From f817305718a44350c314bc2294041e3cd4b06ec3 Mon Sep 17 00:00:00 2001
From: Tobias Reisinger
Date: Thu, 31 Oct 2024 22:05:04 +0100
Subject: [PATCH] Improve dns configs
---
 playbooks/roles/acme_dns/vars/main.yml | 4 +--
 playbooks/roles/dokku/vars/main.yml | 2 ++
 playbooks/roles/software/tasks/main.yml | 36 +++++--------------
 playbooks/roles/software/tasks/restic.yml | 23 ++++++++++++
 .../roles/software/tasks/systemd-resolved.yml | 34 ++++++++++++++++++
 5 files changed, 69 insertions(+), 30 deletions(-)
 create mode 100644 playbooks/roles/software/tasks/restic.yml
 create mode 100644 playbooks/roles/software/tasks/systemd-resolved.yml
diff --git a/playbooks/roles/acme_dns/vars/main.yml b/playbooks/roles/acme_dns/vars/main.yml
index f6f38bd..f13d9ff 100644
--- a/playbooks/roles/acme_dns/vars/main.yml
+++ b/playbooks/roles/acme_dns/vars/main.yml
@@ -23,5 +23,5 @@ acme_dns_compose: services: app: ports:
- - "53:53"
- - 53:53/udp
+ - "{{ ansible_default_ipv4.address }}:53:53"
+ - "{{ ansible_default_ipv4.address }}:53:53/udp"
diff --git a/playbooks/roles/dokku/vars/main.yml b/playbooks/roles/dokku/vars/main.yml
index 1c3d999..1df39ba 100644
--- a/playbooks/roles/dokku/vars/main.yml
+++ b/playbooks/roles/dokku/vars/main.yml
@@ -9,6 +9,8 @@ dokku_svc: extra_svcs: - domain: serguzim.me www_domain: true
+ caddy_extra: |
+ import analytics hsts: true docker_host: host.docker.internal port: 3080
diff --git a/playbooks/roles/software/tasks/main.yml b/playbooks/roles/software/tasks/main.yml
index 31dd691..be52d1a 100644
--- a/playbooks/roles/software/tasks/main.yml
+++ b/playbooks/roles/software/tasks/main.yml
@@ -5,11 +5,6 @@ update_cache: true become: true
-- name: Install docker
- ansible.builtin.import_tasks: docker.yml
-- name: Install docker rclone plugin
- ansible.builtin.import_tasks: docker-rclone-plugin.yml
- - name: Install jq and bzip2 ansible.builtin.apt: pkg:
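Review bot: The two published ports in `acme_dns_compose` now depend on `ansible_default_ipv4.address`, which only exists when facts have been gathered and the host has a default IPv4 route, so a play with `gather_facts: false` (or a host without that route) now fails at template time instead of falling back to the previous all-interfaces binding. Binding to the primary address rather than `0.0.0.0` is presumably what lets the systemd-resolved stub listener added elsewhere in this commit keep `127.0.0.53:53`, but nothing in the file says so; record the intent above the first entry: `# bind to the primary interface only: 0.0.0.0:53 would clash with the systemd-resolved stub on 127.0.0.53`. Note also that only an IPv4 binding is published, so the service is IPv4-only — fine if intended, worth a word in the same comment. The rest of `acme_dns_compose` lies outside the hunk.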
@@ -19,26 +14,11 @@ update_cache: true become: true
-- name: Check if autorestic is installed
- ansible.builtin.stat:
- path: /usr/local/bin/autorestic
- register: autorestic_status
-
-- name: Install autorestic
- ansible.builtin.shell:
- executable: /usr/bin/bash
- cmd: set -o pipefail && wget -qO - https://raw.githubusercontent.com/cupcakearmy/autorestic/master/install.sh | bash
- when: not autorestic_status.stat.exists
- changed_when: true
- become: true
-
-- name: Check if restic is installed
- ansible.builtin.stat:
- path: /usr/local/bin/restic
- register: restic_status
-
-- name: Install restic
- ansible.builtin.command: autorestic install
- when: not restic_status.stat.exists
- changed_when: true
- become: true
+- name: Install docker
+ ansible.builtin.import_tasks: docker.yml
+- name: Install docker rclone plugin
+ ansible.builtin.import_tasks: docker-rclone-plugin.yml
+- name: Install (auto-)restic
+ ansible.builtin.import_tasks: restic.yml
+- name: Install systemd-resolved
+ ansible.builtin.import_tasks: systemd-resolved.yml
diff --git a/playbooks/roles/software/tasks/restic.yml b/playbooks/roles/software/tasks/restic.yml
new file mode 100644
index 0000000..87fe5a4
--- /dev/null
+++ b/playbooks/roles/software/tasks/restic.yml
@@ -0,0 +1,23 @@
+- name: Check if autorestic is installed
+ ansible.builtin.stat:
+ path: /usr/local/bin/autorestic
+ register: autorestic_status
+
+- name: Install autorestic
+ ansible.builtin.shell:
+ executable: /usr/bin/bash
+ cmd: set -o pipefail && wget -qO - https://raw.githubusercontent.com/cupcakearmy/autorestic/master/install.sh | bash
+ when: not autorestic_status.stat.exists
+ changed_when: true
+ become: true
+
+- name: Check if restic is installed
+ ansible.builtin.stat:
+ path: /usr/local/bin/restic
+ register: restic_status
+
+- name: Install restic
+ ansible.builtin.command: autorestic install
+ when: not restic_status.stat.exists
+ changed_when: true
+ become: true
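Review bot: `Install autorestic` in the new restic.yml still pipes an unpinned script from the upstream `master` branch straight into bash as root, so the binary that lands in `/usr/local/bin` is whatever that URL serves at run time, with no version pin and no integrity check, and `Install restic` then appears to delegate the restic download to `autorestic install` in the same unverified way. Because `when: not autorestic_status.stat.exists` skips the task once the file exists, the install is never refreshed either, so pinning a release costs nothing operationally. Fetch a pinned release asset with `ansible.builtin.get_url` and its `checksum:` parameter (sketch below, with URL and digest as role variables; add an unpack step if the chosen asset is an archive), and pin the restic version the same way instead of leaving it to `autorestic install`. The task file is moved verbatim, so the same applies to the removed block in main.yml's second hunk.
```yaml
- name: Install autorestic
  ansible.builtin.get_url:
    url: "{{ autorestic_release_url }}"  # pinned release asset, not a branch-tracking install script
    checksum: "sha256:{{ autorestic_release_sha256 }}"  # digest from the release's checksum file (placeholder variable)
    dest: /usr/local/bin/autorestic
    mode: "0755"
  become: true
# … unchanged: "Check if restic is installed" / "Install restic" tasks …
```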
diff --git a/playbooks/roles/software/tasks/systemd-resolved.yml b/playbooks/roles/software/tasks/systemd-resolved.yml
new file mode 100644
index 0000000..eb4fcca
--- /dev/null
+++ b/playbooks/roles/software/tasks/systemd-resolved.yml
@@ -0,0 +1,34 @@
+- name: Install systemd-resolved
+ ansible.builtin.apt:
+ pkg:
+ - systemd-resolved
+ state: present
+ update_cache: true
+ become: true
+
+- name: Enable systemd-resolved
+ ansible.builtin.systemd_service:
+ name: systemd-resolved.service
+ state: started
+ enabled: true
+ daemon_reload: true
+ become: true
+ register: systemd_resolved_started
+
+- name: Restart other dns-related services
+ ansible.builtin.systemd_service:
+ name: "{{ item }}.service"
+ state: restarted
+ daemon_reload: true
+ become: true
+ when: systemd_resolved_started.changed # noqa: no-handler TODO can we add a handler here?
+ loop:
+ - tailscaled
+
+- name: Create resolv.conf symlink
+ ansible.builtin.file:
+ src: /run/systemd/resolve/stub-resolv.conf
+ dest: /etc/resolv.conf
+ force: true
+ state: link
+ become: true
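Review bot: `Restart other dns-related services` runs before `Create resolv.conf symlink`, so on the first run tailscaled is restarted while `/etc/resolv.conf` is still the old file and only afterwards is it repointed at the stub — if tailscaled picks its DNS mode from resolv.conf at startup (to be confirmed), the restart happens one step too early. The `TODO` in the `when:` line has a direct answer: put `notify: Restart tailscaled` on the `Enable systemd-resolved` task, move the restart into a `Restart tailscaled` handler in the role's handlers (same `systemd_service` call with `state: restarted`), and follow the symlink task with `ansible.builtin.meta: flush_handlers` if the restart must complete inside this file rather than at the end of the play. Separately, `force: true` silently replaces whatever `/etc/resolv.conf` currently is (a static file, a DHCP-managed one, or another symlink) with no guard and no record of the previous state, and the import in main.yml is unconditional, so every host in the role gets it; a one-line comment such as `# replaces any existing resolv.conf: hosts that manage DNS elsewhere must not use this role` above the task, or a role flag gating the import, would make that explicit.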