From 5a9b0a6b20f2290c4dee60609232e93052cd947d Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 29 Sep 2021 19:49:04 +0000
Subject: [PATCH] Use real certs for DNS over TLS
---
 playbooks/dna-gw.yml | 10 ++++++++--
 playbooks/proxy.yml | 3 +++
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml
index b63b253..19f04a8 100644
--- a/playbooks/dna-gw.yml
+++ b/playbooks/dna-gw.yml
@@ -73,19 +73,25 @@
 - name: copy dns private key
 copy:
 dest: "{{ tls_private }}/dns.home.foo.sh.key"
- src: /srv/ca/private/dns.home.foo.sh.key
+ src: "{{ item }}"
 mode: 0600
 owner: root
 group: "{{ ansible_wheel }}"
+ with_first_found:
 - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
 - "/srv/ca/private/{{ inventory_hostname }}.key"
 tags: certificate
 notify: restart unbound
 - name: copy dns certificate and ca cert
 copy:
 dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
- src: /srv/ca/certs/dns.home.foo.sh.crt
+ src: "{{ item }}"
 mode: 0644
 owner: root
 group: "{{ ansible_wheel }}"
+ with_first_found:
 - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
 - "/srv/ca/certs/{{ inventory_hostname }}.crt"
 tags: certificate
 notify: restart unbound
 - name: copy dns zone files
diff --git a/playbooks/proxy.yml b/playbooks/proxy.yml
index 3a0a98d..f3a5e36 100644
--- a/playbooks/proxy.yml
+++ b/playbooks/proxy.yml
@@ -35,6 +35,9 @@
 - role: nginx/site
 site: devel01.foo.sh
 proxy: https://devel01.home.foo.sh/
+ - role: nginx/site
 site: dns.home.foo.sh
 redirect: https://www.foo.sh/
 - role: nginx/site
 site: git.foo.sh
 proxy: https://git02.home.foo.sh/
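Review bot: The fallback entries of both new `with_first_found` lists change which certificate is served when no Let's Encrypt material exists: the previous sources were `/srv/ca/private/dns.home.foo.sh.key` and `/srv/ca/certs/dns.home.foo.sh.crt`, while the fallback is now `{{ inventory_hostname }}.key` / `.crt`, so unless the host is inventoried as dns.home.foo.sh the DoT listener would present a certificate for a different name and clients that verify the server name would reject it. Keeping the old paths as the last entry of each list, `- /srv/ca/private/dns.home.foo.sh.key` and `- /srv/ca/certs/dns.home.foo.sh.crt`, preserves the previous behaviour as the fallback. Two caveats deserve a comment above the tasks: Let's Encrypt keys are replaced on renewal, so `notify: restart unbound` only helps if this play (or its `certificate` tag) is run after each renewal, e.g. from a deploy hook; and because `copy` returns file content as a diff, a `--diff` run of the private-key task would print the key, which `diff: false` on that task avoids. The enclosing play starts before this hunk.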
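Review bot: The new `dns.home.foo.sh` site entry gives no hint why a public proxy needs a redirect-only vhost for an internal DNS host name; read together with the dna-gw.yml hunk it presumably exists so the ACME HTTP-01 challenge for `/srv/letsencrypt/live/dns.home.foo.sh` is answered by this proxy, and without that context a later clean-up would silently break renewal of the DoT certificate. A comment above the entry such as `# ACME challenge endpoint for the dns.home.foo.sh DoT certificate; all other requests redirected` would record that. If the `nginx/site` role's `redirect` applies to every path, confirm that `/.well-known/acme-challenge/` is exempted, which is not visible here. The enclosing `roles:` list continues outside the hunk.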