From f6c4f927f4fa937b48ae689040a0382d161b8f4b Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Wed, 4 Nov 2020 23:16:27 +0100
Subject: [PATCH] dns: also offer DoT
---
roles/dns/handlers/main.yml | 3 +++
roles/dns/tasks/main.yml | 9 +++++++--
roles/dns/templates/dnsdist.conf.j2 | 12 ++++++++++++
3 files changed, 22 insertions(+), 2 deletions(-)
create mode 100644 roles/dns/templates/dnsdist.conf.j2
diff --git a/roles/dns/handlers/main.yml b/roles/dns/handlers/main.yml
index fffbb22..95f9ada 100644
--- a/roles/dns/handlers/main.yml
+++ b/roles/dns/handlers/main.yml
@@ -5,3 +5,6 @@ with_items: - pdns - pdns-recursor + +- name: Restart dnsdist + service: name=dnsdist state=restarted
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index 0c73957..4e3fde4 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -3,6 +3,7 @@ - name: Install powerdns apt: name: + - dnsdist - pdns-backend-bind - pdns-recursor - pdns-server
@@ -12,7 +13,6 @@ - name: Configure powerdns template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }} - tags: dns notify: Restart powerdns with_items: - bind/ffrgb.zone
@@ -21,8 +21,13 @@ - pdns.conf - recursor.conf -- name: Start the powerdns services +- name: Configure dnsdist + template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf + notify: Restart dnsdist + +- name: Start the dns services service: name={{ item }} state=started enabled=yes with_items: + - dnsdist - pdns - pdns-recursor
diff --git a/roles/dns/templates/dnsdist.conf.j2 b/roles/dns/templates/dnsdist.conf.j2
new file mode 100644
index 0000000..440bd88
--- /dev/null
+++ b/roles/dns/templates/dnsdist.conf.j2
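Review bot: The new `Configure dnsdist` task in the third hunk of roles/dns/tasks/main.yml writes the config without validating it, so a rendering mistake (an undefined `batman_ipv6`, an empty `ipaddr('address')` result, a stray quote) only surfaces when the `Restart dnsdist` handler fires at the end of the play and dnsdist fails to come back. dnsdist can check a config file without starting, and Ansible's template module will refuse to install a file that fails validation, so I would add `validate` to the task: `template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf validate='dnsdist --check-config --config %s'`. The rendered config references the TLS files by absolute path, so checking it from the temporary `%s` location should work unchanged.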
@@ -0,0 +1,12 @@
+-- {{ ansible_managed }}
+
+setLocal('127.0.0.1:5353')
+
+newServer({address="127.0.0.1", qps=1, name="localhost"})
+
+addTLSLocal('127.0.0.1','/etc/nginx/ssl/{{ ansible_fqdn }}.crt', '/etc/nginx/ssl/{{ ansible_fqdn }}.key')
+addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}','/etc/nginx/ssl/{{ ansible_fqdn }}.crt', '/etc/nginx/ssl/{{ ansible_fqdn }}.key')
+addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}','/etc/nginx/ssl/{{ ansible_fqdn }}.crt', '/etc/nginx/ssl/{{ ansible_fqdn }}.key')
+
+-- disable security status polling via DNS
+setSecurityPollSuffix("")
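Review bot: The config never sets an ACL, so dnsdist's compiled-in default (loopback, RFC 1918, ULA and link-local ranges) decides which clients the new DoT listeners on the batman addresses answer: mesh clients outside those ranges — a global IPv6 prefix in particular — are dropped silently, while inside them that default is the only thing keeping these listeners from being an open resolver, so I would pin it explicitly, e.g. `setACL({'127.0.0.0/8', '<batman IPv4 prefix>', '<batman IPv6 prefix>'})`. Separately, `qps=1` on the only `newServer` backend reads like a leftover from the dnsdist examples; in newServer it is a per-backend rate limit of one query per second, beyond which no backend is available, so drop it: `newServer({address="127.0.0.1", name="localhost"})`. The three addTLSLocal calls point dnsdist at nginx's private key, which the dnsdist service account presumably needs to be able to read (at least for certificate reloads) and which nothing in this role pushes into dnsdist when the nginx certificate is renewed, so a `reloadAllCertificates()`/restart hook on renewal is worth confirming against whatever renews that certificate.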