
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# Report which resolver backend this run starts from (shown only with -v).
- name: "dns.yml"
  debug:
    msg: "dns.yml PROXY_DNS_PROXY={{PROXY_DNS_PROXY}}"
    verbosity: 1
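# Replace a placeholder "localhost" hostname with the inventory name
# (Debian-family only).
# Fix: the inventory name is interpolated into a command line, so it is
# shell-quoted; and a failed write is no longer masked by an unconditional
# `exit 0` (only the "nothing to do" path exits 0).
# NOTE(review): `check_mode: false` makes this write happen even under
# --check; ansible.builtin.hostname would honour check mode if that matters.
- name: /etc/hostname
  shell: |
    grep -q localhost /etc/hostname || exit 0
    echo {{ inventory_hostname | quote }} > /etc/hostname
  when:
    - ansible_distribution in ['Ubuntu', 'Debian', 'Devuan']
  check_mode: false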
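# Make the inventory name resolve via the 127.0.0.1 line in /etc/hosts.
# Fix: the original replacement used "\&", which sed treats as a *literal*
# ampersand, so the first run rewrote the loopback line to "& <hostname>" and
# localhost stopped resolving. An unescaped "&" stands for the matched text.
# The hostname is passed through a shell variable so it is quoted exactly once
# (the dots in 127.0.0.1 are also escaped so they no longer match any byte).
# A sed failure now fails the task instead of being hidden by `exit 0`.
- name: /etc/hosts
  shell: |
    h={{ inventory_hostname | quote }}
    grep -q "^127\.0\.0\.1.* $h" /etc/hosts && exit 0
    sed -e "s@^127\.0\.0\.1.*@& $h@" -i /etc/hosts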
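# Fail fast on an unsupported resolver / network-manager selection.
# Fix: `that:` entries are already Jinja expressions; wrapping values in
# "{{ }}" there is deprecated and only compares rendered strings.
# The pdnsd entry is redundant with the allow-list and kept as documentation
# that pdnsd was deliberately dropped.
- name: "validate PROXY_DNS_PROXY and PROXY_DNS_NETMAN"
  assert:
    that:
      - PROXY_DNS_PROXY in ['dnsmasq', 'dnscrypt']
      - PROXY_DNS_PROXY not in ['pdnsd']
      - PROXY_DNS_NETMAN in PROXY_DNS_NETMAN_ALL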
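# NetworkManager needs its own resolver wiring; other managers are handled
# by the service tasks further down.
# Fix: unbalanced quote in the task name.
- name: "include netman.yml tasks"
  include_tasks: "netman.yml"
  when:
    - PROXY_DNS_NETMAN == 'networkmanager'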
# Whonix boxes/proxy hosts and the tor/selektor proxy modes override the
# validated choice with the socat relay backend. This runs *after* the assert
# above, which is why "socat" is not in its allow-list: it is never a
# user-selectable value, only a forced one.
- set_fact:
    PROXY_DNS_PROXY: "socat"
  when: >-
    BOX_WHONIX_PROXY_HOST != ""
    or BOX_OS_FLAVOR|default('') in ['WhonixWorkstation', 'WhonixGateway']
    or PROXY_MODE in ['tor', 'selektor']
# Disabled: the trailing `false` condition means this task never runs. It
# records an intended variant (dnsmasq when a Whonix proxy host is configured
# but the box itself is not a Whonix VM); drop the `false` to re-enable it, or
# remove the task.
- set_fact:
    PROXY_DNS_PROXY: "dnsmasq"
  when:
    - BOX_WHONIX_PROXY_HOST != ""
    - BOX_OS_FLAVOR|default('') not in ['WhonixWorkstation', 'WhonixGateway']
    - false
# Dispatch to the backend-specific task file. Exactly one include matches:
# PROXY_DNS_PROXY is dnscrypt or dnsmasq (asserted above) unless it was
# forced to socat.
- name: "include dns-dnscrypt.yml tasks"
  include_tasks: "dns-dnscrypt.yml"
  when:
    - PROXY_DNS_PROXY == 'dnscrypt'

- name: "include dns-dnsmasq.yml tasks"
  include_tasks: "dns-dnsmasq.yml"
  when:
    - PROXY_DNS_PROXY == 'dnsmasq'

- name: "include dns-socat.yml tasks"
  include_tasks: "dns-socat.yml"
  when:
    - PROXY_DNS_PROXY == 'socat'
# dhcpcd: system hook scripts live in /lib/dhcpcd/dhcpcd-hooks; user-defined hooks go in /etc/dhcpcd.enter-hook
# dhclient (via resolvconf) overwrites /etc/resolv.conf on a new lease - for now, re-apply it from testforge.start
# on networks that push their own DNS servers (e.g. coffee-shop Wi-Fi such as Starbucks)
# https://www.techrepublic.com/article/pro-tip-take-back-control-of-resolv-conf/
# https://www.linuxquestions.org/questions/slackware-14/how-to-prevent-wicd-overwriting-etc-resolv-conf-4175488551/
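# Point the system resolver at the local proxy whenever DNS is routed through
# Tor/Whonix.
# Fix: the block is inserted at the top of the file. libc tries nameserver
# lines in order, so a DHCP-supplied nameserver listed above ours would be
# queried first and leak lookups outside the proxy. Any other nameserver lines
# are still left in place and act as fallbacks if 127.0.0.1 times out; own the
# whole file (copy/template) if even that fallback is unacceptable.
- name: "/etc/resolv.conf"
  blockinfile:
    dest: /etc/resolv.conf
    marker: "# {mark} ANSIBLE MANAGED BLOCK privacy"
    create: true
    insertbefore: BOF
    block: |
      nameserver 127.0.0.1
  when:
    - PROXY_DNS_PROXY in ['dnscrypt', 'dnsmasq', 'socat']
    - PROXY_MODE in ['tor', 'selektor', 'whonix']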
# stop the DHCP client from overwriting resolv.conf: for dhcpcd that means its hook
# scripts in /lib/dhcpcd/dhcpcd-hooks/ (disabled in the /etc/dhcpcd.conf task below)
# FixMe: dhclient has no equivalent here yet (/etc/dhcp/dhclient.conf?)
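# NAT mode: resolve through the host side of the NAT network instead of a
# local proxy.
# NOTE(review): 10.0.2.2 is presumably the host/gateway address of the
# user-mode NAT network behind virbr1 — confirm it actually answers DNS,
# otherwise the box ends up with no working resolver in this mode.
# Fix: the bridge comparison is a plain Jinja expression; "{{ }}" inside
# `when` is deprecated.
- name: "/etc/resolv.conf"
  blockinfile:
    dest: /etc/resolv.conf
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
    create: true
    block: |
      nameserver 10.0.2.2
  when:
    - PROXY_MODE in ['nat']
    - BOX_NBD_OVERLAY_BR == 'virbr1'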
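# Enable and start the selected resolver daemon. The loop has exactly one
# item (the selected backend), so enabled/state always come out as
# true/started; the conditional form is kept so further services can be added
# to the list and get stopped/disabled instead (dnsmasq is deliberately left
# running — stopping it may take NetworkManager down with it).
# Fix: `item` is referenced directly — nesting "{{ item }}" inside another
# Jinja expression is invalid templating.
# "dnscrypt" is not a system service, so its start fails and is ignored.
# NOTE(review): ignore_errors also hides a real failure to start dnsmasq,
# leaving resolv.conf pointing at a dead 127.0.0.1; consider a
# failed_when that only tolerates the non-service backends.
- name: "service disable not {{PROXY_DNS_PROXY}}"
  service:
    name: "{{ item }}"
    enabled: "{{ 'true' if PROXY_DNS_PROXY == item else 'false' }}"
    state: "{{ 'started' if PROXY_DNS_PROXY == item else 'stopped' }}"
  with_items:
    - "{{PROXY_DNS_PROXY}}"
  ignore_errors: true
  when:
    - ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS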
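# Keep only the selected network manager enabled and running; every other
# entry in PROXY_DNS_NETMAN_ALL is stopped and disabled (presumably so no
# second manager rewrites the resolver settings behind this role's back).
# Managers that are not installed fail to stop/disable and are ignored.
# Fix: `item` is referenced directly — nesting "{{ item }}" inside another
# Jinja expression is invalid templating.
- name: "service disable not {{PROXY_DNS_NETMAN}}"
  service:
    name: "{{ item }}"
    enabled: "{{ 'true' if PROXY_DNS_NETMAN == item else 'false' }}"
    state: "{{ 'started' if PROXY_DNS_NETMAN == item else 'stopped' }}"
  with_items: "{{ PROXY_DNS_NETMAN_ALL }}"
  ignore_errors: true
  when:
    - ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS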
# Tell dhcpcd not to run its resolv.conf / ntp.conf hooks on lease events, so
# a new DHCP lease cannot replace the local-resolver entry written above.
# `create: true` means /etc/dhcpcd.conf is written even on hosts without
# dhcpcd (harmless, but noisy).
# NOTE(review): this is gated on the 'run_dnsmasq' feature, whereas the
# resolv.conf block above is also applied for dnscrypt/socat — confirm dhcpcd
# cannot clobber resolv.conf in those modes.
- name: "/etc/dhcpcd.conf {{ansible_distribution}}"
  blockinfile:
    dest: "{{ item }}"
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
    create: true
    block: |
      # we route dns queries through tor
      # we will configure ntp generically
      nohook resolv.conf,ntp.conf
  loop:
    - /etc/dhcpcd.conf
  when:
    - "'run_dnsmasq' in PROXY_FEATURES"
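# Gentoo: configure /etc/resolvconf.conf so resolvconf stops generating
# /etc/resolv.conf and the local proxy is the configured nameserver.
# Each regexp also matches a commented-out default ("#key=...") so the
# shipped example line is replaced rather than duplicated.
# Fix: the resolv_conf pattern now requires "=", so it can no longer match
# (and silently overwrite) other resolv_conf_* settings — lineinfile rewrites
# the last matching line.
- name: "/etc/resolvconf.conf"
  lineinfile:
    dest: /etc/resolvconf.conf
    create: true
    regexp: "{{ item.name }}"
    line: "{{ item.val }}"
  with_items:
    - { name: "^#*resolvconf=.*", val: "resolvconf=no" }
    - { name: "^#*name_servers=.*", val: "name_servers=127.0.0.1" }
    - { name: "^#*resolv_conf=.*", val: "resolv_conf=/etc/resolv.conf" }
  when:
    - ansible_distribution == 'Gentoo'
    - "'run_dnsmasq' in PROXY_FEATURES"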
# /etc/resolvconf/update.d/ for Ubuntu
# /etc/resolvconf/update.d/dnsmasq for Debian
# Debian/Ubuntu: neutralise resolvconf's dnsmasq update hook by renaming it
# to a dot-file (presumably so run-parts skips it). No-op when the hook is
# absent. The `when` is always true after the assert above; it only guards
# against an empty PROXY_DNS_PROXY.
# NOTE(review): this always reports "changed" and overwrites a previously
# hidden copy; register the result and set changed_when if that is unwanted.
- name: "/etc/resolvconf/update.d/dnsmasq"
  shell: |
    hook=/etc/resolvconf/update.d/dnsmasq
    [ -f "$hook" ] || exit 0
    chmod 644 "$hook"
    mv "$hook" /etc/resolvconf/update.d/.dnsmasq
  when:
    - PROXY_DNS_PROXY != ""