debian.ansible.tornet.network/tornet.yml

---
- name: Tornet Debian Linux Setup
  hosts: all
  tasks:
    
    - name: Packages for tor
      apt:
        name: 
          - tor
          - tor-geoipdb
          - privoxy
          - bridge-utils
          - ufw
          - dnsmasq
          - dnscrypt-proxy
        update_cache: no
        install_recommends: no

    - name: 'remove dnsmasq from startup'
      command: systemctl disable dnsmasq
      args:
        removes: /etc/systemd/system/multi-user.target.wants/dnsmasq.service

    - name: 'stop dnsmasq'
      command: systemctl stop dnsmasq
      args:
        removes: /run/dnsmasq/dnsmasq.pid

    - name: Tor Config
      blockinfile:
        path: /etc/tor/torrc
        create: yes
        mode: "0444"
        owner: root
        group: root
        insertbefore: BOF
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          # individual Tor-Config
          BridgeRelay 0
          SOCKSPort 0.0.0.0:9050
          SOCKSPort [::]:9050
          ExitPolicy reject *:*
          ControlPort 0.0.0.0:9051
          ControlPort [::]:9051
          HashedControlPassword 16:F7222A0CBC254E536056DCBBD27A7D051D68BCF1E9020681C0A3656B84
          # Seting up TOR transparent proxy for tor-router
          #VirtualAddrNetwork 10.192.0.0/10
          AutomapHostsOnResolve 1
          TransPort 0.0.0.0:9040
          TransPort [::]:9040
          DNSPort 0.0.0.0:5353
          DNSPort [::]:5353
          # Falls outgping geblockt wird und nur 80/443 geht
          FascistFirewall 1
        backup: yes
      notify:
      - Restart tor

    - name: Privoxy Config
      blockinfile:
        path: /etc/privoxy/config
        create: yes
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          listen-address 0.0.0.0:3128
          listen-address [::1]:3128
          # Privoxy-Tor-Connection
          forward-socks5t / localhost:9050 .
        backup: yes
      notify:
      - Restart privoxy

    - name: Tor bridge
      blockinfile:
        path: /etc/network/interfaces.d/tornet0
        create: yes
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          auto tornet0
          iface tornet0 inet static
            bridge_ports none
            address 192.168.43.1
            broadcast 192.168.43.255
            netmask 255.255.255.0
      notify:
      - Restart tornet0

    - name: start tornet0 if not exists
      ansible.builtin.command: ifup tornet0
      args:
        creates: /proc/sys/net/ipv6/conf/tornet0/disable_ipv6

    - ansible.posix.sysctl:
        name: net.ipv6.conf.tornet0.disable_ipv6
        value: '1'
        state: present

    - name: ufw firewall rules for transparent tor proxy in tornet0
      blockinfile:
        path: /etc/ufw/before.rules
        create: yes
        mode: "0440"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK for tornet0"
        insertbefore: BOF
        block: |
          *nat
          :POSTROUTING ACCEPT - [0:0]
          # Route network 192.168.43.0/24 (tornet0) to transparent Tor-Proxy (udp not supported by Tor)
          # Activate "normal" routing for non-Internet Networks
          -A POSTROUTING -s 192.168.43.0/24 -j MASQUERADE
          -A PREROUTING -i tornet0 -d 127.0.0.0/8 -j RETURN
          -A PREROUTING -i tornet0 -d 10.0.0.0/8 -j RETURN
          -A PREROUTING -i tornet0 -d 192.168.0.0/16 -j RETURN
          -A PREROUTING -i tornet0 -d 172.16.0.0/12 -j RETURN
          -A PREROUTING -i tornet0 -d 0.0.0.0/8 -j RETURN
          -A PREROUTING -i tornet0 -d 100.64.0.0/10 -j RETURN
          -A PREROUTING -i tornet0 -d 169.254.0.0/16 -j RETURN
          -A PREROUTING -i tornet0 -d 192.0.0.0/24 -j RETURN
          -A PREROUTING -i tornet0 -d 192.0.2.0/24 -j RETURN
          -A PREROUTING -i tornet0 -d 192.88.99.0/24 -j RETURN
          -A PREROUTING -i tornet0 -d 198.18.0.0/15 -j RETURN
          -A PREROUTING -i tornet0 -d 198.51.100.0/24 -j RETURN
          -A PREROUTING -i tornet0 -d 203.0.113.0/24 -j RETURN
          -A PREROUTING -i tornet0 -d 224.0.0.0/4 -j RETURN
          -A PREROUTING -i tornet0 -d 240.0.0.0/4 -j RETURN
          -A PREROUTING -i tornet0 -d 255.255.255.255/32 -j RETURN
          # Redirect all TCP-Connections to transparent Tor-Proxy
          -A PREROUTING -i tornet0 -s 192.168.43.0/24 -p tcp --syn -j REDIRECT --to-ports 9040
          # Redirect DNS to TorDNS
          -A PREROUTING -i tornet0 -s 192.168.43.0/24 -d 192.168.43.1 -p udp --dport 53 -j REDIRECT --to-ports 5353
          # Redirect all non TCP-Connections into nirvana because Tor only speaks TCP
          -A PREROUTING -i tornet0 -s 192.168.43.0/24 ! -p tcp -j DNAT --to 127.0.0.1:1
          COMMIT
      notify:
      - Restart ufw

    - name: Allow Routing
      community.general.ufw:
        rule: allow
        route: yes
        interface_in: tornet0

    - name: Allow all access to tcp port 53/udp (dns)
      community.general.ufw:
        rule: allow
        port: '53'
        proto: udp
        interface: tornet0
        direction: in

    - name: Allow access to dhcp server
      community.general.ufw:
        rule: allow
        port: '67'
        proto: udp
        interface: tornet0
        direction: in

    - name: Allow access to NTP server
      community.general.ufw:
        rule: allow
        port: '123'
        proto: udp
        interface: tornet0
        direction: in

    - name: Allow access to tor
      community.general.ufw:
        rule: allow
        port: '9040'
        proto: tcp
        interface: tornet0
        direction: in

    - name: dnsmasq DNS and DHCP for tornet0
      blockinfile:
        path: /etc/dnsmasq-tornet0.conf
        create: yes
        mode: "0444"
        owner: root
        group: root
        insertbefore: BOF
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          port=53
          interface=tornet0
          listen-address=192.168.43.1
          bind-interfaces
          except-interface=lo
          domain-needed
          bogus-priv
          dhcp-range=192.168.43.100,192.168.43.200,255.255.255.0,12h
          dhcp-option=option:ntp-server,192.168.43.1
          log-queries
          log-dhcp
      notify:
      - Restart dnsmasq-tornet0

    - name: dnsmasq DNS and DHCP for tornet0 systemd
      blockinfile:
        path: /etc/systemd/system/dnsmasq-tornet0.service
        create: yes
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          [Unit]
          Description=dnsmasq tornet0 DNS and DHCP
          After=network.target

          [Service]
          Type=forking
          ExecStart=/usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq-tornet0.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -C /etc/dnsmasq-tornet0.conf --local-service
          PIDFile=/run/dnsmasq/dnsmasq-tornet0.pid
          KillMode=process
          Restart=on-failure

          [Install]
          WantedBy=multi-user.target
      notify:
      - Restart dnsmasq-tornet0

    - name: 'add dnsmasq-tornet0 to startup'
      command: systemctl enable dnsmasq-tornet0
      args:
        creates: /etc/systemd/system/multi-user.target.wants/dnsmasq-tornet0.service

    - name: 'start dnsmasq-tornet0'
      command: systemctl start dnsmasq-tornet0
      args:
        creates: /run/dnsmasq/dnsmasq-tornet0.pid

#### Prepare DNSCRYPT PROXY FOR DoHoT (DNS over HTTPS over Tor)
   - name: create blocked-names.txt
      command: touch /etc/dnscrypt-proxy/blocked-names.txt
      args:
        creates: /etc/dnscrypt-proxy/blocked-names.txt

    - name: dnscrypt-proxy configfile
      copy:
        dest: /etc/dnscrypt-proxy/dnscrypt-proxy.toml
        mode: "0444"
        owner: root
        group: root
        content: |
          # Documentation https://github.com/DNSCrypt/dnscrypt-proxy/wiki
          
          # listen on all interfaces
          listen_addresses = ['127.0.0.55:5354']
          
          # DoH server list
          server_names = ['doh.mullvad.net-194.242.2.2', 'doh.ffmuc.net-185.150.99.255', 'doh.ffmuc.net-5.1.66.255', 'dns.digitale-gesellschaft.ch-185.95.218.42', 'dns.digitale-gesellschaft.ch-185.95.218.43', 'anycast.uncensoreddns.org-91.239.100.100']
          
          # server names to avoid even if they match all criteria
          # disabled_server_names = []
          
          ## what kinds of server do we want to resolve from?
          doh_servers = true
          ipv4_servers = false
          ipv6_servers = false
          dnscrypt_servers = false
          
          # do we support IPv6 accressing?
          block_ipv6 = false
          
          # don't let weird queries & typos leak upstream
          block_unqualified = true
          block_undelegated = true
          
          # TTL for synthetic responses sent when a request has been blocked
          reject_ttl = 600
          
          # request DoH servers which offer DNSSEC / tamperproofing
          require_dnssec = true
          
          # we are using tor, so we should not care about logging
          require_nolog = false
          
          # request DoH servers that advertise themselves as unfiltered
          require_nofilter = true
          
          # use tor
          force_tcp = true
          proxy = 'socks5://127.0.0.1:9050'
          
          # how long (ms) a DNS query will wait for a response; reasonable max 10s
          timeout = 10000
          
          # keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds; default: 30
          keepalive = 30
          
          # loadbalancing; p2 strategy, and continuous farming of the list
          lb_strategy = 'p2'
          lb_estimator = true
          
          # logging: approx 1 month of weekly logs, capped-out/force-rotated at 64Mb
          log_level = 2
          use_syslog = false
          log_files_max_size = 64
          log_files_max_age = 7
          log_files_max_backups = 4
          
          # delay, in minutes, after which certificates are reloaded; this also
          # drives the latency logger, so we poll/log every hour
          cert_refresh_delay = 60
          
          # less linkability / more privacy at slight performance impact;
          # see the notes in the above-cited documentation
          tls_disable_session_tickets = true
          tls_cipher_suite = [52392, 49199]
          
          # for healthcheck, heartbeat and bootstrap, dnscrypt-proxy MUST be
          # able to probe the internet, so we must configure our firewall so
          # that it is the only one which can use port 53 to the internet;
          # dnscrypt-proxy claims that it will only use these services in very
          # limited circumstances. Regards option naming, see:
          # https://github.com/DNSCrypt/dnscrypt-proxy/commit/c500287498a05b07c3af8effa23a0ba4c42f00f1
          fallback_resolvers = ['46.182.19.48:53']
          netprobe_address = '46.182.19.48:53'
          netprobe_timeout = 60
          ignore_system_dns = true
          
          # explicit caching
          cache = true       
          cache_size = 4096
          cache_min_ttl = 2400
          cache_max_ttl = 86400
          cache_neg_min_ttl = 60
          cache_neg_max_ttl = 600
          
          # I am not configuring this resolver as a local DoH listener, to do so
          # requires a TLS certificate and that's a world of pain
          
          [query_log]
          file = '/var/log/dnscrypt-proxy/query.log'
          # ignored_qtypes = ['DNSKEY', 'NS']
          
          [nx_log]
          file = '/var/log/dnscrypt-proxy/nx.log'
          
          [blocked_names]
          blocked_names_file = 'blocked-names.txt'
          log_file = '/var/log/dnscrypt-proxy/blocked-names.log'
                    
          [blocked_ips]
          # blocked_ips_file = 'blocked-ips.txt'
          # log_file = '/var/log/dnscrypt-proxy/blocked-ips.log'
          
          [allowed_names]
          # allowed_names_file = 'allowed-names.txt'
          # log_file = '/var/log/dnscrypt-proxy/allowed-names.log'
                    
          [allowed_ips]
          # allowed_ips_file = 'allowed-ips.txt'
          # log_file = '/var/log/dnscrypt-proxy/allowed-ips.log'
          
          # Static DoH DNS Servers from inspired by https://www.kuketz-blog.de/empfehlungsecke/#dns
          # Stamps from https://dnscrypt.info/stamps/
          [static]
          
          [static.'doh.mullvad.net-194.242.2.2']
          stamp = 'sdns://AgcAAAAAAAAACzE5NC4yNDIuMi4yAA9kb2gubXVsbHZhZC5uZXQKL2Rucy1xdWVyeQ'
          
          [static.'doh.ffmuc.net-185.150.99.255']
          stamp = 'sdns://AgcAAAAAAAAADjE4NS4xNTAuOTkuMjU1AA1kb2guZmZtdWMubmV0Ci9kbnMtcXVlcnk'
          
          [static.'doh.ffmuc.net-5.1.66.255']
          stamp = 'sdns://AgcAAAAAAAAACjUuMS42Ni4yNTUADWRvaC5mZm11Yy5uZXQKL2Rucy1xdWVyeQ'
           
          [static.'dns.digitale-gesellschaft.ch-185.95.218.42']
          stamp = 'sdns://AgcAAAAAAAAADTE4NS45NS4yMTguNDIAHGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gKL2Rucy1xdWVyeQ'
          
          [static.'dns.digitale-gesellschaft.ch-185.95.218.43']
          stamp = 'sdns://AgcAAAAAAAAADTE4NS45NS4yMTguNDMAHGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gKL2Rucy1xdWVyeQ'
          
          [static.'anycast.uncensoreddns.org-91.239.100.100']
          stamp = 'sdns://AgcAAAAAAAAADjkxLjIzOS4xMDAuMTAwABlhbnljYXN0LnVuY2Vuc29yZWRkbnMub3JnCi9kbnMtcXVlcnk'
          
      notify:
      - Restart dnscrypt-proxy

    - name: 'enable and start dnscrypt-proxy'
      command: systemctl enable dnscrypt-proxy --now
      args:
        creates: /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service

    - name: /usr/local/sbin/autoupdate.d/dnscrypt-proxy-blocklist.update
      blockinfile:
        path: /usr/local/sbin/autoupdate.d/dnscrypt-proxy-blocklist.update
        mode: "0400"
        owner: root
        group: root
        create: yes
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          cd /etc/dnscrypt-proxy
          
          # get hosts blocklist from https://github.com/StevenBlack/hosts
          g_runcmd wget https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling/hosts -O - | grep "^0\.0\.0\.0 " | cut -d" " -f2 >${g_tmp}/blocked-names.txt
          numhosts=$(cat ${g_tmp}/blocked-names.txt | wc -l)
          if [ "$numhosts" -gt 200000 ]
          then
            cat ${g_tmp}/blocked-names.txt >blocked-names.txt
          else
            g_echo_error "Not enough lines in hosts blocklist from https://github.com/StevenBlack/hosts"
          fi
          
          [ -s blocked-names-local-additions.txt ] && cat blocked-names-local-additions.txt >>blocked-names.txt
          systemctl restart dnscrypt-proxy
          
          cd -
        backup: yes
        validate: /bin/bash -n %s


  handlers:

    - name: Restart tornet0
      ansible.builtin.shell: ifup tornet0

    - name: Restart tor
      service:
        name: tor
        state: restarted

    - name: Restart privoxy
      service:
        name: privoxy
        state: restarted

    - name: Restart ufw
      service:
        name: ufw
        state: restarted

    - name: Restart dnsmasq-tornet0
      service:
        name: dnsmasq-tornet0
        state: restarted

    - name: Restart dnscrypt-proxy
      service:
        name: dnscrypt-proxy
        state: restarted
first commit 2022-07-10 10:51:13 +02:00			`---`
			`- name: Tornet Debian Linux Setup`
„tornet.yml“ ändern 2022-07-14 12:36:15 +02:00			`hosts: all`
first commit 2022-07-10 10:51:13 +02:00			`tasks:`

			`- name: Packages for tor`
			`apt:`
			`name:`
			`- tor`
			`- tor-geoipdb`
			`- privoxy`
			`- bridge-utils`
			`- ufw`
			`- dnsmasq`
tornet.yml aktualisiert 2023-07-28 12:18:12 +02:00			`- dnscrypt-proxy`
first commit 2022-07-10 10:51:13 +02:00			`update_cache: no`
			`install_recommends: no`

			`- name: 'remove dnsmasq from startup'`
			`command: systemctl disable dnsmasq`
			`args:`
			`removes: /etc/systemd/system/multi-user.target.wants/dnsmasq.service`

			`- name: 'stop dnsmasq'`
			`command: systemctl stop dnsmasq`
			`args:`
			`removes: /run/dnsmasq/dnsmasq.pid`

			`- name: Tor Config`
			`blockinfile:`
			`path: /etc/tor/torrc`
			`create: yes`
			`mode: "0444"`
			`owner: root`
			`group: root`
			`insertbefore: BOF`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`# individual Tor-Config`
			`BridgeRelay 0`
			`SOCKSPort 0.0.0.0:9050`
„tornet.yml“ ändern 2023-06-09 12:48:06 +02:00			`SOCKSPort [::]:9050`
first commit 2022-07-10 10:51:13 +02:00			`ExitPolicy reject :`
„tornet.yml“ ändern 2023-06-09 12:48:06 +02:00			`ControlPort 0.0.0.0:9051`
			`ControlPort [::]:9051`
„tornet.yml“ ändern 2022-09-21 18:12:13 +02:00			`HashedControlPassword 16:F7222A0CBC254E536056DCBBD27A7D051D68BCF1E9020681C0A3656B84`
first commit 2022-07-10 10:51:13 +02:00			`# Seting up TOR transparent proxy for tor-router`
			`#VirtualAddrNetwork 10.192.0.0/10`
			`AutomapHostsOnResolve 1`
			`TransPort 0.0.0.0:9040`
„tornet.yml“ ändern 2023-06-09 12:48:06 +02:00			`TransPort [::]:9040`
first commit 2022-07-10 10:51:13 +02:00			`DNSPort 0.0.0.0:5353`
tornet.yml aktualisiert 2023-07-26 14:22:59 +02:00			`DNSPort [::]:5353`
first commit 2022-07-10 10:51:13 +02:00			`# Falls outgping geblockt wird und nur 80/443 geht`
			`FascistFirewall 1`
			`backup: yes`
			`notify:`
			`- Restart tor`

			`- name: Privoxy Config`
			`blockinfile:`
			`path: /etc/privoxy/config`
			`create: yes`
			`mode: "0444"`
			`owner: root`
			`group: root`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
„tornet.yml“ ändern 2023-06-09 12:48:06 +02:00			`listen-address 0.0.0.0:3128`
„tornet.yml“ ändern 2023-06-09 12:26:02 +02:00			`listen-address [::1]:3128`
„tornet.yml“ ändern 2023-06-09 12:48:06 +02:00			`# Privoxy-Tor-Connection`
„tornet.yml“ ändern 2023-06-09 12:26:02 +02:00			`forward-socks5t / localhost:9050 .`
first commit 2022-07-10 10:51:13 +02:00			`backup: yes`
			`notify:`
			`- Restart privoxy`

			`- name: Tor bridge`
			`blockinfile:`
			`path: /etc/network/interfaces.d/tornet0`
			`create: yes`
			`mode: "0444"`
			`owner: root`
			`group: root`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`auto tornet0`
			`iface tornet0 inet static`
			`bridge_ports none`
			`address 192.168.43.1`
			`broadcast 192.168.43.255`
			`netmask 255.255.255.0`
			`notify:`
			`- Restart tornet0`

			`- name: start tornet0 if not exists`
			`ansible.builtin.command: ifup tornet0`
			`args:`
			`creates: /proc/sys/net/ipv6/conf/tornet0/disable_ipv6`

			`- ansible.posix.sysctl:`
			`name: net.ipv6.conf.tornet0.disable_ipv6`
			`value: '1'`
			`state: present`

			`- name: ufw firewall rules for transparent tor proxy in tornet0`
			`blockinfile:`
			`path: /etc/ufw/before.rules`
			`create: yes`
			`mode: "0440"`
			`owner: root`
			`group: root`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK for tornet0"`
			`insertbefore: BOF`
			`block: \|`
			`*nat`
			`:POSTROUTING ACCEPT - [0:0]`
			`# Route network 192.168.43.0/24 (tornet0) to transparent Tor-Proxy (udp not supported by Tor)`
			`# Activate "normal" routing for non-Internet Networks`
			`-A POSTROUTING -s 192.168.43.0/24 -j MASQUERADE`
			`-A PREROUTING -i tornet0 -d 127.0.0.0/8 -j RETURN`
			`-A PREROUTING -i tornet0 -d 10.0.0.0/8 -j RETURN`
			`-A PREROUTING -i tornet0 -d 192.168.0.0/16 -j RETURN`
			`-A PREROUTING -i tornet0 -d 172.16.0.0/12 -j RETURN`
			`-A PREROUTING -i tornet0 -d 0.0.0.0/8 -j RETURN`
			`-A PREROUTING -i tornet0 -d 100.64.0.0/10 -j RETURN`
			`-A PREROUTING -i tornet0 -d 169.254.0.0/16 -j RETURN`
			`-A PREROUTING -i tornet0 -d 192.0.0.0/24 -j RETURN`
			`-A PREROUTING -i tornet0 -d 192.0.2.0/24 -j RETURN`
			`-A PREROUTING -i tornet0 -d 192.88.99.0/24 -j RETURN`
			`-A PREROUTING -i tornet0 -d 198.18.0.0/15 -j RETURN`
			`-A PREROUTING -i tornet0 -d 198.51.100.0/24 -j RETURN`
			`-A PREROUTING -i tornet0 -d 203.0.113.0/24 -j RETURN`
			`-A PREROUTING -i tornet0 -d 224.0.0.0/4 -j RETURN`
			`-A PREROUTING -i tornet0 -d 240.0.0.0/4 -j RETURN`
			`-A PREROUTING -i tornet0 -d 255.255.255.255/32 -j RETURN`
			`# Redirect all TCP-Connections to transparent Tor-Proxy`
			`-A PREROUTING -i tornet0 -s 192.168.43.0/24 -p tcp --syn -j REDIRECT --to-ports 9040`
			`# Redirect DNS to TorDNS`
			`-A PREROUTING -i tornet0 -s 192.168.43.0/24 -d 192.168.43.1 -p udp --dport 53 -j REDIRECT --to-ports 5353`
			`# Redirect all non TCP-Connections into nirvana because Tor only speaks TCP`
			`-A PREROUTING -i tornet0 -s 192.168.43.0/24 ! -p tcp -j DNAT --to 127.0.0.1:1`
			`COMMIT`
			`notify:`
			`- Restart ufw`

			`- name: Allow Routing`
			`community.general.ufw:`
			`rule: allow`
			`route: yes`
			`interface_in: tornet0`

			`- name: Allow all access to tcp port 53/udp (dns)`
			`community.general.ufw:`
			`rule: allow`
			`port: '53'`
			`proto: udp`
			`interface: tornet0`
			`direction: in`

			`- name: Allow access to dhcp server`
			`community.general.ufw:`
			`rule: allow`
			`port: '67'`
			`proto: udp`
			`interface: tornet0`
			`direction: in`

			`- name: Allow access to NTP server`
			`community.general.ufw:`
			`rule: allow`
			`port: '123'`
			`proto: udp`
			`interface: tornet0`
			`direction: in`

			`- name: Allow access to tor`
			`community.general.ufw:`
			`rule: allow`
			`port: '9040'`
			`proto: tcp`
			`interface: tornet0`
			`direction: in`

			`- name: dnsmasq DNS and DHCP for tornet0`
			`blockinfile:`
			`path: /etc/dnsmasq-tornet0.conf`
			`create: yes`
			`mode: "0444"`
			`owner: root`
			`group: root`
			`insertbefore: BOF`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`port=53`
			`interface=tornet0`
			`listen-address=192.168.43.1`
			`bind-interfaces`
			`except-interface=lo`
			`domain-needed`
			`bogus-priv`
			`dhcp-range=192.168.43.100,192.168.43.200,255.255.255.0,12h`
			`dhcp-option=option:ntp-server,192.168.43.1`
			`log-queries`
			`log-dhcp`
			`notify:`
			`- Restart dnsmasq-tornet0`

			`- name: dnsmasq DNS and DHCP for tornet0 systemd`
			`blockinfile:`
			`path: /etc/systemd/system/dnsmasq-tornet0.service`
			`create: yes`
			`mode: "0444"`
			`owner: root`
			`group: root`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`[Unit]`
			`Description=dnsmasq tornet0 DNS and DHCP`
			`After=network.target`

			`[Service]`
			`Type=forking`
			`ExecStart=/usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq-tornet0.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -C /etc/dnsmasq-tornet0.conf --local-service`
			`PIDFile=/run/dnsmasq/dnsmasq-tornet0.pid`
			`KillMode=process`
			`Restart=on-failure`

			`[Install]`
			`WantedBy=multi-user.target`
			`notify:`
			`- Restart dnsmasq-tornet0`

			`- name: 'add dnsmasq-tornet0 to startup'`
			`command: systemctl enable dnsmasq-tornet0`
			`args:`
			`creates: /etc/systemd/system/multi-user.target.wants/dnsmasq-tornet0.service`

			`- name: 'start dnsmasq-tornet0'`
			`command: systemctl start dnsmasq-tornet0`
			`args:`
			`creates: /run/dnsmasq/dnsmasq-tornet0.pid`

tornet.yml aktualisiert 2023-07-28 12:18:12 +02:00			`#### Prepare DNSCRYPT PROXY FOR DoHoT (DNS over HTTPS over Tor)`
tornet.yml aktualisiert 2023-07-29 14:28:03 +02:00			`- name: create blocked-names.txt`
			`command: touch /etc/dnscrypt-proxy/blocked-names.txt`
			`args:`
			`creates: /etc/dnscrypt-proxy/blocked-names.txt`
tornet.yml aktualisiert 2023-07-28 12:18:12 +02:00
			`- name: dnscrypt-proxy configfile`
tornet.yml aktualisiert 2023-07-28 16:11:47 +02:00			`copy:`
			`dest: /etc/dnscrypt-proxy/dnscrypt-proxy.toml`
tornet.yml aktualisiert 2023-07-28 12:18:12 +02:00			`mode: "0444"`
			`owner: root`
			`group: root`
tornet.yml aktualisiert 2023-07-28 16:11:47 +02:00			`content: \|`
tornet.yml aktualisiert 2023-07-28 15:19:46 +02:00			`# Documentation https://github.com/DNSCrypt/dnscrypt-proxy/wiki`
tornet.yml aktualisiert 2023-07-28 12:18:12 +02:00
tornet.yml aktualisiert 2023-07-28 15:19:46 +02:00			`# listen on all interfaces`
tornet.yml aktualisiert 2023-07-28 12:18:12 +02:00			`listen_addresses = ['127.0.0.55:5354']`

tornet.yml aktualisiert 2023-07-28 15:19:46 +02:00			`# DoH server list`
			`server_names = ['doh.mullvad.net-194.242.2.2', 'doh.ffmuc.net-185.150.99.255', 'doh.ffmuc.net-5.1.66.255', 'dns.digitale-gesellschaft.ch-185.95.218.42', 'dns.digitale-gesellschaft.ch-185.95.218.43', 'anycast.uncensoreddns.org-91.239.100.100']`

			`# server names to avoid even if they match all criteria`
			`# disabled_server_names = []`

			`## what kinds of server do we want to resolve from?`
tornet.yml aktualisiert 2023-07-28 12:18:12 +02:00			`doh_servers = true`
			`ipv4_servers = false`
			`ipv6_servers = false`
			`dnscrypt_servers = false`

tornet.yml aktualisiert 2023-07-28 15:19:46 +02:00			`# do we support IPv6 accressing?`
tornet.yml aktualisiert 2023-07-28 16:31:14 +02:00			`block_ipv6 = false`
tornet.yml aktualisiert 2023-07-28 12:18:12 +02:00
			`# don't let weird queries & typos leak upstream`
			`block_unqualified = true`
			`block_undelegated = true`

			`# TTL for synthetic responses sent when a request has been blocked`
			`reject_ttl = 600`

			`# request DoH servers which offer DNSSEC / tamperproofing`
			`require_dnssec = true`

			`# we are using tor, so we should not care about logging`
			`require_nolog = false`

			`# request DoH servers that advertise themselves as unfiltered`
			`require_nofilter = true`
tornet.yml aktualisiert 2023-07-28 15:19:46 +02:00
tornet.yml aktualisiert 2023-07-28 12:18:12 +02:00			`# use tor`
			`force_tcp = true`
			`proxy = 'socks5://127.0.0.1:9050'`

			`# how long (ms) a DNS query will wait for a response; reasonable max 10s`
			`timeout = 10000`

			`# keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds; default: 30`
			`keepalive = 30`

			`# loadbalancing; p2 strategy, and continuous farming of the list`
			`lb_strategy = 'p2'`
			`lb_estimator = true`

			`# logging: approx 1 month of weekly logs, capped-out/force-rotated at 64Mb`
			`log_level = 2`
tornet.yml aktualisiert 2023-07-28 15:19:46 +02:00			`use_syslog = false`
tornet.yml aktualisiert 2023-07-28 12:18:12 +02:00			`log_files_max_size = 64`
			`log_files_max_age = 7`
			`log_files_max_backups = 4`
tornet.yml aktualisiert 2023-07-28 12:32:14 +02:00
			`# delay, in minutes, after which certificates are reloaded; this also`
			`# drives the latency logger, so we poll/log every hour`
			`cert_refresh_delay = 60`

			`# less linkability / more privacy at slight performance impact;`
			`# see the notes in the above-cited documentation`
			`tls_disable_session_tickets = true`
			`tls_cipher_suite = [52392, 49199]`

			`# for healthcheck, heartbeat and bootstrap, dnscrypt-proxy MUST be`
			`# able to probe the internet, so we must configure our firewall so`
			`# that it is the only one which can use port 53 to the internet;`
			`# dnscrypt-proxy claims that it will only use these services in very`
			`# limited circumstances. Regards option naming, see:`
			`# https://github.com/DNSCrypt/dnscrypt-proxy/commit/c500287498a05b07c3af8effa23a0ba4c42f00f1`
			`fallback_resolvers = ['46.182.19.48:53']`
			`netprobe_address = '46.182.19.48:53'`
			`netprobe_timeout = 60`
			`ignore_system_dns = true`

			`# explicit caching`
tornet.yml aktualisiert 2023-07-28 15:19:46 +02:00			`cache = true`
tornet.yml aktualisiert 2023-07-28 12:32:14 +02:00			`cache_size = 4096`
			`cache_min_ttl = 2400`
			`cache_max_ttl = 86400`
			`cache_neg_min_ttl = 60`
			`cache_neg_max_ttl = 600`

			`# I am not configuring this resolver as a local DoH listener, to do so`
			`# requires a TLS certificate and that's a world of pain`

			`[query_log]`
			`file = '/var/log/dnscrypt-proxy/query.log'`
			`# ignored_qtypes = ['DNSKEY', 'NS']`

			`[nx_log]`
			`file = '/var/log/dnscrypt-proxy/nx.log'`

			`[blocked_names]`
tornet.yml aktualisiert 2023-07-28 15:19:46 +02:00			`blocked_names_file = 'blocked-names.txt'`
			`log_file = '/var/log/dnscrypt-proxy/blocked-names.log'`

tornet.yml aktualisiert 2023-07-28 12:32:14 +02:00			`[blocked_ips]`
			`# blocked_ips_file = 'blocked-ips.txt'`
			`# log_file = '/var/log/dnscrypt-proxy/blocked-ips.log'`

			`[allowed_names]`
			`# allowed_names_file = 'allowed-names.txt'`
			`# log_file = '/var/log/dnscrypt-proxy/allowed-names.log'`
tornet.yml aktualisiert 2023-07-28 15:19:46 +02:00
tornet.yml aktualisiert 2023-07-28 12:32:14 +02:00			`[allowed_ips]`
			`# allowed_ips_file = 'allowed-ips.txt'`
			`# log_file = '/var/log/dnscrypt-proxy/allowed-ips.log'`

tornet.yml aktualisiert 2023-07-28 15:19:46 +02:00			`# Static DoH DNS Servers from inspired by https://www.kuketz-blog.de/empfehlungsecke/#dns`
			`# Stamps from https://dnscrypt.info/stamps/`
			`[static]`

			`[static.'doh.mullvad.net-194.242.2.2']`
			`stamp = 'sdns://AgcAAAAAAAAACzE5NC4yNDIuMi4yAA9kb2gubXVsbHZhZC5uZXQKL2Rucy1xdWVyeQ'`

			`[static.'doh.ffmuc.net-185.150.99.255']`
			`stamp = 'sdns://AgcAAAAAAAAADjE4NS4xNTAuOTkuMjU1AA1kb2guZmZtdWMubmV0Ci9kbnMtcXVlcnk'`

			`[static.'doh.ffmuc.net-5.1.66.255']`
			`stamp = 'sdns://AgcAAAAAAAAACjUuMS42Ni4yNTUADWRvaC5mZm11Yy5uZXQKL2Rucy1xdWVyeQ'`

			`[static.'dns.digitale-gesellschaft.ch-185.95.218.42']`
			`stamp = 'sdns://AgcAAAAAAAAADTE4NS45NS4yMTguNDIAHGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gKL2Rucy1xdWVyeQ'`

			`[static.'dns.digitale-gesellschaft.ch-185.95.218.43']`
			`stamp = 'sdns://AgcAAAAAAAAADTE4NS45NS4yMTguNDMAHGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gKL2Rucy1xdWVyeQ'`

			`[static.'anycast.uncensoreddns.org-91.239.100.100']`
			`stamp = 'sdns://AgcAAAAAAAAADjkxLjIzOS4xMDAuMTAwABlhbnljYXN0LnVuY2Vuc29yZWRkbnMub3JnCi9kbnMtcXVlcnk'`

tornet.yml aktualisiert 2023-07-28 12:18:12 +02:00			`notify:`
			`- Restart dnscrypt-proxy`

			`- name: 'enable and start dnscrypt-proxy'`
			`command: systemctl enable dnscrypt-proxy --now`
			`args:`
			`creates: /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service`

tornet.yml aktualisiert 2023-07-28 14:38:08 +02:00			`- name: /usr/local/sbin/autoupdate.d/dnscrypt-proxy-blocklist.update`
			`blockinfile:`
			`path: /usr/local/sbin/autoupdate.d/dnscrypt-proxy-blocklist.update`
			`mode: "0400"`
			`owner: root`
			`group: root`
			`create: yes`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`cd /etc/dnscrypt-proxy`

			`# get hosts blocklist from https://github.com/StevenBlack/hosts`
			`g_runcmd wget https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling/hosts -O - \| grep "^0\.0\.0\.0 " \| cut -d" " -f2 >${g_tmp}/blocked-names.txt`
			`numhosts=$(cat ${g_tmp}/blocked-names.txt \| wc -l)`
			`if [ "$numhosts" -gt 200000 ]`
			`then`
			`cat ${g_tmp}/blocked-names.txt >blocked-names.txt`
			`else`
			`g_echo_error "Not enough lines in hosts blocklist from https://github.com/StevenBlack/hosts"`
			`fi`

			`[ -s blocked-names-local-additions.txt ] && cat blocked-names-local-additions.txt >>blocked-names.txt`
			`systemctl restart dnscrypt-proxy`

			`cd -`
			`backup: yes`
			`validate: /bin/bash -n %s`


tornet.yml aktualisiert 2023-07-28 12:18:12 +02:00
first commit 2022-07-10 10:51:13 +02:00			`handlers:`

			`- name: Restart tornet0`
„tornet.yml“ ändern 2022-07-26 13:21:50 +02:00			`ansible.builtin.shell: ifup tornet0`
first commit 2022-07-10 10:51:13 +02:00
			`- name: Restart tor`
			`service:`
			`name: tor`
			`state: restarted`

			`- name: Restart privoxy`
			`service:`
			`name: privoxy`
			`state: restarted`

			`- name: Restart ufw`
			`service:`
			`name: ufw`
			`state: restarted`

			`- name: Restart dnsmasq-tornet0`
			`service:`
			`name: dnsmasq-tornet0`
			`state: restarted`

tornet.yml aktualisiert 2023-07-28 12:18:12 +02:00			`- name: Restart dnscrypt-proxy`
			`service:`
			`name: dnscrypt-proxy`
			`state: restarted`