From 58ced1a85e428292dc8aa2042471bf2785b2e2e0 Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 30 Apr 2026 23:12:08 +0200
Subject: [PATCH] add capability to disable systemd-resolved to base_config
role
---
roles/base_config/meta/main.yaml | 1 +
.../defaults/main.yaml | 9 +++++
.../handlers/main.yaml | 7 ++++
.../meta/argument_specs.yaml | 21 +++++++++++
.../tasks/disable.yaml | 25 +++++++++++++
.../tasks/enable.yaml | 36 +++++++++++++++++++
.../tasks/main.yaml | 10 ++++++
.../templates/resolv.conf.j2 | 11 ++++++
.../templates/resolved.conf.j2 | 11 ++++++
9 files changed, 131 insertions(+)
create mode 100644 roles/deploy_systemd_resolved_config/defaults/main.yaml
create mode 100644 roles/deploy_systemd_resolved_config/handlers/main.yaml
create mode 100644 roles/deploy_systemd_resolved_config/meta/argument_specs.yaml
create mode 100644 roles/deploy_systemd_resolved_config/tasks/disable.yaml
create mode 100644 roles/deploy_systemd_resolved_config/tasks/enable.yaml
create mode 100644 roles/deploy_systemd_resolved_config/tasks/main.yaml
create mode 100644 roles/deploy_systemd_resolved_config/templates/resolv.conf.j2
create mode 100644 roles/deploy_systemd_resolved_config/templates/resolved.conf.j2
diff --git a/roles/base_config/meta/main.yaml b/roles/base_config/meta/main.yaml
index d1704a2..d7cc109 100644
--- a/roles/base_config/meta/main.yaml
+++ b/roles/base_config/meta/main.yaml
@@ -2,3 +2,4 @@
dependencies:
- role: deploy_ssh_server_config
- role: deploy_systemd_journal_config
+ - role: deploy_systemd_resolved_config
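Review bot: Making `deploy_systemd_resolved_config` a dependency of `base_config` applies the new role to every host that already uses base_config, and with the shipped defaults (`deploy_systemd_resolved_config__enable: true`, `__mode: "stub"`) that rewrites /etc/systemd/resolved.conf and re-points the /etc/resolv.conf link on all of them in one run. Hosts that manage DNS another way (resolvconf, NetworkManager-owned resolv.conf, containers) need `deploy_systemd_resolved_config__enable: false` or `deploy_systemd_resolved_config__mode: "extern"` set in inventory before this lands; that rollout note belongs in the commit message or the role's README so the change in blast radius is visible.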
diff --git a/roles/deploy_systemd_resolved_config/defaults/main.yaml b/roles/deploy_systemd_resolved_config/defaults/main.yaml
new file mode 100644
index 0000000..c322507
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/defaults/main.yaml
@@ -0,0 +1,9 @@
+---
+deploy_systemd_resolved_config__enable: true
+deploy_systemd_resolved_config__mode: "stub"
+deploy_systemd_resolved_config__dns: [ ]
+deploy_systemd_resolved_config__fallback_dns:
+ - "9.9.9.9"
+ - "149.112.112.112"
+ - "2620:fe::fe"
+ - "2620:fe::9"
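Review bot: The empty flow list on the `deploy_systemd_resolved_config__dns` line is written as `[ ]`; yamllint's default `brackets` rule wants `[]`, and the same inner-space style appears in the `tags: [ "..." ]` and `choices: [ ... ]` lists in the other new files, so it is worth normalising in one pass. The fallback servers are a public resolver and are used whenever no per-link DNS is known, so a short comment above `deploy_systemd_resolved_config__fallback_dns` such as `# Used only when no DNS server is learned per link (e.g. via DHCP); set __dns to pin resolvers explicitly` would make the default behaviour clear to operators.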
diff --git a/roles/deploy_systemd_resolved_config/handlers/main.yaml b/roles/deploy_systemd_resolved_config/handlers/main.yaml
new file mode 100644
index 0000000..b40760b
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/handlers/main.yaml
@@ -0,0 +1,7 @@
+---
+- name: "reload systemd-resolved"
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.systemd:
+ name: "systemd-resolved.service"
+ state: "restarted"
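Review bot: The handler is named "reload systemd-resolved" but performs `state: "restarted"`, which briefly interrupts name resolution on the host rather than reloading in place; the name should say what happens. Either rename it to `- name: "restart systemd-resolved"` and update the matching `notify:` in tasks/enable.yaml, or keep the name and add a comment explaining why a full restart is required here.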
diff --git a/roles/deploy_systemd_resolved_config/meta/argument_specs.yaml b/roles/deploy_systemd_resolved_config/meta/argument_specs.yaml
new file mode 100644
index 0000000..d9ad05f
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/meta/argument_specs.yaml
@@ -0,0 +1,21 @@
+---
+argument_specs:
+ main:
+ options:
+ deploy_systemd_resolved_config__enable:
+ description: "Whether systemd-resolved should be enabled or disabled"
+ type: bool
+ required: false
+ deploy_systemd_resolved_config__mode:
+ description: "Which /etc/resolv.conf compatibility mode should be configured"
+ type: str
+ required: false
+ choices: [ "stub", "static-stub", "passthru", "extern" ]
+ deploy_systemd_resolved_config__dns:
+ description: "A list of DNS servers that will be configured as default dns servers"
+ type: list
+ required: false
+ deploy_systemd_resolved_config__fallback_dns:
+ description: "A list of fallback DNS servers that will be configured"
+ type: list
+ required: false
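Review bot: The two `type: list` options carry no `elements:` and none of the four options declares a `default:`, so argument validation accepts a list of arbitrary values and the generated role docs show no defaults even though defaults/main.yaml defines them. Add `elements: str` under `deploy_systemd_resolved_config__dns` and `deploy_systemd_resolved_config__fallback_dns`, and a `default:` line per option mirroring defaults/main.yaml (for example `default: "stub"` under `deploy_systemd_resolved_config__mode`), so the spec and the defaults cannot drift apart unnoticed.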
diff --git a/roles/deploy_systemd_resolved_config/tasks/disable.yaml b/roles/deploy_systemd_resolved_config/tasks/disable.yaml
new file mode 100644
index 0000000..9092116
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/tasks/disable.yaml
@@ -0,0 +1,25 @@
+---
+- name: Ensure /etc/resolv.conf is a plain file
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.file:
+ path: "/etc/resolv.conf"
+ state: file
+
+- name: Write nameserver config directly into /etc/resolv.conf
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.template:
+ src: "resolv.conf.j2"
+ dest: "/etc/resolv.conf"
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: Disable systemd-resolved
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.systemd:
+ name: "systemd-resolved.service"
+ state: stopped
+ enabled: false
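Review bot: The first task, `ansible.builtin.file` with `state: file` on /etc/resolv.conf, does not convert a symlink into a plain file: with the module's default `follow: true` it operates on the link target, and it fails outright when /etc/resolv.conf is missing, so it adds a failure mode without doing the work its name describes. The following `ansible.builtin.template` task, with its default `follow: false`, already replaces a symlink at `dest` with a regular file, so the first task can be dropped; if the explicit check is wanted, document in a comment that it is only an existence guard. Stopping the service after the plain resolv.conf is written is the right order, since the stub file under /run is no longer referenced by then.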
diff --git a/roles/deploy_systemd_resolved_config/tasks/enable.yaml b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
new file mode 100644
index 0000000..395ef0d
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
@@ -0,0 +1,36 @@
+---
+- name: Deploy systemd-resolved config
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ notify: "reload systemd-resolved"
+ ansible.builtin.template:
+ src: resolved.conf.j2
+ dest: /etc/systemd/resolved.conf
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: Make /etc/resolv.conf points to systemd-resolved
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ when: deploy_systemd_resolved_config__mode != "extern"
+ ansible.builtin.file: # noqa: jinja
+ path: /etc/resolv.conf
+ state: link
+ force: true
+ src: >-
+ {%- if deploy_systemd_resolved_config__mode == "stub" -%}
+ /run/systemd/resolve/stub-resolv.conf
+ {%- elif deploy_systemd_resolved_config__mode == "static-stub" -%}
+ /usr/lib/systemd/resolv.conf
+ {%- elif deploy_systemd_resolved_config__mode == "passthru" -%}
+ /run/systemd/resolve/resolv.conf
+ {%- endif -%}
+
+- name: Ensure systemd-resolved is running and enabled
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.systemd:
+ name: systemd-resolved.service
+ state: started
+ enabled: true
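Review bot: The link task creates /etc/resolv.conf pointing at `/run/systemd/resolve/stub-resolv.conf` (or `/run/systemd/resolve/resolv.conf`) before the "Ensure systemd-resolved is running and enabled" task, and `force: true` lets it create a dangling link on a host where the service was not yet running; if the play stops between those two tasks the host is left without resolution. Move the `ansible.builtin.systemd` task ahead of the link task so the target exists when the link is made (the notified handler still restarts the service at the end for the new resolved.conf). The task name also has a grammar slip: `- name: Make /etc/resolv.conf point to systemd-resolved`.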
diff --git a/roles/deploy_systemd_resolved_config/tasks/main.yaml b/roles/deploy_systemd_resolved_config/tasks/main.yaml
new file mode 100644
index 0000000..00bc293
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/tasks/main.yaml
@@ -0,0 +1,10 @@
+---
+- name: Include enable.yaml
+ tags: [ "deploy_systemd_resolved_config" ]
+ ansible.builtin.include_tasks: enable.yaml
+ when: deploy_systemd_resolved_config__enable
+
+- name: Include disable.yaml
+ tags: [ "deploy_systemd_resolved_config" ]
+ ansible.builtin.include_tasks: disable.yaml
+ when: not deploy_systemd_resolved_config__enable
diff --git a/roles/deploy_systemd_resolved_config/templates/resolv.conf.j2 b/roles/deploy_systemd_resolved_config/templates/resolv.conf.j2
new file mode 100644
index 0000000..fd06a1a
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/templates/resolv.conf.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+{% for i in deploy_systemd_resolved_config__dns %}
+nameserver {{ i }}
+{% endfor %}
+
+{% for i in deploy_systemd_resolved_config__fallback_dns %}
+nameserver {{ i }}
+{% endfor %}
+
+options edns0
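Review bot: The template emits every entry of `deploy_systemd_resolved_config__dns` followed by every entry of `deploy_systemd_resolved_config__fallback_dns` as `nameserver` lines, but the glibc resolver only honours the first MAXNS (3) nameserver entries in resolv.conf, so with the four-address default fallback list the last address is silently ignored and any fallback entries after a non-empty `__dns` list never take effect. Either cap the rendered list (e.g. `{% for i in (deploy_systemd_resolved_config__dns + deploy_systemd_resolved_config__fallback_dns)[:3] %}`) or state the limit in a comment at the top of the template, and note that in this disabled mode the "fallback" servers become ordinary resolvers rather than a last resort.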
diff --git a/roles/deploy_systemd_resolved_config/templates/resolved.conf.j2 b/roles/deploy_systemd_resolved_config/templates/resolved.conf.j2
new file mode 100644
index 0000000..67968e4
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/templates/resolved.conf.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+# Since the config supports drop-in files,
+# use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.'
+#
+# See resolved.conf(5) for details
+
+[Resolve]
+DNS={{ deploy_systemd_resolved_config__dns | join(" ") }}
+FallbackDNS={{ deploy_systemd_resolved_config__fallback_dns | join(" ") }}
+
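Review bot: The comment line `# use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.'` has a stray trailing `'` that should be removed. The comment itself points at drop-in support, yet the role overwrites the whole /etc/systemd/resolved.conf; writing the same two keys to a drop-in such as /etc/systemd/resolved.conf.d/ with a role-specific name would leave distro-shipped settings in the main file untouched and make the role's contribution easy to identify, though that is a design choice to confirm with the author. With an empty `deploy_systemd_resolved_config__dns` the rendered `DNS=` line is empty, which is valid and means "no global servers"; a one-line comment above it saying so would save the next reader a trip to resolved.conf(5).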