Replace Google DNS fallback with Quad9 (9.9.9.9, 149.112.112.112)
for better privacy consistency. Users choosing Cloudflare likely
value privacy, so Quad9 is a more appropriate fallback than Google.
As discussed in #752 and approved by @dhh in #1043.
Implements DHH's requirement to ensure wlan0 and ethernet interfaces
respect the DNS configuration while excluding docker/loop interfaces.
When using Cloudflare or Custom DNS:
- Sets UseDNS=no in DHCPv4 sections
- Sets UseDNS=no in IPv6AcceptRA sections
- Only configures primary interfaces (en*, eth*, wl*)
- Restarts both systemd-networkd and systemd-resolved
When using DHCP:
- Removes UseDNS=no to allow DHCP provided DNS
- Restores default behavior for all interfaces
Script size increased from 58 to 89 lines to properly handle all
network interfaces as requested.
* Add omarchy-setup-cloudflare-dns script
Addresses issue #745 by providing user choice for DNS configuration.
Features:
- Makes Cloudflare DNS opt-in instead of forced default
- Preserves local development environments with DHCP option
- Includes custom DNS configuration support
- Provides backup/restore functionality
- Follows Omarchy naming conventions
Fixes#745
* Address DHH feedback on DNS configuration script
Changes based on maintainer review:
- Rename script to omarchy-setup-dns (more generic name)
- Remove /usr/local/bin installation (use PATH instead)
- Add migration to reset automatic Cloudflare DNS to DHCP
- Force DNS on physical interfaces only using systemd-networkd
- Exclude docker/virtual interfaces from forced DNS
Fixes local development environment issues while making Cloudflare DNS opt-in.
* Use timestamped backups and remove restore function
Follow Omarchy backup standards by using timestamped backup files
instead of fixed names. Remove restore function since backups now
have unpredictable names - users can manually restore if needed.
This matches the pattern used in omarchy-refresh-config.
* Add DNS over TLS support for enhanced security
Enable opportunistic DNS over TLS when using Cloudflare DNS. This
encrypts DNS queries when possible while falling back to regular DNS
if TLS isn't available, providing security without breaking compatibility.
Thanks to the suggestion in #696 for highlighting this improvement.
* Add certificate validation for DNS over TLS
The DNS servers now include their proper hostnames for certificate
validation (cloudflare-dns.com and dns.google). This ensures we're
actually talking to the real DNS servers when using encrypted DNS,
not some imposter.
Completes the implementation suggested in #696.
* Prevent backup file accumulation
Clean up old backup files before creating new ones to prevent the
accumulation of .bak.* files over time. Keeps only the most recent
backup while maintaining the timestamped naming pattern.
This ensures the system doesn't get cluttered with countless backup
files from repeated script runs.
* Simplify DNS setup script per review feedback
Reduced script complexity from 227 to 58 lines while maintaining core functionality.
Removed unnecessary backup system and systemd-networkd configuration.
Kept essential features: Cloudflare DNS with TLS, DHCP mode, and custom DNS option.
Script now follows established Omarchy conventions for simplicity and size.
* Allow setup from omarchy-menu
* Integrate into Omarchy Menu
* Align parameter
---------
Co-authored-by: David Heinemeier Hansson <david@hey.com>
