---
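# Key material for the local DoH listener (gated on dnscrypt.local_doh.enabled).
# Only the private key and a self-signed certificate are produced here; the
# listener itself is configured in dnscrypt-proxy.toml, and Firefox still has
# to be pointed at it by hand:
# https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH
- name: dnscrypt-proxy | Prerequisite setup for local DoH server
  when: dnscrypt.local_doh.enabled
  block:
    - name: dnscrypt-proxy | Generate private key for local DoH server
      community.crypto.openssl_privatekey:
        path: '/etc/dnscrypt-proxy/{{ ansible_hostname }}.pem'
        # NOTE(review): Ed25519 TLS certificates are not accepted by every
        # client (browser TLS stacks have historically lacked EdDSA support);
        # if the DoH client rejects the handshake, an EC P-256 key is the safe
        # alternative — confirm against the clients actually in use.
        type: Ed25519
        # Group-readable only: the daemon (group dnscrypt) needs the key,
        # nothing else on the host does.
        mode: '0640'
        owner: root
        group: dnscrypt
        state: present
    - name: dnscrypt-proxy | Generate self-signed certificate for local DoH server
      community.crypto.x509_certificate:
        path: '/etc/dnscrypt-proxy/{{ ansible_hostname }}.crt'
        privatekey_path: '/etc/dnscrypt-proxy/{{ ansible_hostname }}.pem'
        # NOTE(review): no CSR is supplied, so the certificate carries whatever
        # default subject/SAN community.crypto produces; a client that checks
        # the name it connects to will normally need a matching SAN — verify.
        provider: selfsigned
        # ~13.7 years. Acceptable only because this cert is trusted on the
        # local host alone and never published.
        selfsigned_not_after: '+5000d'
        selfsigned_digest: sha512
        mode: '0640'
        owner: root
        group: dnscrypt
        state: present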
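# Static IP blocklist shipped with the role (files/blocked-ips.txt): answers
# resolving to a listed address are dropped. The task name frames it as
# DNS-rebinding protection, so the list presumably covers loopback/private
# ranges — the content itself is not visible here. Trusted role content,
# never downloaded, hence world-readable but root-owned is fine.
- name: dnscrypt-proxy | Copy blocked-ips.txt for rebinding protection
  ansible.builtin.copy:
    src: blocked-ips.txt
    dest: /etc/dnscrypt-proxy/blocked-ips.txt
    mode: '0644'
    owner: root
    group: root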
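# Local name->address overrides (files/cloaking-rules.txt). Because a cloaking
# rule silently changes what a name resolves to, the file must stay
# root-owned and must never be writable by the dnscrypt service account.
- name: dnscrypt-proxy | Copy cloaking-rules.txt
  ansible.builtin.copy:
    src: cloaking-rules.txt
    dest: /etc/dnscrypt-proxy/cloaking-rules.txt
    mode: '0644'
    owner: root
    group: root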
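# DNS-based ad blocking (gated on dnscrypt.adblock). The upstream helper
# script is fetched once, run as root to build blocked-names.txt, and then
# re-run daily from cron. The download below is therefore the trust
# boundary for code that executes as root with network access.
- name: dnscrypt-proxy | Configure DNS-based adblocking
  when: dnscrypt.adblock
  block:
    - name: dnscrypt-proxy | Create adblock directory for blocklist configurations
      ansible.builtin.file:
        path: /etc/dnscrypt-proxy/adblock
        owner: root
        group: root
        # Root-owned, not group/world writable: nothing unprivileged may
        # alter the generator script or its inputs.
        mode: '0755'
        state: directory
    - name: dnscrypt-proxy | Copy blocklists
      ansible.builtin.copy:
        src: '{{ item }}'
        dest: '/etc/dnscrypt-proxy/adblock/{{ item }}'
        owner: root
        group: root
        mode: '0644'
      loop:
        - domains-blocklist.conf
        - domains-blocklist-local-additions.txt
    # Supply-chain caveat: the default URL tracks the moving 'master' branch,
    # so the script content is whatever upstream serves at the moment of the
    # first run on each host, and nothing checks its integrity. Pin it by
    # setting dnscrypt.adblock_script_url to a tag/commit URL and
    # dnscrypt.adblock_script_checksum (e.g. 'sha256:<hex>'); both are
    # optional so existing inventories keep working unchanged.
    - name: dnscrypt-proxy | Download generate-domains-blocklist.py
      ansible.builtin.get_url:
        url: "{{ dnscrypt.adblock_script_url | default('https://raw.githubusercontent.com/DNSCrypt/dnscrypt-proxy/master/utils/generate-domains-blocklist/generate-domains-blocklist.py') }}"
        checksum: "{{ dnscrypt.adblock_script_checksum | default(omit) }}"
        dest: /etc/dnscrypt-proxy/adblock/generate-domains-blocklist.py
        mode: '0644'
        owner: root
        group: root
    # Bootstrap run only: 'creates' skips this once the output exists; the
    # daily cron job refreshes it afterwards. -a/-r point the allowlist and
    # time-restricted inputs at /dev/null (presumably: none configured).
    - name: dnscrypt-proxy | Generate domain blocklist the 1st time
      ansible.builtin.command:
        cmd: /usr/bin/python3 generate-domains-blocklist.py -i -a /dev/null -r /dev/null -c domains-blocklist.conf -o /etc/dnscrypt-proxy/blocked-names.txt
        chdir: /etc/dnscrypt-proxy/adblock
        creates: /etc/dnscrypt-proxy/blocked-names.txt
      # Deliberately best-effort: a non-zero exit (e.g. an unreachable list
      # source) must not abort the play. A total failure is still caught by
      # the next task, which requires the output file to exist; a partial
      # list is not. NOTE(review): the reason for tolerating failures is not
      # recorded — drop this once a clean run is confirmed.
      failed_when: false
    - name: dnscrypt-proxy | Ensure proper permission on blocked-names.txt file
      ansible.builtin.file:
        path: /etc/dnscrypt-proxy/blocked-names.txt
        mode: '0644'
        owner: root
        group: root
        # state=file fails if the generator produced nothing above.
        state: file
    # Alpine/BusyBox periodic cron; the job body lives in files/update_dnscrypt_blocklist.
    - name: dnscrypt-proxy | Add daily cron job to update the blocklist
      ansible.builtin.copy:
        src: update_dnscrypt_blocklist
        dest: /etc/periodic/daily/update_dnscrypt_blocklist
        mode: '0755'
        owner: root
        group: root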
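# Render the main config and make sure the daemon runs it. The template
# result is registered so a changed config triggers a restart; previously
# the service was only ever started, so an already-running daemon kept the
# old configuration until something else restarted it.
- name: dnscrypt-proxy | Copy dnscrypt-proxy config
  ansible.builtin.template:
    src: dnscrypt-proxy.j2
    dest: /etc/dnscrypt-proxy/dnscrypt-proxy.toml
    mode: '0644'
    owner: root
    group: root
    # Reject a broken rendering before it replaces the live config.
    # NOTE(review): the validated copy lives in a temporary directory, so any
    # file paths in the template that are relative to the config directory
    # may not resolve during the check — confirm they are absolute.
    validate: /usr/bin/dnscrypt-proxy -check -config %s
  register: dnscrypt_proxy_config

# OpenRC (runlevel 'default'), consistent with the /etc/periodic cron job.
- name: dnscrypt-proxy | Start dnscrypt-proxy service on runlevel 'default'
  ansible.builtin.service:
    name: dnscrypt-proxy
    enabled: true
    # Restart on config change; plain start otherwise (idempotent).
    state: "{{ 'restarted' if dnscrypt_proxy_config is changed else 'started' }}"
    runlevel: default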