From 558c71219b53f567a4d7051b62643bde1ee4eb78 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Wed, 14 Dec 2022 22:36:12 -0500
Subject: [PATCH] Add DNS over TLS.
---
 ansible/playbook.yaml | 66 +++++++++----------
 ansible/roles/base/files/odofreebsd_rc.conf | 1 -
 .../roles/network/files/local_unbound_rc.conf | 6 ++
 .../network/files/mullvlad_dns_over_tls.conf | 3 +
 ansible/roles/network/tasks/freebsd.yaml | 11 ++++
 ansible/roles/network/tasks/linux.yaml | 26 ++++++--
 6 files changed, 73 insertions(+), 40 deletions(-)
 create mode 100644 ansible/roles/network/files/local_unbound_rc.conf
 create mode 100644 ansible/roles/network/files/mullvlad_dns_over_tls.conf
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index d4f4ef6..d14443e 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -2,42 +2,42 @@
 vars:
 ansible_become: True
 roles:
- # - sudo
+ - sudo
 - users
- # - package_manager
- # - zrepl
- # - zsh
- # - network
- # - sshd
- # - base
+ - package_manager
+ - zrepl
+ - zsh
+ - network
+ - sshd
+ - base
 - firewall
- # - cpu
- # - ntp
- # - hosts
- # - build
- # - sound
- # - graphics
- # - gpg
- # - fonts
- # - alacritty
- # - sway
- # - emacs
- # - firefox
- # - devfs
- # - ssh_client
- # - sshfs
- # - jail
- # - fuse
- # - autofs
- # - exfat
+ - cpu
+ - ntp
+ - hosts
+ - build
+ - sound
+ - graphics
+ - gpg
+ - fonts
+ - alacritty
+ - sway
+ - emacs
+ - firefox
+ - devfs
+ - ssh_client
+ - sshfs
+ - jail
+ - fuse
+ - autofs
+ - exfat
 - bhyve
- # - media
- # - kubernetes
- # - google_cloud_sdk
- # - ansible
- # - wireguard
- # - portshaker
- # - poudriere
+ - media
+ - kubernetes
+ - google_cloud_sdk
+ - ansible
+ - wireguard
+ - portshaker
+ - poudriere

 - hosts: nat_dhcp:homeserver_nat_dhcp
 vars:
diff --git a/ansible/roles/base/files/odofreebsd_rc.conf b/ansible/roles/base/files/odofreebsd_rc.conf
index 476c16b..7c02282 100644
--- a/ansible/roles/base/files/odofreebsd_rc.conf
+++ b/ansible/roles/base/files/odofreebsd_rc.conf
@@ -2,7 +2,6 @@ clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="odo"
-local_unbound_enable="YES"
 sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
diff --git a/ansible/roles/network/files/local_unbound_rc.conf b/ansible/roles/network/files/local_unbound_rc.conf
new file mode 100644
index 0000000..c839dee
--- /dev/null
+++ b/ansible/roles/network/files/local_unbound_rc.conf
@@ -0,0 +1,6 @@
+# For some unknown reason, enabling local unbound with DNS over TLS breaks network connectivity a couple minutes later
+local_unbound_enable="NO"
+local_unbound_tls="YES"
+local_unbound_forwarders="1.0.0.1@853#cloudflare-dns.com 1.1.1.1@853#cloudflare-dns.com 2606:4700:4700::1111@853#cloudflare-dns.com 2606:4700:4700::1001@853#cloudflare-dns.com"
+# local_unbound_forwarders="194.242.2.2@853#doh.mullvad.net"
+# local_unbound_forwarders="194.242.2.2@853#doh.mullvad.net 2a07:e340::2@853#doh.mullvad.net 1.0.0.1@853#cloudflare-dns.com 1.1.1.1@853#cloudflare-dns.com 2606:4700:4700::1111@853#cloudflare-dns.com 2606:4700:4700::1001@853#cloudflare-dns.com"
diff --git a/ansible/roles/network/files/mullvlad_dns_over_tls.conf b/ansible/roles/network/files/mullvlad_dns_over_tls.conf
new file mode 100644
index 0000000..81b18b5
--- /dev/null
+++ b/ansible/roles/network/files/mullvlad_dns_over_tls.conf
@@ -0,0 +1,3 @@
+[Resolve]
+DNS=194.242.2.2#doh.mullvad.net [2a07:e340::2]#doh.mullvad.net
+DNSOverTLS=yes
diff --git a/ansible/roles/network/tasks/freebsd.yaml b/ansible/roles/network/tasks/freebsd.yaml
index 6bc4e2e..49de8b2 100644
--- a/ansible/roles/network/tasks/freebsd.yaml
+++ b/ansible/roles/network/tasks/freebsd.yaml
@@ -1,3 +1,4 @@
+# MANUAL: I had to run `sudo service local_unbound setup`
 - name: Install configuration
 copy:
 src: "files/{{ item.src }}"
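Review bot: `local_unbound_enable="NO"` on the second added line means this file switches the local resolver off rather than on, and because the same commit removes `local_unbound_enable="YES"` from the base rc.conf, the FreeBSD hosts presumably end up with no local resolver and send queries in cleartext to whatever nameservers resolv.conf provides. The first-line comment records the connectivity problem but not that consequence; I would extend it with `# NOTE: while local_unbound_enable is "NO" the TLS settings below are inert and DNS is unencrypted`, so nobody reads this file as "DoT is on". The `@853#name` form of the forwarder entries carries the authentication name unbound needs to verify the upstream certificate, which is the right shape; whether local-unbound-setup passes it through unchanged is worth confirming when the connectivity issue is revisited. The two commented-out alternative forwarder lines are fine as working notes, but once a provider is chosen the unused one should go.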
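Review bot: The drop-in sets `DNS=` and `DNSOverTLS=yes` but no `Domains=`, so systemd-resolved still treats per-link (DHCP-supplied) servers as a default route alongside these two global servers, and this file alone does not decide which server answers a given query. Adding `Domains=~.` to the `[Resolve]` section routes all names to the global servers by default, which is what makes the Mullvad DoT configuration the effective one. Consider also stating `DNSSEC=` explicitly (`allow-downgrade` or `yes`), since an encrypted transport authenticates the server but does not validate the answers it returns. The file name spells `mullvlad` while the server name is `doh.mullvad.net`; a rename would keep the two consistent.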
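Review bot: The added `# MANUAL:` comment records a step the role could perform itself: `service local_unbound setup` regenerates the unbound configuration from the rc.conf variables this commit installs, so it belongs in a task (e.g. `command: service local_unbound setup` run from a handler) that fires whenever the rc.conf.d file changes, rather than in a note a future run will skip. If the comment stays, it should also say what state it is working around, e.g. `# MANUAL: after changing /etc/rc.conf.d/local_unbound run: sudo service local_unbound setup`. The task below this comment continues past the hunk.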
@@ -35,3 +36,13 @@
 # - name: net.inet6.ip6.use_tempaddr # Enable privacy addresses
 # value: "1"
 # - name: net.inet6.ip6.prefer_tempaddr # Prefer privacy addresses
+
+- name: Install service configuration
+ copy:
+ src: "files/{{ item }}_rc.conf"
+ dest: "/etc/rc.conf.d/{{ item }}"
+ mode: 0644
+ owner: root
+ group: wheel
+ loop:
+ - local_unbound
diff --git a/ansible/roles/network/tasks/linux.yaml b/ansible/roles/network/tasks/linux.yaml
index e1835f0..e8f1494 100644
--- a/ansible/roles/network/tasks/linux.yaml
+++ b/ansible/roles/network/tasks/linux.yaml
@@ -1,6 +1,20 @@
-# - name: Install packages
-# pacman:
-# name:
-# - foo
-# state: present
-# update_cache: true
+- name: Create directories
+ file:
+ name: "{{ item }}"
+ state: directory
+ mode: 0755
+ owner: root
+ group: wheel
+ loop:
+ - /etc/systemd/resolved.conf.d
+
+- name: Copy files
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0600
+ owner: root
+ group: wheel
+ loop:
+ - src: mullvlad_dns_over_tls.conf
+ dest: /etc/systemd/resolved.conf.d/mullvlad_dns_over_tls.conf
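Review bot: The "Install service configuration" task writes `/etc/rc.conf.d/local_unbound` with no `notify:`, so a changed forwarder list or TLS flag is not applied until someone runs the setup and restart by hand, which is exactly the gap the `# MANUAL:` comment at the top of this file admits; a handler that re-runs `service local_unbound setup` and restarts the service would close it. `mode: 0644` relies on the YAML 1.1 leading-zero octal rule (a YAML 1.2 parser reads it as decimal 644); quoting it, `mode: "0644"`, removes the dependence on parser version, and the same applies to `mode: 0755` and `mode: 0600` in the linux.yaml hunk of this commit. The source is built as `files/{{ item }}_rc.conf` while the destination drops the suffix; a one-line comment such as `# rc.conf.d entries are named after the service they configure` would spare the next reader a lookup.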
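Review bot: The "Copy files" task places the drop-in under `/etc/systemd/resolved.conf.d/` but nothing in this hunk reloads or restarts `systemd-resolved`, ensures the unit is enabled, or checks that `/etc/resolv.conf` points at the resolved stub, and DNS-over-TLS only covers queries that actually pass through resolved. If those steps live in another task they are outside this hunk; otherwise a `notify` on the copy plus a `systemd` task for the service are needed before the change has any effect. `mode: 0600` combined with `group: wheel` is an odd pairing for a resolver config that holds no secrets and that resolved reads as root; `0644` with `root:root` typically matches the rest of `/etc/systemd`, so keep the restrictive mode only if the forwarder choice is itself considered sensitive, and say so in a comment.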