author | Guilhem Moulin <guilhem@fripost.org> | 2025-01-28 14:26:18 +0100 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2025-01-28 14:26:18 +0100 |
commit | 20cd6ac5299a725558a85df7c93c34f4a67b15d5 (patch) | |
tree | f5ed4fc68e9ff8b4e4f44db249285c7e0d5331d8 /roles/common/tasks | |
parent | bcae4845763a067cafaeb672f173ed810bacb242 (diff) |
Resolver: Use systemd-resolved.
Diffstat (limited to 'roles/common/tasks')
-rw-r--r-- | roles/common/tasks/main.yml | 5 | ||||
-rw-r--r-- | roles/common/tasks/resolved.yml | 36 | ||||
-rw-r--r-- | roles/common/tasks/unbound.yml | 11 |
3 files changed, 41 insertions, 11 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index a6795ba..1dc286e 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -2,40 +2,45 @@
 - import_tasks: sysctl.yml tags: sysctl - import_tasks: hosts.yml - import_tasks: apt.yml tags: apt - name: Install intel-microcode apt: pkg=intel-microcode when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'" tags: intel - import_tasks: firewall.yml tags: - firewall - iptables - nftables - import_tasks: stunnel.yml tags: stunnel when: "'webmail' in group_names and 'LDAP_provider' not in group_names" - import_tasks: auditd.yml tags: auditd
+- import_tasks: resolved.yml
+ tags:
+ - resolv
+ - resolved
+ - dns
 - import_tasks: unbound.yml tags: - unbound - dns when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'" - import_tasks: rkhunter.yml tags: rkhunter - import_tasks: clamav.yml tags: clamav - import_tasks: fail2ban.yml tags: fail2ban - import_tasks: smart.yml tags: - smartmontools - smart when: "not ansible_virtualization_role == 'guest'" - name: Copy genkeypair.sh and gendhparam.sh copy: src=usr/local/bin/{{ item }} dest=/usr/local/bin/{{ item }} owner=root group=staff
diff --git a/roles/common/tasks/resolved.yml b/roles/common/tasks/resolved.yml
new file mode 100644
index 0000000..2834eaa
--- /dev/null
+++ b/roles/common/tasks/resolved.yml
@@ -0,0 +1,36 @@
+- name: Install systemd-resolved
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - systemd-resolved
+ - libnss-resolve
+ - libnss-myhostname
+
+- name: Create directory /etc/systemd/resolved.conf.d
+ file: path=/etc/systemd/resolved.conf.d
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Configure systemd-resolved
+ template: src=etc/systemd/resolved.conf.d/local.conf.j2
+ dest=/etc/systemd/resolved.conf.d/local.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Restart systemd-resolved
+
+- name: Start systemd-resolved
+ service: name=systemd-resolved.service enabled=true state=started
+
+- meta: flush_handlers
+
+- name: Remove resolvconf
+ apt: pkg=resolvconf state=absent purge=yes
+
+- name: Configure /etc/nsswitch.conf
+ lineinfile: "dest=/etc/nsswitch.conf create=no
+ regexp='^(hosts:\\s+).*'
+ line='\\1resolve [!UNAVAIL=return] files myhostname dns'
+ backrefs=true"
+ tags: nsswitch
diff --git a/roles/common/tasks/unbound.yml b/roles/common/tasks/unbound.yml
index b4554ac..dda6769 100644
--- a/roles/common/tasks/unbound.yml
+++ b/roles/common/tasks/unbound.yml
@@ -2,31 +2,20 @@
 apt: pkg={{ packages }} vars: packages: - unbound - dns-root-data - name: Copy unbound configuration template: src=templates/etc/unbound/unbound.conf.j2 dest=/etc/unbound/unbound.conf owner=root group=root mode=0644 register: r notify: - Restart unbound - name: Start unbound service: name=unbound state=started when: not r.changed #- meta: flush_handlers
-
-- name: Use the local DNS server
- lineinfile: dest=/etc/resolv.conf create=yes
- regexp='^nameserver\s+127\.0\.0\.1\s*$'
- line='nameserver 127.0.0.1'
- insertbefore='^\s*#*?nameserver\s'
- firstmatch=yes
- tags:
- - resolver
- notify:
- - Restart Postfix |
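Review bot: Nothing in resolved.yml makes /etc/resolv.conf point at the stub resolver once `Remove resolvconf` has purged the package, so programs that read that file directly rather than going through NSS (chrooted daemons, `dig`, anything not using glibc's resolver) may be left with whatever resolvconf last wrote there, including the `nameserver 127.0.0.1` entry that the task removed from unbound.yml used to manage. A task placed right after the purge, `- name: Point /etc/resolv.conf at systemd-resolved` with `file: src=/run/systemd/resolve/stub-resolv.conf path=/etc/resolv.conf state=link force=yes`, pins the intended state instead of relying on package maintainer scripts; if the distribution package is known to do this already, a comment saying so at that point would be enough. The removed unbound.yml task also notified `Restart Postfix` and nothing in the new file replaces it; if Postfix still copies /etc/resolv.conf into its chroot at start, the `Configure systemd-resolved` task probably still wants that notification. The upstream servers and any DNSSEC or DNS-over-TLS settings live in local.conf.j2, which is outside this diff, so a header comment in resolved.yml pointing readers to that template would help.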