This commit is contained in:
Benoit S 2021-01-20 21:40:21 +09:00
parent 8b0f093b5d
commit 4b58a930aa
5 changed files with 328 additions and 0 deletions

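--- /dev/null
+++ b/deploy.py
@@ -0,0 +1,137 @@
+from pyinfra import host
+from pyinfra.operations import apt, server, files, systemd
+SUDO = True
+server.user(
+name='Add user benpro',
+user='benpro',
+groups=['sudo'],
+public_keys='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFs7yO0auvwFL8HTLMUq6lET6DMYLhqhd32rqFfZUsjL openpgp:0xA32E99AD',
+shell='/bin/bash',
+present=True,
+)
+server.hostname(
+name='Set the hostname',
+hostname='dns.benpro.fr',
+)
+apt.update(
+name='Update apt repositories',
+)
+apt.upgrade(
+name='Upgrade apt packages',
+)
+apt.packages(
+name='Install ufw',
+packages=['ufw'],
+update=False,
+)
+server.shell(
+name='Add ufw rules',
+commands=['ufw limit 22', 'ufw allow 80', 'ufw allow 443', 'ufw allow 853'],
+)
+server.shell(
+name='Enable ufw',
+commands=['yes | ufw enable'],
+)
+apt.packages(
+name='Install certbot',
+packages=['certbot'],
+update=False,
+)
+if not host.fact.directory('/etc/letsencrypt/live/dns.benpro.fr'):
+server.shell(
+name='Add certificate',
+commands=['certbot certonly --non-interactive --email certbot@benpro.fr --agree-tos --standalone -d dns.benpro.fr'],
+)
+server.group(
+name='Add group adguard',
+group=host.data.app_user,
+system=True,
+present=True,
+)
+server.user(
+name='Add user adguard',
+user=host.data.app_user,
+group=host.data.app_user,
+home=host.data.app_dir,
+ensure_home=True,
+system=True,
+present=True,
+)
+for items in ['fullchain.pem', 'privkey.pem']:
+server.shell(
+name='Make certificate available for Adguard ({})'.format(items),
+chdir=host.data.app_dir,
+commands=['cp -L /etc/letsencrypt/live/dns.benpro.fr/{} .'.format(items), 'chown adguard: {}'.format(items)]
+)
+files.download(
+name='Download AdGuard',
+src='https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz',
+dest='/home/adguard/AdGuardHome_linux_amd64.tar.gz',
+user=host.data.app_user,
+group=host.data.app_user,
+mode='750',
+cache_time=604800,
+)
+server.shell(
+name='Extract Adguard release file',
+chdir=host.data.app_dir,
+commands=['tar zxf AdGuardHome_linux_amd64.tar.gz','chown -R adguard: AdGuardHome'],
+)
+server.shell(
+name='Setcap on Adguard binary',
+chdir=host.data.app_dir,
+commands=['setcap \'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip\' AdGuardHome/AdGuardHome'],
+)
+if host.fact.systemd_enabled['AdGuardHome.service'] == False:
+server.shell(
+name='Install Adguard systemd service file',
+chdir=host.data.app_dir,
+commands=['AdGuardHome/AdGuardHome -s install'],
+)
+files.put(
+name='Update systemd service file',
+src='files/AdGuardHome.service',
+dest='/etc/systemd/system/AdGuardHome.service',
+mode='644',
+)
+files.template(
+name='Push AdGuardHome config',
+src='templates/AdGuardHome.yaml.j2',
+dest='/home/adguard/AdGuardHome/AdGuardHome.yaml',
+mode='640',
+user='adguard',
+group='adguard',
+)
+systemd.daemon_reload(
+name='Reload systemd',
+user_mode=False,
+)
+systemd.service(
+name='Restart and enable adguard service',
+service='AdGuardHome.service',
+running=True,
+restarted=True,
+enabled=True,
+)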
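Review bot: The certificate copied by `cp -L /etc/letsencrypt/live/dns.benpro.fr/{} .` is a one-shot snapshot with no renewal path: `certbot certonly --standalone` has to bind :80 at renewal time, but the pushed AdGuardHome.yaml puts the web UI on `bind_port: 80`, so the distro's certbot timer will fail to renew, and even a successful renewal would leave `/home/adguard/*.pem` stale until the next deploy run. I would pass certbot `--pre-hook 'systemctl stop AdGuardHome' --post-hook 'systemctl start AdGuardHome'` plus a `--deploy-hook` that repeats the cp/chown and restarts the service, or move to an HTTP-01 webroot/DNS-01 challenge that does not contend for :80. Separately, the release tarball is fetched from `static.adguard.com` with no checksum or signature verification and cached for a week, then extracted and granted `CAP_NET_BIND_SERVICE`/`CAP_NET_RAW` by root; pinning a release version and verifying the published hash (e.g. `sha256sum -c` before `tar zxf`) would close that supply-chain gap. Also note `ufw allow 853` opens DoT but the template enables DoQ on 784, which no rule admits, so that listener is either dead or, once opened, one more unauthenticated entry point to account for.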

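--- /dev/null
+++ b/files/AdGuardHome.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=AdGuard Home: Network-level blocker
+ConditionFileIsExecutable=/home/adguard/AdGuardHome/AdGuardHome
+After=syslog.target network-online.target
+[Service]
+User=adguard
+Group=adguard
+StartLimitInterval=5
+StartLimitBurst=10
+ExecStart=/home/adguard/AdGuardHome/AdGuardHome "-s" "run"
+WorkingDirectory=/home/adguard/AdGuardHome
+StandardOutput=file:/var/log/AdGuardHome.out
+StandardError=file:/var/log/AdGuardHome.err
+Restart=always
+RestartSec=10
+EnvironmentFile=-/etc/sysconfig/AdGuardHome
+[Install]
+WantedBy=multi-user.target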
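Review bot: The unit runs as `adguard` but depends entirely on the file capabilities the deploy applies with `setcap`, which vanish whenever the binary is replaced (a re-run of `tar zxf`, or AdGuard's built-in self-update) and are ignored under `NoNewPrivileges`, so the service would silently lose the ability to bind 53/80/443/853 after such an event. Granting the two capabilities from the unit via `AmbientCapabilities`/`CapabilityBoundingSet` is robust to binary replacement and lets the standard sandboxing directives be added alongside; with that in place the deploy's `setcap` step is presumably redundant — confirm against AdGuard's ping/DHCP needs before dropping it. `ProtectHome` is deliberately left out because the working directory and config live under `/home/adguard`. Minor: `StartLimitInterval`/`StartLimitBurst` are honoured from `[Unit]` as `StartLimitIntervalSec`/`StartLimitBurst` on current systemd, and `syslog.target` is obsolete.
```ini
[Service]
User=adguard
Group=adguard
# … unchanged: start limits, ExecStart, WorkingDirectory, logging, Restart, EnvironmentFile …
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
NoNewPrivileges=true
ProtectSystem=full
PrivateTmp=true
```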

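--- /dev/null
+++ b/group_data/all.py
@@ -0,0 +1,12 @@
+from getpass import getpass
+import privy
+def get_secret(adguard_password):
+password = getpass('Please provide the secret password: ')
+return privy.peek(adguard_password, password)
+b_app_password = get_secret(b'1$2$LlFa8G5qg1DQqboBzagJywm5bayJ5CRDbVOeXrTPPKU=$Z0FBQUFBQmdDQlotZmYtd183cEE1MHpsbl9IaWlLNUlOdXBkMzhsdzQ0SUNhNXhiMDEwbUJfeUJIT2ctM1JFWm5oMW9IN1pocVFDSDIxN0dSSVRaSzdJdzJNQURPM3hyYVlWOUwxR09aOU9ubU1GbjNvNS1NdFNkWFhsS2tjcTNES0ZRYURjUkhWRGVpQkVuMmo0NTdrck9VTWRfaVVHUmZ3PT0=')
+app_password = b_app_password.decode('utf-8')
+app_user = 'adguard'
+app_dir = '/home/adguard'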
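Review bot: `b_app_password` is decrypted at import time, so every pyinfra invocation that loads this group data blocks on a `getpass` prompt — including fact-only or otherwise non-interactive runs — and a wrong passphrase surfaces as a bare privy exception with no indication of which secret failed. The decrypted value is rendered into the template's `users[].password`, where AdGuardHome expects a bcrypt hash rather than a plaintext password, so the blob presumably holds the hash; that is worth stating above the literal, e.g. `# privy-encrypted bcrypt hash for AdGuardHome users[].password (not the plaintext); decrypt with the deploy passphrase`, and `get_secret` deserves a docstring saying it prompts interactively and raises on a wrong passphrase. Because the ciphertext is committed it is an offline brute-force target; confirm the `1$2$` prefix corresponds to a privy security level backed by a slow KDF, and prefer a long passphrase.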

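--- /dev/null
+++ b/inventory.py
@@ -0,0 +1 @@
+my_hosts = ['dns.benpro.fr']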


@ -0,0 +1,154 @@
bind_host: 0.0.0.0
bind_port: 80
users:
- name: benpro
password: {{ host.data.app_password }}
http_proxy: ""
language: ""
rlimit_nofile: 0
debug_pprof: false
web_session_ttl: 720
dns:
bind_host: 0.0.0.0
port: 1053
statistics_interval: 90
querylog_enabled: true
querylog_file_enabled: true
querylog_interval: 90
querylog_size_memory: 1000
anonymize_client_ip: true
protection_enabled: true
blocking_mode: nxdomain
blocking_ipv4: ""
blocking_ipv6: ""
blocked_response_ttl: 10
parental_block_host: family-block.dns.adguard.com
safebrowsing_block_host: standard-block.dns.adguard.com
ratelimit: 20
ratelimit_whitelist: []
refuse_any: true
upstream_dns:
- https://dns10.quad9.net/dns-query
- https://dns.cloudflare.com/dns-query
- https://dns.google/dns-query
- quic://dns-unfiltered.adguard.com:784
upstream_dns_file: ""
bootstrap_dns:
- 9.9.9.10
- 149.112.112.10
- 2620:fe::10
- 2620:fe::fe:10
all_servers: true
fastest_addr: false
allowed_clients: []
disallowed_clients: []
blocked_hosts:
- version.bind
- id.server
- hostname.bind
cache_size: 4194304
cache_ttl_min: 0
cache_ttl_max: 0
bogus_nxdomain: []
aaaa_disabled: false
enable_dnssec: true
edns_client_subnet: true
max_goroutines: 50
ipset: []
filtering_enabled: true
filters_update_interval: 24
parental_enabled: false
safesearch_enabled: false
safebrowsing_enabled: false
safebrowsing_cache_size: 1048576
safesearch_cache_size: 1048576
parental_cache_size: 1048576
cache_time: 30
rewrites: []
blocked_services:
- facebook
- twitter
- snapchat
- origin
- epic_games
- vk
- mail_ru
- discord
- ok
- tiktok
tls:
enabled: true
server_name: dns.benpro.fr
force_https: true
port_https: 443
port_dns_over_tls: 853
port_dns_over_quic: 784
allow_unencrypted_doh: false
strict_sni_check: false
certificate_chain: ""
private_key: ""
certificate_path: /home/adguard/fullchain.pem
private_key_path: /home/adguard/privkey.pem
filters:
- enabled: true
url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
name: AdGuard DNS filter
id: 1
- enabled: true
url: https://www.malwaredomainlist.com/hostslist/hosts.txt
name: MalwareDomainList.com Hosts List
id: 4
- enabled: true
url: https://280blocker.net/files/280blocker_domain.txt
name: 'JPN: 280blocker adblock domain lists'
id: 1598087712
- enabled: true
url: https://raw.githubusercontent.com/AdAway/adaway.github.io/master/hosts.txt
name: AdAway default blocklist
id: 1598087713
- enabled: true
url: https://raw.githubusercontent.com/notracking/hosts-blocklists/master/adblock/adblock.txt
name: notracking
id: 1598087714
- enabled: true
url: https://logroid.github.io/adaway-hosts/hosts.txt
name: AdAway Blocking Hosts File for Japan
id: 1598087715
- enabled: true
url: https://sebsauvage.net/hosts/hosts-adguard
name: Sebsauvage
id: 1598087716
whitelist_filters: []
user_rules:
- '@@||links.eml.atlassian.com^$important'
- '@@||t.paypal.com^$important'
- '@@||email.strava.com^$important'
- '||disqus.com^$important'
- '@@||api2.branch.io^$important'
- '@@||www.navitime.co.jp^$important'
- ""
dhcp:
enabled: false
interface_name: ""
dhcpv4:
gateway_ip: ""
subnet_mask: ""
range_start: ""
range_end: ""
lease_duration: 86400
icmp_timeout_msec: 1000
options: []
dhcpv6:
range_start: ""
lease_duration: 86400
ra_slaac_only: false
ra_allow_slaac: false
clients: []
log_compress: false
log_localtime: false
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_file: ""
verbose: false
schema_version: 7
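Review bot: `allowed_clients: []` together with `bind_host: 0.0.0.0` under `dns:` and the TLS listeners on 443/853 makes this an open encrypted resolver for anyone who can reach the host — deploy.py's firewall admits 80/443/853 from any source, so `ratelimit: 20` is the only thing between it and abuse. Either populate `allowed_clients` with the expected client ranges or add a comment in the template recording that the resolver is intentionally public and rate-limit-only. `edns_client_subnet: true` forwards the querying client's subnet to the upstreams, which sits oddly next to `anonymize_client_ip: true`; set it to `false` unless geo-targeted answers are wanted. The admin UI is also bound to `0.0.0.0`; `force_https: true` at least keeps the login off plaintext :80, but since the UI shares :443 with DoH it remains reachable from everywhere, so a strong `users[].password` and, if possible, a firewall restriction on the UI paths are worth documenting here.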