WireGuard BSD (#1083)
* WireGuard BSD
* Remove unneeded config option
* Enable PersistentKeepalive for NAT and Firewall Traversal Persistence
* Install dnscrypt-proxy from repositories
pull/1117/merge
parent
6c0753e3b8
commit
dbd68aa97d
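--- a/<path not shown on page>
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh
-
-# PROVIDE: dnscrypt-proxy
-# REQUIRE: LOGIN
-# BEFORE: securelevel
-# KEYWORD: shutdown
-
-# Add the following lines to /etc/rc.conf to enable `dnscrypt-proxy':
-#
-# dnscrypt_proxy_enable="YES"
-# dnscrypt_proxy_flags="<set as needed>"
-#
-# See rsync(1) for rsyncd_flags
-#
-
-. /etc/rc.subr
-
-name="dnscrypt-proxy"
-rcvar=dnscrypt_proxy_enable
-load_rc_config "$name"
-pidfile="/var/run/$name.pid"
-start_cmd=dnscrypt_proxy_start
-stop_postcmd=dnscrypt_proxy_stop
-
-: ${dnscrypt_proxy_enable="NO"}
-: ${dnscrypt_proxy_flags="-config /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"}
-
-dnscrypt_proxy_start() {
-echo "Starting dnscrypt-proxy..."
-touch ${pidfile}
-/usr/sbin/daemon -cS -T dnscrypt-proxy -p ${pidfile} /usr/dnscrypt-proxy/freebsd-amd64/dnscrypt-proxy ${dnscrypt_proxy_flags}
-}
-
-dnscrypt_proxy_stop() {
-[ -f ${pidfile} ] && rm ${pidfile}
-}
-
-run_rc_command "$1"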
@ -1,51 +1,10 @@
|
|||||||
---
|
---
|
||||||
- name: FreeBSD | Ensure that the required directories exist
|
- name: Install dnscrypt-proxy
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
with_items:
|
|
||||||
- "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/"
|
|
||||||
- /usr/dnscrypt-proxy/
|
|
||||||
|
|
||||||
- name: Required tools installed
|
|
||||||
package:
|
package:
|
||||||
name: gtar
|
name: dnscrypt-proxy2
|
||||||
|
|
||||||
- name: FreeBSD | Retrive the latest versions
|
|
||||||
uri:
|
|
||||||
url: https://api.github.com/repos/jedisct1/dnscrypt-proxy/releases/latest
|
|
||||||
register: dnscrypt_proxy_latest
|
|
||||||
ignore_errors: true
|
|
||||||
|
|
||||||
- name: FreeBSD | Set default dnscrypt-proxy assets
|
|
||||||
set_fact:
|
|
||||||
dnscrypt_proxy_latest:
|
|
||||||
json:
|
|
||||||
assets:
|
|
||||||
- name: "dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
|
|
||||||
browser_download_url: "https://github.com/jedisct1/dnscrypt-proxy/releases/download/{{ dnscrypt_proxy_version }}/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
|
|
||||||
when: dnscrypt_proxy_latest.failed
|
|
||||||
|
|
||||||
- name: FreeBSD | Download the latest archive
|
|
||||||
get_url:
|
|
||||||
url: "{{ item['browser_download_url'] }}"
|
|
||||||
dest: "/tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
|
|
||||||
mode: '0755'
|
|
||||||
force: true
|
|
||||||
with_items: "{{ dnscrypt_proxy_latest['json']['assets'] }}"
|
|
||||||
no_log: true
|
|
||||||
when: '"freebsd_amd64" in item.name and not item.name.endswith("minisig")'
|
|
||||||
notify: restart dnscrypt-proxy
|
|
||||||
|
|
||||||
- name: FreeBSD | Extract the latest archive
|
|
||||||
unarchive:
|
|
||||||
remote_src: true
|
|
||||||
src: /tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz
|
|
||||||
dest: /usr/dnscrypt-proxy
|
|
||||||
|
|
||||||
- name: FreeBSD | Configure rc script
|
- name: Enable mac_portacl
|
||||||
copy:
|
lineinfile:
|
||||||
src: rc.dnscrypt-proxy.sh
|
path: /etc/rc.conf
|
||||||
dest: /usr/local/etc/rc.d/dnscrypt-proxy
|
line: 'dnscrypt_proxy_mac_portacl_enable="YES"'
|
||||||
mode: "0755"
|
when: listen_port|int == 53
|
||||||
notify: restart dnscrypt-proxy
|
|
||||||
|
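Review bot: The new `Enable mac_portacl` task uses `lineinfile` with only `line:`, so it matches the exact text `dnscrypt_proxy_mac_portacl_enable="YES"`; an existing `dnscrypt_proxy_mac_portacl_enable="NO"` in /etc/rc.conf would be left in place and a second, conflicting entry appended. Add `regexp: '^dnscrypt_proxy_mac_portacl_enable='` under `lineinfile:` so the task replaces the setting instead of appending it. The removed tasks carried `notify: restart dnscrypt-proxy` and neither new task does, so a change to rc.conf here will not restart the service; if the port's rc script only reads this knob at start, the lineinfile task needs the notify back — to be confirmed against the rest of the role. The `dnscrypt-proxy2` package task omits `state:`; writing `state: present` explicitly would match the `BSD | WireGuard installed` task added in this same commit.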
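--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# PROVIDE: wireguard
+# REQUIRE: LOGIN
+# BEFORE: securelevel
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="wg"
+rcvar=wg_enable
+
+command="/usr/local/bin/wg-quick"
+start_cmd=wg_up
+stop_cmd=wg_down
+status_cmd=wg_status
+pidfile="/var/run/$name.pid"
+load_rc_config "$name"
+
+: ${wg_enable="NO"}
+: ${wg_interface="wg0"}
+
+wg_up() {
+echo "Starting WireGuard..."
+/usr/sbin/daemon -cS -p ${pidfile} ${command} up ${wg_interface}
+}
+
+wg_down() {
+echo "Stopping WireGuard..."
+${command} down ${wg_interface}
+}
+
+wg_status () {
+not_running () {
+echo "WireGuard is not running on $wg_interface" && exit 1
+}
+/usr/local/bin/wg show wg0 && echo "WireGuard is running on $wg_interface" || not_running
+}
+
+run_rc_command "$1"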
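Review bot: `wg_status` hard-codes the interface in `/usr/local/bin/wg show wg0` while its own messages and `wg_up`/`wg_down` use the configurable `${wg_interface}`, so status checks the wrong interface as soon as `wg_interface` is overridden in rc.conf; change the line to `/usr/local/bin/wg show "${wg_interface}" && echo "WireGuard is running on $wg_interface" || not_running`. `not_running` calls `exit 1` from inside a function, which terminates the script instead of handing a status back to `run_rc_command`; `return 1` is the conventional form in rc scripts. `wg_up` wraps `wg-quick up` in `/usr/sbin/daemon -p ${pidfile}`, yet wg-quick presumably configures the interface and exits, leaving a pidfile for a process that is already gone and that `wg_down` never removes — worth confirming whether the pidfile and daemon(8) wrapper are needed at all.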
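--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,5 +1,5 @@
 ---
 - name: restart wireguard
 service:
-name: "wg-quick@{{ wireguard_interface }}"
+name: "{{ service_name }}"
 state: restarted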
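--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,16 @@
+---
+- name: BSD | WireGuard installed
+package:
+name: wireguard
+state: present
+
+- set_fact:
+service_name: wireguard
+tags: always
+
+- name: BSD | Configure rc script
+copy:
+src: wireguard.sh
+dest: /usr/local/etc/rc.d/wireguard
+mode: "0755"
+notify: restart wireguard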
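Review bot: Nothing in this file enables the service in /etc/rc.conf: the rc script installed by `BSD | Configure rc script` defaults its knob to `wg_enable="NO"`, so the `restart wireguard` handler's `service wireguard restart` is a no-op on a fresh host unless `wg_enable="YES"` is written elsewhere in the role — to be confirmed. If it is not, a `lineinfile` task anchored on `^wg_enable=` should precede the rc-script task, as sketched below. The `set_fact` task has no `name:` unlike its neighbours; `- name: BSD | Set service name` would keep playbook output consistent. The script is installed as `rc.d/wireguard` but is enabled through `wg_enable`; a short comment on the copy task noting that pairing would save the next reader a lookup.
```yaml
- name: BSD | WireGuard enabled in rc.conf
  lineinfile:
    path: /etc/rc.conf
    regexp: '^wg_enable='
    line: 'wg_enable="YES"'
  notify: restart wireguard

# … unchanged: BSD | Configure rc script task …
```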
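--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,32 @@
+---
+- name: WireGuard repository configured
+apt_repository:
+repo: ppa:wireguard/wireguard
+state: present
+register: result
+until: result is succeeded
+retries: 10
+delay: 3
+
+- name: WireGuard installed
+apt:
+name: wireguard
+state: present
+update_cache: true
+
+- name: WireGuard reload-module-on-update
+file:
+dest: /etc/wireguard/.reload-module-on-update
+state: touch
+
+- name: Configure unattended-upgrades
+copy:
+src: 50-wireguard-unattended-upgrades
+dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades
+owner: root
+group: root
+mode: 0644
+
+- set_fact:
+service_name: "wg-quick@{{ wireguard_interface }}"
+tags: always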
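Review bot: `state: touch` in the `WireGuard reload-module-on-update` task is not idempotent: it rewrites the marker's timestamps and reports `changed` on every run. If the intent is only that the file exists, add `modification_time: preserve` and `access_time: preserve` under `file:`, or create it with `copy` using `content: ""` and `force: false`. `mode: 0644` in the `Configure unattended-upgrades` task is an unquoted octal scalar, while the BSD task in this same commit writes `mode: "0755"`; quoting it as `mode: "0644"` keeps the two files consistent and avoids the YAML integer parse of the value. The unnamed `- set_fact:` task would also read better as `- name: Set service name`, matching the named tasks above it.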