dns: also offer DoT

roles/dns/handlers/main.yml

@@ -5,3 +5,6 @@
   with_items:
    - pdns
    - pdns-recursor
+
+- name: Restart dnsdist
+  service: name=dnsdist state=restarted

roles/dns/tasks/main.yml

@@ -3,6 +3,7 @@
 - name: Install powerdns
   apt:
     name:
+    - dnsdist
     - pdns-backend-bind
     - pdns-recursor
     - pdns-server
@@ -12,7 +13,6 @@
 
 - name: Configure powerdns
   template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
-  tags: dns
   notify: Restart powerdns
   with_items:
   - bind/ffrgb.zone
@@ -21,8 +21,13 @@
   - pdns.conf
   - recursor.conf
 
-- name: Start the powerdns services
+- name: Configure dnsdist
+  template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
+  notify: Restart dnsdist
+
+- name: Start the dns services
   service: name={{ item }} state=started enabled=yes
   with_items:
+  - dnsdist
   - pdns
   - pdns-recursor

roles/dns/templates/dnsdist.conf.j2

@@ -0,0 +1,12 @@
+-- {{ ansible_managed }}
+
+setLocal('127.0.0.1:5353')
+
+newServer({address="127.0.0.1", qps=1, name="localhost"})
+
+addTLSLocal('127.0.0.1','/etc/nginx/ssl/{{ ansible_fqdn }}.crt', '/etc/nginx/ssl/{{ ansible_fqdn }}.key')
+addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}','/etc/nginx/ssl/{{ ansible_fqdn }}.crt', '/etc/nginx/ssl/{{ ansible_fqdn }}.key')
+addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}','/etc/nginx/ssl/{{ ansible_fqdn }}.crt', '/etc/nginx/ssl/{{ ansible_fqdn }}.key')
+
+-- disable security status polling via DNS
+setSecurityPollSuffix("")