proxy_role/tasks/dns-dnscrypt.yml

# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-

---

- name: "dns-dnscrypt.yml"
  debug:
    verbosity: 1
    msg: "dns-dnscrypt.yml socks5={{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"

- name: "/var/local/src/dnscrypt-proxy"
  file:
    dest: "{{ item }}"
    state: directory
    mode:  0755
    owner: "{{ BOX_USER_NAME }}"
    group: "{{ BOX_ALSO_GROUP }}"
  with_items:
    - "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy"
    - "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"

- name: "untar dnscrypt tgz"
  shell: |
    URL="{{ PROXY_DNSCRYPT_TGZ_URL }}"
    [ -f {{PROXY_VAR_LOCAL}}/net/Http/$URL ] || \
      wget {{BASE_WGET_ARGS}} -xcqP {{PROXY_VAR_LOCAL}}/net/Http/ https://$URL
    which dnscrypt-proxy 2>/dev/null || \
      tar xvfz {{PROXY_VAR_LOCAL}}/net/Http/$URL \
      -C "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy"    
  args:
    creates: "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy"
  when: "BASE_ARE_CONNECTED|default('') != ''"

- name: "roles/privacy/templates/etc/example-dnscrypt-proxy.toml"
  template:
    force: no
    src: templates/etc/example-dnscrypt-proxy.toml
    dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
    mode:  0644
    owner: "{{BOX_ROOT_USER}}"
    group: "{{ BOX_ALSO_GROUP }}"

- name: "get generate-domains-blacklist.py"
  uri:
    url: https://github.com/jedisct1/dnscrypt-proxy/raw/master/utils/generate-domains-blacklists/generate-domains-blacklist.py
    dest: "{{PROXY_VAR_LOCAL}}/bin/generate-domains-blacklist.py"
    creates: "{{PROXY_VAR_LOCAL}}/bin/generate-domains-blacklist.py"
    mode:  0775
    owner: "{{ BOX_USER_NAME }}"
    group: "{{ BOX_ALSO_GROUP }}"
  notify: shebang after pip
  # in tar
  when: false and "BASE_ARE_CONNECTED|default('') != ''"

- name: "Invalid rule *.workgroup - wildcards can only be used as a suffix"
  shell: |
    sed -e '/^\\*/d' -i {{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/domains-blacklist-local-additions.txt    

# why? dir
- name: "touch {{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"
  file:
    dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy"
    state: touch
    mode:  0644
    owner: "{{ BOX_USER_NAME }}"
    group: "{{ BOX_ALSO_GROUP }}"
  when: false

- name: "symlink /etc/dnscrypt-proxy.toml"
  file:
    dest: /etc/dnscrypt-proxy.toml
    src: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
    state: link
  when: not ansible_check_mode

- name: "forward dnscrypt-proxy to SOCKS5 - socks5 or tor/harden or privacy"
  lineinfile:
    dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
    regexp: '^#* *{{item.name}} =.*'
    line: "{{item.name}} = {{item.val}}"
    state: present
    backup: no
  with_items:
    - { name: "proxy", val: "'socks5://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}'" }
    - { name: "force_tcp", val: "true" }
  when: not ansible_check_mode and ( SOCKS_PROXY|default('') != ""  or 'privacy' in ROLES )

- name: "dnscrypt-proxy settings"
  lineinfile:
    dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml"
    regexp: '^ *#* *{{item.name}} =.*'
    line: "{{item.name}} = {{item.val}}"
    state: present
    backup: no
  with_items:
    - { name: "log_file", val: "'{{PROXY_VAR_LOCAL}}/var/log/dnscrypt-proxy.log'" }
    - { name: "log_level", val: 2 }
    - { name: "listen_addresses", val: "['127.0.0.1:53']" }
    #? server_names = ['bn-fr0', 'bn-fr1', 'bn-nl0', 'cs-cfi', 'cs-cfii', 'cs-ch', 'cs-de', 'cs-de3', 'cs-dk', 'cs-dk2', 'cs-es', 'cs-fi', 'cs-fr', 'cs-fr2', 'cs-lt', 'cs-lv', 'cs-md', 'cs-nl', 'cs-pl', 'cs-pt', 'cs-ro', 'cs-rome', 'cs-uk', 'cs-useast', 'cs-useast2', 'cs-usnorth', 'cs-ussouth', 'cs-ussouth2', 'cs-uswest', 'cs-uswest3', 'cs-uswest5', 'dnscrypt.ca-2', 'dnscrypt.eu-dk', 'dnscrypt.eu-nl', 'dnscrypt.org-fr', 'ns0.dnscrypt.is', 'securedn']
    - { name: "server_names", val: "['dnscrypt.eu-nl', 'dnscrypt.nl-ns0', 'securedns', 'dnscrypt.nl-ns0', 'scaleway-fr', 'cloudflare', 'google']" }
    # Server must support DNS security extensions (DNSSEC) ??
    - { name: "require_dnssec", val: "true" }
    # Server must not log user queries (declarative)
    - { name: "require_nolog", val: "true" }
    # Server must not enforce its own blacklist (for parental control, ads blocking...)
    - { name: "require_nofilter", val: "true" }
    #/ var/local/etc/dnscrypt-proxy/
    - { name: "blacklist_file", val: "'{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/blacklist.txt'" }
    - { name: "whitelist_file", val: "'{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/domains-whitelist.txt'" }
    # opendns - Other popular options include 8.8.8.8 and 1.1.1.1 9.9.9.9:53
    - { name: "fallback_resolver", val: "'nameserver 208.67.222.222:53 208.67.220.220:53'" }
    #? - { name: "ignore_system_dns", val: "true" }
  when: not ansible_check_mode
## Switch to a different system user after listening sockets have been created.
## Note (1): this feature is currently unsupported on Windows.
## Note (2): this feature is not compatible with systemd socket activation.
## Note (3): when using -pidfile, the PID file directory must be writable by the new user
# user_name = 'nobody'

- name: "install dnscrypt-proxy in /var/local/bin"
  file:
    src: "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy"
    dest: "{{PROXY_VAR_LOCAL}}/bin/dnscrypt-proxy"
    state: link
  when: not ansible_check_mode

# [NOTICE] System DNS configuration not usable yet, exceptionally resolving [raw.githubusercontent.com] using fallback resolver [9.9.9.9:53]
# [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53]
- name: "dnscrypt-proxy fallback resolver"
  lineinfile:
    dest: "/etc/hosts"
    regexp: '^ *{{item.name}}.*'
    line: "{{item.name}}	{{item.val}}"
    state: present
    backup: no
  with_items:
    - { name: "151.101.36.133", val: "raw.githubusercontent.com" }
    - { name: "37.59.238.213", val: "download.dnscrypt.info" }

- block:

  - name: "install dnscrypt-proxy"
    shell: |
      {{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy -service install      
    args:
      creates: /etc/systemd/system/dnscrypt-proxy.service

  # see https://askubuntu.com/questions/953467/how-to-cache-dnscrypt-proxy-with-dnsmasqresolvconf
  - name: "/etc/NetworkManager/NetworkManager.conf"
    lineinfile:
      dest: /etc/NetworkManager/NetworkManager.conf
      create: false
      regexp: "^#*dns=dnsmasq"
      line: "#dns=dnsmasq"

  #? not really needed
  # FixMe: wicd?

  #? systemctl disable systemd-resolved
  - name: "/etc/resolve.conf.dnscrypt"
    blockinfile:
      path: /etc/resolve.conf.dnscrypt
      create: yes
      marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
      block: |
        nameserver 127.0.0.1        

  #? clobber or  symlink /var/run/resolvconf/resolv.conf

  # FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
  - name: "/etc/dnsmasq.conf disable DNS"
    lineinfile:
      dest: /etc/dnsmasq.conf
      regexp: '^#* *{{item.name}}=.*'
      line: "{{item.name}}={{item.val}}"
      state: present
  #    backup: yes
      mode:  0644
      owner: "{{BOX_ROOT_USER}}"
      group: "{{BOX_ROOT_GROUP}}"
    with_items:
      - { name: "port", val: "0" }
      # just guessing
      - { name: "resolv-file", val: "/etc/resolve.conf.dnscrypt" }
  when:
    # just guessing
    - false
    - "ansible_distribution in ['Ubuntu', 'Debian']"

# stop dhclient from overwriting resolv.conf
# with scripts in /lib/dhcpcd/dhcpcd-hooks/
- name: "enable and start service dnscrypt-proxy"
  service:
    name: "{{ item.name }}"
    enabled:  "{{ item.able }}"
    state: "{{ item.state }}"
  failed_when: false
  with_items:
#    - { name: "pdnsd", able: "no", state: "stopped" }
    - { name: "dnscrypt-proxy", able: "yes", state: "restarted" }
    - { name: "network-manager", able: "no", state: "stopped" }
  # when: "ansible_distribution in ['Ubuntu', 'Debian']"
  when: ansible_connection|default('') not in PLAY_SERVICE_CONNECTIONS