Correction for DNSDist(DoH DoT) service

2023-05-25 05:52:18 +02:00 · 2023-05-25 05:52:18 +02:00 · 105ee89080
parent 9bf5f2dab4
commit 105ee89080
3 changed files with 32 additions and 17 deletions
--- a/DNSservice.yml
+++ b/DNSservice.yml
@ -1,6 +1,6 @@

 ---
- hosts: test
+- hosts: iloth
  roles:
    - common
    - ssl-cert
@ -8,9 +8,10 @@
    - dnsdist
    # déclaration de la variables globales
  vars:
-    email: votre_email
-    cthostname: nom_du_conteneur
-    domain: nom_de_domaine
-    create_user: false
-    installCertbot: false
-  
+    email: votre_adresse_email
+    cthostname: machine-name
+    domain: machine-name.domain.tld
+    create_user: False
+    installCertbot: True  
+    mode: standalone # nginx or standalone
+    alt_domains: "" # -d sub.domain.told
--- a/roles/dnsdist/tasks/main.yml
+++ b/roles/dnsdist/tasks/main.yml
@ -38,20 +38,20 @@
    path: /etc/dnsdist/dnsdist.conf
    regexp: '__SSL_CRT__'
    replace: '/etc/ssl/{{ domain}}.crt'
-  when: installCertbot == false
+  when: installCertbot == False

 - name: Add SSL keys to dnsdist.conf
  ansible.builtin.replace:
    path: /etc/dnsdist/dnsdist.conf
    regexp: '__SSL_KEY__'
    replace: '/etc/ssl/{{ domain}}.key'
-  when: installCertbot == false
+  when: installCertbot == False

 - name: permission to ssl cert 
  shell: |
    setfacl -R -m u:_dnsdist:rx /etc/ssl/"{{ domain }}".key
    setfacl -R -m u:_dnsdist:rx /etc/ssl/"{{ domain }}".crt
-  when: installCertbot == false
+  when: installCertbot == False



@ -59,23 +59,30 @@
  ansible.builtin.replace:
    path: /etc/dnsdist/dnsdist.conf
    regexp: '__SSL_CRT__'
-    replace: '/etc/letsencrypt/{{ domain}}/fullchain.pem'
-  when: installCertbot == true
+    replace: '/etc/letsencrypt/live/{{ domain}}/fullchain.pem'
+  when: installCertbot == True

 - name: Add SSL keys to dnsdist.conf
  ansible.builtin.replace:
    path: /etc/dnsdist/dnsdist.conf
    regexp: '__SSL_KEY__'
-    replace: '/etc/letsencrypt/{{ domain}}/privkey.pem'
-  when: installCertbot == true
+    replace: '/etc/letsencrypt/live/{{ domain}}/privkey.pem'
+  when: installCertbot == True

 - name: Set permission letsencrypt SSL keys 
  shell: setfacl -R -m u:_dnsdist:rx /etc/letsencrypt/
-  when: installCertbot == true
+  when: installCertbot == True

+
+- name: Disable and stop systemd-resolved
+  shell: |
+    systemctl disable systemd-resolved
+    systemctl stop systemd-resolved || echo "systemd-resolved is already stopped"
+  
 - name: Start dnsdist service
  shell: "systemctl start dnsdist"


+
 - name: Enable systemd service
  shell: "systemctl enable dnsdist"
--- a/roles/ssl-cert/tasks/main.yml
+++ b/roles/ssl-cert/tasks/main.yml
@ -20,6 +20,13 @@
  shell: openssl req -x509 -nodes -subj '/CN={{ domain }}' -days 3650 -newkey rsa:4096 -sha256 -keyout /etc/ssl/"{{ domain }}".key -out /etc/ssl/"{{ domain }}".crt
  when: installCertbot == False

- name: Create self-signed certificate, if configured.
-  shell: "certbot -certonly -d {{ domain }} {{ alt_domains }} --{{ mode }} -m {{ email }} --agree-tos"
+- name: Open port 80 for letsencrypt challenge
+  ufw:
+    rule: allow
+    port: 80
+    proto: tcp
+  when: installCertbot == True
+
+- name: Create self-signed certificate, if configured.
+  shell: "certbot certonly --{{ mode }} -d {{ domain }} {{ alt_domains }} -m {{ email }} --agree-tos"
  when: installCertbot == True