Sunday, April 19, 2015

installation of dnscrypt using puppet automation framework on centos7 and ubuntu14.04 trusty.

#Purpose: installation of dnscrypt using puppet automation framework.
#The cat output pasted below shows the config files.
#I hope this help you to configure dnscrypt with puppet.
#Advice and comments would be greatly appreciated.
#ubuntu is trusty 14.04, centos is 7


root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat init.pp

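class dnscrypt{
  # Entry point of the module: builds dnscrypt-proxy from source, puts a local
  # dnsmasq forwarder in front of it and keeps both services running. The OS
  # specific work lives in the dnscrypt::* classes included below; the
  # variables set here are read by those classes and by the ERB templates
  # (as @service_name, @masq_port, ...).
  # NOTE(review): the sub-classes and templates use these names unqualified,
  # which relies on them being visible from this class's scope. Referencing
  # them as $dnscrypt::service_name (or passing class parameters) makes that
  # dependency explicit and independent of the scoping rules in use.

  # Values shared by every supported OS.
  $service_name        = "dnscrypt"
  $provider            = "dnscrypt"                 # LSB 'Provides:' in the init script
  $pid                 = "/run/dnscrypt-proxy.pid"
  $eps                 = "--edns-payload-size=4096" # EDNS0 buffer advertised upstream
  $daemon              = "/usr/sbin/dnscrypt-proxy"
  $daemon_name         = "dnscrypt-proxy"
  $desc                = "dnscrypt DNS encryption to opendns"
  $resolver            = "opendns"                  # resolver name given to -R
  $dname               = "dnscrypt"
  # dnsmasq listens on $masq_listen_address and forwards to dnscrypt-proxy on
  # $masq_host:$masq_port; both are loopback, so nothing listens on the LAN.
  $masq_port           = "2053"
  $masq_host           = "127.0.0.2"
  $masq_listen_address = "127.0.0.1"

  # Puppet's case matches strings case-insensitively, so 'ubuntu' also
  # matches the fact value 'Ubuntu'.
  case $::operatingsystem {
    'RedHat', 'CentOS', 'Scientific', 'OracleLinux', 'OEL': {
      # Build tool chain plus dnsmasq; the libtool packages are presumably
      # needed by the autogen.sh step in dnscrypt::get_dnscrypt_centos7.
      $pre_install_package = ["gcc", "make", "dnsmasq", "libtool", "libtool-ltdl", "libtool-ltdl-devel"]
      package { $pre_install_package: ensure => installed }

      include dnscrypt::get_dnscrypt_centos7   # download and compile
      include dnscrypt::centos7_config         # systemd unit, dnsmasq.conf, hosts
      include dnscrypt::centos7_service        # dnscrypt + dnsmasq running
    }

    'ubuntu': {
      # The sysvinit template (dnscrypt_ubuntu.erb) additionally needs the
      # shebang and the unprivileged account dnscrypt-proxy drops to (-u).
      $shell = "#!/bin/sh"
      $user  = "dnscrypt"

      $pre_install_package = ["gcc", "make", "dnsmasq"]
      package { $pre_install_package: ensure => installed }

      include dnscrypt::account_add            # unprivileged $user account
      include dnscrypt::get_dnscrypt_ubuntu    # download and compile
      include dnscrypt::ubuntu_config          # init script, dnsmasq.conf, hosts
      include dnscrypt::service                # dnscrypt + dnsmasq running
    }

    default: {
      # Unsupported OS: nothing is managed, but say so in the agent log
      # instead of silently compiling an empty catalog.
      warning("dnscrypt: unsupported operatingsystem '${::operatingsystem}', nothing managed")
    }
  }
}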


#Obtain and compile dnscrypt and its dependencies for ubuntu#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat get_dnscrypt_ubuntu.pp
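class dnscrypt::get_dnscrypt_ubuntu {
  # Downloads the dnscrypt-proxy and libsodium tarballs into /tmp, checks
  # their SHA-256 sums and builds both into /usr. Every step uses
  # 'creates => $daemon_exec', so the whole chain is skipped once the proxy
  # binary exists and effectively runs only on the first agent run.
  $dcp               = "dnscrypt-proxy-1.4.3"
  $lsd               = "libsodium-1.0.2"
  $ext               = ".tar.gz"
  $local_http_server = "http://10.0.0.1"
  $daemon_exec       = "/usr/sbin/dnscrypt-proxy"
  $bin_path          = ['/bin', '/usr/bin', '/usr/sbin', '/sbin']
  # Expected SHA-256 of each tarball. The fetch is plain HTTP from a lab
  # mirror, so this check is the only thing between a tampered archive and
  # 'make install' running as root. Take the values from the upstream
  # project's published checksums/signatures, not from the mirror itself;
  # until they are filled in the verify step fails and nothing is built.
  $dcp_sha256 = "<SHA256 OF ${dcp}${ext} - PLACEHOLDER>"
  $lsd_sha256 = "<SHA256 OF ${lsd}${ext} - PLACEHOLDER>"

  exec { 'wget-dnscrypt-libsodium':
    path    => $bin_path,
    cwd     => '/tmp',
    # local web server; the upstream locations are
    #   http://download.dnscrypt.org/dnscrypt-proxy/$dcp$ext
    #   https://download.libsodium.org/libsodium/releases/$lsd$ext
    command => "wget ${local_http_server}/${dcp}${ext} && wget ${local_http_server}/${lsd}${ext}",
    creates => $daemon_exec,
  }

  # Integrity check of both archives before anything is unpacked or built.
  exec { 'verify-dnscrypt-libsodium':
    path     => $bin_path,
    cwd      => '/tmp',
    provider => shell,   # the pipe into sha256sum needs a shell
    command  => "echo '${dcp_sha256}  ${dcp}${ext}' | sha256sum -c - && echo '${lsd_sha256}  ${lsd}${ext}' | sha256sum -c -",
    require  => Exec['wget-dnscrypt-libsodium'],
    creates  => $daemon_exec,
  }

  exec { 'untar':
    path    => $bin_path,
    cwd     => '/tmp',
    command => "tar xvzf ${dcp}${ext} && tar xvzf ${lsd}${ext}",
    require => Exec['verify-dnscrypt-libsodium'],
    creates => $daemon_exec,
  }

  # libsodium is built first; compile-dnscrypt requires it.
  exec { 'compile-libsodium':
    path    => ['/bin', '/usr/bin', '/usr/sbin', '/sbin', "/tmp/${lsd}"],
    cwd     => "/tmp/${lsd}",
    command => './configure --prefix=/usr && make && make install',
    require => Exec['untar'],
    creates => $daemon_exec,
  }

  exec { 'compile-dnscrypt':
    path    => ['/bin', '/usr/bin', '/usr/sbin', '/sbin', "/tmp/${dcp}"],
    cwd     => "/tmp/${dcp}",
    command => './configure --prefix=/usr && make && make install',
    require => Exec['compile-libsodium'],
    creates => $daemon_exec,
  }

  # Registers the sysvinit script written by dnscrypt::ubuntu_config. It has
  # only an 'onlyif' guard, so it re-runs on every agent run once
  # /etc/init.d/dnscrypt exists, and it overlaps with 'enable => true' on
  # Service['dnscrypt'] in dnscrypt::service.
  exec { 'service-enable':
    path    => $bin_path,
    cwd     => '/root',
    command => "update-rc.d dnscrypt defaults",
    onlyif  => "ls /etc/init.d/dnscrypt",
  }
}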

#Obtain and compile dnscrypt and its dependencies for centos#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat get_dnscrypt_centos7.pp
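class dnscrypt::get_dnscrypt_centos7{
  # CentOS 7 counterpart of dnscrypt::get_dnscrypt_ubuntu: downloads the
  # dnscrypt-proxy and libsodium tarballs into /tmp, checks their SHA-256
  # sums and builds both into /usr. Every step uses 'creates => $daemon_exec',
  # so the chain is skipped once the proxy binary exists.
  $dcp               = "dnscrypt-proxy-1.4.3"
  $lsd               = "libsodium-1.0.2"
  $ext               = ".tar.gz"
  $local_http_server = "http://10.0.0.1"
  $daemon_exec       = "/usr/sbin/dnscrypt-proxy"
  $bin_path          = ['/bin', '/usr/bin', '/usr/sbin', '/sbin']
  # Expected SHA-256 of each tarball. The fetch is plain HTTP from a lab
  # mirror, so this check is the only thing between a tampered archive and
  # 'make install' running as root. Take the values from the upstream
  # project's published checksums/signatures, not from the mirror itself;
  # until they are filled in the verify step fails and nothing is built.
  $dcp_sha256 = "<SHA256 OF ${dcp}${ext} - PLACEHOLDER>"
  $lsd_sha256 = "<SHA256 OF ${lsd}${ext} - PLACEHOLDER>"

  exec { 'wget-dnscrypt-libsodium':
    path    => $bin_path,
    cwd     => '/tmp',
    # local web server; the upstream locations are
    #   http://download.dnscrypt.org/dnscrypt-proxy/$dcp$ext
    #   https://download.libsodium.org/libsodium/releases/$lsd$ext
    command => "wget ${local_http_server}/${dcp}${ext} && wget ${local_http_server}/${lsd}${ext}",
    creates => $daemon_exec,
  }

  # Integrity check of both archives before anything is unpacked or built.
  exec { 'verify-dnscrypt-libsodium':
    path     => $bin_path,
    cwd      => '/tmp',
    provider => shell,   # the pipe into sha256sum needs a shell
    command  => "echo '${dcp_sha256}  ${dcp}${ext}' | sha256sum -c - && echo '${lsd_sha256}  ${lsd}${ext}' | sha256sum -c -",
    require  => Exec['wget-dnscrypt-libsodium'],
    creates  => $daemon_exec,
  }

  exec { 'untar':
    path    => $bin_path,
    cwd     => '/tmp',
    command => "tar xvzf ${dcp}${ext} && tar xvzf ${lsd}${ext}",
    require => Exec['verify-dnscrypt-libsodium'],
    creates => $daemon_exec,
  }

  # libsodium is built first; compile-dnscrypt requires it.
  exec { 'compile-libsodium':
    path    => ['/bin', '/usr/bin', '/usr/sbin', '/sbin', "/tmp/${lsd}"],
    cwd     => "/tmp/${lsd}",
    command => './configure --prefix=/usr && make && make install',
    require => Exec['untar'],
    creates => $daemon_exec,
  }

  # Unlike the Ubuntu build this runs autogen.sh first (hence the libtool
  # packages installed by class dnscrypt).
  exec { 'compile-dnscrypt':
    path    => ['/bin', '/usr/bin', '/usr/sbin', '/sbin', "/tmp/${dcp}"],
    cwd     => "/tmp/${dcp}",
    command => './autogen.sh && ./configure --prefix=/usr && make && make install',
    require => Exec['compile-libsodium'],
    creates => $daemon_exec,
  }

  # update-rc.d is a Debian tool and /etc/init.d/dnscrypt is only written by
  # dnscrypt::ubuntu_config, so on CentOS this is presumably a no-op; the
  # service is enabled through systemd in dnscrypt::centos7_service.
  exec { 'service-enable':
    path    => $bin_path,
    cwd     => '/root',
    command => "update-rc.d dnscrypt defaults",
    onlyif  => "ls /etc/init.d/dnscrypt",
  }
}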


#service class for ubuntu#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat service.pp
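class dnscrypt::service {
  # Keeps dnscrypt-proxy (sysvinit script from dnscrypt::ubuntu_config) and
  # the dnsmasq forwarder running and enabled at boot on Ubuntu.
  service { "dnscrypt":
    name       => $dnscrypt::service_name,
    ensure     => running,
    # The init script implements start/stop/restart/status, so Puppet can
    # rely on them instead of guessing from the process table.
    hasstatus  => true,
    hasrestart => true,
    enable     => true,
    # Needs both the compiled binary and the init script before it can start.
    require    => [Class['dnscrypt::get_dnscrypt_ubuntu'], Class['dnscrypt::ubuntu_config']],
  }

  # dnsmasq forwards every query to dnscrypt-proxy, so bring it up afterwards.
  service { "dnsmasq":
    name       => 'dnsmasq',
    ensure     => running,
    hasstatus  => true,
    hasrestart => true,
    enable     => true,
    require    => [Class['dnscrypt::ubuntu_config'], Service['dnscrypt']],
  }
}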
#service class for centos#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat centos7_service.pp
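class dnscrypt::centos7_service {
  # Keeps dnscrypt-proxy (unit from dnscrypt::centos7_config) and the dnsmasq
  # forwarder running and enabled at boot on CentOS 7, via systemd.
  service { "dnscrypt":
    provider   => 'systemd',
    name       => $dnscrypt::service_name,
    ensure     => running,
    hasstatus  => true,
    hasrestart => true,
    enable     => true,
    # Needs both the compiled binary and the unit file before it can start.
    require    => [Class['dnscrypt::get_dnscrypt_centos7'], Class['dnscrypt::centos7_config']],
  }

  # dnsmasq forwards every query to dnscrypt-proxy, so bring it up afterwards.
  service { "dnsmasq":
    provider   => 'systemd',
    name       => 'dnsmasq',
    ensure     => running,
    hasstatus  => true,
    hasrestart => true,
    enable     => true,
    require    => [Class['dnscrypt::centos7_config'], Service['dnscrypt']],
  }
}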


#config for ubuntu#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat ubuntu_config.pp
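class dnscrypt::ubuntu_config {
  # Ubuntu configuration files: hosts alias for 127.0.0.2, the sysvinit
  # script for dnscrypt-proxy and the dnsmasq forwarder config.
  # File modes are quoted strings: unquoted octal modes are rejected by
  # newer Puppet releases.

  # Static copy from files/hosts; it carries the author's lab host names as
  # well as the 127.0.0.2 alias, so it replaces the node's own /etc/hosts.
  file { "/etc/hosts":
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => "puppet:///modules/dnscrypt/hosts",
    #content => template('dnscrypt/hosts.erb'),
  }

  # Init script; executable because the init system runs it directly.
  file { "/etc/init.d/dnscrypt":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    content => template('dnscrypt/dnscrypt_ubuntu.erb'),
    #require => Class["dnscrypt::get_dnscrypt_ubuntu"],
    notify  => Service['dnscrypt'],
  }

  # dnsmasq listens on loopback and forwards to dnscrypt-proxy (template is
  # shared with CentOS).
  file { "/etc/dnsmasq.conf":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('dnscrypt/dnscrypt_ubuntu_dnsmasq.erb'),
    #require => Class["dnscrypt::get_dnscrypt_ubuntu"],
    notify  => Service['dnsmasq'],
  }
}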
#config for centos#

root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat centos7_config.pp
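class dnscrypt::centos7_config {
  # CentOS 7 configuration files: the systemd unit for dnscrypt-proxy, the
  # hosts alias for 127.0.0.2 and the dnsmasq forwarder config.
  # File modes are quoted strings: unquoted octal modes are rejected by
  # newer Puppet releases.

  # Unit files are read by systemd, never executed, so 0644 is enough.
  file { "/etc/systemd/system/dnscrypt.service":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('dnscrypt/dnscrypt_centos7.erb'),
    notify  => [Exec['dnscrypt-systemd-reload'], Service['dnscrypt']],
  }

  # systemd only picks up edits to an existing unit after daemon-reload, so
  # run it whenever the unit changes and before the service is (re)started.
  exec { 'dnscrypt-systemd-reload':
    command     => '/usr/bin/systemctl daemon-reload',
    refreshonly => true,
    before      => Service['dnscrypt'],
  }

  # Static copy from files/hosts; it carries the author's lab host names as
  # well as the 127.0.0.2 alias, so it replaces the node's own /etc/hosts.
  file { "/etc/hosts":
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => "puppet:///modules/dnscrypt/hosts",
    #content => template('dnscrypt/hosts.erb'),
  }

  # dnsmasq listens on loopback and forwards to dnscrypt-proxy; the template
  # is shared with Ubuntu despite its name.
  file { "/etc/dnsmasq.conf":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('dnscrypt/dnscrypt_ubuntu_dnsmasq.erb'),
    notify  => Service['dnsmasq'],
  }
}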

#Account for ubuntu. centos does not need an additional account, because the nobody user already has a home directory, so nobody is enough#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat account_add.pp
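class dnscrypt::account_add {
  # Unprivileged account that dnscrypt-proxy drops to on Ubuntu (passed as
  # -u by the init script). CentOS uses the stock 'nobody' user instead.

  # Group first: the user below refers to it by numeric gid, so make the
  # ordering explicit rather than relying on autorequire by name.
  group { "dnscrypt":
    ensure => present,
    gid    => 119,
  }

  user { "dnscrypt":
    ensure     => present,
    comment    => "dnscrypt account",
    # NOTE(review): /run is commonly a tmpfs, so a home created there does
    # not survive a reboot — confirm that is acceptable for this account.
    home       => "/run/dnscrypt",
    managehome => true,
    shell      => "/bin/false",   # no interactive login
    # Fixed ids keep the account identical across nodes; they must be free on
    # every node (low system ids like these may already be taken by a
    # package-created account).
    uid        => 110,
    gid        => 119,
    require    => Group['dnscrypt'],
  }
}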





#dnsmasq.conf for ubuntu and centos#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat ../templates/dnscrypt_ubuntu_dnsmasq.erb
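# Configuration file for dnsmasq.
# Rendered by Puppet (dnscrypt/dnscrypt_ubuntu_dnsmasq.erb): dnsmasq is a
# local caching forwarder that sends every query to dnscrypt-proxy.
# Never read /etc/resolv.conf: all upstream traffic must go through dnscrypt.
no-resolv
# Forward to dnscrypt-proxy; 'host#port' is dnsmasq's upstream syntax.
server=<%= @masq_host %>#<%= @masq_port %>
# Only answer on loopback. bind-interfaces makes dnsmasq bind this address
# alone instead of taking the wildcard address and filtering afterwards.
listen-address=<%= @masq_listen_address %>
bind-interfaces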
root@puppet:/etc/puppet/modules/dnscrypt/manifests#


#init script for ubuntu#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat ../templates/dnscrypt_ubuntu.erb
<%= @shell %>
#Created by wnapdlf05@gmail.com
#Dnscrypt protocol for securing communications between a client and a DNS resolver.
#
# sysvinit script for dnscrypt-proxy, rendered by Puppet from
# dnscrypt/dnscrypt_ubuntu.erb; every <%= ... %> value is set in class dnscrypt.
### BEGIN INIT INFO
# Provides:          <%= @provider %>
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO

# Rendered settings (see class dnscrypt for the values).
NAME="<%= @service_name %>"
DESC="<%= @desc %>"
DAEMON="<%= @daemon %>"
PID="<%= @pid %>"
# Loopback address/port dnscrypt-proxy listens on; dnsmasq forwards here.
MH="<%= @masq_host %>"
MP="<%= @masq_port %>"
#edns payload size
EPS="<%= @eps %>"
RSV="<%= @resolver %>"
# Unprivileged account the daemon drops to (-u); created by dnscrypt::account_add.
USER="<%= @user %>"


# LSB helpers (log_daemon_msg / log_end_msg) used by the functions below.
. /lib/lsb/init-functions
PATH=/sbin:/bin:/usr/sbin:/usr/bin

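# status: exit 0 if the process recorded in $PID is alive, otherwise exit 3,
# the LSB code for "program is not running", so callers such as Puppet's
# hasstatus see a failure.
status_check(){
  if start-stop-daemon -T --pidfile "$PID"; then
    echo "$NAME is running at pid $(cat "$PID")"
  else
    echo "Service $NAME is not running"
    exit 3
  fi
}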

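# start: launch dnscrypt-proxy; it writes $PID and drops to $USER itself (-u).
# The daemon's exit status is captured before 'set -e' is restored, because
# 'set' itself succeeds and would otherwise reset $? to 0, making every start
# log as ok. With errexit back on, a non-zero status ends the script with it.
start_dnscrypt(){
  log_daemon_msg "starting $NAME" "$DAEMON"
  set +e
  # $EPS is deliberately unquoted: it holds a whole option or nothing.
  "$DAEMON" -a "$MH:$MP" $EPS -u "$USER" --pidfile="$PID" -R "$RSV" --daemonize
  rc=$?
  set -e
  log_end_msg $rc
}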

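# stop: terminate the process recorded in $PID, retrying for 5 seconds, then
# remove the stale pid file. --oknodo keeps "nothing to stop" a success so
# that 'restart' of a stopped service still proceeds to start. The status is
# captured before 'set -e' is restored (see start_dnscrypt).
stop_dnscrypt(){
  log_daemon_msg "stopping $NAME" "$DAEMON"
  set +e
  start-stop-daemon --stop --oknodo --pidfile "$PID" --retry 5
  rc=$?
  rm -f "$PID"
  set -e
  log_end_msg $rc
}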





# Dispatch on the action requested by the init system or the administrator.
case "$1" in
  start)   start_dnscrypt ;;
  stop)    stop_dnscrypt ;;
  restart) stop_dnscrypt; start_dnscrypt ;;
  status)  status_check ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
    ;;
esac
exit 0


#Init script for systemd. centos#

root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat ../templates/dnscrypt_centos7.erb
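[Unit]
Description=OpenDNS Crypt proxy server
# Rendered by Puppet from dnscrypt/dnscrypt_centos7.erb; values come from class dnscrypt.
After=network.target

[Service]
# Listens on the loopback address dnsmasq forwards to; --daemonize matches Type=forking.
ExecStart=<%= @daemon %> -a <%= @masq_host %>:<%= @masq_port %> <%= @eps %> --pidfile=<%= @pid %> -R <%= @resolver %> --daemonize
#ExecStart=/usr/sbin/dnscrypt-proxy -a 127.0.0.2:2053 --pidfile=/run/dnscrypt-proxy.pid -R opendns --daemonize
# NOTE(review): whether dnscrypt-proxy reloads on SIGHUP is not verified here — confirm.
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
Type=forking
# NOTE(review): no PIDFile= is set, so systemd has to guess the main PID after
# the fork; PIDFile=<%= @pid %> would fix that but needs the path to be
# writable by the account below — confirm before adding it.
User=nobody
# Sandboxing: the proxy needs no privilege escalation, no writable /usr or
# /etc, no home directories and no shared /tmp. Directives a given systemd
# release does not know are logged and ignored rather than being fatal.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=default.target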

#hosts file edit: add 127.0.0.2 for ubuntu and centos. Only for ipv4. Should this be moved to the template dir?#
root@puppet:/etc/puppet/modules/dnscrypt/manifests# cat ../files/hosts
127.0.0.1 localhost
127.0.0.2 localhost
10.0.0.5 puppet
10.0.0.19 hp2
10.0.0.13 mc
10.0.0.11 ct7


#Test. --debug option will show much more information.#
root@mc:~# puppet agent --test

Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for mc
Info: Applying configuration version '1429473505'
Notice: /Stage[main]/Dnscrypt::Ubuntu_config/File[/etc/init.d/dnscrypt]/ensure: created
Info: /Stage[main]/Dnscrypt::Ubuntu_config/File[/etc/init.d/dnscrypt]: Scheduling refresh of Service[dnscrypt]
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_ubuntu/Exec[service-enable]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_ubuntu/Exec[wget-dnscrypt-libsodium]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_ubuntu/Exec[untar]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_ubuntu/Exec[compile-libsodium]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_ubuntu/Exec[compile-dnscrypt]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Account_add/User[dnscrypt]/ensure: created
Notice: /Stage[main]/Dnscrypt::Service/Service[dnscrypt]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Dnscrypt::Service/Service[dnscrypt]: Unscheduling refresh on Service[dnscrypt]
Notice: Finished catalog run in 21.54 seconds
#Service auto start, it is nice ^^#
root@mc:~# ps -ef | grep dnsc
root     21127     1  0 04:59 ?        00:00:00 /usr/sbin/dnscrypt-proxy -a 127.0.0.2:2053 --edns-payload-size=4096 -u dnscrypt --pidfile=/run/dnscrypt-proxy.pid -R opendns --daemonize
dnscrypt 21131 21127  0 04:59 ?        00:00:00 /usr/sbin/dnscrypt-proxy -a 127.0.0.2:2053 --edns-payload-size=4096 -u dnscrypt --pidfile=/run/dnscrypt-proxy.pid -R opendns --daemonize
root     21150  2649  0 04:59 pts/0    00:00:00 grep --color=auto dnsc
root@mc:~#

#So, happily it is good#
root@mc:~# dig -t txt debug.opendns.com @127.0.0.1

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t txt debug.opendns.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20247
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.        IN    TXT

;; ANSWER SECTION:
debug.opendns.com.    0    IN    TXT    "server 3.sea"
debug.opendns.com.    0    IN    TXT    "flags 20 0 70 5950800000000000000"
debug.opendns.com.    0    IN    TXT    "originid 0"
debug.opendns.com.    0    IN    TXT    "actype 0"
debug.opendns.com.    0    IN    TXT    "source 203.90.42.85:43819"
debug.opendns.com.    0    IN    TXT    "dnscrypt enabled (71447764594D3377)"

;; Query time: 226 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 20 05:03:34 KST 2015
;; MSG SIZE  rcvd: 247



# On centos7 #

[root@ct7 system]# puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for ct7
Info: Applying configuration version '1429473505'
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_centos7/Exec[wget-dnscrypt-libsodium]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_centos7/Exec[untar]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_centos7/Exec[compile-libsodium]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Get_dnscrypt_centos7/Exec[compile-dnscrypt]/returns: executed successfully
Notice: /Stage[main]/Dnscrypt::Centos7_config/File[/etc/systemd/system/dnscrypt.service]/ensure: created
Notice: /Stage[main]/Dnscrypt::Centos7_service/Service[dnscrypt]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Dnscrypt::Centos7_service/Service[dnscrypt]: Unscheduling refresh on Service[dnscrypt]
Notice: Finished catalog run in 40.92 seconds
[root@ct7 system]# ps -ef | grep dnsc
nobody   31187     1  0 05:06 ?        00:00:00 /usr/sbin/dnscrypt-proxy -a 127.0.0.2:2053 --edns-payload-size=4096 --pidfile=/run/dnscrypt-proxy.pid -R opendns --daemonize
root     31192  1401  0 05:07 pts/0    00:00:00 grep --color=auto dnsc

# Fortunately,,it is successful ^^#
root@ct7 system]# dig -t txt debug.opendns.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.1 <<>> -t txt debug.opendns.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52463
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.        IN    TXT

;; ANSWER SECTION:
debug.opendns.com.    0    IN    TXT    "server 1.sea"
debug.opendns.com.    0    IN    TXT    "flags 20 0 70 5950800000000000000"
debug.opendns.com.    0    IN    TXT    "originid 0"
debug.opendns.com.    0    IN    TXT    "actype 0"
debug.opendns.com.    0    IN    TXT    "source 203.90.42.85:57710"
debug.opendns.com.    0    IN    TXT    "dnscrypt enabled (71447764594D3377)"

;; Query time: 207 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 20 05:11:00 KST 2015
;; MSG SIZE  rcvd: 247


