From: Jakub Czajka Date: Sun, 23 Mar 2025 16:34:54 +0000 (+0100) Subject: [dns] Deploy dnscrypt-proxy. X-Git-Url: https://git.ekhem.eu.org/?a=commitdiff_plain;h=HEAD;p=metadata.git [dns] Deploy dnscrypt-proxy.
---
diff --git a/server.git/dnscrypt-proxy.yaml b/server.git/dnscrypt-proxy.yaml
new file mode 100644
index 0000000..4b8a8d4
--- /dev/null
+++ b/server.git/dnscrypt-proxy.yaml
@@ -0,0 +1,127 @@
+# Copyright (c) 2025 Jakub Czajka
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ info: https://api.github.com/repos/DNSCrypt/dnscrypt-proxy/releases/latest
+ src: https://github.com/DNSCrypt/dnscrypt-proxy/releases/download
+ bin: dnscrypt-proxy-linux_x86_64
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ conf: /etc/dns
+ site: dnscrypt-proxy.conf
+ tasks:
+ - name: Fetch latest version of dnscrypt-proxy
+ uri:
+ url: "{{ info }}"
+ return_content: true
+ register: info
+ - name: Download dnscrypt-proxy
+ unarchive:
+ src: "{{ src }}/{{ ver }}/{{ bin }}-{{ ver }}.tar.gz"
+ dest: /tmp
+ copy: no
+ vars:
+ ver: "{{ info.json.tag_name }}"
+ - name: Install dnscrypt-proxy
+ copy:
+ src: /tmp/linux-x86_64/dnscrypt-proxy
+ dest: /usr/bin
+ become: true
+ - name: Set permissions for dnscrypt-proxy
+ file:
+ path: /usr/bin/dnscrypt-proxy
+ mode: 0755
+ owner: root
+ group: root
+ become: true
+ - name: Install libnginx-mod-stream
+ package:
+ name:
+ - libnginx-mod-stream
+ state: latest
+ become: true
+
+ - name: Checkout dnscrypt-proxy's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \ dnscrypt-proxy/*
+ become: true
+ - name: Create configuration directory
+ file:
+ path: "{{ conf }}"
+ state: directory
+ become: true
+ - name: Copy files to the configuration directory
+ copy:
+ src: /tmp/dnscrypt-proxy/{{ item }}
+ dest: "{{ conf }}"
+ remote_src: true
+ become: true
+ with_items:
+ - dnscrypt-proxy.toml
+ - name: Copy resolv.conf to /etc
+ copy:
+ src: /tmp/dnscrypt-proxy/resolv.conf
+ dest: /etc
+ remote_src: true
+ become: true
+ - name: Copy service file to /etc/systemd/system
+ copy:
+ src: /tmp/dnscrypt-proxy/dnscrypt-proxy.service
+ dest: /etc/systemd/system
+ remote_src: true
+ become: true
+ - name: Copy service file to /etc/systemd/system
+ copy:
+ src: /tmp/dnscrypt-proxy/dnscrypt-proxy.service
+ dest: /etc/systemd/system
+ remote_src: true
+ become: true
+ - name: Create user for running dnscrypt-proxy
+ user:
+ name: dnscrypt-proxy
+ create_home: false
+ shell: /usr/sbin/nologin
+ become: true
+
+ - name: Checkout nginx's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \ nginx/*
+ become: true
+ - name: Copy nginx configuration /etc/nginx
+ copy:
+ src: /tmp/nginx/nginx.conf
+ dest: /etc/nginx
+ remote_src: true
+ become: true
+ - name: Create directory for nginx streams
+ file:
+ path: /etc/nginx/{{ item }}
+ state: directory
+ become: true
+ with_items:
+ - streams-available
+ - streams-enabled
+ - name: Copy stream from /tmp to /etc/nginx/streams-available
+ copy:
+ src: /tmp/dnscrypt-proxy/{{ site }}
+ dest: /etc/nginx/streams-available
+ remote_src: true
+ become: true
+ - name: Enable site in nginx
+ shell: envsubst < /etc/nginx/streams-available/{{ site }} \ > /etc/nginx/streams-enabled/{{ site }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ - name: Disable systemd-resolved
+ service:
+ name: systemd-resolved
+ state: stopped
+ become: true
+ - name: Restart dnscrypt-proxy and nginx
+ service:
+ name: "{{ item }}"
+ state: restarted
+ become: true
+ with_items:
+ - dnscrypt-proxy
+ - nginx
diff --git a/server.git/hooks/post-receive b/server.git/hooks/post-receive
index fa81215..b33f636 100755
--- a/server.git/hooks/post-receive
+++ b/server.git/hooks/post-receive
@@ -2,8 +2,8 @@
 # Copyright (c) 2023-2024 Jakub Czajka
 # License: GPL-3.0 or later.
-DEPLOYABLE="dovecot fail2ban git matrix nginx miniflux opendkim postfix postgres\
- rsyslog sshd"
+DEPLOYABLE="dnscrypt-proxy dovecot fail2ban git matrix nginx miniflux opendkim\
+ postfix postgres rsyslog sshd"
 while read old_revision new_revision branch
 do
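Review bot: The `Download dnscrypt-proxy` and `Install dnscrypt-proxy` tasks fetch whatever GitHub's `latest` tag currently points at and copy the binary into /usr/bin as root with no checksum or signature check, and both that tarball and the `git --work-tree=/tmp` checkouts are staged in world-writable /tmp before the root copies, so anything that can write /tmp (or a tampered release) ends up as the system resolver. The project publishes a minisign `.minisig` next to each release asset; verify it (public key in the upstream README) before the install task, or pin `ver` plus a `checksum: sha256:…` in the play `vars`, fetch with `get_url`, and stage everything in a `tempfile` directory as sketched below. The `Disable systemd-resolved` task only sets `state: stopped`; add `enabled: false` (or mask the unit) or resolved comes back at the next boot on top of the copied resolv.conf, and the duplicated `Copy service file` task should be followed by `daemon_reload: true` via the `systemd` module so a changed unit is re-read on re-runs. The trailing `\` in the `command:` and `shell:` values is not a line continuation inside a YAML plain scalar — YAML folds it to `\ `, which shlex (command) and bash (shell) take as an escaped literal space, giving git a pathspec of `" dnscrypt-proxy/*"` and envsubst a `" "` SHELL-FORMAT argument; unless the extraction dropped a block-scalar indicator, write these as `>-` folded scalars without the backslash.
```yaml
    - name: Create private staging directory
      tempfile:
        state: directory
        suffix: .dnscrypt
      register: stage
    - name: Download dnscrypt-proxy release archive
      get_url:
        url: "{{ src }}/{{ ver }}/{{ bin }}-{{ ver }}.tar.gz"
        dest: "{{ stage.path }}/{{ bin }}-{{ ver }}.tar.gz"
        checksum: "sha256:{{ sha256 }}"  # pinned in vars next to ver
        mode: "0600"
    - name: Unpack dnscrypt-proxy
      unarchive:
        src: "{{ stage.path }}/{{ bin }}-{{ ver }}.tar.gz"
        dest: "{{ stage.path }}"
        remote_src: true
    - name: Install dnscrypt-proxy
      copy:
        src: "{{ stage.path }}/linux-x86_64/dnscrypt-proxy"
        dest: /usr/bin/dnscrypt-proxy
        remote_src: true
        mode: "0755"
        owner: root
        group: root
      become: true
    # … unchanged: libnginx-mod-stream, config checkouts (use stage.path as --work-tree), nginx and service tasks …
```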