Improve dns configs

playbooks/roles/acme_dns/vars/main.yml

@@ -23,5 +23,5 @@ acme_dns_compose:
     services:
       app:
         ports:
-          - "53:53"
-          - 53:53/udp
+          - "{{ ansible_default_ipv4.address }}:53:53"
+          - "{{ ansible_default_ipv4.address }}:53:53/udp"

playbooks/roles/dokku/vars/main.yml

@@ -9,6 +9,8 @@ dokku_svc:
   extra_svcs:
     - domain: serguzim.me
       www_domain: true
+      caddy_extra: |
+        import analytics
       hsts: true
       docker_host: host.docker.internal
       port: 3080

playbooks/roles/software/tasks/main.yml

@@ -5,11 +5,6 @@
     update_cache: true
   become: true
 
-- name: Install docker
-  ansible.builtin.import_tasks: docker.yml
-- name: Install docker rclone plugin
-  ansible.builtin.import_tasks: docker-rclone-plugin.yml
-
 - name: Install jq and bzip2
   ansible.builtin.apt:
     pkg:
@@ -19,26 +14,11 @@
     update_cache: true
   become: true
 
-- name: Check if autorestic is installed
-  ansible.builtin.stat:
-    path: /usr/local/bin/autorestic
-  register: autorestic_status
-
-- name: Install autorestic
-  ansible.builtin.shell:
-    executable: /usr/bin/bash
-    cmd: set -o pipefail && wget -qO - https://raw.githubusercontent.com/cupcakearmy/autorestic/master/install.sh | bash
-  when: not autorestic_status.stat.exists
-  changed_when: true
-  become: true
-
-- name: Check if restic is installed
-  ansible.builtin.stat:
-    path: /usr/local/bin/restic
-  register: restic_status
-
-- name: Install restic
-  ansible.builtin.command: autorestic install
-  when: not restic_status.stat.exists
-  changed_when: true
-  become: true
+- name: Install docker
+  ansible.builtin.import_tasks: docker.yml
+- name: Install docker rclone plugin
+  ansible.builtin.import_tasks: docker-rclone-plugin.yml
+- name: Install (auto-)restic
+  ansible.builtin.import_tasks: restic.yml
+- name: Install systemd-resolved
+  ansible.builtin.import_tasks: systemd-resolved.yml

playbooks/roles/software/tasks/restic.yml

@@ -0,0 +1,23 @@
+- name: Check if autorestic is installed
+  ansible.builtin.stat:
+    path: /usr/local/bin/autorestic
+  register: autorestic_status
+
+- name: Install autorestic
+  ansible.builtin.shell:
+    executable: /usr/bin/bash
+    cmd: set -o pipefail && wget -qO - https://raw.githubusercontent.com/cupcakearmy/autorestic/master/install.sh | bash
+  when: not autorestic_status.stat.exists
+  changed_when: true
+  become: true
+
+- name: Check if restic is installed
+  ansible.builtin.stat:
+    path: /usr/local/bin/restic
+  register: restic_status
+
+- name: Install restic
+  ansible.builtin.command: autorestic install
+  when: not restic_status.stat.exists
+  changed_when: true
+  become: true

playbooks/roles/software/tasks/systemd-resolved.yml

@@ -0,0 +1,34 @@
+- name: Install systemd-resolved
+  ansible.builtin.apt:
+    pkg:
+      - systemd-resolved
+    state: present
+    update_cache: true
+  become: true
+
+- name: Enable systemd-resolved
+  ansible.builtin.systemd_service:
+    name: systemd-resolved.service
+    state: started
+    enabled: true
+    daemon_reload: true
+  become: true
+  register: systemd_resolved_started
+
+- name: Restart other dns-related services
+  ansible.builtin.systemd_service:
+    name: "{{ item }}.service"
+    state: restarted
+    daemon_reload: true
+  become: true
+  when: systemd_resolved_started.changed # noqa: no-handler TODO can we add a handler here?
+  loop:
+    - tailscaled
+
+- name: Create resolv.conf symlink
+  ansible.builtin.file:
+    src: /run/systemd/resolve/stub-resolv.conf
+    dest: /etc/resolv.conf
+    force: true
+    state: link
+  become: true