#Purpose: installation of dnscrypt using puppet automation framework.
#Cat and paste will show config files.
#I hope this help you to configure dnscrypt with puppet.
#Advice and comment would be very grateful.
#ubuntu is trusty 14.04, centos is 7
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat init.pp
class dnscrypt{
case $::operatingsystem {
'RedHat', 'CentOS', 'Scientific', 'OracleLinux', 'OEL': {
#default env variables#
$service_name = "dnscrypt"
$provider="dnscrypt"
$pid="/run/dnscrypt-proxy.pid"
$eps="--edns-payload-size=4096"
$daemon="/usr/sbin/dnscrypt-proxy"
$daemon_name="dnscrypt-proxy"
$desc="dnscrypt DNS encryption to opendns"
$resolver="opendns"
$dname="dnscrypt"
$masq_port="2053"
$masq_host="127.0.0.2"
$masq_listen_address="127.0.0.1"
#####pre install requirement#####
$pre_install_package = ["gcc","make","dnsmasq","libtool","libtool-ltdl","libtool-ltdl-devel"]
package { $pre_install_package: ensure => "installed" }
#####pre install requirement end#####
#####Obtaining source and compile#####
include dnscrypt::get_dnscrypt_centos7
include dnscrypt::centos7_config
# do something RHEL specific
#####running service#####
##running dnscrypt#######
include dnscrypt::centos7_service
}
'ubuntu': {
#default env variables#
$service_name = "dnscrypt"
$provider="dnscrypt"
$pid="/run/dnscrypt-proxy.pid"
$eps="--edns-payload-size=4096"
$daemon="/usr/sbin/dnscrypt-proxy"
$daemon_name="dnscrypt-proxy"
$desc="dnscrypt DNS encryption to opendns"
$resolver="opendns"
$shell="#!/bin/sh"
$dname="dnscrypt"
$masq_port="2053"
$masq_host="127.0.0.2"
$masq_listen_address="127.0.0.1"
$user="dnscrypt"
#pre install requirement#
package { 'gcc':
ensure => installed,
}
package { 'make':
ensure => installed,
}
package { 'dnsmasq':
ensure => installed,
}
#pre install requirement end#
include dnscrypt::account_add
include dnscrypt::get_dnscrypt_ubuntu
include dnscrypt::ubuntu_config
# running dnscrypt
include dnscrypt::service
}
default: {
# ...
}
}
}
#Obtain and compile dnscrypt and etc for ubuntu#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat get_dnscrypt_ubuntu.pp
class dnscrypt::get_dnscrypt_ubuntu {
$dcp="dnscrypt-proxy-1.4.3"
$lsd="libsodium-1.0.2"
$ext=".tar.gz"
$local_http_server="http://10.0.0.1"
$daemon_exec="/usr/sbin/dnscrypt-proxy"
exec { 'wget-dnscrypt-libsodium':
path => ['/bin','/usr/bin','/usr/sbin','/sbin'],
cwd => '/tmp',
#local web server#
command => "wget $local_http_server/$dcp$ext && wget $local_http_server/$lsd$ext",
#remote web#
#command => "wget http://download.dnscrypt.org/dnscrypt-proxy/$dcp$ext && wget https://download.libsodium.org/libsodium/releases/$lsd$ext"
unless => "ls $daemon_exec",
}
exec { 'untar':
path => ['/bin','/usr/bin','/usr/sbin','/sbin'],
cwd => '/tmp',
command => "tar xvzf $dcp$ext && tar xvzf $lsd$ext",
require => Exec['wget-dnscrypt-libsodium'],
unless => "ls $daemon_exec",
}
exec { 'compile-libsodium':
path => ['/bin','/usr/bin','/usr/sbin','/sbin',"/tmp/$lsd"],
cwd => "/tmp/$lsd",
command => './configure --prefix=/usr && make && make install',
require => Exec['untar'],
unless => "ls $daemon_exec",
}
exec { 'compile-dnscrypt':
path => ['/bin','/usr/bin','/usr/sbin','/sbin',"/tmp/$dcp"],
cwd => "/tmp/$dcp",
command => './configure --prefix=/usr && make && make install',
require => Exec['compile-libsodium'],
unless => "ls $daemon_exec",
}
exec { 'service-enable':
path => ['/bin','/usr/bin','/usr/sbin','/sbin'],
cwd => '/root',
command => "update-rc.d dnscrypt defaults",
#require => Exec['compile-dnscrypt'],
onlyif => "ls /etc/init.d/dnscrypt",
}
}
#Obtain and compile dnscrypt and etc for centos#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat get_dnscrypt_centos7.pp
class dnscrypt::get_dnscrypt_centos7{
$dcp="dnscrypt-proxy-1.4.3"
$lsd="libsodium-1.0.2"
$ext=".tar.gz"
$local_http_server="http://10.0.0.1"
$daemon_exec="/usr/sbin/dnscrypt-proxy"
exec { 'wget-dnscrypt-libsodium':
path => ['/bin','/usr/bin','/usr/sbin','/sbin'],
cwd => '/tmp',
#local web server#
command => "wget $local_http_server/$dcp$ext && wget $local_http_server/$lsd$ext",
#remote web#
#command => "wget http://download.dnscrypt.org/dnscrypt-proxy/$dcp$ext && wget https://download.libsodium.org/libsodium/releases/$lsd$ext"
unless => "ls $daemon_exec",
}
exec { 'untar':
path => ['/bin','/usr/bin','/usr/sbin','/sbin'],
cwd => '/tmp',
command => "tar xvzf $dcp$ext && tar xvzf $lsd$ext",
require => Exec['wget-dnscrypt-libsodium'],
unless => "ls $daemon_exec",
}
exec { 'compile-libsodium':
path => ['/bin','/usr/bin','/usr/sbin','/sbin',"/tmp/$lsd"],
cwd => "/tmp/$lsd",
command => './configure --prefix=/usr && make && make install',
require => Exec['untar'],
unless => "ls $daemon_exec",
}
exec { 'compile-dnscrypt':
path => ['/bin','/usr/bin','/usr/sbin','/sbin',"/tmp/$dcp"],
cwd => "/tmp/$dcp",
command => './autogen.sh && ./configure --prefix=/usr && make && make install',
require => Exec['compile-libsodium'],
unless => "ls $daemon_exec",
}
exec { 'service-enable':
path => ['/bin','/usr/bin','/usr/sbin','/sbin'],
cwd => '/root',
command => "update-rc.d dnscrypt defaults",
#require => Exec['compile-dnscrypt'],
onlyif => "ls /etc/init.d/dnscrypt",
}
}
#service class for ubuntu#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat service.pp
class dnscrypt::service {
service { "dnscrypt":
name => $service_name,
ensure => running,
hasstatus => true,
hasrestart => true,
enable => true,
require => Class["dnscrypt::ubuntu_config"],
}
# running dnsmasq
service { "dnsmasq":
name => dnsmasq,
ensure => running,
hasstatus => true,
hasrestart => true,
enable => true,
require => Class["dnscrypt::ubuntu_config"],
}
}
#service class for centos#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat centos7_service.pp
class dnscrypt::centos7_service {
service { "dnscrypt":
provider => 'systemd',
name => $service_name,
ensure => running,
hasstatus => true,
hasrestart => true,
enable => true,
require => Class['dnscrypt::centos7_config'],
}
# running dnsmasq
service { "dnsmasq":
provider => 'systemd',
name => dnsmasq,
ensure => running,
hasstatus => true,
hasrestart => true,
enable => true,
require => Class["dnscrypt::centos7_config"],
}
}
#config for ubuntu#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat ubuntu_config.pp
class dnscrypt::ubuntu_config {
file { "/etc/hosts":
ensure => present,
owner => 'root',
group => 'root',
mode => 0644,
source => "puppet:///modules/dnscrypt/hosts",
#content => template('dnscrypt/hosts.erb'),
}
file { "/etc/init.d/dnscrypt":
ensure => present,
owner => 'root',
group => 'root',
mode => 0755,
content => template('dnscrypt/dnscrypt_ubuntu.erb'),
#require => Class["dnscrypt::get_dnscrypt_ubuntu"],
notify => Service['dnscrypt'],
}
file { "/etc/dnsmasq.conf":
ensure => present,
owner => 'root',
group => 'root',
mode => 0644,
content => template('dnscrypt/dnscrypt_ubuntu_dnsmasq.erb'),
#require => Class["dnscrypt::get_dnscrypt_ubuntu"],
notify => Service['dnsmasq'],
}
}
#config for centos#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat centos7_config.pp
class dnscrypt::centos7_config {
file { "/etc/systemd/system/dnscrypt.service":
ensure => present,
owner => 'root',
group => 'root',
mode => 0755,
#enable => true,
content => template('dnscrypt/dnscrypt_centos7.erb'),
}
file { "/etc/hosts":
ensure => present,
owner => 'root',
group => 'root',
mode => 0644,
source => "puppet:///modules/dnscrypt/hosts",
#content => template('dnscrypt/hosts.erb'),
}
file { "/etc/dnsmasq.conf":
ensure => present,
owner => 'root',
group => 'root',
mode => 0644,
content => template('dnscrypt/dnscrypt_ubuntu_dnsmasq.erb'),
#require => Class["dnscrypt::get_dnscrypt_ubuntu"],
notify => Service['dnsmasq'],
}
}
#Account for ubuntu,centos does not need additional account, because nobody user has home directory..so..nobody is enough#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat account_add.pp
class dnscrypt::account_add {
user { "dnscrypt":
comment => "dnscrypt account",
home => "/run/dnscrypt",
ensure => "present",
managehome => "true",
shell => "/bin/false",
uid => 110,
gid => 119,
}
group { "dnscrypt":
gid => 119,
}
}
#dnsmasq.conf for ubuntu and centos#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat ../templates/dnscrypt_ubuntu_dnsmasq.erb
# Configuration file for dnsmasq.
no-resolv
server=<%= @masq_host %>#<%= @masq_port %>
listen-address=<%= @masq_listen_address %>
root@puppet:/etc/puppet/modules/dnscrypt/manifests#
#init script for ubuntu#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat ../templates/dnscrypt_ubuntu.erb
<%= @shell %>
#Created by wnapdlf05@gmail.com
#Dnscrypt protocol for securing communications between a client and a DNS resolver.
#
### BEGIN INIT INFO
# Provides: <%= @provider %>
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
### END INIT INFO
NAME="<%= @service_name %>"
DESC="<%= @desc %>"
DAEMON="<%= @daemon %>"
PID="<%= @pid %>"
MH="<%= @masq_host %>"
MP="<%= @masq_port %>"
#edns payload size
EPS="<%= @eps %>"
RSV="<%= @resolver %>"
USER="<%= @user %>"
. /lib/lsb/init-functions
PATH=/sbin:/bin:/usr/sbin:/usr/bin
status_check(){
start-stop-daemon -T --pidfile $PID
if [ $? -eq 0 ]
then
echo "$NAME is running at pid $(cat $PID)"
else
echo "Service $NAME is not running"
exit 1
fi
}
start_dnscrypt(){
log_daemon_msg "starting $NAME" "$DAEMON"
set +e
$DAEMON -a $MH:$MP $EPS -u $USER --pidfile=$PID -R $RSV --daemonize
set -e
log_end_msg $?
}
stop_dnscrypt(){
log_daemon_msg "stopping $NAME" "$DAEMON"
set +e
start-stop-daemon --stop --pidfile $PID --retry 5
rm -f <%= @pid %>
set -e
log_end_msg $?
}
case "$1" in
start)
start_dnscrypt
;;
stop)
stop_dnscrypt
;;
restart)
stop_dnscrypt
start_dnscrypt
;;
status)
status_check
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
;;
esac
exit 0;
#Init script for systemd. centos#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat ../templates/dnscrypt_centos7.erb
[Unit]
Description=OpenDNS Crypt proxy server
After=network.target
[Service]
ExecStart=<%= @daemon %> -a <%= @masq_host %>:<%= @masq_port %> <%= @eps %> --pidfile=<%= @pid %> -R <%= @resolver %> --daemonize
#ExecStart=/usr/sbin/dnscrypt-proxy -a 127.0.0.2:2053 --pidfile=/run/dnscrypt-proxy.pid -R opendns --daemonize
ExecReload=/bin/kill -HUP $MAINPID
Restart = always
Type = forking
User = nobody
[Install]
WantedBy=default.target
#hosts file edit and add 127.0.0.2 for ubuntu and centos. Only for ipv4. Need to be moved to template dir?#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat ../files/hosts
127.0.0.1 localhost
127.0.0.2 localhost
10.0.0.5 puppet
10.0.0.19 hp2
10.0.0.13 mc
10.0.0.11 ct7
#Test. --debug option will show much more information.#
root@mc:~# puppet agent --test
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for mc
Info: Applying configuration version '1429473505'
Notice: /Stage[main]/Dnscrypt::Ubuntu_config/File[/etc/init.d/dnscrypt]/ensure: created
Info: /Stage[main]/Dnscrypt::Ubuntu_config/File[/etc/init.d/dnscrypt]: Scheduling refresh of Service[dnscrypt]
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_ubuntu/Exec[service-enable]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_ubuntu/Exec[wget-dnscrypt-libsodium]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_ubuntu/Exec[untar]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_ubuntu/Exec[compile-libsodium]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_ubuntu/Exec[compile-dnscrypt]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Account_add/User[dnscrypt]/ensure: created
Notice: /Stage[main]/Dnscrypt::Service/Service[dnscrypt]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Dnscrypt::Service/Service[dnscrypt]: Unscheduling refresh on Service[dnscrypt]
Notice: Finished catalog run in 21.54 seconds
#Service auto start, it is nice ^^#
root@mc:~# ps -ef | grep dnsc
root 21127 1 0 04:59 ? 00:00:00 /usr/sbin/dnscrypt-proxy -a 127.0.0.2:2053 --edns-payload-size=4096 -u dnscrypt --pidfile=/run/dnscrypt-proxy.pid -R opendns --daemonize
dnscrypt 21131 21127 0 04:59 ? 00:00:00 /usr/sbin/dnscrypt-proxy -a 127.0.0.2:2053 --edns-payload-size=4096 -u dnscrypt --pidfile=/run/dnscrypt-proxy.pid -R opendns --daemonize
root 21150 2649 0 04:59 pts/0 00:00:00 grep --color=auto dnsc
root@mc:~#
#So, happily it is good#
root@mc:~# dig -t txt debug.opendns.com @127.0.0.1
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t txt debug.opendns.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20247
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT
;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 3.sea"
debug.opendns.com. 0 IN TXT "flags 20 0 70 5950800000000000000"
debug.opendns.com. 0 IN TXT "originid 0"
debug.opendns.com. 0 IN TXT "actype 0"
debug.opendns.com. 0 IN TXT "source 203.90.42.85:43819"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (71447764594D3377)"
;; Query time: 226 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 20 05:03:34 KST 2015
;; MSG SIZE rcvd: 247
# On centos7 #
[root@ct7 system]# puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for ct7
Info: Applying configuration version '1429473505'
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_centos7/Exec[wget-dnscrypt-libsodium]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_centos7/Exec[untar]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_centos7/Exec[compile-libsodium]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_centos7/Exec[compile-dnscrypt]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Centos7_config/File[/etc/systemd/system/dnscrypt.service]/ensure: created
Notice: /Stage[main]/Dnscrypt::Centos7_service/Service[dnscrypt]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Dnscrypt::Centos7_service/Service[dnscrypt]: Unscheduling refresh on Service[dnscrypt]
Notice: Finished catalog run in 40.92 seconds
[root@ct7 system]# ps -ef | grep dnsc
nobody 31187 1 0 05:06 ? 00:00:00 /usr/sbin/dnscrypt-proxy -a 127.0.0.2:2053 --edns-payload-size=4096 --pidfile=/run/dnscrypt-proxy.pid -R opendns --daemonize
root 31192 1401 0 05:07 pts/0 00:00:00 grep --color=auto dnsc
# Fortunately,,it is successful ^^#
root@ct7 system]# dig -t txt debug.opendns.com @127.0.0.1
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.1 <<>> -t txt debug.opendns.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52463
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT
;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 1.sea"
debug.opendns.com. 0 IN TXT "flags 20 0 70 5950800000000000000"
debug.opendns.com. 0 IN TXT "originid 0"
debug.opendns.com. 0 IN TXT "actype 0"
debug.opendns.com. 0 IN TXT "source 203.90.42.85:57710"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (71447764594D3377)"
;; Query time: 207 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 20 05:11:00 KST 2015
;; MSG SIZE rcvd: 247
No comments:
Post a Comment