debian.ansible.tornet.network/tornet.yml

---
- name: Tornet Debian Linux Setup
  hosts: all
  tasks:
    
    - name: Packages for tor
      apt:
        name: 
          - tor
          - tor-geoipdb
          - privoxy
          - bridge-utils
          - ufw
          - dnsmasq
        update_cache: no
        install_recommends: no

    - name: 'remove dnsmasq from startup'
      command: systemctl disable dnsmasq
      args:
        removes: /etc/systemd/system/multi-user.target.wants/dnsmasq.service

    - name: 'stop dnsmasq'
      command: systemctl stop dnsmasq
      args:
        removes: /run/dnsmasq/dnsmasq.pid

    - name: Tor Config
      blockinfile:
        path: /etc/tor/torrc
        create: yes
        mode: "0444"
        owner: root
        group: root
        insertbefore: BOF
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          # individual Tor-Config
          BridgeRelay 0
          SOCKSPort 0.0.0.0:9050
          SOCKSPort [::]:9050
          ExitPolicy reject *:*
          ControlPort 0.0.0.0:9051
          ControlPort [::]:9051
          HashedControlPassword 16:F7222A0CBC254E536056DCBBD27A7D051D68BCF1E9020681C0A3656B84
          # Seting up TOR transparent proxy for tor-router
          #VirtualAddrNetwork 10.192.0.0/10
          AutomapHostsOnResolve 1
          TransPort 0.0.0.0:9040
          TransPort [::]:9040
          DNSPort 0.0.0.0:5353
          DNSPort [::]:5353
          # Falls outgping geblockt wird und nur 80/443 geht
          FascistFirewall 1          
        backup: yes
      notify:
      - Restart tor

    - name: Privoxy Config
      blockinfile:
        path: /etc/privoxy/config
        create: yes
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          listen-address 0.0.0.0:3128
          listen-address [::1]:3128
          # Privoxy-Tor-Connection
          forward-socks5t / localhost:9050 .          
        backup: yes
      notify:
      - Restart privoxy

    - name: Tor bridge
      blockinfile:
        path: /etc/network/interfaces.d/tornet0
        create: yes
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          auto tornet0
          iface tornet0 inet static
            bridge_ports none
            address 192.168.43.1
            broadcast 192.168.43.255
            netmask 255.255.255.0          
      notify:
      - Restart tornet0

    - name: start tornet0 if not exists
      ansible.builtin.command: ifup tornet0
      args:
        creates: /proc/sys/net/ipv6/conf/tornet0/disable_ipv6

    - ansible.posix.sysctl:
        name: net.ipv6.conf.tornet0.disable_ipv6
        value: '1'
        state: present

    - name: ufw firewall rules for transparent tor proxy in tornet0
      blockinfile:
        path: /etc/ufw/before.rules
        create: yes
        mode: "0440"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK for tornet0"
        insertbefore: BOF
        block: |
          *nat
          :POSTROUTING ACCEPT - [0:0]
          # Route network 192.168.43.0/24 (tornet0) to transparent Tor-Proxy (udp not supported by Tor)
          # Activate "normal" routing for non-Internet Networks
          -A POSTROUTING -s 192.168.43.0/24 -j MASQUERADE
          -A PREROUTING -i tornet0 -d 127.0.0.0/8 -j RETURN
          -A PREROUTING -i tornet0 -d 10.0.0.0/8 -j RETURN
          -A PREROUTING -i tornet0 -d 192.168.0.0/16 -j RETURN
          -A PREROUTING -i tornet0 -d 172.16.0.0/12 -j RETURN
          -A PREROUTING -i tornet0 -d 0.0.0.0/8 -j RETURN
          -A PREROUTING -i tornet0 -d 100.64.0.0/10 -j RETURN
          -A PREROUTING -i tornet0 -d 169.254.0.0/16 -j RETURN
          -A PREROUTING -i tornet0 -d 192.0.0.0/24 -j RETURN
          -A PREROUTING -i tornet0 -d 192.0.2.0/24 -j RETURN
          -A PREROUTING -i tornet0 -d 192.88.99.0/24 -j RETURN
          -A PREROUTING -i tornet0 -d 198.18.0.0/15 -j RETURN
          -A PREROUTING -i tornet0 -d 198.51.100.0/24 -j RETURN
          -A PREROUTING -i tornet0 -d 203.0.113.0/24 -j RETURN
          -A PREROUTING -i tornet0 -d 224.0.0.0/4 -j RETURN
          -A PREROUTING -i tornet0 -d 240.0.0.0/4 -j RETURN
          -A PREROUTING -i tornet0 -d 255.255.255.255/32 -j RETURN
          # Redirect all TCP-Connections to transparent Tor-Proxy
          -A PREROUTING -i tornet0 -s 192.168.43.0/24 -p tcp --syn -j REDIRECT --to-ports 9040
          # Redirect DNS to TorDNS
          -A PREROUTING -i tornet0 -s 192.168.43.0/24 -d 192.168.43.1 -p udp --dport 53 -j REDIRECT --to-ports 5353
          # Redirect all non TCP-Connections into nirvana because Tor only speaks TCP
          -A PREROUTING -i tornet0 -s 192.168.43.0/24 ! -p tcp -j DNAT --to 127.0.0.1:1
          COMMIT          
      notify:
      - Restart ufw

    - name: Allow Routing
      community.general.ufw:
        rule: allow
        route: yes
        interface_in: tornet0

    - name: Allow all access to tcp port 53/udp (dns)
      community.general.ufw:
        rule: allow
        port: '53'
        proto: udp
        interface: tornet0
        direction: in

    - name: Allow access to dhcp server
      community.general.ufw:
        rule: allow
        port: '67'
        proto: udp
        interface: tornet0
        direction: in

    - name: Allow access to NTP server
      community.general.ufw:
        rule: allow
        port: '123'
        proto: udp
        interface: tornet0
        direction: in

    - name: Allow access to tor
      community.general.ufw:
        rule: allow
        port: '9040'
        proto: tcp
        interface: tornet0
        direction: in

    - name: dnsmasq DNS and DHCP for tornet0
      blockinfile:
        path: /etc/dnsmasq-tornet0.conf
        create: yes
        mode: "0444"
        owner: root
        group: root
        insertbefore: BOF
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          port=53
          interface=tornet0
          listen-address=192.168.43.1
          bind-interfaces
          except-interface=lo
          domain-needed
          bogus-priv
          dhcp-range=192.168.43.100,192.168.43.200,255.255.255.0,12h
          dhcp-option=option:ntp-server,192.168.43.1
          log-queries
          log-dhcp          
      notify:
      - Restart dnsmasq-tornet0

    - name: dnsmasq DNS and DHCP for tornet0 systemd
      blockinfile:
        path: /etc/systemd/system/dnsmasq-tornet0.service
        create: yes
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          [Unit]
          Description=dnsmasq tornet0 DNS and DHCP
          After=network.target

          [Service]
          Type=forking
          ExecStart=/usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq-tornet0.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -C /etc/dnsmasq-tornet0.conf --local-service
          PIDFile=/run/dnsmasq/dnsmasq-tornet0.pid
          KillMode=process
          Restart=on-failure

          [Install]
          WantedBy=multi-user.target          
      notify:
      - Restart dnsmasq-tornet0

    - name: 'add dnsmasq-tornet0 to startup'
      command: systemctl enable dnsmasq-tornet0
      args:
        creates: /etc/systemd/system/multi-user.target.wants/dnsmasq-tornet0.service

    - name: 'start dnsmasq-tornet0'
      command: systemctl start dnsmasq-tornet0
      args:
        creates: /run/dnsmasq/dnsmasq-tornet0.pid

  handlers:

    - name: Restart tornet0
      ansible.builtin.shell: ifup tornet0

    - name: Restart tor
      service:
        name: tor
        state: restarted

    - name: Restart privoxy
      service:
        name: privoxy
        state: restarted

    - name: Restart ufw
      service:
        name: ufw
        state: restarted

    - name: Restart dnsmasq-tornet0
      service:
        name: dnsmasq-tornet0
        state: restarted