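# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
#
# dns.yml — select the local DNS proxy (socat / dnsmasq / dnscrypt), include
# the matching per-proxy task file, point /etc/resolv.conf at 127.0.0.1 and
# keep dhcpcd/resolvconf from overwriting it.
# Expects PROXY_DNS_PROXY, PROXY_DNS_NETMAN, PROXY_DNS_NETMAN_ALL,
# PROXY_FEATURES, PROXY_MODE, PLAY_NOSERVICE_CONNECTIONS and the BOX_* values
# to be defined by the caller.
---
- name: "dns.yml"
  debug:
    verbosity: 1
    msg: "dns.yml PROXY_DNS_PROXY={{PROXY_DNS_PROXY}}"

# Replace a stock "localhost" hostname with the inventory name.
# inventory_hostname is spliced into a shell command line, so it goes through
# the quote filter instead of being inserted bare.
- name: /etc/hostname
  shell: |
    grep -q localhost /etc/hostname && echo {{ inventory_hostname | quote }} > /etc/hostname
    exit 0
  when:
    - ansible_distribution in ['Ubuntu', 'Debian', 'Devuan']
  check_mode: false

# Append the inventory name to the 127.0.0.1 line of /etc/hosts if it is not
# there yet. The sed replacement uses a bare "&" (the matched text); the
# earlier "\&" is a literal ampersand in sed and replaced the whole line.
# The hostname is placed between the single-quoted parts of the sed
# expression via the quote filter, so shell-special characters cannot break
# out of the command. "exit 0" keeps the task best-effort on purpose.
- name: /etc/hosts
  shell: |
    grep '^127.0.0.1.* {{inventory_hostname}}' /etc/hosts || \
      sed -e 's@^127.0.0.1.*@& '{{ inventory_hostname | quote }}'@' -i /etc/hosts
    exit 0

# Conditions are plain Jinja expressions; wrapping variables in "{{ }}" here
# is redundant and Ansible warns about templating delimiters in conditionals.
- assert:
    that:
      - PROXY_DNS_PROXY in ["dnsmasq", "dnscrypt"]
      - PROXY_DNS_PROXY not in ["pdnsd"]
      - PROXY_DNS_NETMAN in PROXY_DNS_NETMAN_ALL

- name: "include 'netman.yml tasks"
  include_tasks: "netman.yml"
  when: PROXY_DNS_NETMAN == 'networkmanager'

# Whonix hosts and the tor/selektor proxy modes override the proxy to socat.
- set_fact:
    PROXY_DNS_PROXY: "socat"
  when:
    - BOX_WHONIX_PROXY_HOST != "" or BOX_OS_FLAVOR|default('') in ['WhonixWorkstation' , 'WhonixGateway'] or PROXY_MODE in ['tor', 'selektor']

# NOTE(review): the trailing literal "false" means this task never runs; it
# reads as a deliberate disable — confirm before removing or changing it.
- set_fact:
    PROXY_DNS_PROXY: "dnsmasq"
  when:
    - BOX_WHONIX_PROXY_HOST != ""
    - BOX_OS_FLAVOR|default('') != 'WhonixWorkstation' and BOX_OS_FLAVOR|default('') != 'WhonixGateway'
    - false

- name: "include dns-dnscrypt.yml tasks"
  include_tasks: "dns-dnscrypt.yml"
  when: PROXY_DNS_PROXY == "dnscrypt"

- name: "include dns-dnsmasq.yml tasks"
  include_tasks: "dns-dnsmasq.yml"
  when: PROXY_DNS_PROXY == "dnsmasq"

- name: "include dns-socat.yml tasks"
  include_tasks: "dns-socat.yml"
  when: PROXY_DNS_PROXY == "socat"

# System hook scripts are found in /lib/dhcpcd/dhcpcd-hooks and the user defined hooks are /etc/dhcpcd.enter-hook
# dhclient->resolvconf overwrites this - for now, use testforge.start for things like starbucks
# https://www.techrepublic.com/article/pro-tip-take-back-control-of-resolv-conf/
# https://www.linuxquestions.org/questions/slackware-14/how-to-prevent-wicd-overwriting-etc-resolv-conf-4175488551/
- name: "/etc/resolv.conf"
  blockinfile:
    dest: /etc/resolv.conf
    marker: "# {mark} ANSIBLE MANAGED BLOCK privacy"
    # plain boolean, matching the other blockinfile/lineinfile tasks below
    create: true
    block: |
      nameserver 127.0.0.1
  when:
    - PROXY_DNS_PROXY in ['dnscrypt', 'dnsmasq', 'socat']

# stop dhclient from overwriting resolv.conf
# with scripts in /lib/dhcpcd/dhcpcd-hooks/
# FixMe: /etc/dhcp/dhcp-client.conf?

# dnscrypt is not a system service
- name: "service disable not {{PROXY_DNS_PROXY}}"
  service:
    # Compare against the loop variable directly: a "{{ item }}" nested inside
    # another {{ }} expression is not reliably rendered by Ansible and can
    # leave the selected proxy disabled/stopped.
    enabled: "{{ PROXY_DNS_PROXY == item }}"
    state: "{{ 'started' if PROXY_DNS_PROXY == item else 'stopped' }}"
    name: "{{ item }}"
  with_items:
    # leave 'dnsmasq' running
    # maybe shutting dnsmasq shuts NetworkManager?
    - "{{PROXY_DNS_PROXY}}"
    # "dnscrypt" is not a system service
  ignore_errors: true
  when:
    - ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS

- name: "service disable not {{PROXY_DNS_NETMAN}}"
  service:
    # same direct comparison as above; only the chosen network manager stays
    # enabled and running, every other entry of PROXY_DNS_NETMAN_ALL is stopped
    enabled: "{{ PROXY_DNS_NETMAN == item }}"
    state: "{{ 'started' if PROXY_DNS_NETMAN == item else 'stopped' }}"
    name: "{{ item }}"
  with_items: "{{ PROXY_DNS_NETMAN_ALL }}"
  ignore_errors: true
  when:
    - ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS

- name: "/etc/dhcpcd.conf {{ansible_distribution}}"
  blockinfile:
    dest: "{{ item }}"
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
    create: true
    block: |
      # we route dns queries through tor
      # we will configure ntp generically
      nohook resolv.conf,ntp.conf
  # with_first_found:
  with_items:
    - /etc/dhcpcd.conf
  when:
    - "'run_dnsmasq' in PROXY_FEATURES"

- name: "/etc/resolvconf.conf"
  lineinfile:
    dest: /etc/resolvconf.conf
    create: true
    regexp: "{{ item.name }}"
    line: "{{ item.val }}"
  with_items:
    - { name: "^#*resolvconf=.*", val: "resolvconf=no" }
    - { name: "^#*name_servers=.*", val: "name_servers=127.0.0.1" }
    - { name: "^#*resolv_conf.*", val: "resolv_conf=/etc/resolv.conf" }
  when:
    - ansible_distribution == 'Gentoo'
    - "'run_dnsmasq' in PROXY_FEATURES"

# /etc/resolvconf/update.d/ for Ubuntu

# /etc/resolvconf/update.d/dnsmasq for Debian
# Neutralise the resolvconf dnsmasq hook by renaming it to a dot-file.
- name: "/etc/resolvconf/update.d/dnsmasq"
  shell: |
    [ -f /etc/resolvconf/update.d/dnsmasq ] || exit 0
    chmod 644 /etc/resolvconf/update.d/dnsmasq
    mv /etc/resolvconf/update.d/dnsmasq /etc/resolvconf/update.d/.dnsmasq
  when:
    - PROXY_DNS_PROXY != ""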