mirror of https://github.com/trailofbits/algo
WireGuard BSD (#1083)
* WireGuard BSD * Remove unneeded config option * Enable PersistentKeepalive for NAT and Firewall Traversal Persistence * Install dnscrypt-proxy from repositoriespull/1117/merge
Jack Ivanov
6 years ago
committed by
Dan Guido
parent
6c0753e3b8
commit
dbd68aa97d
@ -1,38 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# PROVIDE: dnscrypt-proxy
|
||||
# REQUIRE: LOGIN
|
||||
# BEFORE: securelevel
|
||||
# KEYWORD: shutdown
|
||||
|
||||
# Add the following lines to /etc/rc.conf to enable `dnscrypt-proxy':
|
||||
#
|
||||
# dnscrypt_proxy_enable="YES"
|
||||
# dnscrypt_proxy_flags="<set as needed>"
|
||||
#
|
||||
# See rsync(1) for rsyncd_flags
|
||||
#
|
||||
|
||||
. /etc/rc.subr
|
||||
|
||||
name="dnscrypt-proxy"
|
||||
rcvar=dnscrypt_proxy_enable
|
||||
load_rc_config "$name"
|
||||
pidfile="/var/run/$name.pid"
|
||||
start_cmd=dnscrypt_proxy_start
|
||||
stop_postcmd=dnscrypt_proxy_stop
|
||||
|
||||
: ${dnscrypt_proxy_enable="NO"}
|
||||
: ${dnscrypt_proxy_flags="-config /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"}
|
||||
|
||||
dnscrypt_proxy_start() {
|
||||
echo "Starting dnscrypt-proxy..."
|
||||
touch ${pidfile}
|
||||
/usr/sbin/daemon -cS -T dnscrypt-proxy -p ${pidfile} /usr/dnscrypt-proxy/freebsd-amd64/dnscrypt-proxy ${dnscrypt_proxy_flags}
|
||||
}
|
||||
|
||||
dnscrypt_proxy_stop() {
|
||||
[ -f ${pidfile} ] && rm ${pidfile}
|
||||
}
|
||||
|
||||
run_rc_command "$1"
|
||||
@ -1,51 +1,10 @@
|
||||
---
|
||||
- name: FreeBSD | Ensure that the required directories exist
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
with_items:
|
||||
- "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/"
|
||||
- /usr/dnscrypt-proxy/
|
||||
|
||||
- name: Required tools installed
|
||||
- name: Install dnscrypt-proxy
|
||||
package:
|
||||
name: gtar
|
||||
|
||||
- name: FreeBSD | Retrive the latest versions
|
||||
uri:
|
||||
url: https://api.github.com/repos/jedisct1/dnscrypt-proxy/releases/latest
|
||||
register: dnscrypt_proxy_latest
|
||||
ignore_errors: true
|
||||
|
||||
- name: FreeBSD | Set default dnscrypt-proxy assets
|
||||
set_fact:
|
||||
dnscrypt_proxy_latest:
|
||||
json:
|
||||
assets:
|
||||
- name: "dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
|
||||
browser_download_url: "https://github.com/jedisct1/dnscrypt-proxy/releases/download/{{ dnscrypt_proxy_version }}/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
|
||||
when: dnscrypt_proxy_latest.failed
|
||||
|
||||
- name: FreeBSD | Download the latest archive
|
||||
get_url:
|
||||
url: "{{ item['browser_download_url'] }}"
|
||||
dest: "/tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
|
||||
mode: '0755'
|
||||
force: true
|
||||
with_items: "{{ dnscrypt_proxy_latest['json']['assets'] }}"
|
||||
no_log: true
|
||||
when: '"freebsd_amd64" in item.name and not item.name.endswith("minisig")'
|
||||
notify: restart dnscrypt-proxy
|
||||
|
||||
- name: FreeBSD | Extract the latest archive
|
||||
unarchive:
|
||||
remote_src: true
|
||||
src: /tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz
|
||||
dest: /usr/dnscrypt-proxy
|
||||
name: dnscrypt-proxy2
|
||||
|
||||
- name: FreeBSD | Configure rc script
|
||||
copy:
|
||||
src: rc.dnscrypt-proxy.sh
|
||||
dest: /usr/local/etc/rc.d/dnscrypt-proxy
|
||||
mode: "0755"
|
||||
notify: restart dnscrypt-proxy
|
||||
- name: Enable mac_portacl
|
||||
lineinfile:
|
||||
path: /etc/rc.conf
|
||||
line: 'dnscrypt_proxy_mac_portacl_enable="YES"'
|
||||
when: listen_port|int == 53
|
||||
|
||||
@ -0,0 +1,40 @@
|
||||
#!/bin/sh
|
||||
|
||||
# PROVIDE: wireguard
|
||||
# REQUIRE: LOGIN
|
||||
# BEFORE: securelevel
|
||||
# KEYWORD: shutdown
|
||||
|
||||
. /etc/rc.subr
|
||||
|
||||
name="wg"
|
||||
rcvar=wg_enable
|
||||
|
||||
command="/usr/local/bin/wg-quick"
|
||||
start_cmd=wg_up
|
||||
stop_cmd=wg_down
|
||||
status_cmd=wg_status
|
||||
pidfile="/var/run/$name.pid"
|
||||
load_rc_config "$name"
|
||||
|
||||
: ${wg_enable="NO"}
|
||||
: ${wg_interface="wg0"}
|
||||
|
||||
wg_up() {
|
||||
echo "Starting WireGuard..."
|
||||
/usr/sbin/daemon -cS -p ${pidfile} ${command} up ${wg_interface}
|
||||
}
|
||||
|
||||
wg_down() {
|
||||
echo "Stopping WireGuard..."
|
||||
${command} down ${wg_interface}
|
||||
}
|
||||
|
||||
wg_status () {
|
||||
not_running () {
|
||||
echo "WireGuard is not running on $wg_interface" && exit 1
|
||||
}
|
||||
/usr/local/bin/wg show wg0 && echo "WireGuard is running on $wg_interface" || not_running
|
||||
}
|
||||
|
||||
run_rc_command "$1"
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
- name: restart wireguard
|
||||
service:
|
||||
name: "wg-quick@{{ wireguard_interface }}"
|
||||
name: "{{ service_name }}"
|
||||
state: restarted
|
||||
|
||||
@ -0,0 +1,16 @@
|
||||
---
|
||||
- name: BSD | WireGuard installed
|
||||
package:
|
||||
name: wireguard
|
||||
state: present
|
||||
|
||||
- set_fact:
|
||||
service_name: wireguard
|
||||
tags: always
|
||||
|
||||
- name: BSD | Configure rc script
|
||||
copy:
|
||||
src: wireguard.sh
|
||||
dest: /usr/local/etc/rc.d/wireguard
|
||||
mode: "0755"
|
||||
notify: restart wireguard
|
||||
@ -0,0 +1,32 @@
|
||||
---
|
||||
- name: WireGuard repository configured
|
||||
apt_repository:
|
||||
repo: ppa:wireguard/wireguard
|
||||
state: present
|
||||
register: result
|
||||
until: result is succeeded
|
||||
retries: 10
|
||||
delay: 3
|
||||
|
||||
- name: WireGuard installed
|
||||
apt:
|
||||
name: wireguard
|
||||
state: present
|
||||
update_cache: true
|
||||
|
||||
- name: WireGuard reload-module-on-update
|
||||
file:
|
||||
dest: /etc/wireguard/.reload-module-on-update
|
||||
state: touch
|
||||
|
||||
- name: Configure unattended-upgrades
|
||||
copy:
|
||||
src: 50-wireguard-unattended-upgrades
|
||||
dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- set_fact:
|
||||
service_name: "wg-quick@{{ wireguard_interface }}"
|
||||
tags: always
|
||||
Loading…
Reference in New Issue