Move DoH to 10.10.10.10 and 10.10.10.11

doh.mesh.nycmesh.net.zone

@@ -6,8 +6,9 @@ $TTL 3600
 nycmesh-713-dns-auth-3 A 199.170.132.47
 
 ; Recursive resolvers
-nycmesh-713-dns-rec-4 A 10.70.90.133
-nycmesh-713-jon-dns-rec-1 A 10.70.90.137
+nycmesh-713-dns-rec-4 A 10.10.10.10
+nycmesh-713-dns-rec-5 A 10.10.10.11
 
 ; doh.mesh.nycmesh.net
-@ A 10.70.90.133
+@ A 10.10.10.10
+@ A 10.10.10.11

infra/ansible/roles/knot_recursive/tasks/doh.yaml

@@ -1,45 +1,66 @@
-- name: Install deps
-  ansible.builtin.apt:
-    lock_timeout: 120
-    update_cache: true
-    pkg:
-      - python3-pip
-      - python3.11-venv
-      - cron
-
-- name: Install certbot
-  ansible.builtin.pip:
-    name:
-      - certbot==2.11.0
-      - certbot-dns-rfc2136==2.11.0
-    virtualenv: /root/certbot_venv
-    virtualenv_command: python3 -m venv
-
-- name: Certbot script
-  ansible.builtin.template:
-    src: certbot.sh.j2
-    dest: /root/certbot.sh
-    mode: "700"
-
-- name: Create tsig.ini
-  ansible.builtin.template:
-    src: tsig.ini.j2
-    dest: /root/tsig.ini
-    mode: "700"
-
-- name: Get cert
-  ansible.builtin.command:
-    cmd: /root/certbot.sh
-    creates: /etc/knot-resolver/server-cert.pem
-
-- name: Crontab
-  ansible.builtin.template:
-    src: certbot_update_cert.j2
-    dest: /etc/cron.d/certbot_update_cert
-    mode: "700"
-
-- name: Restart and enable cron service
-  ansible.builtin.service:
-    name: cron
-    state: restarted
-    enabled: true
+- name: Setup doh
+  when: DOH_SERVER != ""
+  block:
+    - name: Install deps
+      ansible.builtin.apt:
+        lock_timeout: 120
+        update_cache: true
+        pkg:
+          - python3-pip
+          - python3.11-venv
+          - cron
+
+    - name: Install certbot
+      ansible.builtin.pip:
+        name:
+          - certbot==2.11.0
+          - certbot-dns-rfc2136==2.11.0
+        virtualenv: /root/certbot_venv
+        virtualenv_command: python3 -m venv
+
+    - name: Certbot script
+      ansible.builtin.template:
+        src: certbot.sh.j2
+        dest: /root/certbot.sh
+        mode: "700"
+
+    - name: Create tsig.ini
+      ansible.builtin.template:
+        src: tsig.ini.j2
+        dest: /root/tsig.ini
+        mode: "700"
+
+    - name: Get cert
+      ansible.builtin.command:
+        cmd: /root/certbot.sh
+        creates: /etc/knot-resolver/server-cert.pem
+
+    - name: Crontab
+      ansible.builtin.template:
+        src: certbot_update_cert.j2
+        dest: /etc/cron.d/certbot_update_cert
+        mode: "700"
+
+    - name: Restart and enable cron service
+      ansible.builtin.service:
+        name: cron
+        state: restarted
+        enabled: true
+
+- name: Setup doh
+  when: DOH_SERVER == ""
+  block:
+    - name: Cleanup crontab
+      ansible.builtin.file:
+        path: /etc/cron.d/certbot_update_cert
+        state: absent
+
+    - name: Cleanup tsig
+      ansible.builtin.file:
+        path: /root/tsig.ini
+        state: absent
+
+    - name: Cleanup certbot
+      ansible.builtin.file:
+        path: /root/certbot.sh
+        state: absent

infra/ansible/roles/knot_recursive/tasks/main.yaml

@@ -56,7 +56,6 @@
 - name: Setup DoH
   ansible.builtin.include_tasks:
     file: doh.yaml
-  when: DOH_SERVER != ""
 
 - name: Fix kres-cache-gc.service
   ansible.builtin.lineinfile:

infra/terraform/vars.tf

@@ -214,7 +214,6 @@ variable "main_auth_server_ip" {
 variable "mesh_stub_resolver" {
   type        = string
   description = "resolver for mesh bound queries"
-  default     = "10.10.10.11"
 }
 
 variable "bird_ospf_cost" {