tomodachi · tomodachi · Jul 24, 2023 · Jul 22, 2023 · Jul 24, 2023
diff --git a/README.md b/README.md
@@ -48,7 +48,15 @@ Configures a raspberry pi to boot diskless of a NFS share
 __mandatory variables:__  
 rootfs_path:   
 bootfs_path  
-
+
+## dns-over-tls
+DNS over TLS using Cloudflares clourflared for DNS proxying.
+
+__optional variables:__  
+cloudflared_release_ver:  
+doh_dns_1:  
+doh_dns_2:  
+
 ## single-nic-firewall
 Sets up a single nic NAT:ing Firewall with a DHCP server using VLANs & nftables for firewalling.   
 This required that you have a Switch with VLAN capabilities.  

diff --git a/roles/dns-over-tls/handlers/main.yml b/roles/dns-over-tls/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Reload systemd
+  ansible.builtin.systemd:
+    daemon_reload: true
diff --git a/roles/dns-over-tls/tasks/main.yml b/roles/dns-over-tls/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+
+- name: Detect arch for cloudflare deb
+  ansible.builtin.command:
+    cmd: dpkg --print-architecture
+  register: os_archn
+  changed_when: false
+
+- name: Download DNS over TLS Cloudflared
+  ansible.builtin.get_url:
+    url: "{{ cloudflared_release_ver }}{{ cloudflared_release_arch[os_arch.stdout] }}"
+    dest: /tmp/cloudflared.deb
+    owner: root
+    group: root
+    mode: '0700'
+
+- name: Install DNS over TLS Cloudflared
+  ansible.builtin.apt:
+    deb: /tmp/cloudflared.deb
+
+- name: Copy DNS over TLS Cloudflare systemd service
+  ansible.builtin.template:
+    src: cloudflared.service.j2
+    dest: /etc/systemd/system/cloudflared.service
+    owner: root
+    group: root
+    mode: '0600'
+  notify:
+    - Reload systemd
+
+- name: Enable DNS over TLS Cloudflare systemd service
+  ansible.builtin.systemd:
+    name: cloudflared
+    state: started
+    enabled: true
+
+- name: Clean up cloudflared download tmp files
+  ansible.builtin.file:
+    path: /tmp/cloudflared.deb
+    state: absent
diff --git a/roles/dns-over-tls/templates/cloudflared.service.j2 b/roles/dns-over-tls/templates/cloudflared.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=cloudflared DNS over HTTPS proxy
+After=syslog.target network-online.target
+
+[Service]
+Type=simple
+DynamicUser=yes
+ExecStart=/usr/local/bin/cloudflared proxy-dns --port 5053 --upstream https://{{ doh_dns_1 }}/dns-query --upstream https://{{ doh_dns_2 }}/dns-query
+Restart=on-failure
+RestartSec=10
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/dns-over-tls/vars/main.yml b/roles/dns-over-tls/vars/main.yml
@@ -0,0 +1,16 @@
+---
+
+# Cloudflare DNS related settings
+cloudflared_release_ver: https://github.com/cloudflare/cloudflared/releases/download/2023.7.1/
+
+cloudflared_release_arch:
+  amd64: cloudflared-linux-amd64.deb
+  arm64: cloudflared-linux-arm64.deb
+  armhf: cloudflared-linux-armhf.deb
+
+
+doh_dns_1: "1.1.1.1"
+doh_dns_2: "1.0.0.1"
+
+packages:
+  - dnsmasq
diff --git a/roles/librespot/tasks/main.yml b/roles/librespot/tasks/main.yml
@@ -45,6 +45,9 @@
     path: /etc/pulse/system.pa
     line: set-default-sink 1
     insertbefore: EOF
+    owner: root
+    group: root
+    mode: '0644'
 
 - name: Disable pulsaudio autospawn
   ansible.builtin.lineinfile:

diff --git a/roles/single-nic-firewall/templates/cloudflared.service.j2 b/roles/single-nic-firewall/templates/cloudflared.service.j2
@@ -0,0 +1,15 @@
+[Unit]
+Description=cloudflared DNS over HTTPS proxy
+After=syslog.target network-online.target
+
+[Service]
+Type=simple
+DynamicUser=yes
+EnvironmentFile=/etc/default/cloudflared
+ExecStart=/usr/local/bin/cloudflared proxy-dns --port 5053 --upstream https://{{ doh_dns_1 }}/dns-query --upstream https://{{ doh_dns_2 }}/dns-query
+Restart=on-failure
+RestartSec=10
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target