Ansible managed configuration files for DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) DNS resolvers.
This configuration applies to the Digital Society's production secure DNS resolver. This document describes how to use the Ansible setup for your own setup.
If you are interested in:
- running this configuration for testing purpose on your local machine see Local
- the documentation of important files and variables of this project, see Documentation
This step is very common, as soon as the Ansible configuration files are changed this step will activate the new configuration on the DNS resolvers.
Change into configuraiton-files and start a dry-run of the Ansible configuration.
cd configuration-files
ansible-playbook --ask-become-pass --ask-vault-pass resolver.yml --checkWhen the output does not contain any unexpected surprises, remove the flag --check to definitively apply the configuration to the DNS resolvers.
This step is only performed if a new server is being added and the Ansible configuration is to be applied for the first time.
- Run the playbook:
ansible-playbook --ask-become-pass --ask-vault-pass resolver.yml
- Login to the server via SSH and create TLS certificates manually. Each productive server has two separate Let's Encrypt certificates. Following an example dry run on host
res3. Remove--dry-runonce there are no errors.sudo certbot certonly --config /etc/letsencrypt/cli.ini --key-type ecdsa --cert-name res3.digitale-gesellschaft.ch.ecdsa -d res3.digitale-gesellschaft.ch --dry-run sudo certbot certonly --config /etc/letsencrypt/cli.ini --key-type ecdsa --cert-name dns.digitale-gesellschaft.ch.ecdsa -d dns.digitale-gesellschaft.ch -d dns1.digitale-gesellschaft.ch -d dns2.digitale-gesellschaft.ch --dry-run
- Rerun the playbook:
The playbook should run without errors.
ansible-playbook --ask-become-pass --ask-vault-pass resolver.yml