Add Editorconfig to standardize coding style

.editorconfig

@@ -0,0 +1,39 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+charset = utf-8
+trim_trailing_whitespace = true
+
+# YAML files
+[*.{yml,yaml}]
+indent_style = space
+indent_size = 2
+max_line_length = 120
+
+# Markdown files
+[*.md]
+indent_style = space
+indent_size = 2
+max_line_length = 120
+trim_trailing_whitespace = false
+
+# Jinja2 templates
+[*.j2]
+indent_style = space
+indent_size = 2
+
+# Shell scripts
+[*.sh]
+indent_style = space
+indent_size = 2
+
+# Terraform files
+[*.tf]
+indent_style = space
+indent_size = 2

.github/workflows/run-lint.yml

@@ -10,9 +10,10 @@ jobs:
 
     steps:
       - name: Check out project
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Check project formating
-        uses: creyD/prettier_action@v4.3
-        with:
-          prettier_options: --check .
+      - name: Install editorconfig-checker
+        uses: editorconfig-checker/action-editorconfig-checker@v2
+
+      - name: Check .editorconfig compliance
+        run: editorconfig-checker

ARCHITECTURE.md

@@ -38,14 +38,16 @@ graph LR
 
 ### DNS Frontend
 
-The frontend accepts client connections, validates DNS queries and forward them to the backend for name resolution, if the cache does not already provide an answer.
+The frontend accepts client connections, validates DNS queries and forward them to the backend for name resolution, if
+the cache does not already provide an answer.
 
 - Handles TLS encryption and Let's Encrypt certificates
 - Enforce rate limits to increase availability for all users
 
 ### DNS Backend
 
-The backend is only reachable by the _dnsdist_ frontend. If the answer to a query is not already cached it is resolved by querying the global domain name system (DNS).
+The backend is only reachable by the _dnsdist_ frontend. If the answer to a query is not already cached it is resolved
+by querying the global domain name system (DNS).
 
 - Prefetching cache to reduced latency
 - DNSSEC validation

CONTRIBUTION.md

@@ -21,9 +21,12 @@ on a way to achieve your idea.
 
 ## How to Contribute
 
-1. Fork the [DNS resolver repository](https://github.com/DigitaleGesellschaft/DNS-Resolver) to your own name space. For this, you need a GitHub account.
-2. For small changes you may use the GitHub web editor to directly fix a document. For larger changes you need to check out your fork of the _DNS resolver_ repository.
-3. Make your changes locally and commit them. For commit messages try to use existing commit messages as a guide. If your commit fixes or addresses an existing issue, please reference the issue number in your commit message.
+1. Fork the [DNS resolver repository](https://github.com/DigitaleGesellschaft/DNS-Resolver) to your own name space. For
+   this, you need a GitHub account.
+2. For small changes you may use the GitHub web editor to directly fix a document. For larger changes you need to check
+   out your fork of the _DNS resolver_ repository.
+3. Make your changes locally and commit them. For commit messages try to use existing commit messages as a guide. If
+   your commit fixes or addresses an existing issue, please reference the issue number in your commit message.
 4. Create a pull request (PR) to our _main_ branch.
 
 Example commit message:

FAQ.md

@@ -4,45 +4,66 @@ This document covers frequently asked questions about our secure DNS resolver sy
 
 ## General
 
-1. Can I use your secure DNS resolvers for private usage?
+**1. Can I use your secure DNS resolvers for private usage?**
 
-   - Yes.
+Yes.
 
-2. Why does the Digital Society provide this service?
+---
 
-   - We think a decentralised and censor resistant Internet is important for our society.
+**2. Why does the Digital Society provide this service?**
 
-3. How can I help?
-   - There are several things you can do:
-     - Review our [configuration files](configuration-files) and [guides](howtos) and improve them.
-     - The annual costs for operating the servers amount to 1'000 CHF. Perhaps it is possible for you to make a [donation](https://www.digitale-gesellschaft.ch/uber-uns/unterstuetzer-werden/).
+We think a decentralised and censor‑resistant Internet is important for our society.
+
+---
+
+**3. How can I help?**
+
+There are several things you can do:
+
+- Review our [configuration files](configuration-files) and [guides](howtos) and improve them.
+- The annual costs for operating the servers amount to 1'000 CHF. Perhaps it is possible for you to make a
+  [donation](https://www.digitale-gesellschaft.ch/uber-uns/unterstuetzer-werden/).
 
 ### For Companies
 
-1. Can I use your secure DNS resolvers for our employees?
-   - Technically yes, but we encourage you to set up your own secure resolvers.
+**1. Can I use your secure DNS resolvers for our employees?**
+
+Technically yes, but we encourage you to set up your own secure resolvers.
 
 ## Servers
 
-1. Where are the DNS resolvers located?
-   - Zurich, Switzerland
+**1. Where are the DNS resolvers located?**
+
+Zurich, Switzerland.
 
 ## Configuration
 
-1. Can I use your service for plain text (unencrypted) DNS?
-   - No, we only provide encrypted DNS-over-HTTPS or DNS-over-TLS. We deliberately do not operate a plain text DNS to avoid user configuration errors.
+**1. Can I use your service for plain text (unencrypted) DNS?**
+
+No, we only provide encrypted DNS-over-HTTPS or DNS-over-TLS. We deliberately do not operate a plain text DNS to
+avoid user configuration errors.
 
 ## Technical Questions
 
-1. Do you block any domains?
+**1. Do you block any domains?**
+
+No, we do not block any domain. Check out our transparency reports and privacy notice:
+https://www.digitale-gesellschaft.ch/dns/
+
+However, we do temporarily block clients or requests if they have malicious behaviour and/or impact our service for
+other users.
 
-   - No, we do not block any domain. Checkout our transparency reports and privacy notice: https://www.digitale-gesellschaft.ch/dns/ However, we do temporarily block clients or requests if they have malicious behaviour and/or impact our service for other users.
+---
 
-2. Do you support DNSCrypt?
-   - No, currently not.
+**2. Do you support DNSCrypt?**
+
+No, currently not.
 
 ## Common Problems
 
-1. Opening `https://dns.digitale-gesellschaft.ch/dns-query` in a web browser does not seem to work correctly.
+**1. Opening `https://dns.digitale-gesellschaft.ch/dns-query` in a web browser does not seem to work correctly.**
+
+The above URI is not meant to be opened directly in a web browser. It is the DNS-over-HTTPS (DoH) destination URI
+configuration. Configure this URI in your DoH client to query our DNS resolvers.
 
-   - The above URI is not meant to be opened directly in a web browser. It is the DNS-over-HTTPS (DoH) destination URI configuration. Configure this URI in your DoH client to query our DNS resolvers. When opened via a web browser, it is intended to always return `Unable to parse the request`.
+When opened via a web browser, it is intended to always return `Unable to parse the request`.

README.md

@@ -1,14 +1,18 @@
 # Secure DNS Resolver
 
-Information, configuration files and _how tos_ about the public secure DNS resolvers operated by the Digital Society Switzerland.
+Information, configuration files and _how tos_ about the public secure DNS resolvers operated by the Digital Society
+Switzerland.
 
-The Digital Society Switzerland runs publicly available DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) DNS resolver systems.
+The Digital Society Switzerland runs publicly available DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) DNS resolver
+systems.
 
 ![Secure DNS resolver overview](assets/Secure-DNS-Resolver-Overview.png)
 
 This repository contains:
 
-- [Configuration files](configuration-files) of our production systems. Anyone interested in our setup can review our production configuration or run its own setup based on our configuration files. You may also check out our [system architecture](ARCHITECTURE.md).
+- [Configuration files](configuration-files) of our production systems. Anyone interested in our setup can review our
+  production configuration or run its own setup based on our configuration files. You may also check out
+  our [system architecture](ARCHITECTURE.md).
 - [How tos](howtos) to configure encrypted DNS on various devices. This allows people to use our secure DNS resolvers.
 
 Also, checkout our [website](https://www.digitale-gesellschaft.ch/dns/) and the [FAQ](FAQ.md).
@@ -18,7 +22,7 @@ Also, checkout our [website](https://www.digitale-gesellschaft.ch/dns/) and the
 To use our DNS resolvers on your DoH or DoT capable client simply configure:
 
 | Protocol             | Address                                                                                          |
-| -------------------- | ------------------------------------------------------------------------------------------------ |
+|----------------------|--------------------------------------------------------------------------------------------------|
 | DNS-over-HTTPS (DoH) | `https://dns.digitale-gesellschaft.ch/dns-query`                                                 |
 | DNS-over-TLS (DoT)   | `dns.digitale-gesellschaft.ch` if you need to specify also a Port use the DoT default Port `853` |
 
@@ -28,7 +32,8 @@ For specific configuration check out our [How-Tos](howtos).
 
 # Contribution
 
-Contributions to this project are very welcome. If you like to contribute, check-out [CONTRIBUTION](CONTRIBUTION.md) for more information.
+Contributions to this project are very welcome. If you like to contribute, check-out [CONTRIBUTION](CONTRIBUTION.md) for
+more information.
 
 Some ideas where help is appreciated:
 

configuration-files/DOCUMENTATION.md

@@ -3,7 +3,7 @@
 ## Important Files
 
 | File                       | Description                                                                                                                                  |
-| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+|----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|
 | ansible.cfg                | Ansible configuration file.                                                                                                                  |
 | group_vars/\*              | Variables for local staging and productive DNS resolvers. Also contains the specific vault.yml files (these are not part of this repository) |
 | host_vars/\*               | Variables specific to Ansible controlled host.                                                                                               |
@@ -15,7 +15,7 @@
 ## Roles
 
 | Role              | Description                                                                                        |
-| ----------------- | -------------------------------------------------------------------------------------------------- |
+|-------------------|----------------------------------------------------------------------------------------------------|
 | base              | Basic server setup, user configuration, tool and package installation for basic server management. |
 | dns-backend       | Backend DNS resolver configuration, communicates with the domain name system (the Internet).       |
 | dns-frontend      | Frontend DNS resolver configuration, encrypted communicates with the users who use our service.    |
@@ -26,7 +26,7 @@
 ## Ansible Variables
 
 | Variable name                      | Description                                                |
-| ---------------------------------- | ---------------------------------------------------------- |
+|------------------------------------|------------------------------------------------------------|
 | `dg4_dns`                          | IP v4 default gateway                                      |
 | `dg6_dns`                          | IP v6 default gateway                                      |
 | `dnsdist_nof_thread_doh_per_ip`    | Number of dnsdist threads per DoH IP                       |

configuration-files/LOCAL.md

@@ -13,7 +13,8 @@ On your host install `lxc` by running:
 
 We do not keep sensitive information in this repository. Create these files:
 
-- In the `locl.yml` file the two systems `localdns1` and `localdns2` are referred. In order Ansible knows these host systems they need to be in the SSH configuration `~/.ssh/config` file e.g.:
+- In the `locl.yml` file the two systems `localdns1` and `localdns2` are referred. In order Ansible knows these host
+  systems they need to be in the SSH configuration `~/.ssh/config` file e.g.:
 
   ```
   host localdns1
@@ -27,7 +28,8 @@ We do not keep sensitive information in this repository. Create these files:
   Port <port>
   ```
 
-- Create a user to connect to. This might be your current user on your local machine. Create a file in `configuration-files/roles/base/tasks/users/$USER.yml` with this content. Change `$USER` with your current username.
+- Create a user to connect to. This might be your current user on your local machine. Create a file in
+  `configuration-files/roles/base/tasks/users/$USER.yml` with this content. Change `$USER` with your current username.
 
   ```
   ---
@@ -51,12 +53,16 @@ We do not keep sensitive information in this repository. Create these files:
     key: "add your public key here within the quotes e.g. `cat .ssh/id_rsa.pub`"
   ```
 
-- Create an encrypted secret file for ansible secrets. Contains secrets and passphrases in key-values pairs and is located in `configuration-files/group_vars/local/vault.yml`.
+- Create an encrypted secret file for ansible secrets. Contains secrets and passphrases in key-values pairs and is
+  located in `configuration-files/group_vars/local/vault.yml`.
   Some secrets require a specific syntax:
   - `dnsdist_control_interface_key`: [base64 encoded random string](https://www.dnsdist.org/guides/console.html)
-  - `keepalived_*`: [8 alphanumeric characters](https://manpages.ubuntu.com/manpages/latest/en/man5/keepalived.conf.5.html)
-  - `statistics_password`: Password hash (e.g. something generated by [htpasswd -n](https://manpages.ubuntu.com/manpages/latest/en/man1/htpasswd.1.html))
-  - Create a new encrypted file by running `ansible-vault create configuration-files/group_vars/local/vault.yml` and add the following content (these are example secrets):
+  -
+  `keepalived_*`: [8 alphanumeric characters](https://manpages.ubuntu.com/manpages/latest/en/man5/keepalived.conf.5.html)
+  - `statistics_password`: Password hash (e.g. something generated
+    by [htpasswd -n](https://manpages.ubuntu.com/manpages/latest/en/man1/htpasswd.1.html))
+  - Create a new encrypted file by running `ansible-vault create configuration-files/group_vars/local/vault.yml` and add
+    the following content (these are example secrets):
     ```
     dnsdist_control_interface_key: "G5t9FVaMWnceS9HCP7iNvvFdGnpycAOSJC4IUsG+wAc="
     dnsdist_webserver_api_key: "K[F|8I9?"

configuration-files/README.md

@@ -2,7 +2,8 @@
 
 Ansible managed configuration files for DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) DNS resolvers.
 
-This configuration applies to the Digital Society's production secure DNS resolver. This document describes how to use the Ansible setup for your own setup.
+This configuration applies to the Digital Society's production secure DNS resolver. This document describes how to use
+the Ansible setup for your own setup.
 
 If you are interested in:
 
@@ -11,7 +12,8 @@ If you are interested in:
 
 ## Apply the Ansible Configuration
 
-This step is very common, as soon as the Ansible configuration files are changed this step will activate the new configuration on the DNS resolvers.
+This step is very common, as soon as the Ansible configuration files are changed this step will activate the new
+configuration on the DNS resolvers.
 
 Change into `configuraiton-files` and start a dry-run of the Ansible configuration.
 
@@ -20,17 +22,20 @@ cd configuration-files
 ansible-playbook --ask-become-pass --ask-vault-pass resolver.yml --check
 ```
 
-When the output does not contain any unexpected surprises, remove the flag `--check` to definitively apply the configuration to the DNS resolvers.
+When the output does not contain any unexpected surprises, remove the flag `--check` to definitively apply the
+configuration to the DNS resolvers.
 
 ## Initial Setup
 
-This step is only performed if a new server is being added and the Ansible configuration is to be applied for the first time.
+This step is only performed if a new server is being added and the Ansible configuration is to be applied for the first
+time.
 
 1. Run the playbook:
    ```shell
    ansible-playbook  --ask-become-pass --ask-vault-pass resolver.yml
    ```
-2. Login to the server via SSH and create TLS certificates manually. Each productive server has two separate Let's Encrypt certificates. Following an example dry run on host `res3`. Remove `--dry-run` once there are no errors.
+2. Login to the server via SSH and create TLS certificates manually. Each productive server has two separate Let's
+   Encrypt certificates. Following an example dry run on host `res3`. Remove `--dry-run` once there are no errors.
    ```shell
    sudo certbot certonly --config /etc/letsencrypt/cli.ini --key-type ecdsa --cert-name res3.digitale-gesellschaft.ch.ecdsa -d res3.digitale-gesellschaft.ch --dry-run
    sudo certbot certonly --config /etc/letsencrypt/cli.ini --key-type ecdsa --cert-name dns.digitale-gesellschaft.ch.ecdsa -d dns.digitale-gesellschaft.ch -d dns1.digitale-gesellschaft.ch -d dns2.digitale-gesellschaft.ch --dry-run

configuration-files/roles/web_server/tasks/localencrypt.yml

@@ -95,24 +95,24 @@
   when:
     not pub_rsa_check.stat.exists
 
-    #
-    #- name: Create full chain files
-    #  copy:
-    #    src: "{{ item.src }}"
-    #    dest: "{{ item.dest }}"
-    #    # path: "{{ cert_path }}live/{{ item.name }}"
-    #    # state: touch
-    #    # mode: "0755"
-    #  loop:
-    #    - {
-    #        src: "{{ cert_path }}live/{{ name_intern }}.{{ domain }}.ecdsa/cert.pem",
-    #        dest: "{{ cert_path }}live/{{ name_intern }}.{{ domain }}.ecdsa/fullchain.pem",
-    #      }
-    #    - {
-    #        src: "{{ cert_path }}live/{{ host_public}}.{{ domain }}.ecdsa/cert.pem",
-    #        dest: "{{ cert_path }}live/{{ host_public}}.{{ domain }}.ecdsa/fullchain.pem",
-    #      }
-    #    - {
-    #        src: "{{ cert_path }}live/{{ host_public}}.{{ domain }}.rsa/cert.pem",
-    #        dest: "{{ cert_path }}live/{{ host_public}}.{{ domain }}.rsa/fullchain.pem",
-    #      }
+  #
+  #- name: Create full chain files
+  #  copy:
+  #    src: "{{ item.src }}"
+  #    dest: "{{ item.dest }}"
+  #    # path: "{{ cert_path }}live/{{ item.name }}"
+  #    # state: touch
+  #    # mode: "0755"
+  #  loop:
+  #    - {
+  #        src: "{{ cert_path }}live/{{ name_intern }}.{{ domain }}.ecdsa/cert.pem",
+  #        dest: "{{ cert_path }}live/{{ name_intern }}.{{ domain }}.ecdsa/fullchain.pem",
+  #      }
+  #    - {
+  #        src: "{{ cert_path }}live/{{ host_public}}.{{ domain }}.ecdsa/cert.pem",
+  #        dest: "{{ cert_path }}live/{{ host_public}}.{{ domain }}.ecdsa/fullchain.pem",
+  #      }
+  #    - {
+  #        src: "{{ cert_path }}live/{{ host_public}}.{{ domain }}.rsa/cert.pem",
+  #        dest: "{{ cert_path }}live/{{ host_public}}.{{ domain }}.rsa/fullchain.pem",
+  #      }