Add DNS over TLS.

ansible/playbook.yaml

@@ -2,42 +2,42 @@
   vars:
     ansible_become: True
   roles:
-    # - sudo
+    - sudo
     - users
-    # - package_manager
+    - package_manager
-    # - zrepl
+    - zrepl
-    # - zsh
+    - zsh
-    # - network
+    - network
-    # - sshd
+    - sshd
-    # - base
+    - base
     - firewall
-    # - cpu
+    - cpu
-    # - ntp
+    - ntp
-    # - hosts
+    - hosts
-    # - build
+    - build
-    # - sound
+    - sound
-    # - graphics
+    - graphics
-    # - gpg
+    - gpg
-    # - fonts
+    - fonts
-    # - alacritty
+    - alacritty
-    # - sway
+    - sway
-    # - emacs
+    - emacs
-    # - firefox
+    - firefox
-    # - devfs
+    - devfs
-    # - ssh_client
+    - ssh_client
-    # - sshfs
+    - sshfs
-    # - jail
+    - jail
-    # - fuse
+    - fuse
-    # - autofs
+    - autofs
-    # - exfat
+    - exfat
     - bhyve
-    # - media
+    - media
-    # - kubernetes
+    - kubernetes
-    # - google_cloud_sdk
+    - google_cloud_sdk
-    # - ansible
+    - ansible
-    # - wireguard
+    - wireguard
-    # - portshaker
+    - portshaker
-    # - poudriere
+    - poudriere
 
 - hosts: nat_dhcp:homeserver_nat_dhcp
   vars:

ansible/roles/base/files/odofreebsd_rc.conf

@@ -2,7 +2,6 @@ clear_tmp_enable="YES"
 syslogd_flags="-ss"
 sendmail_enable="NONE"
 hostname="odo"
-local_unbound_enable="YES"
 sshd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"

ansible/roles/network/files/local_unbound_rc.conf

@@ -0,0 +1,6 @@
+# For some unknown reason, enabling local unbound with DNS over TLS breaks network connectivity a couple minutes later
+local_unbound_enable="NO"
+local_unbound_tls="YES"
+local_unbound_forwarders="1.0.0.1@853#cloudflare-dns.com 1.1.1.1@853#cloudflare-dns.com 2606:4700:4700::1111@853#cloudflare-dns.com 2606:4700:4700::1001@853#cloudflare-dns.com"
+# local_unbound_forwarders="194.242.2.2@853#doh.mullvad.net"
+# local_unbound_forwarders="194.242.2.2@853#doh.mullvad.net 2a07:e340::2@853#doh.mullvad.net 1.0.0.1@853#cloudflare-dns.com 1.1.1.1@853#cloudflare-dns.com 2606:4700:4700::1111@853#cloudflare-dns.com 2606:4700:4700::1001@853#cloudflare-dns.com"

ansible/roles/network/files/mullvlad_dns_over_tls.conf

@@ -0,0 +1,3 @@
+[Resolve]
+DNS=194.242.2.2#doh.mullvad.net [2a07:e340::2]#doh.mullvad.net
+DNSOverTLS=yes

ansible/roles/network/tasks/freebsd.yaml

@@ -1,3 +1,4 @@
+# MANUAL: I had to run `sudo service local_unbound setup`
 - name: Install configuration
   copy:
     src: "files/{{ item.src }}"
@@ -35,3 +36,13 @@
     # - name: net.inet6.ip6.use_tempaddr # Enable privacy addresses
     #   value: "1"
     # - name: net.inet6.ip6.prefer_tempaddr # Prefer privacy addresses
+
+- name: Install service configuration
+  copy:
+    src: "files/{{ item }}_rc.conf"
+    dest: "/etc/rc.conf.d/{{ item }}"
+    mode: 0644
+    owner: root
+    group: wheel
+  loop:
+    - local_unbound

ansible/roles/network/tasks/linux.yaml

@@ -1,6 +1,20 @@
-# - name: Install packages
+- name: Create directories
-#   pacman:
+  file:
-#     name:
+    name: "{{ item }}"
-#       - foo
+    state: directory
-#     state: present
+    mode: 0755
-#     update_cache: true
+    owner: root
+    group: wheel
+  loop:
+    - /etc/systemd/resolved.conf.d
+
+- name: Copy files
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0600
+    owner: root
+    group: wheel
+  loop:
+    - src: mullvlad_dns_over_tls.conf
+      dest: /etc/systemd/resolved.conf.d/mullvlad_dns_over_tls.conf