5 files changed, 55 insertions, 11 deletions

diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index bbaaef5..18462cb 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -12,40 +12,43 @@
   apt: update_cache=yes
 
 - name: Restart unbound
   service: name=unbound state=restarted
 
 - name: Update rkhunter's data file
   command: /usr/bin/rkhunter --propupd
 
 - name: Update firewall
   command: /usr/local/sbin/update-firewall -c
 
 - name: Restart fail2ban
   service: name=fail2ban state=restarted
 
 - name: Restart IPsec
   service: name=ipsec state=restarted
 
 - name: Restart rsyslog
   service: name=rsyslog state=restarted
 
+- name: Restart systemd-resolved
+  service: name=systemd-resolved.service state=restarted
+
 - name: Restart systemd-timesyncd
   service: name=systemd-timesyncd state=restarted
 
 - name: Restart ntp
   service: name=ntp state=restarted
 
 - name: Restart Postfix
   service: name=postfix state=restarted
 
 - name: Reload Postfix
   service: name=postfix state=reloaded
 
 - name: Restart bacula-fd
   service: name=bacula-fd state=restarted
 
 - name: Restart munin-node
   service: name=munin-node state=restarted
 
 - name: Restart freshclam
   service: name=clamav-freshclam state=restarted
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index a6795ba..1dc286e 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -2,40 +2,45 @@
 - import_tasks: sysctl.yml
   tags: sysctl
 - import_tasks: hosts.yml
 - import_tasks: apt.yml
   tags: apt
 - name: Install intel-microcode
   apt: pkg=intel-microcode
   when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'"
   tags: intel
 - import_tasks: firewall.yml
   tags:
     - firewall
     - iptables
     - nftables
 
 - import_tasks: stunnel.yml
   tags: stunnel
   when: "'webmail' in group_names and 'LDAP_provider' not in group_names"
 - import_tasks: auditd.yml
   tags: auditd
+- import_tasks: resolved.yml
+  tags:
+    - resolv
+    - resolved
+    - dns
 - import_tasks: unbound.yml
   tags:
     - unbound
     - dns
   when: "ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest'"
 - import_tasks: rkhunter.yml
   tags: rkhunter
 - import_tasks: clamav.yml
   tags: clamav
 - import_tasks: fail2ban.yml
   tags: fail2ban
 - import_tasks: smart.yml
   tags:
     - smartmontools
     - smart
   when: "not ansible_virtualization_role == 'guest'"
 - name: Copy genkeypair.sh and gendhparam.sh
   copy: src=usr/local/bin/{{ item }}
         dest=/usr/local/bin/{{ item }}
         owner=root group=staff
diff --git a/roles/common/tasks/resolved.yml b/roles/common/tasks/resolved.yml
new file mode 100644
index 0000000..2834eaa
--- /dev/null
+++ b/roles/common/tasks/resolved.yml
@@ -0,0 +1,36 @@
+- name: Install systemd-resolved
+  apt: pkg={{ packages }}
+  vars:
+    packages:
+    - systemd-resolved
+    - libnss-resolve
+    - libnss-myhostname
+
+- name: Create directory /etc/systemd/resolved.conf.d
+  file: path=/etc/systemd/resolved.conf.d
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Configure systemd-resolved
+  template: src=etc/systemd/resolved.conf.d/local.conf.j2
+            dest=/etc/systemd/resolved.conf.d/local.conf
+            owner=root group=root
+            mode=0644
+  notify:
+    - Restart systemd-resolved
+
+- name: Start systemd-resolved
+  service: name=systemd-resolved.service enabled=true state=started
+
+- meta: flush_handlers
+
+- name: Remove resolvconf
+  apt: pkg=resolvconf state=absent purge=yes
+
+- name: Configure /etc/nsswitch.conf
+  lineinfile: "dest=/etc/nsswitch.conf create=no
+               regexp='^(hosts:\\s+).*'
+               line='\\1resolve [!UNAVAIL=return] files myhostname dns'
+               backrefs=true"
+  tags: nsswitch
diff --git a/roles/common/tasks/unbound.yml b/roles/common/tasks/unbound.yml
index b4554ac..dda6769 100644
--- a/roles/common/tasks/unbound.yml
+++ b/roles/common/tasks/unbound.yml
@@ -2,31 +2,20 @@
   apt: pkg={{ packages }}
   vars:
     packages:
     - unbound
     - dns-root-data
 
 - name: Copy unbound configuration
   template: src=templates/etc/unbound/unbound.conf.j2
             dest=/etc/unbound/unbound.conf
             owner=root group=root
             mode=0644
   register: r
   notify:
     - Restart unbound
 
 - name: Start unbound
   service: name=unbound state=started
   when: not r.changed
 
 #- meta: flush_handlers
-
-- name: Use the local DNS server
-  lineinfile: dest=/etc/resolv.conf create=yes
-              regexp='^nameserver\s+127\.0\.0\.1\s*$'
-              line='nameserver 127.0.0.1'
-              insertbefore='^\s*#*?nameserver\s'
-              firstmatch=yes
-  tags:
-    - resolver
-  notify:
-    - Restart Postfix
diff --git a/roles/common/templates/etc/systemd/resolved.conf.d/local.conf.j2 b/roles/common/templates/etc/systemd/resolved.conf.d/local.conf.j2
new file mode 100644
index 0000000..044170a
--- /dev/null
+++ b/roles/common/templates/etc/systemd/resolved.conf.d/local.conf.j2
@@ -0,0 +1,11 @@
+[Resolve]
+LLMNR=no
+{% if ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest' %}
+DNS=127.0.0.1
+# Quad9
+FallbackDNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+{% else %}
+# Quad9
+DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+{% endif %}
+Domains=fripost.org