Initial commit

.gitignore

@@ -0,0 +1,5 @@
+*.retry
+.vagrant
+secret
+credentials
+hosts

README.md

@@ -0,0 +1,47 @@
+# ansible-decent-router
+
+This repo contains Ansible playbook to provide decent router experience. Used with [ansible-decent-desktop](https://github.com/komachi/ansible-decent-desktop)
+
+
+This project is not intended to fulfil desires of every user. I use it to provision my own home router. You probably find some defaults incompatible with your view on router configuration, but you can fork and tune it for yourself, or just look at playbooks for inspirations. PRs with improvements welcomed btw.
+
+This playbook meant to be run against [TurrisOS](https://gitlab.nic.cz/turris/openwrt)/[OpenWRT](https://openwrt.org/).
+
+It focus both on security and speed when it's possible. It uses lightweight software when possible and some specific tuning to meet the goal. Take note that while this README uses word "security" several times, nobody checked this. Think then do.
+
+
+## Features
+
+- All traffic routed over [Wireguard](https://wireguard.com) connection, with [mullvad](https://mullvad.net) servers chosen randomly every night
+- DoT with [stubby](https://github.com/getdnsapi/stubby) and [unbound](https://github.com/NLnetLabs/unbound) as caching server
+- Opt-out of [Google's Location Services](https://support.google.com/maps/answer/1725632), [Mozilla Location Service](https://location.services.mozilla.com/optout), Microsoft's [WiFi Sense](https://social.technet.microsoft.com/wiki/contents/articles/32109.disabling-wifi-sense-by-gui-and-gpo-script.aspx)
+- Separate guest WiFi network
+- [Adblock](https://openwrt.org/packages/pkgdata/adblock)
+
+## Roles
+
+`main.yml` includes it all.
+
+### ssh
+
+Configure ssh
+
+### system
+
+Configure system OpenWRT settings
+
+### network
+
+Configure network
+
+### dns
+
+Configure dns server
+
+### adblock
+
+Configure adblock
+
+### luci
+
+Configure [LuCI](https://openwrt.org/docs/techref/luci)

main.yml

@@ -0,0 +1,78 @@
+- hosts: all
+  become: True
+  gather_facts: True
+  roles:
+    - ssh
+    - system
+    - luci
+    - network
+    - dns
+    - adblock
+  vars_prompt:
+    - name: country_code
+      prompt: "Country code"
+      private: no
+      default: "UA"
+    - name: timezone
+      prompt: "Timezone"
+      private: no
+      default: "MSK-3"
+    - name: zonename
+      prompt: "Time zone name"
+      private: no
+      default: "Europe/Moscow"
+    - name: hostname
+      prompt: "Hostname"
+      private: no
+      default: "turris"
+    - name: local_ip
+      prompt: "IP range of your home local network"
+      private: no
+      default: "192.168.0.0/16"
+    - name: router_ip
+      prompt: "IP addr of router"
+      private: no
+      default: "192.168.1.1"
+    - name: mac_addr
+      prompt: "router mac address"
+      private: no
+    - name: router_guest_ip
+      prompt: "IP addr of guest interface"
+      private: no
+      default: "10.111.222.1"
+    - name: ula_prefix
+      prompt: "IPv6 ULA prefix"
+      private: no
+      default: "fd9d:1b60:83cc::/48"
+    - name: pppoe_username
+      prompt: "pppoe username"
+      private: no
+    - name: pppoe_password
+      prompt: "pppoe password"
+      private: yes
+    - name: mullvad_account
+      prompt: "Mullvad account number"
+    - name: ssid
+      prompt: "SSID"
+      private: no
+    - name: core_password
+      prompt: "Core WiFi password"
+    - name: guest_password
+      prompt: "Guest WiFi password"
+  vars:
+  # dev-sec vars
+    sysctl_overwrite:
+      net.ipv6.conf.all.disable_ipv6: 0
+      net.ipv4.ip_forward: 1
+      net.ipv6.conf.all.forwarding: 1
+      net.ipv6.conf.default.forwarding: 1
+      vm.mmap_rnd_bits: 32
+      vm.mmap_rnd_compat_bits: 16
+    ufw_manage_defaults: False
+    ssh_server_enabled: True
+    ssh_server_hardening: yes
+    ssh_use_dns: yes
+    ssh_permit_root_login: yes
+    sftp_enabled: yes
+    os_auditd_enabled: false
+    network_ipv6_enable: True

roles/adblock/files/adblock

@@ -0,0 +1,25 @@
+config adblock 'global'
+	option adb_enabled '1'
+	option adb_debug '0'
+	option adb_forcedns '0'
+	option adb_safesearch '0'
+	option adb_dnsfilereset '0'
+	option adb_mail '0'
+	option adb_report '0'
+	option adb_backup '1'
+	option adb_maxqueue '4'
+	list adb_sources 'adaway'
+	list adb_sources 'adguard'
+	list adb_sources 'disconnect'
+	list adb_sources 'yoyo'
+	list adb_sources 'android_tracking'
+	list adb_sources 'bitcoin'
+	list adb_sources 'firetv_tracking'
+	list adb_sources 'smarttv_tracking'
+	list adb_sources 'winspy'
+	list adb_sources 'openphish'
+	list adb_sources 'phishing_army'
+	list adb_sources  'notracking'
+	option adb_backupdir '/etc/adblock'
+	option adb_dns 'unbound'
+	option adb_fetchutil 'curl'

roles/adblock/tasks/main.yml

@@ -0,0 +1,15 @@
+- name: Install adblock
+  opkg:
+    name: adblock,luci-app-adblock,curl
+    state: present
+
+- name: Configure adblock
+  copy:
+    src: adblock
+    dest: "/etc/config/adblock"
+
+- name: Enable adblock
+  service:
+    name: adblock
+    state: restarted
+    enabled: yes

roles/dns/files/resolver

@@ -0,0 +1,25 @@
+config resolver 'common'
+	list interface '0.0.0.0'
+	list interface '::0'
+	option port '53'
+	option keyfile '/etc/root.keys'
+	option verbose '0'
+	option msg_buffer_size '65552'
+	option msg_cache_size '20M'
+	option net_ipv6 '1'
+	option net_ipv4 '1'
+	option forward_upstream '1'
+	option prefered_resolver 'unbound'
+	option ignore_root_key '0'
+	option prefetch 'yes'
+	option static_domains '1'
+	option dynamic_domains '0'
+	option edns_buffer_size '1232'
+
+config resolver 'unbound'
+  option manual_conf '1'
+
+config resolver 'unbound_remote_control'
+	option control_enable 'yes'
+	option control_use_cert 'no'
+	list control_interface '127.0.0.1'

roles/dns/files/stubby

@@ -0,0 +1,116 @@
+config stubby 'global'
+       option manual '0'
+       option trigger 'wan'
+       # option triggerdelay '2'
+       list dns_transport 'GETDNS_TRANSPORT_TLS'
+       option tls_authentication '1'
+       option tls_query_padding_blocksize '128'
+       # option tls_connection_retries '2'
+       # option tls_backoff_time '3600'
+       option timeout '10000'
+       # option dnssec_return_status '0'
+       option appdata_dir '/var/lib/stubby'
+       # option trust_anchors_backoff_time 2500
+       # option dnssec_trust_anchors '/var/lib/stubby/getdns-root.key'
+       option edns_client_subnet_private '1'
+       option idle_timeout '10000'
+       option round_robin_upstreams '1'
+       list listen_address '127.0.0.1@5453'
+       list listen_address '0::1@5453'
+       # option log_level '7'
+       # option command_line_arguments ''
+       option tls_min_version '1.3'
+
+config resolver
+       option address '185.49.141.37'
+       option tls_auth_name 'getdnsapi.net'
+
+config resolver
+       option address '89.233.43.71'
+       option tls_auth_name 'unicast.censurfridns.dk'
+
+config resolver
+       option address '145.100.185.18'
+       option tls_auth_name 'dnsovertls3.sinodun.com'
+
+config resolver
+       option address '145.100.185.15'
+       option tls_auth_name 'dot.securedns.eu'
+
+config resolver
+       option address '145.100.185.15'
+       option tls_port 443
+       option tls_auth_name 'dnsovertls.sinodun.com'
+
+config resolver
+       option address '94.130.110.185'
+       option tls_auth_name 'ns1.dnsprivacy.at'
+
+config resolver
+       option address '94.130.110.178'
+       option tls_auth_name 'ns2.dnsprivacy.at'
+
+config resolver
+       option address '145.100.185.15'
+       option tls_port 443
+       option tls_auth_name 'dnsovertls1.sinodun.com'
+
+config resolver
+       option address '37.252.185.232'
+       option tls_port 443
+       option tls_auth_name 'dot1.appliedprivacy.net'
+
+config resolver
+       option address '185.222.222.222'
+       option tls_auth_name 'public-dns-a.dns.sb'
+
+config resolver
+       option address '185.184.222.222'
+       option tls_auth_name 'public-dns-a.dns.sb'
+
+config resolver
+       option address '2a09:0000:0000:0000:0000:0000:0000:0000'
+       option tls_auth_name 'public-dns-a.dns.sb'
+
+config resolver
+       option address '2a09::1'
+       option tls_auth_name 'public-dns-a.dns.sb'
+
+config resolver
+       option address '2a00:63c1:a:229::3'
+       option tls_auth_name 'public-dns-a.dns.sb'
+
+config resolver
+       option address '2a00:63c1:a:229::3'
+       option tls_port 443
+       option tls_auth_name 'dot1.appliedprivacy.net'
+
+config resolver
+       option address '2001:610:1:40ba:145:100:185:15'
+       option tls_port 443
+       option tls_auth_name 'dnsovertls.sinodun.com'
+
+config resolver
+       option address '2001:610:1:40ba:145:100:185:16'
+       option tls_port 443
+       option tls_auth_name 'dnsovertls1.sinodun.com'
+
+config resolver
+       option address '2a04:b900:0:100::38'
+       option tls_auth_name 'getdnsapi.net'
+
+config resolver
+       option address '2a01:3a0:53:53::0'
+       option tls_auth_name 'unicast.censurfridns.dk'
+
+config resolver
+       option address '2001:610:1:40ba:145:100:185:18'
+       option tls_auth_name 'dnsovertls3.sinodun.com'
+
+config resolver
+       option address '2a01:4f8:c0c:3c03::2'
+       option tls_auth_name 'ns1.dnsprivacy.at'
+
+config resolver
+       option address '2a01:4f8:c0c:3bfc::2'
+       option tls_auth_name 'ns2.dnsprivacy.at'

roles/dns/tasks/main.yml

@@ -0,0 +1,67 @@
+
+- name: Install stubby
+  opkg:
+    name: stubby
+    state: present
+
+- name: Configure stubby
+  copy:
+    src: stubby
+    dest: "/etc/config/stubby"
+  register: stubbyconfigure
+
+- name: Restart stubby
+  when: stubbyconfigure.changed
+  service:
+    name: stubby
+    state: restarted
+    enabled: yes
+
+- name: Enable stubby
+  service:
+    name: stubby
+    state: started
+    enabled: yes
+
+- name: Install unbound
+  opkg:
+    name: unbound
+    state: present
+
+- name: Disable kresd
+  service:
+    name: kresd
+    state: stopped
+    enabled: no
+  ignore_errors: yes
+
+- name: Remove knot
+  opkg:
+    name: knot-resolver
+    state: absent
+
+- name: Configure resolver
+  copy:
+    src: resolver
+    dest: "/etc/config/resolver"
+  register: resolverconfigure
+
+- name: Restart resolver
+  when: resolverconfigure.changed
+  service:
+    name: resolver
+    state: restarted
+    enabled: yes
+
+- name: Configure unbound
+  template:
+    src: unbound.conf.j2
+    dest: "/etc/unbound/unbound.conf"
+  register: unboundconfigure
+
+- name: Restart unbound
+  when: unboundconfigure.changed
+  service:
+    name: unbound
+    state: restarted
+    enabled: yes