freeipa
diff --git a/‎roles/ipareplica/README.md‎
Lines changed: 5 additions & 0 deletions b/‎roles/ipareplica/README.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎roles/ipareplica/library/ipareplica_prepare.py‎
Lines changed: 40 additions & 0 deletions b/‎roles/ipareplica/library/ipareplica_prepare.py‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎roles/ipareplica/library/ipareplica_setup_dns.py‎
Lines changed: 42 additions & 0 deletions b/‎roles/ipareplica/library/ipareplica_setup_dns.py‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎roles/ipareplica/library/ipareplica_test.py‎
Lines changed: 83 additions & 1 deletion b/‎roles/ipareplica/library/ipareplica_test.py‎
Lines changed: 83 additions & 1 deletion
diff --git a/‎roles/ipareplica/module_utils/ansible_ipa_replica.py‎
Lines changed: 8 additions & 6 deletions b/‎roles/ipareplica/module_utils/ansible_ipa_replica.py‎
Lines changed: 8 additions & 6 deletions
@@ -270,6 +270,11 @@ Variable | Description | Required
 `ipareplica_auto_forwarders` | Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS. (bool, default: false) | no
 `ipareplica_forward_policy` | DNS forwarding policy for global forwarders specified using other options. (choice: first,only) | no
 `ipareplica_no_dnssec_validation` | Disable DNSSEC validation on this server. (bool, default: false) | no
+`ipareplica_dot_forwarders` | List of DNS over TLS forwarders. Required if `ipareplica_dns_over_tls` is enabled. (list of strings) | no
+`ipareplica_dns_over_tls` \| `ipaclient_dns_over_tls` | Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later. (bool, default: false) | no
+`ipareplica_dns_over_tls_cert` | Certificate to use for DNS over TLS. If empty, a new certificate will be requested from IPA CA. (string) | no
+`ipareplica_dns_over_tls_key` | Key for certificate specified in `ipareplica_dns_over_tls_cert`. (string) | no
+`ipareplica_dns_policy` | Encrypted DNS policy. Only usable if `ipareplica_dns_over_tls` is enabled. (choice: relaxed, enforced, default: relaxed) | no
 
 AD trust Variables
 ------------------
 
@@ -224,6 +224,32 @@
     type: bool
     default: no
     required: no
+  dot_forwarders:
+    description: List of DNS over TLS forwarders
+    type: list
+    elements: str
+    default: []
+    required: no
+  dns_over_tls:
+    description: Configure DNS over TLS
+    type: bool
+    default: no
+    required: no
+  dns_over_tls_cert:
+    description:
+      Certificate to use for DNS over TLS. If empty, a new
+      certificate will be requested from IPA CA
+    type: str
+    required: no
+  dns_over_tls_key:
+    description: Key for certificate specified in dns_over_tls_cert
+    type: str
+    required: no
+  dns_policy:
+    description: Encrypted DNS policy
+    type: str
+    choices: ['relaxed', 'enforced']
+    default: 'relaxed'
   enable_compat:
     description: Enable support for trusted domains for old clients
     type: bool
@@ -354,6 +380,15 @@ def main():
                                 choices=['first', 'only'], default=None),
             no_dnssec_validation=dict(required=False, type='bool',
                                       default=False),
+            dot_forwarders=dict(required=False, type='list', elements='str',
+                                default=[]),
+            dns_over_tls=dict(required=False, type='bool',
+                              default=False),
+            dns_over_tls_cert=dict(required=False, type='str'),
+            dns_over_tls_key=dict(required=False, type='str'),
+            dns_policy=dict(required=False, type='str',
+                            choices=['relaxed', 'enforced'],
+                            default='relaxed'),
             # ad trust
             enable_compat=dict(required=False, type='bool', default=False),
             netbios_name=dict(required=False, type='str'),
@@ -430,6 +465,11 @@ def main():
     options.forward_policy = ansible_module.params.get('forward_policy')
     options.no_dnssec_validation = ansible_module.params.get(
         'no_dnssec_validation')
+    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
+    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
+    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
+    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
+    options.dns_policy = ansible_module.params.get('dns_policy')
     # ad trust
     options.enable_compat = ansible_module.params.get('enable_compat')
     options.netbios_name = ansible_module.params.get('netbios_name')
 
@@ -72,6 +72,32 @@
     type: bool
     default: no
     required: no
+  dot_forwarders:
+    description: List of DNS over TLS forwarders
+    type: list
+    elements: str
+    default: []
+    required: no
+  dns_over_tls:
+    description: Configure DNS over TLS
+    type: bool
+    default: no
+    required: no
+  dns_over_tls_cert:
+    description:
+      Certificate to use for DNS over TLS. If empty, a new
+      certificate will be requested from IPA CA
+    type: str
+    required: no
+  dns_over_tls_key:
+    description: Key for certificate specified in dns_over_tls_cert
+    type: str
+    required: no
+  dns_policy:
+    description: Encrypted DNS policy
+    type: str
+    choices: ['relaxed', 'enforced']
+    default: 'relaxed'
   dns_ip_addresses:
     description: The dns ip_addresses setting
     type: list
@@ -117,6 +143,9 @@
     gen_ReplicaConfig, gen_remote_api, api, redirect_stdout, dns,
     ansible_module_get_parsed_ip_addresses
 )
+# pylint: disable=unused-import
+from ansible.module_utils.ansible_ipa_replica import bindinstance  # noqa: F401
+# pylint: enable=unused-import
 
 
 def main():
@@ -135,6 +164,14 @@ def main():
                                 choices=['first', 'only'], default=None),
             no_dnssec_validation=dict(required=False, type='bool',
                                       default=False),
+            dot_forwarders=dict(required=False, type='list', elements='str',
+                                default=[]),
+            dns_over_tls=dict(required=False, type='bool', default=False),
+            dns_over_tls_cert=dict(required=False, type='str'),
+            dns_over_tls_key=dict(required=False, type='str'),
+            dns_policy=dict(required=False, type='str',
+                            choices=['relaxed', 'enforced'],
+                            default='relaxed'),
             # additional
             dns_ip_addresses=dict(required=True, type='list', elements='str'),
             dns_reverse_zones=dict(required=True, type='list', elements='str'),
@@ -167,6 +204,11 @@ def main():
     options.forward_policy = ansible_module.params.get('forward_policy')
     options.no_dnssec_validation = ansible_module.params.get(
         'no_dnssec_validation')
+    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
+    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
+    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
+    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
+    options.dns_policy = ansible_module.params.get('dns_policy')
     # additional
     dns.ip_addresses = ansible_module_get_parsed_ip_addresses(
         ansible_module, 'dns_ip_addresses')
 
@@ -181,6 +181,32 @@
     type: bool
     default: no
     required: no
+  dot_forwarders:
+    description: List of DNS over TLS forwarders
+    type: list
+    elements: str
+    default: []
+    required: no
+  dns_over_tls:
+    description: Configure DNS over TLS
+    type: bool
+    default: no
+    required: no
+  dns_over_tls_cert:
+    description:
+      Certificate to use for DNS over TLS. If empty, a new
+      certificate will be requested from IPA CA
+    type: str
+    required: no
+  dns_over_tls_key:
+    description: Key for certificate specified in dns_over_tls_cert
+    type: str
+    required: no
+  dns_policy:
+    description: Encrypted DNS policy
+    type: str
+    choices: ['relaxed', 'enforced']
+    default: 'relaxed'
 author:
     - Thomas Woerner (@t-woerner)
 '''
@@ -199,7 +225,8 @@
     paths, sysrestore, ansible_module_get_parsed_ip_addresses, service,
     redirect_stdout, create_ipa_conf, ipautil,
     x509, validate_domain_name, common_check,
-    IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert
+    IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert,
+    services, CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION
 )
 
 
@@ -250,6 +277,14 @@ def main():
                                 choices=['first', 'only'], default=None),
             no_dnssec_validation=dict(required=False, type='bool',
                                       default=False),
+            dot_forwarders=dict(required=False, type='list', elements='str',
+                                default=[]),
+            dns_over_tls=dict(required=False, type='bool', default=False),
+            dns_over_tls_cert=dict(required=False, type='str'),
+            dns_over_tls_key=dict(required=False, type='str'),
+            dns_policy=dict(required=False, type='str',
+                            choices=['relaxed', 'enforced'],
+                            default='relaxed'),
         ),
     )
 
@@ -298,6 +333,11 @@ def main():
     options.forward_policy = ansible_module.params.get('forward_policy')
     options.no_dnssec_validation = ansible_module.params.get(
         'no_dnssec_validation')
+    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
+    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
+    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
+    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
+    options.dns_policy = ansible_module.params.get('dns_policy')
 
     ##########################################################################
     # replica init ###########################################################
@@ -419,6 +459,14 @@ def main():
             ansible_module.fail_json(
                 msg="You cannot specify a --no-dnssec-validation option "
                 "without the --setup-dns option")
+        if installer.dns_over_tls_cert:
+            ansible_module.fail_json(
+                msg="You cannot specify a --dns-over-tls-cert option "
+                "without the --setup-dns option")
+        if installer.dns_over_tls_key:
+            ansible_module.fail_json(
+                msg="You cannot specify a --dns-over-tls-key option "
+                "without the --setup-dns option")
     elif installer.forwarders and installer.no_forwarders:
         ansible_module.fail_json(
             msg="You cannot specify a --forwarder option together with "
@@ -435,6 +483,31 @@ def main():
         ansible_module.fail_json(
             msg="You cannot specify a --auto-reverse option together with "
             "--no-reverse")
+    elif installer.dot_forwarders and not installer.dns_over_tls:
+        ansible_module.fail_json(
+            msg="You cannot specify a --dot-forwarder option "
+            "without the --dns-over-tls option")
+    elif (installer.dns_over_tls
+          and not services.knownservices["unbound"].is_installed()):
+        ansible_module.fail_json(
+            msg="To enable DNS over TLS, package ipa-server-encrypted-dns "
+            "must be installed.")
+    elif installer.dns_policy == "enforced" and not installer.dns_over_tls:
+        ansible_module.fail_json(
+            msg="You cannot specify a --dns-policy option "
+            "without the --dns-over-tls option")
+    elif installer.dns_over_tls_cert and not installer.dns_over_tls:
+        ansible_module.fail_json(
+            msg="You cannot specify a --dns-over-tls-cert option "
+            "without the --dns-over-tls option")
+    elif installer.dns_over_tls_key and not installer.dns_over_tls:
+        ansible_module.fail_json(
+            msg="You cannot specify a --dns-over-tls-key option "
+            "without the --dns-over-tls option")
+    elif bool(installer.dns_over_tls_key) != bool(installer.dns_over_tls_cert):
+        ansible_module.fail_json(
+            msg="You cannot specify a --dns-over-tls-key option "
+            "without the --dns-over-tls-cert option and vice versa")
 
     # replica installers
     if installer.servers and not installer.domain_name:
@@ -449,6 +522,10 @@ def main():
             ansible_module.fail_json(
                 msg="You must specify at least one of --forwarder, "
                 "--auto-forwarders, or --no-forwarders options")
+            if installer.dns_over_tls and not installer.dot_forwarders:
+                ansible_module.fail_json(
+                    msg="You must specify --dot-forwarder "
+                    "when enabling DNS over TLS")
 
     if installer.dirsrv_config_file is not None and \
        not os.path.exists(installer.dirsrv_config_file):
@@ -486,6 +563,11 @@ def main():
     if installer.domain_name is not None:
         validate_domain_name(installer.domain_name)
 
+    if installer.dns_over_tls and not CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION:
+        ansible_module.fail_json(
+            msg="Important patches for DNS over TLS are missing in your "
+            "IPA version.")
+
     ##########################################################################
     # replica promote_check excerpts #########################################
     ##########################################################################
 
@@ -187,6 +187,14 @@ def getargspec(func):
             from ipaserver.install import ntpinstance
             time_service = "ntpd"  # pylint: disable=invalid-name
 
+        try:
+            CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = False
+            from ipaclient.install.client import ClientInstallInterface
+        except ImportError:
+            pass
+        else:
+            if hasattr(ClientInstallInterface, "no_dnssec_validation"):
+                CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = True
     else:
         # IPA version < 4.6
         raise RuntimeError("freeipa version '%s' is too old" % VERSION)
@@ -337,12 +345,6 @@ def knobs(self):
 options.subject_base = None
 options.ca_subject = None
 
-# Hotfix for https://github.com/freeipa/freeipa/pull/7343
-options.dns_over_tls = False
-options.dns_over_tls_key = None
-options.dns_over_tls_cert = None
-options.dot_forwarders = None
-options.dns_policy = None
 # pylint: enable=attribute-defined-outside-init