From afb080143096ab76ca7e222176e390efa198076a Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Mon, 6 May 2024 18:55:00 +0300
Subject: [PATCH] unbound: add doh-local.sample

Works otherwise, but self-signed cert didn't satisfy Chromium I wanted to point at it
---
 .gitignore | 3 +++
 etc/unbound/unbound.conf.d/doh-local.sample | 9 +++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 etc/unbound/unbound.conf.d/doh-local.sample

diff --git a/.gitignore b/.gitignore
index 85d16822..577182ac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,9 @@
 !.pre-commit-config.yaml
 !.reuse
 
+# Certificates (unlikely to happen, but better safe than sorry)
+*.pem
+
 # Symlinks
 install.run
 LICENSE
diff --git a/etc/unbound/unbound.conf.d/doh-local.sample b/etc/unbound/unbound.conf.d/doh-local.sample
new file mode 100644
index 00000000..e471f1ea
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/doh-local.sample
@@ -0,0 +1,9 @@
+# semanage port -a -t dns_port_t -p tcp 4433
+interface: ::1@53
+interface: 127.0.0.1@53
+interface: ::1@4433
+interface: 127.0.0.1@4433
+https-port: 4433
+#http-notls-downstream: yes
+tls-service-key: /etc/unbound/conf.d/unbound.pem
+tls-service-pem: /etc/unbound/conf.d/unbound.pem
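Review bot: In the new doh-local.sample, `tls-service-key` and `tls-service-pem` both name `/etc/unbound/conf.d/unbound.pem`, so the private key sits in the same file as the certificate, and the sample says nothing about who may read it. I would add a comment above the two lines such as `# unbound.pem holds the private key too: keep it readable only by the unbound user (mode 0600)`, or split the key into its own file. The path also uses `conf.d/` while the sample itself lives under `unbound.conf.d/`; that may be intentional, but it is worth confirming the directory exists and is not matched by an include glob. The commented `#http-notls-downstream: yes` deserves a short warning as well, e.g. `# serves DoH without TLS; only for use behind a TLS-terminating proxy on loopback`, so nobody uncomments it to work around the self-signed certificate problem mentioned in the description.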