Created
March 30, 2018 23:22
-
-
Save ivandeex/ecb6da64ad518b90700ac7a7bfaca084 to your computer and use it in GitHub Desktop.
test iodine
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - hosts: all | |
| gather_facts: no | |
| vars: | |
| iodine_domain: "iodine.mydomain.com" | |
| iodine_password: "top secret" | |
| iodine_tunnelip: "10.99.99.1/24" | |
| iodine_port: 15353 # note: 5353 taken by nxserver | |
| tasks: | |
| - name: install iodine server | |
| block: | |
| - name: install iodine package | |
| package: | |
| name: iodine | |
| state: present | |
| - name: set iodine daemon parameters | |
| copy: | |
| dest: /etc/default/iodine | |
| content: | | |
| START_IODINED="true" | |
| IODINED_ARGS="-p {{ iodine_port }} {{ iodine_tunnelip }} -c {{ iodine_domain }}" | |
| IODINED_PASSWORD="{{ iodine_password }}" | |
| owner: root | |
| mode: "600" | |
| notify: restart iodined | |
| - name: start iodined service | |
| service: | |
| name: iodined | |
| enabled: yes | |
| state: started | |
| become: yes | |
| - name: forward subdomain to iodine daemon | |
| block: | |
| - blockinfile: | |
| path: /etc/bind/named.conf | |
| block: | | |
| zone "{{ iodine_domain }}" { | |
| type forward; | |
| forwarders { 127.0.0.1 port {{ iodine_port }}; }; | |
| }; | |
| marker: "# {mark} iodine" | |
| insertafter: "= Forward zones =" | |
| owner: root | |
| group: bind | |
| mode: "640" | |
| notify: restart bind9 | |
| become: yes | |
| - name: hexify iodine domain | |
| shell: | | |
| if True: # workaround for buggy indenting | |
| import binascii | |
| domain = "{{ iodine_domain }}" | |
| parts = [ chr(len(part)) + part for part in domain.split(".") ] | |
| hexed = binascii.hexlify("".join(parts).encode()) | |
| print("%s00" % hexed.decode()) | |
| args: | |
| executable: python3 | |
| delegate_to: localhost | |
| run_once: true | |
| register: hexified_domain | |
| changed_when: false | |
| - name: add ufw iptables rules for iodine | |
| block: | |
| - name: check presense of the ufw nat block | |
| lineinfile: | |
| path: /etc/ufw/before.rules | |
| line: "# == BEGIN ANSIBLE MANAGED NAT RULES ==" | |
| check_mode: yes | |
| register: ufw_nat_block | |
| - name: add block for ufw nat rules | |
| blockinfile: | |
| path: /etc/ufw/before.rules | |
| block: | | |
| *nat | |
| :PREROUTING ACCEPT [0:0] | |
| :INPUT ACCEPT [0:0] | |
| :OUTPUT ACCEPT [0:0] | |
| :POSTROUTING ACCEPT [0:0] | |
| # === START OF NAT RULES === | |
| # === END OF NAT RULES === | |
| COMMIT | |
| marker: "# == {mark} ANSIBLE MANAGED NAT RULES ==" | |
| insertbefore: "^\\*filter" | |
| when: ufw_nat_block.changed | |
| notify: reload ufw | |
| - name: ufw nat rule for iodine | |
| blockinfile: | |
| path: /etc/ufw/before.rules | |
| block: | | |
| -A PREROUTING -p udp --dport 53 -m string --algo bm --from 20 --hex-string "|{{ hexified_domain.stdout |default(0) }}|" -j REDIRECT --to-ports {{ iodine_port }} | |
| -A PREROUTING -p udp --dport 53 -m string --algo bm --from 0 --hex-string "|10d19e|" -j REDIRECT --to-ports {{ iodine_port }} | |
| marker: "# {mark} iodine" | |
| insertbefore: "END OF NAT RULES" | |
| notify: reload ufw | |
| become: yes | |
| handlers: | |
| - name: restart iodined | |
| service: | |
| name: iodined | |
| state: restarted | |
| become: yes | |
| - name: restart bind9 | |
| service: | |
| name: bind9 | |
| state: restarted | |
| become: yes | |
| - name: reload ufw | |
| ufw: | |
| state: reloaded | |
| become: yes | |
| ... |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment