path: root/misc/dotfiles/wireguard/onion-dns-up.sh
author Dmitry Ilvokhin <d@ilvokhin.com> 2025-08-24 13:31:38 +0100
committer Dmitry Ilvokhin <d@ilvokhin.com> 2025-08-24 13:31:38 +0100
commit 7d113fcddd341f1e4b04ceb2785087d50b8e1556
tree a8f8e8c288c13badf9eb061bbc67c899916bc6a3 /misc/dotfiles/wireguard/onion-dns-up.sh
parent 461b380f51b6aca3113f581378846e4902bea6fe
Add wireguard configuration to dotfiles role (HEAD, master)

This is a simple role that works only for one host. There are multiple complications that I should keep in mind in the future.

* There should be a way to install dotfiles on boxes without a GPG key there. So, files with secrets in them should be gated.
* Wireguard configuration should be per host. Each host should have its own private key.
Diffstat (limited to 'misc/dotfiles/wireguard/onion-dns-up.sh')
-rwxr-xr-x misc/dotfiles/wireguard/onion-dns-up.sh 18
1 files changed, 18 insertions, 0 deletions
diff --git a/misc/dotfiles/wireguard/onion-dns-up.sh b/misc/dotfiles/wireguard/onion-dns-up.sh
new file mode 100755
index 0000000..d8f69b9
--- /dev/null
+++ b/misc/dotfiles/wireguard/onion-dns-up.sh
@@ -0,0 +1,18 @@
+#! /usr/bin/env sh
+
+# macOS as usual has it is own way to do DNS. Even when we set DNS in
+# WireGuard config, onion addresses will not be resolved anyway. Moreover,
+# nslookup (and probably other standard cli utilities will work properly), but
+# Firefox at the same time will not.
+# The only workaround I found it to set `SupplementalMatchDomains` manually
+# with `scutil`. This trick worked for OpenVPN for long time as well.
+
+iface=$1
+dns=$2
+
+scutil <<EOF
+d.init
+d.add ServerAddresses * $dns
+d.add SupplementalMatchDomains * onion
+set State:/Network/Service/$iface/DNS
+EOF
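Review bot: the script writes to `State:/Network/Service/$iface/DNS` without checking that either positional argument is present, so if it is invoked with one or both missing it silently creates a DNS entry under an empty service name with an empty `ServerAddresses` list. Add `set -eu` after the shebang and a usage guard before the heredoc, for example `[ $# -eq 2 ] || { echo "usage: $0 <iface> <dns>" >&2; exit 1; }`. Two further points on the same lines: `d.init` followed by `set` replaces the entire DNS dictionary for that service, so any `ServerAddresses` or search domains already stored there for the interface are overwritten rather than supplemented, which should be stated in the comment; and since this is an `-up` hook, make sure a matching teardown runs `remove State:/Network/Service/$iface/DNS` through `scutil`, otherwise the state entry is left behind after the tunnel closes. Finally, the comment has two wording slips: "has it is own way" should read "has its own way", and in "nslookup (and probably other standard cli utilities will work properly)" the closing parenthesis belongs after "utilities".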