Add DNS over TLS.

2022-12-14 22:36:12 -05:00
parent e9e772f4fa
commit 558c71219b
6 changed files with 73 additions and 40 deletions
--- a/ansible/roles/base/files/odofreebsd_rc.conf
+++ b/ansible/roles/base/files/odofreebsd_rc.conf
@@ -2,7 +2,6 @@ clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="odo"
-local_unbound_enable="YES"
 sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
--- a/ansible/roles/network/files/local_unbound_rc.conf
+++ b/ansible/roles/network/files/local_unbound_rc.conf
@@ -0,0 +1,6 @@
+# For some unknown reason, enabling local unbound with DNS over TLS breaks network connectivity a couple minutes later
+local_unbound_enable="NO"
+local_unbound_tls="YES"
+local_unbound_forwarders="1.0.0.1@853#cloudflare-dns.com 1.1.1.1@853#cloudflare-dns.com 2606:4700:4700::1111@853#cloudflare-dns.com 2606:4700:4700::1001@853#cloudflare-dns.com"
+# local_unbound_forwarders="194.242.2.2@853#doh.mullvad.net"
+# local_unbound_forwarders="194.242.2.2@853#doh.mullvad.net 2a07:e340::2@853#doh.mullvad.net 1.0.0.1@853#cloudflare-dns.com 1.1.1.1@853#cloudflare-dns.com 2606:4700:4700::1111@853#cloudflare-dns.com 2606:4700:4700::1001@853#cloudflare-dns.com"
--- a/ansible/roles/network/files/mullvlad_dns_over_tls.conf
+++ b/ansible/roles/network/files/mullvlad_dns_over_tls.conf
@@ -0,0 +1,3 @@
+[Resolve]
+DNS=194.242.2.2#doh.mullvad.net [2a07:e340::2]#doh.mullvad.net
+DNSOverTLS=yes
--- a/ansible/roles/network/tasks/freebsd.yaml
+++ b/ansible/roles/network/tasks/freebsd.yaml
@@ -1,3 +1,4 @@
+# MANUAL: I had to run `sudo service local_unbound setup`
 - name: Install configuration
  copy:
    src: "files/{{ item.src }}"
@@ -35,3 +36,13 @@
    # - name: net.inet6.ip6.use_tempaddr # Enable privacy addresses
    #   value: "1"
    # - name: net.inet6.ip6.prefer_tempaddr # Prefer privacy addresses
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - local_unbound
--- a/ansible/roles/network/tasks/linux.yaml
+++ b/ansible/roles/network/tasks/linux.yaml
@@ -1,6 +1,20 @@
-# - name: Install packages
-#   pacman:
-#     name:
-#       - foo
-#     state: present
-#     update_cache: true
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - /etc/systemd/resolved.conf.d
+
+- name: Copy files
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0600
+    owner: root
+    group: wheel
+  loop:
+    - src: mullvlad_dns_over_tls.conf
+      dest: /etc/systemd/resolved.conf.d/mullvlad_dns_over_tls.conf