service-bind-slave: add stunnel4 for DNS-over-TLS

This commit is contained in:
Julian Labus 2019-04-05 19:53:19 +02:00
parent ac64eddfb1
commit 04c2ed7e30
No known key found for this signature in database
GPG key ID: 8AF209F2C6B3572A
3 changed files with 94 additions and 0 deletions


@ -7,3 +7,8 @@
systemd: systemd:
name: bind9 name: bind9
state: restarted state: restarted
- name: restart stunnel4
systemd:
name: stunnel4
state: restarted


@ -7,6 +7,7 @@
- bind9 - bind9
- bind9-doc - bind9-doc
- bind9utils - bind9utils
- stunnel
- name: write named.conf - name: write named.conf
template: template:
@ -44,6 +45,22 @@
mode: 0644 mode: 0644
notify: restart bind9 notify: restart bind9
- name: write stunnel4 dnstls.conf
template:
src: dnstls.conf.j2
dest: /etc/stunnel/dnstls.conf
owner: root
group: stunnel4
mode: 0644
notify: restart stunnel4
- name: enable stunnel4
lineinfile:
dest: "/etc/default/stunnel4"
regexp: '^ENABLED=0$'
line: 'ENABLED=1'
notify: restart stunnel4
- name: write initial icvpn bind config - name: write initial icvpn bind config
shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn
args: args:
@ -88,3 +105,9 @@
name: bind9 name: bind9
enabled: yes enabled: yes
state: started state: started
- name: enable systemd unit stunnel4
systemd:
name: stunnel4
enabled: yes
state: started
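Review bot: The `regexp: '^ENABLED=0$'` in the `enable stunnel4` task matches only the stock value, so once the line reads `ENABLED=1` (or any other value) the pattern no longer matches and the module falls back to its append behaviour; the lineinfile docs recommend a pattern that matches the line both before and after replacement, e.g. `regexp: '^ENABLED='`. The package list adds `stunnel` while the handler, the systemd unit and the file group all say `stunnel4`; on Debian `stunnel` looks like a transitional package depending on `stunnel4`, so installing `stunnel4` directly would keep the role consistent — confirm for the target release.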


@ -0,0 +1,66 @@
debug = warning
pid = /var/run/stunnel4/dnstls.pid
setuid = stunnel4
setgid = stunnel4
[dns-localhost]
accept = 127.0.0.1:853
connect = 127.0.0.1:53
cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
[dns-localhost-v6]
accept = ::1:853
connect = ::1:53
cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
[dns-anycast]
accept = {{ anycast_ipv4 | ipaddr('address') }}:853
connect = 127.0.0.1:53
cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
[dns-anycast-v6]
accept = {{ anycast_ipv6 | ipaddr('address') }}:853
connect = ::1:53
cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
[dns-loopback]
accept = {{ loopback_net_ipv4 | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}:853
connect = 127.0.0.1:53
cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
[dns-loopback-v6]
accept = {{ loopback_net_ipv6 | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}:853
connect = ::1:53
cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
{% for mesh in meshes %}
[dns-{{ mesh.id }}]
accept = {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}:853
connect = 127.0.0.1:53
cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
{% for ip in mesh.ipv6_ula %}
[dns-{{ mesh.id }}-v6-{{ loop.index }}]
accept = {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }}:853
connect = ::1:53
cert = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/cert.pem
key = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
CAfile = /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/chain.pem
{% endfor %}
{% endfor %}
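Review bot: The `cert`/`key`/`CAfile` triple is repeated verbatim in every `[dns-*]` section, including both templated loops; stunnel uses service-level options given in the global section as defaults for all services, so the three lines can be written once after `setgid = stunnel4` and dropped from each section, leaving the loops with only `accept`/`connect`. With `setuid = stunnel4` the private key under `/etc/nginx/ssl/...` presumably has to be readable by that account for stunnel to re-read its configuration after dropping privileges — check the key file's group and mode on the host. If these Let's-Encrypt-style files are renewed automatically, nothing here reloads stunnel afterwards (the playbook only restarts it when the template changes), so a renewal hook is needed or the listener keeps serving the stale certificate. No `verify` option is set, so `CAfile` seems to serve only to complete the chain sent to clients; pointing `cert` at the full-chain file would make that explicit rather than relying on OpenSSL's automatic chain building — confirm against the deployed version.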