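# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# dns-dnsmasq.yml: make dnsmasq the local resolver, forwarding either to a
# local Tor DNSPort (tor mode) or to the Whonix gateway (whonix mode), and
# keep NetworkManager from rewriting /etc/resolv.conf underneath it.
- name: "dns-dnsmasq.yml"
  debug:
    verbosity: 1
    msg: "dns-dnsmasq.yml socks5={{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"

- block:
    - name: "uninstall dnscrypt-proxy"
      # 'systemctl disabled' is not a systemctl verb, so the unit was never
      # disabled; stop it before the unit file is removed.  The task's exit
      # status is that of the last line (rm -f), as before.
      shell: |
        systemctl stop dnscrypt-proxy
        systemctl disable dnscrypt-proxy
        rm -f /etc/systemd/system/dnscrypt-proxy.service
      args:
        removes: /etc/systemd/system/dnscrypt-proxy.service
      when:
        - "BOX_SERVICE_MGR == 'systemd'"

    # see https://askubuntu.com/questions/953467/how-to-cache-dnscrypt-proxy-with-dnsmasqresolvconf
    - name: "/etc/NetworkManager/NetworkManager.conf dns"
      lineinfile:
        dest: /etc/NetworkManager/NetworkManager.conf
        create: true
        regexp: "^#*dns=dnsmasq"
        line: "dns=none"

    # /mnt/linuxKick15/etc/NetworkManager/conf.d/dns.conf
    # https://wiki.archlinux.org/index.php/NetworkManager#/etc/resolv.conf
    # [main]
    # dns=none
    # Tip: You might also want to set main.systemd-resolved=false
    - name: "/etc/NetworkManager/NetworkManager.conf no proxy dns"
      blockinfile:
        dest: /etc/NetworkManager/NetworkManager.conf
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
        mode: "0644"
        owner: "{{BOX_ROOT_USER}}"
        group: "{{BOX_ROOT_GROUP}}"
        block: |
          [main]
          plugins=ifupdown,keyfile
          dns=none
          # will always write resolv.conf to its runtime state
          # directory /run/NetworkManager/resolv.conf.
          rc-manager=unmanaged
          # a repeated key in a keyfile section keeps only the last value, so
          # both devices go in one ';'-separated entry
          unmanaged-devices=interface-name:virbr1;interface-name:virbr2

          [ifupdown]
          # If set to false, then any interface
          # listed in /etc/network/interfaces will be ignored
          managed=false

          [logging]
          level=info
          backend=syslog

    # FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
    # FixMe tor client vs whonix gateway
    - name: "/etc/dnsmasq.conf.tor enable DNS"
      blockinfile:
        dest: /etc/dnsmasq.conf.tor
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
        mode: "0644"
        owner: "{{BOX_ROOT_USER}}"
        group: "{{BOX_ROOT_GROUP}}"
        block: |
          log-facility=/var/log/dnsmasq.log
          no-resolv
          listen-address=127.0.0.1
          # upstream is the local Tor DNSPort; 9053 is assumed — confirm against torrc
          server=127.0.0.1#9053
          port=53
          # {{ BASE_ARE_CONNECTED|default('') }}
          # NOTE(review): interface= also binds the default output interface, so
          # hosts on that segment can use this resolver; confirm that is intended
          interface={{ BASE_DEFAULT_OUTPUT_IF }}
          bind-interfaces
          no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }}

    # FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
    - name: "/etc/dnsmasq.conf.whonix enable DNS"
      blockinfile:
        dest: /etc/dnsmasq.conf.whonix
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
        mode: "0644"
        owner: "{{BOX_ROOT_USER}}"
        group: "{{BOX_ROOT_GROUP}}"
        block: |
          log-facility=/var/log/dnsmasq.log
          no-resolv
          listen-address=127.0.0.1
          # upstream is the Whonix gateway's DNS port; 9053 is assumed — confirm
          server={{ PROXY_WHONIX_SOCKS_HOST }}#9053
          port=53
          # {{ BASE_ARE_CONNECTED|default('') }}
          # NOTE(review): interface= also binds the default output interface, so
          # hosts on that segment can use this resolver; confirm that is intended
          interface={{ BASE_DEFAULT_OUTPUT_IF }}
          bind-interfaces
          no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }}

    - name: "/etc/dnsmasq.conf enable srv-host"
      blockinfile:
        dest: "{{item}}"
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml srv-host"
        mode: "0644"
        owner: "{{BOX_ROOT_USER}}"
        group: "{{BOX_ROOT_GROUP}}"
        # after srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
        # (the duplicated keys.gnupg.net entries were dropped: dnsmasq would
        # answer with the same SRV record twice)
        block: |
          # dirmngr
          # dns: getsrv(_pgpkey-https._tcp.keyserver.ubuntu.com): Try again later
          srv-host=_pgpkey-https._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,443
          srv-host=_pgpkey-https._tcp.keys.gnupg.net,keys.gnupg.net,443
          srv-host=_pgpkey-https._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,443
          #dead srv-host=_pgpkey-https._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,443
          srv-host=_pgpkey-https._tcp.pgp.mit.edu,pgp.mit.edu,443
          srv-host=_pgpkey-http._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,80
          srv-host=_pgpkey-http._tcp.keys.gnupg.net,keys.gnupg.net,80
          srv-host=_pgpkey-http._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,80
          #dead srv-host=_pgpkey-http._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,80
          srv-host=_pgpkey-http._tcp.pgp.mit.edu,pgp.mit.edu,80
      with_items:
        - /etc/dnsmasq.conf.whonix
        - /etc/dnsmasq.conf.tor

    - name: "/etc/dnsmasq.conf enable dnssec"
      blockinfile:
        dest: "{{item}}"
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml dnssec"
        block: |
          # DNSSEC setup
          dnssec
          # 19036 is the 2010 root KSK, retired after the 2018 root KSK
          # rollover; 20326 is the current root KSK (KSK-2017).
          trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
          trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
          dnssec-check-unsigned
      when:
        - "'dnsmasq_dnssec' in BOX_PROXY_FEATURES"
        - false  # deliberately disabled: a literal false here means the task never runs
      with_items:
        - /etc/dnsmasq.conf.whonix
        - /etc/dnsmasq.conf.tor
        - /etc/dnsmasq.conf

    # Both branches used to test PROXY_MODE against 'tor', so the whonix
    # config could never be installed, and the trailing 'exit 0' hid a
    # failed cp.  A case statement selects the right file and keeps cp's
    # exit status; an unknown PROXY_MODE still exits 0 (no match).
    # assumes PROXY_MODE takes the values 'tor' / 'whonix' — confirm against the role defaults
    - name: "install /etc/dnsmasq.conf for PROXY_MODE"
      shell: |
        case "{{PROXY_MODE}}" in
          tor)    cp -p /etc/dnsmasq.conf.tor    /etc/dnsmasq.conf ;;
          whonix) cp -p /etc/dnsmasq.conf.whonix /etc/dnsmasq.conf ;;
        esac

    - name: "start service dnsmasq (not enabled at boot)"
      service:
        name: "{{ item.name }}"
        # not enabled at boot on purpose (the original task name said
        # "enable" but set enabled: false); see the WARNING below
        enabled: false
        state: "{{ item.state }}"
      # WARNING: dnsmasq will start when NetworkManager has started
      # best-effort: a failed start is not reported to the play
      failed_when: false
      with_items:
        # - { name: "dnscrypt-proxy", state: "restarted" }
        - { name: "dnsmasq", state: "started" }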