diff --git a/roles/mgrote_minio_configure/defaults/main.yml b/roles/mgrote_minio_configure/defaults/main.yml new file mode 100644 index 00000000..b1dc2fc1 --- /dev/null +++ b/roles/mgrote_minio_configure/defaults/main.yml @@ -0,0 +1,68 @@ +--- +# Docs in config.yml and https://0xerr0r.github.io/blocky/configuration/ + +blocky_user: blocky +blocky_group: blocky +blocky_version: v0.22 +blocky_arch: x86_64 +blocky_download_url: "https://github.com/0xERR0R/blocky/releases/download/{{ blocky_version }}/blocky_{{ blocky_version }}_Linux_{{ blocky_arch }}.tar.gz" +blocky_conf_dir: /etc/blocky +blocky_block_type: zeroIp +blocky_block_ttl: 1m +blocky_blacklists_strategy: failOnError +blocky_local_upstream: 192.168.2.1 +blocky_prometheus: false +blocky_fqdn_only: false +blocky_port_dns: 53 +blocky_log_level: info +blocky_dns_upstream: + - 9.9.9.9 + - 1.1.1.1 + - 8.8.8.8 + - 5.9.164.112 +blocky_dns_blocklists: + - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt + - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts + - http://sysctl.org/cameleon/hosts + - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt +#blocky_custom_lookups: # optional +# # Internet +# - name: wiki.mgrote.net +# ip: 192.168.2.43 +# - name: audio.mgrote.net +# ip: 192.168.2.43 +# - name: auth.mgrote.net +# ip: 192.168.2.43 +# - name: ci.mgrote.net +# ip: 192.168.2.43 +# - name: git.mgrote.net +# ip: 192.168.2.43 +# - name: miniflux.mgrote.net +# ip: 192.168.2.43 +# - name: nextcloud.mgrote.net +# ip: 192.168.2.43 +# - name: registry.mgrote.net +# ip: 192.168.2.43 +# # Intern +# - name: ads2700w.mgrote.net +# ip: 192.168.2.147 +# - name: crs305.mgrote.net +# ip: 192.168.2.225 +# - name: hex.mgrote.net +# ip: 192.168.3.144 +# - name: pbs-test.mgrote.net +# ip: 192.168.2.18 +# - name: pbs.mgrote.net +# ip: 192.168.3.239 +# - name: pve5-test.mgrote.net +# ip: 192.168.2.17 +# - name: pve5.mgrote.net # bleibt im Router auch angelegt, weil wenn pve aus auch kein blocky ;-) +# ip: 192.168.2.16 +# - name: rb5009.mgrote.net +# ip: 192.168.2.1 +# - name: fritz.box +# ip: 192.168.5.1 +#blocky_conditional_mapping: # optional +# - domain: mgrote.net +# resolver: 192.168.2.1 +# diff --git a/roles/mgrote_minio_configure/handlers/main.yml b/roles/mgrote_minio_configure/handlers/main.yml new file mode 100644 index 00000000..861be7e3 --- /dev/null +++ b/roles/mgrote_minio_configure/handlers/main.yml @@ -0,0 +1,17 @@ +--- + +- name: set cap_net_bind_service # noqa no-changed-when + become: true + ansible.builtin.command: setcap 'cap_net_bind_service=+ep' /usr/local/bin/blocky + +- name: systemctl daemon-reload + become: true + ansible.builtin.systemd: + daemon_reload: true + +- name: restart service unit + become: true + ansible.builtin.systemd: + name: blocky.service + state: restarted + enabled: true diff --git a/roles/mgrote_minio_configure/tasks/main.yml b/roles/mgrote_minio_configure/tasks/main.yml new file mode 100644 index 00000000..c6289335 --- /dev/null +++ b/roles/mgrote_minio_configure/tasks/main.yml @@ -0,0 +1,61 @@ +--- +- name: ensure group exists + become: true + ansible.builtin.group: + name: "{{ blocky_group }}" + state: present + +- name: ensure user exists + become: true + ansible.builtin.user: + name: "{{ blocky_user }}" + state: present + create_home: false + +- name: ensure binaries are installed + become: true + ansible.builtin.unarchive: + src: "{{ blocky_download_url }}" + dest: /usr/local/bin + remote_src: true + owner: "{{ blocky_user }}" + group: "{{ blocky_group }}" + mode: "0755" + exclude: + - LICENSE + - README.md + notify: + - set cap_net_bind_service + - restart service unit + +- name: ensure conf dir exists + become: true + ansible.builtin.file: + path: "{{ blocky_conf_dir }}" + state: directory + owner: "{{ blocky_user }}" + group: "{{ blocky_group }}" + mode: "0755" + +- name: template configuration + become: true + ansible.builtin.template: + src: "config.yml.j2" + dest: "{{ blocky_conf_dir }}/config.yml" + owner: "{{ blocky_user }}" + group: "{{ blocky_group }}" + mode: "0600" + notify: + - restart service unit + +- name: template service + become: true + ansible.builtin.template: + src: "blocky.service.j2" + dest: /etc/systemd/system/blocky.service + owner: root + group: root + mode: "0644" + notify: + - systemctl daemon-reload + - restart service unit diff --git a/roles/mgrote_minio_configure/templates/blocky.service.j2 b/roles/mgrote_minio_configure/templates/blocky.service.j2 new file mode 100644 index 00000000..656fe94c --- /dev/null +++ b/roles/mgrote_minio_configure/templates/blocky.service.j2 @@ -0,0 +1,15 @@ +{{ file_header | default () }} + +[Unit] +Description=Blocky is a DNS proxy and ad-blocker for the local network written in Go. +Requires=network.target +Wants=nss-lookup.target +Before=nss-lookup.target +After=network.target + +[Service] +Type=simple +ExecStart=/usr/local/bin/blocky --config {{ blocky_conf_dir }}/config.yml + +[Install] +WantedBy=multi-user.target diff --git a/roles/mgrote_minio_configure/templates/config.yml.j2 b/roles/mgrote_minio_configure/templates/config.yml.j2 new file mode 100644 index 00000000..da1402de --- /dev/null +++ b/roles/mgrote_minio_configure/templates/config.yml.j2 @@ -0,0 +1,196 @@ +{{ file_header | default () }} +upstreams: + init: + # Configure startup behavior. + # accepted: blocking, failOnError, fast + # default: blocking + strategy: fast + groups: + default: +{% for item in blocky_dns_upstream %} + - {{ item }} +{% endfor %} + strategy: parallel_best + timeout: 2s + +# optional: Determines how blocky will create outgoing connections. This impacts both upstreams, and lists. +# accepted: dual, v4, v6 +# default: dual +connectIPVersion: v4 + + +# optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.) +blocking: + # definition of blacklist groups. Can be external link (http/https) or local file + blackLists: + ads: +{% for item in blocky_dns_blocklists %} + - {{ item }} +{% endfor %} + # which response will be sent, if query is blocked: + # zeroIp: 0.0.0.0 will be returned (default) + # nxDomain: return NXDOMAIN as return code + # comma separated list of destination IP addresses (for example: 192.100.100.15, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344). Should contain ipv4 and ipv6 to cover all query types. Useful with running web server on this address to display the "blocked" page. + blockType: {{ blocky_block_type | default ("zeroIp") }} + # optional: TTL for answers to blocked domains + # default: 6h + blockTTL: {{ blocky_block_ttl | default ("6h") }} + clientGroupsBlock: + # default will be used, if no special definition for a client name exists + default: + - ads # siehe blocking.blacklists.ads + # optional: Configure how lists, AKA sources, are loaded + loading: + # optional: list refresh period in duration format. + # Set to a value <= 0 to disable. + # default: 4h + refreshPeriod: 4h + # optional: Applies only to lists that are downloaded (HTTP URLs). + downloads: + # optional: timeout for list download (each url). Use large values for big lists or slow internet connections + # default: 5s + timeout: 60s + # optional: Maximum download attempts + # default: 3 + attempts: 5 + # optional: Time between the download attempts + # default: 500ms + cooldown: 10s + # optional: Maximum number of lists to process in parallel. + # default: 4 + concurrency: 16 + # Configure startup behavior. + # accepted: blocking, failOnError, fast + # default: blocking + strategy: {{ blocky_blacklists_strategy | default ("blocking") }} + # Number of errors allowed in a list before it is considered invalid. + # A value of -1 disables the limit. + # default: 5 + maxErrorsPerSource: 5 + +{% if blocky_conditional_mapping is defined %} + +# optional: definition, which DNS resolver(s) should be used for queries to the domain (with all sub-domains). Multiple resolvers must be separated by a comma +# Example: Query client.fritz.box will ask DNS server 192.168.178.1. This is necessary for local network, to resolve clients by host name +conditional: + # optional: if false (default), return empty result if after rewrite, the mapped resolver returned an empty answer. If true, the original query will be sent to the upstream resolver + # Example: The query "blog.example.com" will be rewritten to "blog.fritz.box" and also redirected to the resolver at 192.168.178.1. If not found and if `fallbackUpstream` was set to `true`, the original query "blog.example.com" will be sent upstream. + # Usage: One usecase when having split DNS for internal and external (internet facing) users, but not all subdomains are listed in the internal domain. + fallbackUpstream: false + mapping: +{% for item in blocky_conditional_mapping %} + {{ item.domain }}: {{ item.resolver }} +{% endfor %} +{% endif %} + + +{% if blocky_custom_lookups is defined %} +# optional: custom IP address(es) for domain name (with all sub-domains). Multiple addresses must be separated by a comma +# example: query "printer.lan" or "my.printer.lan" will return 192.168.178.3 +customDNS: + customTTL: 1h + # optional: if true (default), return empty result for unmapped query types (for example TXT, MX or AAAA if only IPv4 address is defined). + # if false, queries with unmapped types will be forwarded to the upstream resolver + filterUnmappedTypes: true + # optional: replace domain in the query with other domain before resolver lookup in the mapping + # rewrite: + # example.com: printer.lan + mapping: +{% for item in blocky_custom_lookups %} + {{ item.name }}: {{ item.ip }} +{% endfor %} +{% endif %} + +# optional: configuration for caching of DNS responses +caching: + # duration how long a response must be cached (min value). + # If <=0, use response's TTL, if >0 use this value, if TTL is smaller + # Default: 0 + minTime: 0 + # duration how long a response must be cached (max value). + # If <0, do not cache responses + # If 0, use TTL + # If > 0, use this value, if TTL is greater + # Default: 0 + maxTime: 0 + # Max number of cache entries (responses) to be kept in cache (soft limit). Useful on systems with limited amount of RAM. + # Default (0): unlimited + maxItemsCount: 0 + # if true, will preload DNS results for often used queries (default: names queried more than 5 times in a 2-hour time window) + # this improves the response time for often used queries, but significantly increases external traffic + # default: false + prefetching: true + # prefetch track time window (in duration format) + # default: 120 + prefetchExpires: 2h + # name queries threshold for prefetch + # default: 5 + prefetchThreshold: 5 + # Max number of domains to be kept in cache for prefetching (soft limit). Useful on systems with limited amount of RAM. + # Default (0): unlimited + prefetchMaxItemsCount: 0 + # Time how long negative results (NXDOMAIN response or empty result) are cached. A value of -1 will disable caching for negative results. + # Default: 30m + cacheTimeNegative: -1 + +# optional: configuration of client name resolution +clientLookup: + # optional: this DNS resolver will be used to perform reverse DNS lookup (typically local router) + upstream: {{ blocky_local_upstream | default ("192.168.2.1") }} + # optional: some routers return multiple names for client (host name and user defined name). Define which single name should be used. + # Example: take second name if present, if not take first name + # singleNameOrder: + # - 2 + # - 1 + + +# optional: configuration for prometheus metrics endpoint +prometheus: + # enabled if true + enable: {{ blocky_prometheus | default ("false") }} + # url path, optional (default '/metrics') + path: /metrics + + +# optional: Mininal TLS version that the DoH and DoT server will use +# minTlsServeVersion: 1.3 + +# if https port > 0: path to cert and key file for SSL encryption. if not set, self-signed certificate will be generated +#certFile: server.crt +#keyFile: server.key + +# optional: use these DNS servers to resolve blacklist urls and upstream DNS servers. It is useful if no system DNS resolver is configured, and/or to encrypt the bootstrap queries. +bootstrapDns: + - tcp+udp:9.9.9.9 + +# optional: drop all queries with following query types. Default: empty +filtering: + queryTypes: + - AAAA + +# optional: return NXDOMAIN for queries that are not FQDNs. +fqdnOnly: + # default: false + enable: {{ blocky_fqdn_only | default ("false") }} + +# optional: ports configuration +ports: + # optional: DNS listener port(s) and bind ip address(es), default 53 (UDP and TCP). Example: 53, :53, "127.0.0.1:5353,[::1]:5353" + dns: {{ blocky_port_dns | default ("53") }} + # optional: Port(s) and bind ip address(es) for DoT (DNS-over-TLS) listener. Example: 853, 127.0.0.1:853 + # tls: 853 + # optional: Port(s) and optional bind ip address(es) to serve HTTPS used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:443. Example: 443, :443, 127.0.0.1:443,[::1]:443 + # https: 443 + # optional: Port(s) and optional bind ip address(es) to serve HTTP used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:4000. Example: 4000, :4000, 127.0.0.1:4000,[::1]:4000 + http: 4000 + +# optional: logging configuration +log: + # optional: Log level (one from debug, info, warn, error). Default: info + level: {{ blocky_log_level | default ("info") }} + # optional: Log format (text or json). Default: text + format: text + # optional: log timestamps. Default: true + timestamp: true + # optional: obfuscate log output (replace all alphanumeric characters with *) for user sensitive data like request domains or responses to increase privacy. Default: false + privacy: false