- unbound: rename role to 'dns', add dnscrypt-proxy tasks - devd: add sample udev rules - apparmor: move kernel parameters to group_vars
---
|
|
# Firefox needs to be setup manually:
|
|
# https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH
|
|
- name: dnscrypt-proxy | Prerequisite setup for local DoH server
|
|
block:
|
|
- name: dnscrypt-proxy | Generate private key for local DoH server
|
|
community.crypto.openssl_privatekey:
|
|
path: '/etc/dnscrypt-proxy/{{ ansible_hostname }}.pem'
|
|
type: Ed25519
|
|
mode: 0640
|
|
owner: root
|
|
group: dnscrypt
|
|
state: present
|
|
|
|
- name: dnscrypt-proxy | Generate self-signed certificate for local DoH server
|
|
community.crypto.x509_certificate:
|
|
path: '/etc/dnscrypt-proxy/{{ ansible_hostname }}.crt'
|
|
privatekey_path: '/etc/dnscrypt-proxy/{{ ansible_hostname }}.pem'
|
|
provider: selfsigned
|
|
selfsigned_not_after: +5000d
|
|
selfsigned_digest: sha512
|
|
mode: 0640
|
|
owner: root
|
|
group: dnscrypt
|
|
state: present
|
|
when: dnscrypt.local_doh.enabled
|
|
|
|
- name: dnscrypt-proxy | Copy blocked-ips.txt for rebinding protection
|
|
copy:
|
|
src: blocked-ips.txt
|
|
dest: /etc/dnscrypt-proxy/blocked-ips.txt
|
|
mode: 0644
|
|
owner: root
|
|
group: root
|
|
|
|
- name: dnscrypt-proxy | Copy cloaking-rules.txt
|
|
copy:
|
|
src: cloaking-rules.txt
|
|
dest: /etc/dnscrypt-proxy/cloaking-rules.txt
|
|
mode: 0644
|
|
owner: root
|
|
group: root
|
|
|
|
- name: dnscrypt-proxy | Configure DNS-based adblocking
|
|
block:
|
|
- name: dnscrypt-proxy | Create adblock directory for blocklist configurations
|
|
file:
|
|
path: /etc/dnscrypt-proxy/adblock
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
state: directory
|
|
|
|
- name: dnscrypt-proxy | Copy blocklists
|
|
copy:
|
|
src: '{{ item }}'
|
|
dest: '/etc/dnscrypt-proxy/adblock/{{ item }}'
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
loop:
|
|
- domains-blocklist.conf
|
|
- domains-blocklist-local-additions.txt
|
|
|
|
- name: dnscrypt-proxy | Download generate-domains-blocklist.py
|
|
get_url:
|
|
url: https://raw.githubusercontent.com/DNSCrypt/dnscrypt-proxy/master/utils/generate-domains-blocklist/generate-domains-blocklist.py
|
|
dest: /etc/dnscrypt-proxy/adblock/generate-domains-blocklist.py
|
|
mode: 0644
|
|
owner: root
|
|
group: root
|
|
|
|
- name: dnscrypt-proxy | Generate domain blocklist the 1st time
|
|
command:
|
|
cmd: /usr/bin/python3 generate-domains-blocklist.py -i -a /dev/null -r /dev/null -c domains-blocklist.conf -o /etc/dnscrypt-proxy/blocked-names.txt
|
|
chdir: /etc/dnscrypt-proxy/adblock
|
|
creates: /etc/dnscrypt-proxy/blocked-names.txt
|
|
failed_when: no
|
|
|
|
- name: dnscrypt-proxy | Ensure proper permission on blocked-names.txt file
|
|
file:
|
|
path: /etc/dnscrypt-proxy/blocked-names.txt
|
|
mode: 0644
|
|
owner: root
|
|
group: root
|
|
state: file
|
|
|
|
- name: dnscrypt-proxy | Add daily cron job to update the blocklist
|
|
copy:
|
|
src: update_dnscrypt_blocklist
|
|
dest: /etc/periodic/daily/update_dnscrypt_blocklist
|
|
mode: 0755
|
|
owner: root
|
|
group: root
|
|
when: dnscrypt.adblock
|
|
|
|
- name: dnscrypt-proxy | Copy dnscrypt-proxy config
|
|
template:
|
|
src: dnscrypt-proxy.j2
|
|
dest: /etc/dnscrypt-proxy/dnscrypt-proxy.toml
|
|
mode: 0644
|
|
owner: root
|
|
group: root
|
|
validate: /usr/bin/dnscrypt-proxy -check -config %s
|
|
|
|
- name: dnscrypt-proxy | Start dnscrypt-proxy service on runlevel 'default'
|
|
service:
|
|
name: dnscrypt-proxy
|
|
enabled: yes
|
|
state: started
|
|
runlevel: default
|
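Review bot: The `get_url` task that fetches generate-domains-blocklist.py from the `master` branch has no `checksum:` and no pinned ref, and the very next task runs that script as root; whatever the upstream branch serves at playbook time is executed with full privileges on the host, and the daily cron job copied afterwards presumably re-runs it. Pin the URL to a release tag or commit and verify it, e.g. `url: https://raw.githubusercontent.com/DNSCrypt/dnscrypt-proxy/<PINNED_TAG_OR_SHA>/utils/generate-domains-blocklist/generate-domains-blocklist.py` with `checksum: sha256:<EXPECTED_SHA256>` (placeholders to be filled from a verified copy), or vendor the script into the role's files/ directory and use `copy:` like the other assets. Separately, `failed_when: no` on the first-run generation hides any download or parse error in the generator, so the only signal is the later `state: file` task failing on a missing blocked-names.txt; dropping `failed_when` (or at least writing `failed_when: false` and registering the result to report `rc`/`stderr`) keeps the failure attributable. The `yes`/`no` booleans and unquoted `0640`/`0644` modes also deserve `true`/`false` and `"0640"`/`"0644"` for ansible-lint consistency.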