author | Dmitry Ilvokhin <d@ilvokhin.com> | 2025-08-24 13:31:38 +0100 |
---|---|---|
committer | Dmitry Ilvokhin <d@ilvokhin.com> | 2025-08-24 13:31:38 +0100 |
commit | 7d113fcddd341f1e4b04ceb2785087d50b8e1556 (patch) | |
tree | a8f8e8c288c13badf9eb061bbc67c899916bc6a3 /misc | |
parent | 461b380f51b6aca3113f581378846e4902bea6fe (diff) | |
download | infra-7d113fcddd341f1e4b04ceb2785087d50b8e1556.tar.gz infra-7d113fcddd341f1e4b04ceb2785087d50b8e1556.tar.bz2 infra-7d113fcddd341f1e4b04ceb2785087d50b8e1556.zip |
This is a simple role that works only for one host. There are multiple
complications that I should keep in mind in the future.
* There should be a way to install dotfiles on boxes without a GPG key
there. So, files with secrets in them should be gated.
* Wireguard configuration should be per host. Each host should have its
own private key.
Diffstat (limited to 'misc')
-rwxr-xr-x | misc/dotfiles/wireguard/onion-dns-down.sh | 7 | ||||
-rwxr-xr-x | misc/dotfiles/wireguard/onion-dns-up.sh | 18 | ||||
-rw-r--r-- | misc/dotfiles/wireguard/wgtor0.conf | 22 | ||||
-rw-r--r-- | misc/dotfiles/wireguard/wgvpn0.conf | 17 |
4 files changed, 64 insertions, 0 deletions
diff --git a/misc/dotfiles/wireguard/onion-dns-down.sh b/misc/dotfiles/wireguard/onion-dns-down.sh
new file mode 100755
index 0000000..b271700
--- /dev/null
+++ b/misc/dotfiles/wireguard/onion-dns-down.sh
@@ -0,0 +1,7 @@
+#! /usr/bin/env sh
+
+iface=$1
+
+/usr/sbin/scutil <<EOF
+remove State:/Network/Service/$iface/DNS
+EOF
diff --git a/misc/dotfiles/wireguard/onion-dns-up.sh b/misc/dotfiles/wireguard/onion-dns-up.sh
new file mode 100755
index 0000000..d8f69b9
--- /dev/null
+++ b/misc/dotfiles/wireguard/onion-dns-up.sh
@@ -0,0 +1,18 @@
+#! /usr/bin/env sh
+
+# macOS as usual has it is own way to do DNS. Even when we set DNS in
+# WireGuard config, onion addresses will not be resolved anyway. Moreover,
+# nslookup (and probably other standard cli utilities will work properly), but
+# Firefox at the same time will not.
+# The only workaround I found it to set `SupplementalMatchDomains` manually
+# with `scutil`. This trick worked for OpenVPN for long time as well.
+
+iface=$1
+dns=$2
+
+scutil <<EOF
+d.init
+d.add ServerAddresses * $dns
+d.add SupplementalMatchDomains * onion
+set State:/Network/Service/$iface/DNS
+EOF
diff --git a/misc/dotfiles/wireguard/wgtor0.conf b/misc/dotfiles/wireguard/wgtor0.conf
new file mode 100644
index 0000000..3f217c3
--- /dev/null
+++ b/misc/dotfiles/wireguard/wgtor0.conf
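Review bot: `iface=$1` on the third line of the hunk is used without any check, so running the script with no argument expands the heredoc to `remove State:/Network/Service//DNS`, a malformed key, instead of failing early; the same unchecked positional parameters appear in onion-dns-up.sh in this commit (`iface=$1`, `dns=$2`). Add `set -eu` after the shebang and `[ $# -eq 1 ] || { echo "usage: $0 iface" >&2; exit 1; }` before the heredoc (with `$# -eq 2` and `iface dns` in the up script), so an empty or missing value aborts before scutil is invoked. These hooks are presumably executed as root from the WireGuard PostUp/PreDown entries of the encrypted configs, which is a further reason to fail closed on bad input.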
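Review bot: The hunk invokes bare `scutil` (the line before `d.init`) while onion-dns-down.sh in the same commit uses `/usr/sbin/scutil`; a hook that is presumably run by wg-quick with elevated privileges should not depend on PATH lookup, so change it to `/usr/sbin/scutil <<EOF` to match the down script. The header comment also has wording problems worth fixing: "has it is own way" should be "has its own way", the parenthesis in "(and probably other standard cli utilities will work properly), but" is unbalanced, and "The only workaround I found it to set" should read "The only workaround I found is to set". Consider also documenting the two positional arguments above `iface=$1`, e.g. `# $1: interface name, $2: DNS server address passed from the WireGuard PostUp hook`.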
@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+66653962643936356331393865643262303630343363346232636461666633383938366562346135
+3334336566326662393835393061313034353337613039340a386633333537626466373034343933
+37336666326364353438353666663138306531636334386434633238356233343439616538336635
+3762666439353563350a373331663732313665626566613965326365626638396361323038333436
+66303766303261633966646634656161346464616538356530666461346665316366613938383330
+63336436343934316236303335306331313638343930623061343536666139653330363133346330
+32633665346136653664383464373365663063613832373263626366646633373037363263643830
+38636238303030373134343631643930626537356135363831663864373339303739616639363838
+64306633613439366462393935646535376331396537616164656263363862396131313538366330
+30383732323565366166303831373061356239326262306361373837663032623631643564313639
+39333064623534313336366161633435343062653136333539383764366366653639353534343335
+64343331356632643061313263336362323836343738393332333832353465343237356365326635
+62333661373365623463343931633530613466356330303833613035613933323830616664393937
+36613330326265383035623536303865393733663733316636633731373533636132633031613339
+63333666343331353833643263343731306234313435373331353235353131383563633935653339
+35373865303962383837373862346630663633653638323533323037613539663364306635393365
+39613931653338646163333461326534663535306334626134316563646438666536643136376635
+39346338646563376462313564643137373030666330663863633835663165376462646234333239
+66616630326262623734613232666132366337656565306638346132323166383165633961313033
+34393437623336323565386531613737353739303064393764613366363136363035343039396463
+6531
diff --git a/misc/dotfiles/wireguard/wgvpn0.conf b/misc/dotfiles/wireguard/wgvpn0.conf
new file mode 100644
index 0000000..97691b7
--- /dev/null
+++ b/misc/dotfiles/wireguard/wgvpn0.conf
@@ -0,0 +1,17 @@
+$ANSIBLE_VAULT;1.1;AES256
+61366266653839616332383237343332373262313963343564636431336533303034346434636233
+3037376439386635323531333838366564303565663535390a383763623731323633396433326237
+37326438303662313337313239626461303464316566623639376330303338383934306238666331
+6564393861316231370a636432343934343830393439303739636630626137326463636634613463
+66333461383964656235383363626365373066663962393137343364643537396433366634336439
+61303832373039633636666364393432333863613462313539313063666263336363623833396233
+66366133613563613036383636333334343830373464396662353637323630336232653431326465
+66356630353336373731306130643438653736366331343139643765643633366439633566656534
+63343235663032366531663561356161646537623665613535656132356139366461643361646436
+32336530323435623938623561363966616638333637653862313161616139373235316334373233
+30646265393337326565326161386461356663663064353130356136363266653163363164636234
+33396334323264303264303563346439326530646531356463346562383235303538643066656366
+31326533373466346430303461323237623031643730313566333561333162636632656332313637
+61333038336466356561353237306430313032616639383539663731343031663731636333326631
+34663831353832386638666131313737636631303237663761376434313935613438376532666261
+32633835386431663238 |