From 403acf1f34294f9d65bfb7b1008825324cf9bf74 Mon Sep 17 00:00:00 2001
From: olli
Date: Sun, 10 Jul 2022 10:51:14 +0200
Subject: [PATCH] first commit
---
 README.md | 0
 vnet.yml | 187 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 187 insertions(+)
 create mode 100644 README.md
 create mode 100644 vnet.yml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/vnet.yml b/vnet.yml
new file mode 100644
index 0000000..17908eb
--- /dev/null
+++ b/vnet.yml
@@ -0,0 +1,187 @@
+---
+- name: vnet Debian Linux Setup
+ hosts: defiant.dedyn.io tor-nas.dedyn.io
+ tasks:
+
+ - name: Packages for vnet0
+ apt:
+ name:
+ - bridge-utils
+ - ufw
+ - dnsmasq
+ update_cache: no
+ install_recommends: no
+
+ - name: 'remove dnsmasq from startup'
+ command: systemctl disable dnsmasq
+ args:
+ removes: /etc/systemd/system/multi-user.target.wants/dnsmasq.service
+
+ - name: 'stop dnsmasq'
+ command: systemctl stop dnsmasq
+ args:
+ removes: /run/dnsmasq/dnsmasq.pid
+
+ - name: V bridge
+ blockinfile:
+ path: /etc/network/interfaces.d/vnet0
+ create: yes
+ mode: "0444"
+ owner: root
+ group: root
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ block: |
+ auto vnet0
+ iface vnet0 inet static
+ bridge_ports none
+ address 192.168.42.1
+ broadcast 192.168.42.255
+ netmask 255.255.255.0
+ notify:
+ - Restart vnet0
+
+ - name: start vnet0 if not exists
+ ansible.builtin.command: ifup vnet0
+ args:
+ creates: /proc/sys/net/ipv6/conf/vnet0/disable_ipv6
+
+ - ansible.posix.sysctl:
+ name: net.ipv6.conf.vnet0.disable_ipv6
+ value: '1'
+ state: present
+
+ - ansible.posix.sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ state: present
+
+ - name: ufw firewall rules for routing to the Internet
+ blockinfile:
+ path: /etc/ufw/before.rules
+ create: yes
+ mode: "0440"
+ owner: root
+ group: root
+ marker: "# {mark} ANSIBLE MANAGED BLOCK for vnet0"
+ insertbefore: BOF
+ block: |
+ *nat
+ :POSTROUTING ACCEPT - [0:0]
+ # Route network 192.168.42.0/24 (vnet0)
+ -A POSTROUTING -s 192.168.42.0/24 -j MASQUERADE
+ COMMIT
+ notify:
+ - Restart ufw
+
+
+ - name: Allow Routing
+ community.general.ufw:
+ rule: allow
+ route: yes
+ interface_in: vnet0
+
+ - name: Allow all access to tcp port 53/udp (dns)
+ community.general.ufw:
+ rule: allow
+ port: '53'
+ proto: udp
+ interface: vnet0
+ direction: in
+
+ - name: Allow access to dhcp server
+ community.general.ufw:
+ rule: allow
+ port: '67'
+ proto: udp
+ interface: vnet0
+ direction: in
+
+ - name: Allow access to NTP server
+ community.general.ufw:
+ rule: allow
+ port: '123'
+ proto: udp
+ interface: vnet0
+ direction: in
+
+ - name: Allow access to tor
+ community.general.ufw:
+ rule: allow
+ port: '9040'
+ proto: tcp
+ interface: vnet0
+ direction: in
+
+ - name: dnsmasq DNS and DHCP for vnet0
+ blockinfile:
+ path: /etc/dnsmasq-vnet0.conf
+ create: yes
+ mode: "0444"
+ owner: root
+ group: root
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ block: |
+ port=53
+ interface=vnet0
+ listen-address=192.168.42.1
+ bind-interfaces
+ except-interface=lo
+ domain-needed
+ bogus-priv
+ dhcp-range=192.168.42.100,192.168.42.200,255.255.255.0,12h
+ dhcp-option=option:ntp-server,192.168.42.1
+ log-queries
+ log-dhcp
+ notify:
+ - Restart dnsmasq-vnet0
+
+ - name: dnsmasq DNS and DHCP for vnet0 systemd
+ blockinfile:
+ path: /etc/systemd/system/dnsmasq-vnet0.service
+ create: yes
+ mode: "0444"
+ owner: root
+ group: root
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ block: |
+ [Unit]
+ Description=dnsmasq vnet0 DNS and DHCP
+ After=network.target
+
+ [Service]
+ Type=forking
+ ExecStart=/usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq-vnet0.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -C /etc/dnsmasq-vnet0.conf --local-service
+ PIDFile=/run/dnsmasq/dnsmasq-vnet0.pid
+ KillMode=process
+ Restart=on-failure
+
+ [Install]
+ WantedBy=multi-user.target
+ notify:
+ - Restart dnsmasq-vnet0
+
+ - name: 'add dnsmasq-vnet0 to startup'
+ command: systemctl enable dnsmasq-vnet0
+ args:
+ creates: /etc/systemd/system/multi-user.target.wants/dnsmasq-vnet0.service
+
+ - name: 'start dnsmasq-vnet0'
+ command: systemctl start dnsmasq-vnet0
+ args:
+ creates: /run/dnsmasq/dnsmasq-vnet0.pid
+
+ handlers:
+
+ - name: Restart vnet0
+ ansible.builtin.shell: ifdown vnet0 ; ifup vnet0
+
+ - name: Restart dnsmasq-vnet0
+ service:
+ name: dnsmasq-vnet0
+ state: restarted
+
+ - name: Restart ufw
+ service:
+ name: ufw
+ state: restarted
+
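Review bot: Nothing in this playbook enables ufw, yet `net.ipv4.ip_forward` is set to 1 unconditionally; the `*nat` block in before.rules, the `route: yes` rule and the `Restart ufw` handler only take effect if ufw is already enabled on the host, otherwise the kernel forwards traffic from vnet0 under whatever FORWARD policy is in place with no NAT or filtering. Add an explicit step before the sysctl and the rules, e.g. `- community.general.ufw:` with `state: enabled`, `default: deny` and `direction: routed`, so the forward policy is deny before forwarding is switched on. Separately, the "Allow Routing" task has `interface_in: vnet0` but no `interface_out` or destination, and the MASQUERADE line has no `-o`, so guests on 192.168.42.0/24 are forwarded and NATed to every network the host can reach, not only the Internet; constrain both to the uplink, e.g. `interface_out: "{{ uplink_if }}"` and `-A POSTROUTING -s 192.168.42.0/24 -o {{ uplink_if }} -j MASQUERADE` (the uplink name is not visible in this playbook). Also worth confirming: the unit's `-r /run/dnsmasq/resolv.conf` names a file the stock dnsmasq service integration normally maintains, and that service is disabled here, so upstream resolution for guests may be empty or stale.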