service-bind-slave: add stunnel4 for DNS-over-TLS

2019-04-05 19:53:19 +02:00 · 2019-04-05 19:53:19 +02:00 · 04c2ed7e30
parent ac64eddfb1
commit 04c2ed7e30
3 changed files with 94 additions and 0 deletions
--- a/roles/service-bind-slave/handlers/main.yml
+++ b/roles/service-bind-slave/handlers/main.yml
@ -7,3 +7,8 @@
  systemd:
    name: bind9
    state: restarted
+
+- name: restart stunnel4
+  systemd:
+    name: stunnel4
+    state: restarted
--- a/roles/service-bind-slave/tasks/main.yml
+++ b/roles/service-bind-slave/tasks/main.yml
@ -7,6 +7,7 @@
    - bind9
    - bind9-doc
    - bind9utils
+    - stunnel

 - name: write named.conf
  template:
@ -44,6 +45,22 @@
    mode: 0644
  notify: restart bind9

+- name: write stunnel4 dnstls.conf
+  template:
+    src: dnstls.conf.j2
+    dest: /etc/stunnel/dnstls.conf
+    owner: root
+    group: stunnel4
+    mode: 0644
+  notify: restart stunnel4
+
+- name: enable stunnel4
+  lineinfile:
+    dest: "/etc/default/stunnel4"
+    regexp: '^ENABLED=0$'
+    line: 'ENABLED=1'
+  notify: restart stunnel4
+
 - name: write initial icvpn bind config
  shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn
  args:
@ -88,3 +105,9 @@
    name: bind9
    enabled: yes
    state: started
+
+- name: enable systemd unit stunnel4
+  systemd:
+    name: stunnel4
+    enabled: yes
+    state: started
--- a/roles/service-bind-slave/templates/dnstls.conf.j2
+++ b/roles/service-bind-slave/templates/dnstls.conf.j2
@ -0,0 +1,66 @@
+debug = warning
+
+pid = /var/run/stunnel4/dnstls.pid
+
+setuid = stunnel4
+setgid = stunnel4
+
+[dns-localhost]
+accept = 127.0.0.1:853
+connect = 127.0.0.1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+[dns-localhost-v6]
+accept = ::1:853
+connect = ::1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+[dns-anycast]
+accept = {{ anycast_ipv4 | ipaddr('address') }}:853
+connect = 127.0.0.1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+[dns-anycast-v6]
+accept = {{ anycast_ipv6 | ipaddr('address') }}:853
+connect = ::1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+[dns-loopback]
+accept = {{ loopback_net_ipv4 | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}:853
+connect = 127.0.0.1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+[dns-loopback-v6]
+accept = {{ loopback_net_ipv6 | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}:853
+connect = ::1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+{% for mesh in meshes %}
+[dns-{{ mesh.id }}]
+accept = {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}:853
+connect = 127.0.0.1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+{% for ip in mesh.ipv6_ula %}
+[dns-{{ mesh.id }}-v6-{{ loop.index }}]
+accept = {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }}:853
+connect = ::1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+{% endfor %}
+{% endfor %}