proxy_role/tasks/dns.yml
2024-01-06 03:08:22 +00:00

140 lines
4.4 KiB
YAML

# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "dns.yml"
debug:
verbosity: 1
msg: "dns.yml PROXY_DNS_PROXY={{PROXY_DNS_PROXY}}"
- name: /etc/hostname
shell: |
grep -q localhost /etc/hostname && echo {{inventory_hostname}} > /etc/hostname
exit 0
when:
- ansible_distribution in ['Ubuntu', 'Debian', 'Devuan']
check_mode: false
- name: /etc/hosts
shell: |
grep '^127.0.0.1.* {{inventory_hostname}}' /etc/hosts || \
sed -e 's@^127.0.0.1.*@\& {{inventory_hostname}}@' -i /etc/hosts
exit 0
- assert:
that:
- '"{{ PROXY_DNS_PROXY }}" in ["dnsmasq", "dnscrypt"]'
- '"{{ PROXY_DNS_PROXY }}" not in ["pdnsd"]'
- '"{{ PROXY_DNS_NETMAN }}" in {{PROXY_DNS_NETMAN_ALL}}'
- name: "include 'netman.yml tasks"
include_tasks: "netman.yml"
when: PROXY_DNS_NETMAN == 'networkmanager'
- set_fact:
PROXY_DNS_PROXY: "socat"
when:
- BOX_WHONIX_PROXY_HOST != "" or BOX_OS_FLAVOR|default('') in ['WhonixWorkstation' , 'WhonixGateway'] or PROXY_MODE in ['tor', 'selektor']
- set_fact:
PROXY_DNS_PROXY: "dnsmasq"
when:
- BOX_WHONIX_PROXY_HOST != ""
- BOX_OS_FLAVOR|default('') != 'WhonixWorkstation' and BOX_OS_FLAVOR|default('') != 'WhonixGateway'
- false
- name: "include dns-dnscrypt.yml tasks"
include_tasks: "dns-dnscrypt.yml"
when: PROXY_DNS_PROXY == "dnscrypt"
- name: "include dns-dnsmasq.yml tasks"
include_tasks: "dns-dnsmasq.yml"
when: PROXY_DNS_PROXY == "dnsmasq"
- name: "include dns-socat.yml tasks"
include_tasks: "dns-socat.yml"
when: PROXY_DNS_PROXY == "socat"
# System hook scripts are found in /lib/dhcpcd/dhcpcd-hooks and the user defined hooks are /etc/dhcpcd.enter-hook
# dhclient->resolvconf overwrites this - for now, use testforge.start for things like starbucks
# https://www.techrepublic.com/article/pro-tip-take-back-control-of-resolv-conf/
# https://www.linuxquestions.org/questions/slackware-14/how-to-prevent-wicd-overwriting-etc-resolv-conf-4175488551/
- name: "/etc/resolv.conf"
blockinfile:
dest: /etc/resolv.conf
marker: "# {mark} ANSIBLE MANAGED BLOCK privacy"
create: yes
block: |
nameserver 127.0.0.1
when:
- PROXY_DNS_PROXY in ['dnscrypt', 'dnsmasq', 'socat']
# stop dhclient from overwriting resolv.conf
# with scripts in /lib/dhcpcd/dhcpcd-hooks/
# FixMe: /etc/dhcp/dhcp-client.conf?
# dnscrypt is not a system service
- name: "service disable not {{PROXY_DNS_PROXY}}"
service:
enabled: '{{ "yes" if PROXY_DNS_PROXY == "{{ item }}" else "no" }}'
state: '{{ "started" if PROXY_DNS_PROXY == "{{ item }}" else "stopped" }}'
name: "{{ item }}"
with_items:
# leave 'dnsmasq' running
# maybe shutting dnsmasq shuts NetworkManager?
- "{{PROXY_DNS_PROXY}}"
# "dnscrypt" is not a system service
ignore_errors: true
when:
- ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS
- name: "service disable not {{PROXY_DNS_NETMAN}}"
service:
enabled: '{{ "yes" if PROXY_DNS_NETMAN == "{{ item }}" else "no" }}'
state: '{{ "started" if PROXY_DNS_NETMAN == "{{ item }}" else "stopped" }}'
name: "{{ item }}"
with_items: "{{ PROXY_DNS_NETMAN_ALL }}"
ignore_errors: true
when:
- ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS
- name: "/etc/dhcpcd.conf {{ansible_distribution}}"
blockinfile:
dest: "{{ item }}"
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
create: true
block: |
# we route dns queries through tor
# we will configure ntp generically
nohook resolv.conf,ntp.conf
# with_first_found:
with_items:
- /etc/dhcpcd.conf
when:
- "'run_dnsmasq' in PROXY_FEATURES"
- name: "/etc/resolvconf.conf"
lineinfile:
dest: /etc/resolvconf.conf
create: true
regexp: "{{ item.name }}"
line: "{{ item.val }}"
with_items:
- { name: "^#*resolvconf=.*", val: "resolvconf=no" }
- { name: "^#*name_servers=.*", val: "name_servers=127.0.0.1" }
- { name: "^#*resolv_conf.*", val: "resolv_conf=/etc/resolv.conf" }
when:
- ansible_distribution == 'Gentoo'
- "'run_dnsmasq' in PROXY_FEATURES"
# /etc/resolvconf/update.d/ for Ubuntu
# /etc/resolvconf/update.d/dnsmasq for Debian
- name: "/etc/resolvconf/update.d/dnsmasq"
shell: |
[ -f /etc/resolvconf/update.d/dnsmasq ] || exit 0
chmod 644 /etc/resolvconf/update.d/dnsmasq
mv /etc/resolvconf/update.d/dnsmasq /etc/resolvconf/update.d/.dnsmasq
when:
- PROXY_DNS_PROXY != ""