summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/main.yml5
-rw-r--r--roles/common/tasks/resolved.yml36
-rw-r--r--roles/common/tasks/unbound.yml11
-rw-r--r--roles/common/templates/etc/systemd/resolved.conf.d/local.conf.j211
5 files changed, 55 insertions, 11 deletions
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index bbaaef5..18462cb 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -29,6 +29,9 @@
- name: Restart rsyslog
service: name=rsyslog state=restarted
+- name: Restart systemd-resolved
+ service: name=systemd-resolved.service state=restarted
+
- name: Restart systemd-timesyncd
service: name=systemd-timesyncd state=restarted
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index a6795ba..1dc286e 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -19,6 +19,11 @@
when: "'webmail' in group_names and 'LDAP_provider' not in group_names"
- import_tasks: auditd.yml
tags: auditd
+- import_tasks: resolved.yml
+ tags:
+ - resolv
+ - resolved
+ - dns
- import_tasks: unbound.yml
tags:
- unbound
diff --git a/roles/common/tasks/resolved.yml b/roles/common/tasks/resolved.yml
new file mode 100644
index 0000000..2834eaa
--- /dev/null
+++ b/roles/common/tasks/resolved.yml
@@ -0,0 +1,36 @@
+- name: Install systemd-resolved
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - systemd-resolved
+ - libnss-resolve
+ - libnss-myhostname
+
+- name: Create directory /etc/systemd/resolved.conf.d
+ file: path=/etc/systemd/resolved.conf.d
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Configure systemd-resolved
+ template: src=etc/systemd/resolved.conf.d/local.conf.j2
+ dest=/etc/systemd/resolved.conf.d/local.conf
+ owner=root group=root
+ mode=0644
+ notify:
+ - Restart systemd-resolved
+
+- name: Start systemd-resolved
+ service: name=systemd-resolved.service enabled=true state=started
+
+- meta: flush_handlers
+
+- name: Remove resolvconf
+ apt: pkg=resolvconf state=absent purge=yes
+
+- name: Configure /etc/nsswitch.conf
+ lineinfile: "dest=/etc/nsswitch.conf create=no
+ regexp='^(hosts:\\s+).*'
+ line='\\1resolve [!UNAVAIL=return] files myhostname dns'
+ backrefs=true"
+ tags: nsswitch
diff --git a/roles/common/tasks/unbound.yml b/roles/common/tasks/unbound.yml
index b4554ac..dda6769 100644
--- a/roles/common/tasks/unbound.yml
+++ b/roles/common/tasks/unbound.yml
@@ -19,14 +19,3 @@
when: not r.changed
#- meta: flush_handlers
-
-- name: Use the local DNS server
- lineinfile: dest=/etc/resolv.conf create=yes
- regexp='^nameserver\s+127\.0\.0\.1\s*$'
- line='nameserver 127.0.0.1'
- insertbefore='^\s*#*?nameserver\s'
- firstmatch=yes
- tags:
- - resolver
- notify:
- - Restart Postfix
diff --git a/roles/common/templates/etc/systemd/resolved.conf.d/local.conf.j2 b/roles/common/templates/etc/systemd/resolved.conf.d/local.conf.j2
new file mode 100644
index 0000000..044170a
--- /dev/null
+++ b/roles/common/templates/etc/systemd/resolved.conf.d/local.conf.j2
@@ -0,0 +1,11 @@
+[Resolve]
+LLMNR=no
+{% if ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest' %}
+DNS=127.0.0.1
+# Quad9
+FallbackDNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+{% else %}
+# Quad9
+DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+{% endif %}
+Domains=fripost.org
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-31 06:05:35 +0000