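# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# Install dnscrypt-proxy from a downloaded tarball under {{PROXY_VAR_LOCAL}},
# render and patch its TOML configuration, and (inside the final block)
# register the systemd service and point the local resolver at it.
#
# NOTE(review): this file was recovered from a whitespace-mangled copy; the
# nesting below is reconstructed from the YAML syntax.  Where a key could
# belong to more than one level (notably the trailing `when:` of the block),
# confirm against the original indentation.

- name: "dns-dnscrypt.yml"
  debug:
    verbosity: 1
    msg: "dns-dnscrypt.yml socks5={{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"

# Source and config directories owned by the box user.
- name: "/var/local/src/dnscrypt-proxy"
  file:
    dest: "{{ item }}"
    state: directory
    mode: "0755"
    owner: "{{ BOX_USER_NAME }}"
    group: "{{ BOX_ALSO_GROUP }}"
  with_items:
    - "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy"
    - "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"

# Fetch the release tarball into the local Http cache (only if not cached),
# then unpack it unless a dnscrypt-proxy binary is already on PATH.
# NOTE(review): the tarball is not checked against a published checksum or
# signature before extraction; the only integrity guard is the TLS transport.
- name: "untar dnscrypt tgz"
  shell: |
    URL="{{ PROXY_DNSCRYPT_TGZ_URL }}"
    [ -f "{{PROXY_VAR_LOCAL}}/net/Http/$URL" ] || \
      wget {{BASE_WGET_ARGS}} -xcqP {{PROXY_VAR_LOCAL}}/net/Http/ "https://$URL"
    which dnscrypt-proxy 2>/dev/null || \
      tar xvfz "{{PROXY_VAR_LOCAL}}/net/Http/$URL" \
        -C "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy"
  args:
    creates: "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy"
  when: "BASE_ARE_CONNECTED|default('') != ''"

# Seed the config from the example template once; never overwrite a
# previously rendered file (force: false) because later tasks patch it.
- name: "roles/privacy/templates/etc/example-dnscrypt-proxy.toml"
  template:
    force: false
    src: templates/etc/example-dnscrypt-proxy.toml
    dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
    mode: "0644"
    owner: "{{BOX_ROOT_USER}}"
    group: "{{ BOX_ALSO_GROUP }}"

# Disabled (`when: false and ...`): the helper script ships in the tarball.
- name: "get generate-domains-blacklist.py"
  uri:
    url: https://github.com/jedisct1/dnscrypt-proxy/raw/master/utils/generate-domains-blacklists/generate-domains-blacklist.py
    dest: "{{PROXY_VAR_LOCAL}}/bin/generate-domains-blacklist.py"
    creates: "{{PROXY_VAR_LOCAL}}/bin/generate-domains-blacklist.py"
    mode: "0775"
    owner: "{{ BOX_USER_NAME }}"
    group: "{{ BOX_ALSO_GROUP }}"
  notify: shebang after pip
  # in tar
  when: false and "BASE_ARE_CONNECTED|default('') != ''"

# Drop lines that begin with '*' from the local blacklist additions;
# dnscrypt-proxy rejects them because a wildcard is only valid as a suffix.
# The previous pattern '/^\\*/d' was a BRE for "zero or more backslashes at
# start of line", which matches every line and emptied the file; '^\*' is a
# literal leading asterisk.
# NOTE(review): `sed -i` fails if the additions file is absent, and nothing
# in this file creates it — confirm it is provisioned elsewhere.
- name: "Invalid rule *.workgroup - wildcards can only be used as a suffix"
  shell: |
    sed -e '/^\*/d' -i {{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/domains-blacklist-local-additions.txt
  # why? dir

# Disabled.
- name: "touch {{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"
  file:
    dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"
    state: touch
    mode: "0644"
    owner: "{{ BOX_USER_NAME }}"
    group: "{{ BOX_ALSO_GROUP }}"
  when: false

- name: "symlink /etc/dnscrypt-proxy.toml"
  file:
    dest: /etc/dnscrypt-proxy.toml
    src: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
    state: link
  when: not ansible_check_mode

# Route dnscrypt-proxy through the SOCKS5 proxy (TCP only) when a proxy is
# configured or the privacy role is active.  The regexp also matches a
# commented-out `#key =` line so the template default is replaced in place.
- name: "forward dnscrypt-proxy to SOCKS5 - socks5 or tor/harden or privacy"
  lineinfile:
    dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
    regexp: '^#* *{{item.name}} =.*'
    line: "{{item.name}} = {{item.val}}"
    state: present
    backup: false
  with_items:
    - { name: "proxy", val: "'socks5://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}'" }
    - { name: "force_tcp", val: "true" }
  when: not ansible_check_mode and ( SOCKS_PROXY|default('') != "" or 'privacy' in ROLES )

# Remaining TOML settings.  `val` is inserted verbatim, so TOML strings carry
# their own single quotes and TOML arrays their own brackets.
- name: "dnscrypt-proxy settings"
  lineinfile:
    dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
    regexp: '^ *#* *{{item.name}} =.*'
    line: "{{item.name}} = {{item.val}}"
    state: present
    backup: false
  with_items:
    - { name: "log_file", val: "'{{PROXY_VAR_LOCAL}}/var/log/dnscrypt-proxy.log'" }
    - { name: "log_level", val: 2 }
    - { name: "listen_addresses", val: "['127.0.0.1:53']" }
    #? server_names = ['bn-fr0', 'bn-fr1', 'bn-nl0', 'cs-cfi', 'cs-cfii', 'cs-ch', 'cs-de', 'cs-de3', 'cs-dk', 'cs-dk2', 'cs-es', 'cs-fi', 'cs-fr', 'cs-fr2', 'cs-lt', 'cs-lv', 'cs-md', 'cs-nl', 'cs-pl', 'cs-pt', 'cs-ro', 'cs-rome', 'cs-uk', 'cs-useast', 'cs-useast2', 'cs-usnorth', 'cs-ussouth', 'cs-ussouth2', 'cs-uswest', 'cs-uswest3', 'cs-uswest5', 'dnscrypt.ca-2', 'dnscrypt.eu-dk', 'dnscrypt.eu-nl', 'dnscrypt.org-fr', 'ns0.dnscrypt.is', 'securedn']
    - { name: "server_names", val: "['dnscrypt.eu-nl', 'dnscrypt.nl-ns0', 'securedns', 'dnscrypt.nl-ns0', 'scaleway-fr', 'cloudflare', 'google']" }
    # Server must support DNS security extensions (DNSSEC) ??
    - { name: "require_dnssec", val: "true" }
    # Server must not log user queries (declarative)
    - { name: "require_nolog", val: "true" }
    # Server must not enforce its own blacklist (for parental control, ads blocking...)
    - { name: "require_nofilter", val: "true" }
    #/ var/local/etc/dnscrypt-proxy/
    - { name: "blacklist_file", val: "'{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/blacklist.txt'" }
    - { name: "whitelist_file", val: "'{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/domains-whitelist.txt'" }
    # opendns - Other popular options include 8.8.8.8 and 1.1.1.1 9.9.9.9:53
    # NOTE(review): 'nameserver ...' is resolv.conf syntax; dnscrypt-proxy's
    # fallback_resolver takes an 'ip:port' string — confirm this value is
    # accepted by the installed version.
    - { name: "fallback_resolver", val: "'nameserver 208.67.222.222:53 208.67.220.220:53'" }
    #?
    - { name: "ignore_system_dns", val: "true" }
  when: not ansible_check_mode

## Switch to a different system user after listening sockets have been created.
## Note (1): this feature is currently unsupported on Windows.
## Note (2): this feature is not compatible with systemd socket activation.
## Note (3): when using -pidfile, the PID file directory must be writable by the new user
# user_name = 'nobody'

- name: "install dnscrypt-proxy in /var/local/bin"
  file:
    src: "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy"
    dest: "{{PROXY_VAR_LOCAL}}/bin/dnscrypt-proxy"
    state: link
  when: not ansible_check_mode

# [NOTICE] System DNS configuration not usable yet, exceptionally resolving [raw.githubusercontent.com] using fallback resolver [9.9.9.9:53]
# [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53]
# Pin the two hosts dnscrypt-proxy fetches at first start in /etc/hosts so it
# can bootstrap before DNS is usable.
# NOTE(review): the addresses are hard-coded and never verified here; they
# silently go stale (or resolve elsewhere) if the upstream IPs change.
- name: "dnscrypt-proxy fallback resolver"
  lineinfile:
    dest: "/etc/hosts"
    regexp: '^ *{{item.name}}.*'
    line: "{{item.name}} {{item.val}}"
    state: present
    backup: false
  with_items:
    - { name: "151.101.36.133", val: "raw.githubusercontent.com" }
    - { name: "37.59.238.213", val: "download.dnscrypt.info" }

# Host-level integration: service registration and resolver switch-over.
# NOTE(review): the trailing `when:` is read here as the block's condition,
# i.e. all of these tasks are skipped on connections listed in
# PLAY_SERVICE_CONNECTIONS; if it belonged to the last task only, the
# `-service install` step would run unconditionally — confirm.
- block:
    - name: "install dnscrypt-proxy"
      shell: |
        {{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy -service install
      args:
        creates: /etc/systemd/system/dnscrypt-proxy.service

    # see https://askubuntu.com/questions/953467/how-to-cache-dnscrypt-proxy-with-dnsmasqresolvconf
    - name: "/etc/NetworkManager/NetworkManager.conf"
      lineinfile:
        dest: /etc/NetworkManager/NetworkManager.conf
        create: false
        regexp: "^#*dns=dnsmasq"
        line: "#dns=dnsmasq"

    #? not really needed
    # FixMe: wicd?
    #? systemctl disable systemd-resolved
    - name: "/etc/resolve.conf.dnscrypt"
      blockinfile:
        path: /etc/resolve.conf.dnscrypt
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
        block: |
          nameserver 127.0.0.1

    #? clobber or symlink /var/run/resolvconf/resolv.conf
    # FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
    # Disabled (`when` list contains `false`).
    - name: "/etc/dnsmasq.conf disable DNS"
      lineinfile:
        dest: /etc/dnsmasq.conf
        regexp: '^#* *{{item.name}}=.*'
        line: "{{item.name}}={{item.val}}"
        state: present
        # backup: yes
        mode: "0644"
        owner: "{{BOX_ROOT_USER}}"
        group: "{{BOX_ROOT_GROUP}}"
      with_items:
        - { name: "port", val: "0" }
        # just guessing
        - { name: "resolv-file", val: "/etc/resolve.conf.dnscrypt" }
      when:
        # just guessing
        - false
        - "ansible_distribution in ['Ubuntu', 'Debian']"

    # stop dhclient from overwriting resolv.conf
    # with scripts in /lib/dhcpcd/dhcpcd-hooks/
    # failed_when: false — a missing unit (e.g. no network-manager) must not
    # abort the play.
    - name: "enable and start service dnscrypt-proxy"
      service:
        name: "{{ item.name }}"
        enabled: "{{ item.able }}"
        state: "{{ item.state }}"
      failed_when: false
      with_items:
        # - { name: "pdnsd", able: false, state: "stopped" }
        - { name: "dnscrypt-proxy", able: true, state: "restarted" }
        - { name: "network-manager", able: false, state: "stopped" }
      # when: "ansible_distribution in ['Ubuntu', 'Debian']"
  when: ansible_connection|default('') not in PLAY_SERVICE_CONNECTIONS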