mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-03-26 21:33:05 +00:00
ipaserver: Add support for DNS over TLS
This change adds support for DNS over TLS to the ipaserver role.
New variables
ipaserver_dot_forwarders
List of DNS over TLS forwarders. Required if ipaserver_dns_over_tls
is enabled. (list of strings)
required: false
ipaserver_dns_over_tls | ipaclient_dns_over_tls
Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later.
(bool, default: false)
required: false
ipaserver_dns_over_tls_cert
Certificate to use for DNS over TLS. If empty, a new certificate will
be requested from IPA CA. (string)
required: false
ipaserver_dns_over_tls_key
Key for certificate specified in ipaserver_dns_over_tls_cert. (string)
required: false
ipaserver_dns_policy
Encrypted DNS policy. Only usable if `ipaserver_dns_over_tls` is
enabled. (choice: relaxed, enforced, default: relaxed)
required: false
New distribution specific variable
ipaserver_packages_dot
List of IPA packages needed for DNS over TLS.
@@ -343,6 +343,12 @@ Variable | Description | Required
|
||||
`ipaserver_auto_forwarders` | Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS. (bool, default: false) | no
|
||||
`ipaserver_forward_policy` | DNS forwarding policy for global forwarders specified using other options. (choice: first, only) | no
|
||||
`ipaserver_no_dnssec_validation` | Disable DNSSEC validation on this server. (bool, default: false) | no
|
||||
`ipaserver_dot_forwarders` | List of DNS over TLS forwarders. Required if `ipaserver_dns_over_tls` is enabled. (list of strings) | no
|
||||
`ipaserver_dns_over_tls` \| `ipaclient_dns_over_tls` | Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later. (bool, default: false) | no
|
||||
`ipaserver_dns_over_tls_cert` | Certificate to use for DNS over TLS. If empty, a new certificate will be requested from IPA CA. (string) | no
|
||||
`ipaserver_dns_over_tls_key` | Key for certificate specified in `ipaserver_dns_over_tls_cert`. (string) | no
|
||||
`ipaserver_dns_policy` | Encrypted DNS policy. Only usable if `ipaserver_dns_over_tls` is enabled. (choice: relaxed, enforced, default: relaxed) | no
|
||||
|
||||
|
||||
AD trust Variables
|
||||
------------------
|
||||
|
||||
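Review bot: the `ipaserver_dns_over_tls_cert` and `ipaserver_dns_over_tls_key` rows describe their values only as "(string)", which does not tell the reader whether each is a file path on the target host or inline PEM content; state which one is expected, and say what happens when the certificate is set but the key is not. The `ipaserver_dns_policy` row lists `relaxed` and `enforced` without saying what either does, and since the default is `relaxed`, a sentence on how the two differ would let readers judge whether the default meets their requirement. The `ipaserver_dot_forwarders` row marks the variable "no" in the Required column while the description says it is required when `ipaserver_dns_over_tls` is enabled; consider noting the expected entry format there as well.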