Add omarchy-setup-cloudflare-dns script (#752)

* Add omarchy-setup-cloudflare-dns script

Addresses issue #745 by providing user choice for DNS configuration.

Features:
- Makes Cloudflare DNS opt-in instead of forced default
- Preserves local development environments with DHCP option
- Includes custom DNS configuration support
- Provides backup/restore functionality
- Follows Omarchy naming conventions

Fixes #745

* Address DHH feedback on DNS configuration script

Changes based on maintainer review:
- Rename script to omarchy-setup-dns (more generic name)
- Remove /usr/local/bin installation (use PATH instead)
- Add migration to reset automatic Cloudflare DNS to DHCP
- Force DNS on physical interfaces only using systemd-networkd
- Exclude docker/virtual interfaces from forced DNS

Fixes local development environment issues while making Cloudflare DNS opt-in.

* Use timestamped backups and remove restore function

Follow Omarchy backup standards by using timestamped backup files
instead of fixed names. Remove restore function since backups now
have unpredictable names - users can manually restore if needed.

This matches the pattern used in omarchy-refresh-config.

* Add DNS over TLS support for enhanced security

Enable opportunistic DNS over TLS when using Cloudflare DNS. This
encrypts DNS queries when possible while falling back to regular DNS
if TLS isn't available, providing security without breaking compatibility.

Thanks to the suggestion in #696 for highlighting this improvement.

* Add certificate validation for DNS over TLS

The DNS servers now include their proper hostnames for certificate
validation (cloudflare-dns.com and dns.google). This ensures we're
actually talking to the real DNS servers when using encrypted DNS,
not some imposter.

Completes the implementation suggested in #696.

* Prevent backup file accumulation

Clean up old backup files before creating new ones to prevent the
accumulation of .bak.* files over time. Keeps only the most recent
backup while maintaining the timestamped naming pattern.

This ensures the system doesn't get cluttered with countless backup
files from repeated script runs.

* Simplify DNS setup script per review feedback

Reduced script complexity from 227 to 58 lines while maintaining core functionality.
Removed unnecessary backup system and systemd-networkd configuration.
Kept essential features: Cloudflare DNS with TLS, DHCP mode, and custom DNS option.
Script now follows established Omarchy conventions for simplicity and size.

* Allow setup from omarchy-menu

* Integrate into Omarchy Menu

* Align parameter

---------

Co-authored-by: David Heinemeier Hansson <david@hey.com>
Jarek 2025-08-24 13:34:04 +02:00 committed by GitHub
parent f4ef8eca65
commit c4b32c047a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 82 additions and 1 deletions


@ -127,7 +127,7 @@ show_setup_menu() {
local options=" Audio\n Wifi\n󰂯 Bluetooth\n󱐋 Power Profile\n󰍹 Monitors"
[ -f ~/.config/hypr/bindings.conf ] && options="$options\n Keybindings"
[ -f ~/.config/hypr/input.conf ] && options="$options\n Input"
options="$options\n Config\n󰈷 Fingerprint\n Fido2"
options="$options\n󰱔 DNS\n Config\n󰈷 Fingerprint\n Fido2"
case $(menu "Setup" "$options") in
*Audio*) alacritty --class=Wiremix -e wiremix ;;
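Review bot: The new `󰱔 DNS` entry is appended unconditionally, while the `Keybindings` and `Input` entries two lines above are guarded by a file test; since `omarchy-setup-dns` rewrites `/etc/systemd/resolved.conf`, consider guarding it the same way, e.g. `[ -f /etc/systemd/resolved.conf ] && options="$options\n󰱔 DNS"`, so the menu does not offer to reconfigure a resolver the host is not using.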
@ -143,6 +143,7 @@ show_setup_menu() {
*Monitors*) edit_in_nvim ~/.config/hypr/monitors.conf ;;
*Keybindings*) edit_in_nvim ~/.config/hypr/bindings.conf ;;
*Input*) edit_in_nvim ~/.config/hypr/input.conf ;;
*DNS*) present_terminal omarchy-setup-dns ;;
*Config*) show_setup_config_menu ;;
*Fingerprint*) present_terminal omarchy-setup-fingerprint ;;
*Fido2*) present_terminal omarchy-setup-fido2 ;;
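Review bot: `present_terminal omarchy-setup-dns` invokes the script with no argument, so the gum chooser always runs from the menu, which is consistent with the `Fingerprint` and `Fido2` entries; one documentation point: the script also accepts the provider as `$1` (`Cloudflare`, `DHCP`, `Custom`) and the migration's closing hint depends on that non-interactive form, so a usage line in the script header stating both forms would help.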

bin/omarchy-setup-dns Executable file

@ -0,0 +1,48 @@
#!/bin/bash
if [[ -z $1 ]]; then
dns=$(gum choose --height 5 --header "Select DNS provider" Cloudflare DHCP Custom)
else
dns=$1
fi
case "$dns" in
Cloudflare)
sudo tee /etc/systemd/resolved.conf >/dev/null <<'EOF'
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
FallbackDNS=8.8.8.8#dns.google 8.8.4.4#dns.google
DNSOverTLS=opportunistic
EOF
sudo systemctl restart systemd-resolved
;;
DHCP)
sudo tee /etc/systemd/resolved.conf >/dev/null <<'EOF'
[Resolve]
DNS=
FallbackDNS=
DNSOverTLS=no
EOF
sudo systemctl restart systemd-resolved
;;
Custom)
echo "Enter your DNS servers (space-separated, e.g. '192.168.1.1 1.1.1.1'):"
read -r dns_servers
if [[ -z "$dns_servers" ]]; then
echo "Error: No DNS servers provided."
exit 1
fi
sudo tee /etc/systemd/resolved.conf >/dev/null <<EOF
[Resolve]
DNS=$dns_servers
FallbackDNS=1.1.1.1 8.8.8.8
EOF
sudo systemctl restart systemd-resolved
;;
esac
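Review bot: The `case "$dns"` has no `*)` default and its patterns are case-sensitive, so `omarchy-setup-dns cloudflare` (the spelling used in the migration's comment) or any typo falls through and exits 0 without changing anything; add a `*) echo "Unknown DNS option: $dns"; exit 1 ;;` branch, or match on `${dns,,}` against lowercase patterns. Two further points on the `Cloudflare` branch: `DNSOverTLS=opportunistic` is documented in resolved.conf(5) as downgradable to plaintext by a responder that claims TLS is unsupported, and resolved does not enforce server certificate verification in that mode, so the `#cloudflare-dns.com` / `#dns.google` suffixes supply SNI but not the impostor protection the commit message describes (strict `DNSOverTLS=yes` does, at the cost of failing on networks that block port 853); and `sudo tee /etc/systemd/resolved.conf` replaces the whole file in every branch, discarding any other `[Resolve]` settings the user had, which a drop-in such as `/etc/systemd/resolved.conf.d/omarchy.conf` would avoid. In the `Custom` branch the user-supplied `$dns_servers` is expanded into the config unchecked and without a `DNSOverTLS=` line; a sanity check that each token parses as an IP address before writing the file would be worthwhile.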

migrations/1755109182.sh Executable file

@ -0,0 +1,32 @@
echo "Reset DNS configuration to DHCP (remove forced Cloudflare DNS)"
# Reset DNS to use DHCP by default instead of forcing Cloudflare
# This preserves local development environments (.local domains, etc.)
# Users can still opt-in to Cloudflare DNS using: omarchy-setup-dns cloudflare
if [ -f /etc/systemd/resolved.conf ]; then
# Backup current config with timestamp
backup_timestamp=$(date +"%Y%m%d%H%M%S")
sudo cp /etc/systemd/resolved.conf "/etc/systemd/resolved.conf.bak.${backup_timestamp}"
# Remove explicit DNS entries to use DHCP
sudo sed -i '/^DNS=/d' /etc/systemd/resolved.conf
sudo sed -i '/^FallbackDNS=/d' /etc/systemd/resolved.conf
# Add empty DNS entries to ensure DHCP is used
echo "DNS=" | sudo tee -a /etc/systemd/resolved.conf >/dev/null
echo "FallbackDNS=" | sudo tee -a /etc/systemd/resolved.conf >/dev/null
# Remove any forced DNS config from systemd-networkd
if [ -f /etc/systemd/network/99-omarchy-dns.network ]; then
sudo rm -f /etc/systemd/network/99-omarchy-dns.network
sudo systemctl restart systemd-networkd
fi
# Restart systemd-resolved to apply changes
sudo systemctl restart systemd-resolved
echo "DNS configuration reset to use DHCP (router DNS)"
echo "To use Cloudflare DNS, run: omarchy-setup-dns Cloudflare"
fi
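Review bot: The comment near the top says `omarchy-setup-dns cloudflare` while the final echo says `omarchy-setup-dns Cloudflare`; only the capitalised form matches the script's `case`, so align the comment. Also, `sudo systemctl restart systemd-networkd` starts the unit if it was inactive, which on a host whose interfaces are managed by something else can leave two managers competing; `systemctl try-restart systemd-networkd` only restarts it when it is already running. Minor: the two `sed` deletions remove `DNS=` and `FallbackDNS=` but leave any `DNSOverTLS=` line from an earlier run in place; adding `/^DNSOverTLS=/d` keeps the reset to DHCP complete.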