From 04c2ed7e306d9099aeadd89a1f5dd8a6943786f9 Mon Sep 17 00:00:00 2001
From: Julian Labus
Date: Fri, 5 Apr 2019 19:53:19 +0200
Subject: [PATCH] service-bind-slave: add stunnel4 for DNS-over-TLS

---
 roles/service-bind-slave/handlers/main.yml | 5 ++
 roles/service-bind-slave/tasks/main.yml | 23 +++++++
 .../templates/dnstls.conf.j2 | 66 +++++++++++++++++++
 3 files changed, 94 insertions(+)
 create mode 100644 roles/service-bind-slave/templates/dnstls.conf.j2

diff --git a/roles/service-bind-slave/handlers/main.yml b/roles/service-bind-slave/handlers/main.yml
index e1b2000..656e4ec 100644
--- a/roles/service-bind-slave/handlers/main.yml
+++ b/roles/service-bind-slave/handlers/main.yml
@@ -7,3 +7,8 @@
 systemd:
 name: bind9
 state: restarted
+
+- name: restart stunnel4
+ systemd:
+ name: stunnel4
+ state: restarted
diff --git a/roles/service-bind-slave/tasks/main.yml b/roles/service-bind-slave/tasks/main.yml
index 1cab390..2c77df3 100644
--- a/roles/service-bind-slave/tasks/main.yml
+++ b/roles/service-bind-slave/tasks/main.yml
@@ -7,6 +7,7 @@
 - bind9
 - bind9-doc
 - bind9utils
+ - stunnel
 - name: write named.conf
 template:
@@ -44,6 +45,22 @@
 mode: 0644
 notify: restart bind9
+- name: write stunnel4 dnstls.conf
+ template:
+ src: dnstls.conf.j2
+ dest: /etc/stunnel/dnstls.conf
+ owner: root
+ group: stunnel4
+ mode: 0644
+ notify: restart stunnel4
+
+- name: enable stunnel4
+ lineinfile:
+ dest: "/etc/default/stunnel4"
+ regexp: '^ENABLED=0$'
+ line: 'ENABLED=1'
+ notify: restart stunnel4
+
 - name: write initial icvpn bind config
 shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn
 args:
@@ -88,3 +105,9 @@
 name: bind9
 enabled: yes
 state: started
+
+- name: enable systemd unit stunnel4
+ systemd:
+ name: stunnel4
+ enabled: yes
+ state: started
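Review bot: The package added to the apt list is `stunnel`, while the handler, the `/etc/default/stunnel4` edit and the systemd task in the same commit all refer to `stunnel4`. On Debian/Ubuntu the binary package is `stunnel4` and `stunnel`, as far as I know, is only a transitional package that pulls it in, so the install line should read `- stunnel4` rather than rely on that alias staying around. The enclosing apt task starts before this hunk, so the package list's indentation and module cannot be checked here.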
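Review bot: Nothing restarts stunnel4 when the certificate it serves is renewed: the `write stunnel4 dnstls.conf` task only notifies on a change to the rendered config, while the cert, key and chain under `/etc/nginx/ssl/...` that the template references are not managed by this role, so after a renewal stunnel keeps presenting the old certificate until it is restarted for some other reason. If those files are produced by certbot (the cert.pem/privkey.pem/chain.pem layout suggests so, but that is inferred), a deploy hook that runs `systemctl restart stunnel4` closes the gap; otherwise whatever rotates the files needs to notify the `restart stunnel4` handler. On the `enable stunnel4` task, `regexp: '^ENABLED=0$'` only rewrites that exact line; if the shipped default is commented out or already differs, lineinfile appends `ENABLED=1` at the end of the file, which still works but deserves a comment such as `# appends ENABLED=1 if no ENABLED=0 line is present; the last assignment wins`.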
diff --git a/roles/service-bind-slave/templates/dnstls.conf.j2 b/roles/service-bind-slave/templates/dnstls.conf.j2 new file mode 100644 index 0000000..fb3c5b8 --- /dev/null +++ b/roles/service-bind-slave/templates/dnstls.conf.j2 
@@ -0,0 +1,66 @@
+debug = warning
+
+pid = /var/run/stunnel4/dnstls.pid
+
+setuid = stunnel4
+setgid = stunnel4
+
+[dns-localhost]
+accept = 127.0.0.1:853
+connect = 127.0.0.1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+[dns-localhost-v6]
+accept = ::1:853
+connect = ::1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+[dns-anycast]
+accept = {{ anycast_ipv4 | ipaddr('address') }}:853
+connect = 127.0.0.1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+[dns-anycast-v6]
+accept = {{ anycast_ipv6 | ipaddr('address') }}:853
+connect = ::1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+[dns-loopback]
+accept = {{ loopback_net_ipv4 | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}:853
+connect = 127.0.0.1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+[dns-loopback-v6]
+accept = {{ loopback_net_ipv6 | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}:853
+connect = ::1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+{% for mesh in meshes %}
+[dns-{{ mesh.id }}]
+accept = {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}:853
+connect = 127.0.0.1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+
+{% for ip in mesh.ipv6_ula %}
+[dns-{{ mesh.id }}-v6-{{ loop.index }}]
+accept = {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }}:853
+connect = ::1:53
+cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
+key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
+{% endfor %}
+{% endfor %}
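Review bot: None of the `[dns-*]` services sets a TLS protocol floor or cipher policy, so the port-853 listeners accept whatever the installed stunnel/OpenSSL defaults allow, which depending on the version can still include TLS 1.0 and 1.1; RFC 7858 requires TLS 1.2 or later for DNS over TLS, so the template should disable the older protocols once in the global section (`options = NO_TLSv1` and `options = NO_TLSv1.1`, or `sslVersionMin = TLSv1.2` where the stunnel version supports it). Related: `cert` points at `cert.pem`, which is the leaf only, and `CAfile` is a peer-verification option that stunnel only uses when `verify` is set, so unless the OpenSSL build happens to complete the chain from that trust store, clients receive an incomplete chain; pointing `cert` at a leaf-plus-intermediates file (`fullchain.pem` if this is a certbot layout, otherwise `cert.pem` and `chain.pem` concatenated) is the reliable fix. The cert/key/CAfile triple is also repeated verbatim in every section; stunnel treats service-level options given before the first `[section]` as defaults for all services, so they can be declared once at the top and each service reduced to its `accept`/`connect` pair. The sketch below shows the global section; the per-service blocks and the two `{% for %}` loops are unchanged apart from dropping the repeated lines.
```ini
debug = warning

pid = /var/run/stunnel4/dnstls.pid

setuid = stunnel4
setgid = stunnel4

; RFC 7858 (DNS over TLS) requires TLS 1.2 or later
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

; defaults inherited by every [dns-*] service below; the cert file must hold
; the leaf followed by the intermediates so clients can build the chain
cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem
key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem

[dns-localhost]
accept = 127.0.0.1:853
connect = 127.0.0.1:53

; … unchanged: remaining [dns-*] services and the mesh loops, each reduced to accept/connect …
```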