT_IF }}
+      bind-interfaces
+      no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }}
+
+- name: "/etc/dnsmasq.conf enable srv-host"
+  blockinfile:
+    dest: "{{item}}"
+    create: yes
+    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml srv-host"
+    # after srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+    block: |
+      # dirmgr
+      # dns: getsrv(_pgpkey-https._tcp.keyserver.ubuntu.com): Try again later
+      srv-host=_pgpkey-https._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,443
+      srv-host=_pgpkey-https._tcp.keys.gnupg.net,keys.gnupg.net,443
+      srv-host=_pgpkey-https._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,443
+      srv-host=_pgpkey-https._tcp.keys.gnupg.net,keys.gnupg.net,443
+      #dead srv-host=_pgpkey-https._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,443
+      srv-host=_pgpkey-https._tcp.pgp.mit.edu,pgp.mit.edu,443
+
+      srv-host=_pgpkey-http._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,80
+      srv-host=_pgpkey-http._tcp.keys.gnupg.net,keys.gnupg.net,80
+      srv-host=_pgpkey-http._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,80
+      srv-host=_pgpkey-http._tcp.keys.gnupg.net,keys.gnupg.net,80
+      #dead srv-host=_pgpkey-http._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,80
+      srv-host=_pgpkey-http._tcp.pgp.mit.edu,pgp.mit.edu,80
+
+  with_items:
+    - /etc/dnsmasq.conf.whonix
+    - /etc/dnsmasq.conf.tor
+
+- name: "/etc/dnsmasq.conf enable dnssec"
+  blockinfile:
+    dest: "{{item}}"
+    create: yes
+    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml dnssec"
+    block: |
+      # DNSSEC setup
+      dnssec
+      trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
+      trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
+      dnssec-check-unsigned
+  when:
+    - "'dnsmasq_dnssec' in BOX_PROXY_FEATURES"
+    - false # stops it for starting
+  with_items:
+    - /etc/dnsmasq.conf.whonix
+    - /etc/dnsmasq.conf.tor
+    - /etc/dnsmasq.conf
+
+- name:
+  shell: |
+    [ "{{PROXY_MODE}}" = tor ] && \
+      cp -p /etc/dnsmasq.conf.tor /etc/dnsmasq.conf
+    [ "{{PROXY_MODE}}" = tor ] && \
+      cp -p /etc/dnsmasq.conf.whonix /etc/dnsmasq.conf
+    exit 0
+
+- name: "enable and start service dnsmasq"
+  service:
+    name: "{{ item.name }}"
+    enabled:  false
+    state: "{{ item.state }}"
+  # WARNING: dnsmasq will start when NetworkManager has started
+  failed_when: false
+  with_items:
+    #no    - { name: "dnscrypt-proxy", able: "no", state: "restarted" }
+    - { name: "dnsmasq", able: "no", state: "started" }
+