proxy_role/tasks/dns-dnsmasq.yml
2024-01-06 03:08:22 +00:00

171 lines
5.5 KiB
YAML

# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "dns-dnsmasq.yml"
debug:
verbosity: 1
msg: "dns-dnsmasq.yml socks5={{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"
- block:
- name: "uninstall dnscrypt-proxy"
shell: |
systemctl disabled dnscrypt-proxy
rm -f /etc/systemd/system/dnscrypt-proxy.service
args:
removes: /etc/systemd/system/dnscrypt-proxy.service
when:
- "BOX_SERVICE_MGR == 'systemd'"
# see https://askubuntu.com/questions/953467/how-to-cache-dnscrypt-proxy-with-dnsmasqresolvconf
- name: "/etc/NetworkManager/NetworkManager.conf dns"
lineinfile:
dest: /etc/NetworkManager/NetworkManager.conf
create: true
regexp: "^#*dns=dnsmasq"
line: "dns=none"
when:
- true
# /mnt/linuxKick15/etc/NetworkManager/conf.d/dns.conf
# https://wiki.archlinux.org/index.php/NetworkManager#/etc/resolv.conf
#[main]
#ns=none
# Tip: You might also want to set main.
#systemd-resolved=false
- name: "/etc/NetworkManager/NetworkManager.conf no proxy dns"
blockinfile:
dest: /etc/NetworkManager/NetworkManager.conf
create: true
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
block: |
[main]
plugins=ifupdown,keyfile
dns=none
# will always write resolv.conf to its runtime state
# directory /run/NetworkManager/resolv.conf.
rc-manager=unmanaged
unmanaged-devices=interface-name:virbr1
unmanaged-devices=interface-name:virbr2
[ifupdown]
# If set to false, then any interface
# listed in /etc/network/interfaces will be ignored
managed=false
[logging]
level=info
backend=syslog
# FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
# FixMe tor client vss whnoix gateway
- name: "/etc/dnsmasq.conf.tor enable DNS"
blockinfile:
dest: /etc/dnsmasq.conf.tor
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
block: |
log-facility=/var/log/dnsmasq.log
no-resolv
listen-address=127.0.0.1
server=127.0.0.1#9053
port=53
# {{ BASE_ARE_CONNECTED|default('') }}
interface={{ BASE_DEFAULT_OUTPUT_IF }}
bind-interfaces
no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }}
# FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor
- name: "/etc/dnsmasq.conf enable DNS"
blockinfile:
dest: /etc/dnsmasq.conf.whonix
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml"
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
block: |
log-facility=/var/log/dnsmasq.log
no-resolv
listen-address=127.0.0.1
server={{ PROXY_WHONIX_SOCKS_HOST }}#9053
port=53
# {{ BASE_ARE_CONNECTED|default('') }}
interface={{ BASE_DEFAULT_OUTPUT_IF }}
bind-interfaces
no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }}
- name: "/etc/dnsmasq.conf enable srv-host"
blockinfile:
dest: "{{item}}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml srv-host"
# after srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
block: |
# dirmgr
# dns: getsrv(_pgpkey-https._tcp.keyserver.ubuntu.com): Try again later
srv-host=_pgpkey-https._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,443
srv-host=_pgpkey-https._tcp.keys.gnupg.net,keys.gnupg.net,443
srv-host=_pgpkey-https._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,443
srv-host=_pgpkey-https._tcp.keys.gnupg.net,keys.gnupg.net,443
#dead srv-host=_pgpkey-https._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,443
srv-host=_pgpkey-https._tcp.pgp.mit.edu,pgp.mit.edu,443
srv-host=_pgpkey-http._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,80
srv-host=_pgpkey-http._tcp.keys.gnupg.net,keys.gnupg.net,80
srv-host=_pgpkey-http._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,80
srv-host=_pgpkey-http._tcp.keys.gnupg.net,keys.gnupg.net,80
#dead srv-host=_pgpkey-http._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,80
srv-host=_pgpkey-http._tcp.pgp.mit.edu,pgp.mit.edu,80
with_items:
- /etc/dnsmasq.conf.whonix
- /etc/dnsmasq.conf.tor
- name: "/etc/dnsmasq.conf enable dnssec"
blockinfile:
dest: "{{item}}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml dnssec"
block: |
# DNSSEC setup
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec-check-unsigned
when:
- "'dnsmasq_dnssec' in BOX_PROXY_FEATURES"
- false # stops it for starting
with_items:
- /etc/dnsmasq.conf.whonix
- /etc/dnsmasq.conf.tor
- /etc/dnsmasq.conf
- name:
shell: |
[ "{{PROXY_MODE}}" = tor ] && \
cp -p /etc/dnsmasq.conf.tor /etc/dnsmasq.conf
[ "{{PROXY_MODE}}" = tor ] && \
cp -p /etc/dnsmasq.conf.whonix /etc/dnsmasq.conf
exit 0
- name: "enable and start service dnsmasq"
service:
name: "{{ item.name }}"
enabled: false
state: "{{ item.state }}"
# WARNING: dnsmasq will start when NetworkManager has started
failed_when: false
with_items:
#no - { name: "dnscrypt-proxy", able: "no", state: "restarted" }
- { name: "dnsmasq", able: "no", state: "started" }