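# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# Tasks for a box that uses a Whonix Gateway as its proxy: a loopback-only
# polipo HTTP proxy chained to the gateway's SOCKS port, the "whonix"
# iptables firewall set and its kernel modules, libvirt hook/autostart
# plumbing on the host, and the rc.local bootstrap on guests.
# Several tasks are kept but disabled (when: false) because their logic now
# lives in the overlay.

- name: "proxy whonix_host.yml"
  debug:
    verbosity: 1
    msg: "proxy whonix_host.yml BOX_WHONIX_PROXY_HOST={{BOX_WHONIX_PROXY_HOST}}"

# NOTE(review): 0664 leaves every domain definition world-readable, and
# libvirt domain XML can carry <graphics passwd=...> for VNC/SPICE. If only
# one group needs access, 0640 plus that group is the safer mode - confirm
# who reads these files before tightening.
- name: chmod 664 /etc/libvirt/qemu/*xml
  shell: |
    chmod 664 /etc/libvirt/qemu/*xml || true

# Disabled: the hook body now comes from the overlay.
- name: /etc/libvirt/hooks/network
  blockinfile:
    dest: /etc/libvirt/hooks/network
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
    mode: "0775"
    block: |
      [ ! -f /usr/local/sbin/proxy_libvirt_hook_network.bash ] || \
        /usr/local/sbin/proxy_libvirt_hook_network.bash
  when: false  # now in overlay

# FixMe: What is the right conditional for starting polipo?
# - block:
#   To be run on the host to use the gateway as our proxy, using ports via iptables.
#   The proxy setup tasks are a way of centralizing tasks from other roles that
#   would otherwise be run on the gateway.

- name: stat /etc/polipo/config
  stat:
    path: /etc/polipo/config
  register: polipo_conf

# Required inputs for chaining polipo to the gateway, derived from
# {{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}.
# The conditions name the variables instead of interpolating their values
# into the expression: `{{ }}` inside `that` is rejected by newer Ansible,
# and interpolation would also echo PROXY_WHONIX_SOCKS_PASS into the
# failed-assertion output. An undefined variable now fails the assertion
# (via default('')) instead of a templating error.
# NOTE(review): this assert is unconditional while the set_fact below is
# gated on BOX_WHONIX_PROXY_HOST != ""; on a plain guest it fails unless
# these variables have defaults - confirm whether it needs the same guard.
- name: PRIV_TOR_TYPE in ['client']
  assert:
    that:
      - "PROXY_WHONIX_HTTPS_PORT | default('') != ''"
      - "PROXY_WHONIX_SOCKS_PORT | default('') != ''"
      - "PROXY_WHONIX_SOCKS_USER | default('') != ''"
      - "PROXY_WHONIX_SOCKS_PASS | default('') != ''"
      - "PROXY_WHONIX_DNS_PORT | default('') != ''"
      - "PROXY_WHONIX_TRANS_PORT | default('') != ''"
      - "PROXY_WHONIX_BUKU_PORT | default('') != ''"
    msg: "one or more PROXY_WHONIX_* settings are empty"

# Publish the polipo upstream settings for the tasks below. no_log keeps
# PROXY_WHONIX_SOCKS_PASS out of verbose (-v) task output.
# NOTE(review): the assert above checks PROXY_WHONIX_DNS_PORT but
# HARDEN_DNS_PORT is taken from PROXY_DNS_PORT - confirm which is intended.
- name: PRIV_TOR_TYPE in ['client']
  set_fact:
    # {{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
    PROXY_POLIPO_SOCKSHOST: "{{PROXY_WHONIX_SOCKS_HOST}}"
    PROXY_POLIPO_SOCKSPORT: "{{PROXY_WHONIX_SOCKS_PORT}}"
    PROXY_POLIPO_SOCKSUSER: "{{PROXY_WHONIX_SOCKS_USER}}"
    PROXY_POLIPO_SOCKSPASS: "{{PROXY_WHONIX_SOCKS_PASS}}"
    PROXY_POLIPO_SOCKSTYPE: "socks5"
    PRIV_FIREWALL_SET: whonix
    HARDEN_DNS_PORT: "{{PROXY_DNS_PORT}}"
  no_log: true
  when:
    - BOX_WHONIX_PROXY_HOST != ""

# Kernel modules the firewall set needs at boot. The "# 5.15" / "#5" kernel
# version notes are kept on lines of their own so a modules-load parser can
# never hand them to modprobe as module arguments.
- name: "/etc/modules-load.d/firewall.conf"
  blockinfile:
    dest: /etc/modules-load.d/firewall.conf
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
    block: |
      ip_tables
      ipt_REJECT
      iptable_filter
      iptable_nat
      xt_LOG
      xt_conntrack
      xt_nat
      xt_owner
      xt_state
      xt_tcpudp
      nf_conntrack
      nf_defrag_ipv4
      # 5.15
      nf_log_common
      nf_log_ipv4
      nf_nat
      #5
      nf_nat_ipv4
      #5
      nf_reject_ipv4
      #5
      x_tables
      xt_MASQUERADE
      nft_masq
      iptable_mangle
      bridge

# Written once (force: false): later edits to the role template are not
# re-applied to an existing /etc/firewall.conf.
# NOTE(review): PRIV_FIREWALL_SET is only set by the set_fact above when
# BOX_WHONIX_PROXY_HOST != ""; confirm it is defined elsewhere otherwise.
- name: template /etc/firewall.conf
  template:
    force: false
    src: "etc/firewall-tor_{{PRIV_FIREWALL_SET}}.conf"
    dest: /etc/firewall.conf

# Rewrite the polipo settings in place, replacing (or uncommenting) the
# existing line for each key. The regexp anchors on `name =` so a key does
# not match a longer key sharing its prefix (logFile vs logFilePermissions)
# or a prose comment that merely mentions it - lineinfile replaces the
# LAST match, so a loose prefix match could clobber the wrong line.
# The proxy listens on and accepts only 127.0.0.1 and chains every request
# through the gateway SOCKS port; there is no direct upstream.
# NOTE(review): PROXY_POLIPO_SOCKSUSER/PASS are asserted and set above but
# never written here (socksUserName is commented out as unsupported on
# Debian), so the SOCKS session to the gateway carries no credentials.
- name: /etc/polipo/config
  lineinfile:
    dest: /etc/polipo/config
    regexp: '^#* *{{item.name}}\s*='
    line: "{{item.name}}={{item.val}}"
    state: present
    owner: "{{BOX_ROOT_USER}}"
    group: "{{BOX_ROOT_GROUP}}"
    mode: "0644"
    create: true
  with_items:
    - { name: daemonise, val: false }
    - { name: diskCacheRoot, val: "" }
    - { name: disableLocalInterface, val: true }
    - { name: proxyAddress, val: 127.0.0.1 }
    - { name: proxyName, val: 127.0.0.1 }
    - { name: proxyPort, val: "{{ PROXY_POLIPO_PROXYPORT }}" }
    - { name: allowedClients, val: 127.0.0.1 }
    - { name: socksParentProxy, val: "{{PROXY_POLIPO_SOCKSHOST}}:{{PROXY_POLIPO_SOCKSPORT}}" }
    - { name: socksProxyType, val: "{{PROXY_POLIPO_SOCKSTYPE}}" }
    # - { name: socksUserName, val: "foo" } # not Debian - unenforced?
    - { name: disableVia, val: true }
    # can be a directory
    - { name: forbiddenFile, val: /etc/polipo/forbidden }
    # maybe the same directory forbids the same tunnelling
    - { name: forbiddenTunnelsFile, val: /etc/polipo/forbidden }
    - { name: allowedPorts, val: 1-65535 }
    - { name: tunnelAllowedPorts, val: 1-65535 }
    - { name: logFile, val: "{{ PROXY_POLIPO_LOG }}" }
    - { name: logSyslog, val: false }
    - { name: logLevel, val: 455 }  # logLevel=0x107
  when:
    - not ansible_check_mode
    - polipo_conf.stat.exists

# FixMe: make logLevel high but make the log file root readable only
# Best effort: the log file only exists once polipo has been started.
- name: chmod /var/log/polipo.log
  file:
    state: file
    path: "{{ PROXY_POLIPO_LOG }}"
    mode: "0640"
    owner: "{{ PROXY_POLIPO_OWNER }}"
    group: "{{ PROXY_POLIPO_GROUP }}"
  when:
    - not ansible_check_mode
  ignore_errors: true  # FixMe: may not have been started

# - name: virsh list
#   command: virsh list
#   register: virsh_list
#   when:
#     - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS

# Disabled (the guard includes `false`): would widen polipo's allowedClients
# to the host's bridge addresses so guests can reach it, then restart polipo.
- block:
    - name: polipo Whonix-Gateway
      shell: |
        ifconfig | grep virbr || exit 0
        # FixMe: which is gateway
        grep '^allowedClients=.*/' /etc/polipo/config && \
          sed -e 's/allowedClients=.*/allowedClients=127.0.0.1/' -i /etc/polipo/config || \
          echo 'allowedClients=127.0.0.1' >> /etc/polipo/config
        ifconfig | grep br | grep inet | while read inet ip rest ; do
          sed -e "s/allowedClients=.*/&,$ip/" -i /etc/polipo/config
        done
        . /usr/local/etc/local.d/local.bash
        proxy_rc_service polipo restart
  when:
    - false
    - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS

# was in hostvms libvirt.yml
# NOTE(review): the trailing `when` is read as the block's guard (host, not a
# chroot, libvirt in use). The original indentation was lost; confirm it did
# not belong to the conf.d/libvirtd task alone.
- block:
    - name: /etc/libvirt/hooks/network
      lineinfile:
        path: "/etc/libvirt/hooks/network"
        create: true
        mode: "0775"
        insertafter: BOF
        line: "#!/bin/sh"
        regexp: "#./bin/sh"
      when: false  # now in overlay

    # libvirtd runs this hook as root; the inner script is bounded with
    # timeout because a hung hook blocks `virsh list`. The exit status is
    # captured before being logged - testing `$?` and then logging `$?`
    # would always report the status of the test itself.
    - name: /usr/local/bin/proxy_libvirt_hook_network.bash
      blockinfile:
        dest: /etc/libvirt/hooks/network
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
        mode: "0775"
        block: |
          export PATH=$PATH:/usr/local/bin:/usr/local/sbin
          # hung processes will hang virsh list
          if [ -x /usr/local/bin/proxy_libvirt_hook_network.bash ] ; then
            timeout --kill-after=10 10 /usr/local/bin/proxy_libvirt_hook_network.bash "$@"
            rc=$?
            [ $rc -eq 0 ] || \
              logger "$0" WARN: /usr/local/bin/proxy_libvirt_hook_network.bash retval=$rc
          fi
          exit 0
      when: false  # now in overlay

    - name: proxy_libvirt_no_autostart
      shell: |
        /usr/local/bin/proxy_ping_lib.bash proxy_libvirt_no_autostart

    - name: /etc/init.d/libvirtd
      shell: |
        # now moved to /usr/local/bin/proxy_hourly.bash
        [ ! -f /usr/local/bin/proxy_hourly.bash ] || /usr/local/bin/proxy_hourly.bash
        exit 0
      when: false

    # Neutralise any `rc_need` line in the OpenRC conf.d file (or insert a
    # commented placeholder at the top if there is none).
    - name: "/etc/conf.d/libvirtd"
      lineinfile:
        dest: "/etc/{{ETC_CONF_D}}/libvirtd"
        insertbefore: BOF
        mode: "0755"
        owner: "{{BOX_ROOT_USER}}"
        group: "{{BOX_ROOT_GROUP}}"
        create: true
        regexp: "^rc_need"
        line: "#rc_need"
  when:
    - ansible_virtualization_role|replace('NA', 'host') == 'host'
    - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
    - "'libvirt' in BOX_HOSTVMS_FEATURES or BOX_WHONIX_PROXY_HOST != ''"

# Host-side bootstrap. rc.local runs as root at boot; `cp -p` keeps the
# source file's mode, so the .local source must already be executable.
- block:
    - name: /etc/rc.local
      shell: |
        [ -f /etc/rc.local ] && exit 0
        cp -p /usr/local/etc/local.d/Whonix-Host.local /etc/rc.local
      when:
        - BOX_OS_FLAVOR|default('') == 'KickSecure'

    # FIXME(review): the guard tests /usr/local/src/secbrowser.bash but the
    # command runs /local/src/secbrowser.bash - one of the paths looks like
    # a typo, and the guard skips the run exactly when the script exists.
    - name: /usr/local/src/secbrowser.bash
      shell: |
        [ -f /usr/local/src/secbrowser.bash ] && exit 0
        /local/src/secbrowser.bash
      when:
        - BOX_OS_FLAVOR|default('') == 'KickSecure'
  when:
    - "ansible_virtualization_role|replace('NA', 'host') == 'host'"

# Guest-side bootstrap.
- block:
    - name: /run/tmp
      shell: |
        [ -d /run/tmp ] && exit 0
        mkdir /run/tmp
        chmod 1777 /run/tmp
        # lib64 is not being made
        mkdir -p /usr/local/lib/python3.11/site-packages \
          /usr/local/lib64/python3.11/site-packages
      when:
        - external_out.rc|default(1) == 0
        - external_out.stdout|default('') != ''

    # Start the forwarder once, as the box user. The running-check uses
    # `pidof -x` (matches the interpreter running the script by name):
    # the previous `ps ax | grep proxy_libvirt_forward.bash` always matched
    # the `sh -c` process running this very task (its command line contains
    # the script text) and usually the grep itself, so `exit 0` fired every
    # time and the forwarder was never started.
    # NOTE(review): the original task carried two `when` keys (the
    # external_out checks and the libvirt_qemu connection check); Ansible
    # keeps only the last duplicate key, so they are merged here - confirm
    # that is the intended gate.
    - name: proxy_libvirt_forward.bash
      shell: |
        pidof -x proxy_libvirt_forward.bash >/dev/null && exit 0
        proxy_libvirt_forward.bash
      # box mode is tor or
      become: true
      become_user: "{{ BOX_USER_NAME }}"
      when:
        - external_out.rc|default(1) == 0
        - external_out.stdout|default('') != ''
        - ansible_connection|default('') in ['libvirt_qemu']

    - name: /etc/rc.local
      shell: |
        [ -f /etc/rc.local ] && exit 0
        cp -p /usr/local/etc/local.d/Whonix-Vda.local /etc/rc.local
      when:
        - proxy_vda_cmdline_fact|default(1) == 0

    - name: /etc/rc.local
      shell: |
        [ -f /etc/rc.local ] && exit 0
        cp -p /usr/local/etc/local.d/Whonix-Gateway.local /etc/rc.local
      when:
        - BOX_OS_FLAVOR|default('') == 'WhonixGateway'

    - name: /etc/rc.local Workstation
      shell: |
        [ -f /etc/rc.local ] && exit 0
        cp -p /usr/local/etc/local.d/Whonix-Workstation.local /etc/rc.local
      when:
        - BOX_OS_FLAVOR|default('') == 'WhonixWorkstation'
  when:
    - ansible_virtualization_role|replace('NA', 'host') == 'guest'

# FIXME(review): same path mismatch as the host-side task above - the guard
# checks /usr/local/src/secbrowser.bash but runs /local/src/secbrowser.bash.
- block:
    - name: /usr/local/src/secbrowser.bash
      shell: |
        [ -f /usr/local/src/secbrowser.bash ] && exit 0
        /local/src/secbrowser.bash
      when:
        - BOX_OS_FLAVOR|default('') == 'KickSecure' or proxy_vda_cmdline_fact|default(1) == 0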