Enable DNS over TLS support for local resolvers

Currently uses local CA.

playbooks/dna-gw.yml

@@ -70,6 +70,24 @@
         owner: root
         group: "{{ ansible_wheel }}"
 
+    - name: copy dns private key
+      copy:
+        dest: "{{ tls_private }}/dns.home.foo.sh.key"
+        src: /srv/ca/private/dns.home.foo.sh.key
+        mode: 0600
+        owner: root
+        group: "{{ ansible_wheel }}"
+      tags: certificate
+      notify: restart unbound
+    - name: copy dns certificate and ca cert
+      copy:
+        dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
+        src: /srv/ca/certs/dns.home.foo.sh.crt
+        mode: 0644
+        owner: root
+        group: "{{ ansible_wheel }}"
+      tags: certificate
+      notify: restart unbound
     - name: copy dns zone files
       copy:
         dest: "/var/unbound/db/{{ item }}"

roles/pf/files/pf.conf.gw_home

@@ -50,6 +50,7 @@ pass in quick on $int_if proto tcp from $int_net to self port 4949
 
 # allow dns queries from internal net
 pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain
+pass in quick on $int_if proto tcp from $int_net to self port domain-s
 
 # allow tftp from internal net
 pass in quick on $int_if proto udp from $int_net to self port tftp

roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2

@@ -2,9 +2,13 @@
 server:
     interface: 127.0.0.1
     interface: ::1
-    interface: 172.20.20.10
-    interface: 172.20.21.1
+    interface: 172.20.20.10@53
+    interface: 172.20.20.10@853
+    interface: 172.20.21.1@53
 
+    tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
+    tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
+    tls-cert-bundle: {{ tls_certs }}/ca.crt
 
     access-control: 127.0.0.0/8 allow
     access-control: ::1 allow

roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2

@@ -2,9 +2,13 @@
 server:
     interface: 127.0.0.1
     interface: ::1
-    interface: 172.20.20.10
-    interface: 172.20.21.2
+    interface: 172.20.20.10@53
+    interface: 172.20.20.10@853
+    interface: 172.20.21.2@53
 
+    tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
+    tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
+    tls-cert-bundle: {{ tls_certs }}/ca.crt
 
     access-control: 127.0.0.0/8 allow
     access-control: ::1 allow