From 58ced1a85e428292dc8aa2042471bf2785b2e2e0 Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 30 Apr 2026 23:12:08 +0200
Subject: [PATCH 1/3] add capability to disable systemd-resolved to base_config
role
---
roles/base_config/meta/main.yaml | 1 +
.../defaults/main.yaml | 9 +++++
.../handlers/main.yaml | 7 ++++
.../meta/argument_specs.yaml | 21 +++++++++++
.../tasks/disable.yaml | 25 +++++++++++++
.../tasks/enable.yaml | 36 +++++++++++++++++++
.../tasks/main.yaml | 10 ++++++
.../templates/resolv.conf.j2 | 11 ++++++
.../templates/resolved.conf.j2 | 11 ++++++
9 files changed, 131 insertions(+)
create mode 100644 roles/deploy_systemd_resolved_config/defaults/main.yaml
create mode 100644 roles/deploy_systemd_resolved_config/handlers/main.yaml
create mode 100644 roles/deploy_systemd_resolved_config/meta/argument_specs.yaml
create mode 100644 roles/deploy_systemd_resolved_config/tasks/disable.yaml
create mode 100644 roles/deploy_systemd_resolved_config/tasks/enable.yaml
create mode 100644 roles/deploy_systemd_resolved_config/tasks/main.yaml
create mode 100644 roles/deploy_systemd_resolved_config/templates/resolv.conf.j2
create mode 100644 roles/deploy_systemd_resolved_config/templates/resolved.conf.j2
diff --git a/roles/base_config/meta/main.yaml b/roles/base_config/meta/main.yaml
index d1704a2..d7cc109 100644
--- a/roles/base_config/meta/main.yaml
+++ b/roles/base_config/meta/main.yaml
@@ -2,3 +2,4 @@
dependencies:
- role: deploy_ssh_server_config
- role: deploy_systemd_journal_config
+ - role: deploy_systemd_resolved_config
diff --git a/roles/deploy_systemd_resolved_config/defaults/main.yaml b/roles/deploy_systemd_resolved_config/defaults/main.yaml
new file mode 100644
index 0000000..c322507
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/defaults/main.yaml
@@ -0,0 +1,9 @@
+---
+deploy_systemd_resolved_config__enable: true
+deploy_systemd_resolved_config__mode: "stub"
+deploy_systemd_resolved_config__dns: [ ]
+deploy_systemd_resolved_config__fallback_dns:
+ - "9.9.9.9"
+ - "149.112.112.112"
+ - "2620:fe::fe"
+ - "2620:fe::9"
diff --git a/roles/deploy_systemd_resolved_config/handlers/main.yaml b/roles/deploy_systemd_resolved_config/handlers/main.yaml
new file mode 100644
index 0000000..b40760b
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/handlers/main.yaml
@@ -0,0 +1,7 @@
+---
+- name: "reload systemd-resolved"
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.systemd:
+ name: "systemd-resolved.service"
+ state: "restarted"
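Review bot: The handler is named `reload systemd-resolved` but performs `state: "restarted"`, which stops the resolver for a moment on every config change; the name suggests a lighter operation with no resolution gap. Either rename it to `restart systemd-resolved` (and the `notify:` in enable.yaml to match) or, if the unit supports reload on the targeted distributions, use `state: "reloaded"`. Keeping name and action aligned matters because anyone reading the play will assume no outage is triggered by a template change.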
diff --git a/roles/deploy_systemd_resolved_config/meta/argument_specs.yaml b/roles/deploy_systemd_resolved_config/meta/argument_specs.yaml
new file mode 100644
index 0000000..d9ad05f
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/meta/argument_specs.yaml
@@ -0,0 +1,21 @@
+---
+argument_specs:
+ main:
+ options:
+ deploy_systemd_resolved_config__enable:
+ description: "Whether systemd-resolved should be enabled or disabled"
+ type: bool
+ required: false
+ deploy_systemd_resolved_config__mode:
+ description: "Which /etc/resolv.conf compatibility mode should be configured"
+ type: str
+ required: false
+ choices: [ "stub", "static-stub", "passthru", "extern" ]
+ deploy_systemd_resolved_config__dns:
+ description: "A list of DNS servers that will be configured as default dns servers"
+ type: list
+ required: false
+ deploy_systemd_resolved_config__fallback_dns:
+ description: "A list of fallback DNS servers that will be configured"
+ type: list
+ required: false
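Review bot: The two `type: list` options (`deploy_systemd_resolved_config__dns` and `__fallback_dns`) declare no element type, so a list containing non-string entries would pass validation and only surface later inside `join(" ")` in resolved.conf.j2 or the `nameserver` loop in resolv.conf.j2. Add `elements: str` under each of the two `type: list` lines so entry types are checked at role entry. The `description` of `__mode` could also state that `extern` leaves `/etc/resolv.conf` untouched, since that is what the `when` on the link task in enable.yaml does.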
diff --git a/roles/deploy_systemd_resolved_config/tasks/disable.yaml b/roles/deploy_systemd_resolved_config/tasks/disable.yaml
new file mode 100644
index 0000000..9092116
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/tasks/disable.yaml
@@ -0,0 +1,25 @@
+---
+- name: Ensure /etc/resolv.conf is a plain file
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.file:
+ path: "/etc/resolv.conf"
+ state: file
+
+- name: Write nameserver config directly into /etc/resolv.conf
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.template:
+ src: "resolv.conf.j2"
+ dest: "/etc/resolv.conf"
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: Disable systemd-resolved
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.systemd:
+ name: "systemd-resolved.service"
+ state: stopped
+ enabled: false
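Review bot: `Ensure /etc/resolv.conf is a plain file` does not do what its name says: `ansible.builtin.file` with `state: file` only asserts the path exists and follows symlinks by default, so on a host where resolved was previously in stub mode the symlink to `/run/systemd/resolve/stub-resolv.conf` is left in place, and if that link is dangling (resolved already stopped after a reboot) the task fails outright. As far as I can tell the following `ansible.builtin.template` replaces the link with a regular file anyway, so the task could simply be dropped; if the intent is to be explicit, stat the path without following and remove it only when it is a link, as below. The ordering of writing resolv.conf before stopping the unit is good and should stay.
```yaml
- name: Check whether /etc/resolv.conf is a symlink
  tags: [ "deploy_systemd_resolved_config" ]
  become: true
  ansible.builtin.stat:
    path: "/etc/resolv.conf"
    follow: false
  register: deploy_systemd_resolved_config__resolv_conf_stat

- name: Remove /etc/resolv.conf symlink left behind by systemd-resolved
  tags: [ "deploy_systemd_resolved_config" ]
  become: true
  ansible.builtin.file:
    path: "/etc/resolv.conf"
    state: absent
  when: deploy_systemd_resolved_config__resolv_conf_stat.stat.islnk | default(false)

# … unchanged: template resolv.conf.j2, then stop/disable systemd-resolved …
```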
diff --git a/roles/deploy_systemd_resolved_config/tasks/enable.yaml b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
new file mode 100644
index 0000000..395ef0d
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
@@ -0,0 +1,36 @@
+---
+- name: Deploy systemd-resolved config
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ notify: "reload systemd-resolved"
+ ansible.builtin.template:
+ src: resolved.conf.j2
+ dest: /etc/systemd/resolved.conf
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: Make /etc/resolv.conf points to systemd-resolved
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ when: deploy_systemd_resolved_config__mode != "extern"
+ ansible.builtin.file: # noqa: jinja
+ path: /etc/resolv.conf
+ state: link
+ force: true
+ src: >-
+ {%- if deploy_systemd_resolved_config__mode == "stub" -%}
+ /run/systemd/resolve/stub-resolv.conf
+ {%- elif deploy_systemd_resolved_config__mode == "static-stub" -%}
+ /usr/lib/systemd/resolv.conf
+ {%- elif deploy_systemd_resolved_config__mode == "passthru" -%}
+ /run/systemd/resolve/resolv.conf
+ {%- endif -%}
+
+- name: Ensure systemd-resolved is running and enabled
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.systemd:
+ name: systemd-resolved.service
+ state: started
+ enabled: true
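Review bot: `Make /etc/resolv.conf points to systemd-resolved` creates the symlink before `Ensure systemd-resolved is running and enabled` starts the unit; on a host where resolved was previously stopped, `/run/systemd/resolve/stub-resolv.conf` (or `resolv.conf` in passthru mode) does not exist yet, so with `force: true` the module creates a dangling link and name resolution is broken until the next task runs. Move the `Ensure systemd-resolved is running and enabled` task above the link task so the target exists when the link is created. Minor: the task name should read `point to` rather than `points to`, and `src:`/`dest:` are unquoted here while disable.yaml quotes them — pick one style for the role.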
diff --git a/roles/deploy_systemd_resolved_config/tasks/main.yaml b/roles/deploy_systemd_resolved_config/tasks/main.yaml
new file mode 100644
index 0000000..00bc293
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/tasks/main.yaml
@@ -0,0 +1,10 @@
+---
+- name: Include enable.yaml
+ tags: [ "deploy_systemd_resolved_config" ]
+ ansible.builtin.include_tasks: enable.yaml
+ when: deploy_systemd_resolved_config__enable
+
+- name: Include disable.yaml
+ tags: [ "deploy_systemd_resolved_config" ]
+ ansible.builtin.include_tasks: disable.yaml
+ when: not deploy_systemd_resolved_config__enable
diff --git a/roles/deploy_systemd_resolved_config/templates/resolv.conf.j2 b/roles/deploy_systemd_resolved_config/templates/resolv.conf.j2
new file mode 100644
index 0000000..fd06a1a
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/templates/resolv.conf.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+{% for i in deploy_systemd_resolved_config__dns %}
+nameserver {{ i }}
+{% endfor %}
+
+{% for i in deploy_systemd_resolved_config__fallback_dns %}
+nameserver {{ i }}
+{% endfor %}
+
+options edns0
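Review bot: Both lists are rendered as plain `nameserver` lines, so the fallback semantics are lost and glibc's resolver only consults the first three `nameserver` entries (MAXNS); with the role defaults that means the two Quad9 IPv6 fallback addresses are never used, and any primary servers beyond the third are silently ignored. Add a comment in the template stating this, e.g. `{# glibc uses at most the first 3 nameserver entries; fallback servers are just appended in order #}`, and consider mentioning it in the role docs next to the note about the disabled case. The template also emits blank lines when a list is empty, which is harmless but could be avoided with `{%- ... -%}` whitespace control.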
diff --git a/roles/deploy_systemd_resolved_config/templates/resolved.conf.j2 b/roles/deploy_systemd_resolved_config/templates/resolved.conf.j2
new file mode 100644
index 0000000..67968e4
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/templates/resolved.conf.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+# Since the config supports drop-in files,
+# use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.'
+#
+# See resolved.conf(5) for details
+
+[Resolve]
+DNS={{ deploy_systemd_resolved_config__dns | join(" ") }}
+FallbackDNS={{ deploy_systemd_resolved_config__fallback_dns | join(" ") }}
+
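Review bot: The comment on the `systemd-analyze cat-config` line ends with a stray `'` after `config.` and should read `... to display the full config.`. Rendering `DNS=` with the default empty `deploy_systemd_resolved_config__dns` looks intentional — resolved treats an empty assignment as clearing the list, as far as I recall — but it deserves a one-line comment above `[Resolve]` so nobody "fixes" it later, e.g. `# An empty DNS= is intentional: servers then come from per-link config or FallbackDNS.` The file also ends with an extra blank line.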
From c304a1c82a188bc1725cdb08c59a4aa4d631bad0 Mon Sep 17 00:00:00 2001
From: lilly
Date: Sat, 2 May 2026 00:42:16 +0200
Subject: [PATCH 2/3] add README.md to deploy_systemd_resolved_config role
---
.../deploy_systemd_resolved_config/README.md | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 roles/deploy_systemd_resolved_config/README.md
diff --git a/roles/deploy_systemd_resolved_config/README.md b/roles/deploy_systemd_resolved_config/README.md
new file mode 100644
index 0000000..fbd6c78
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/README.md
@@ -0,0 +1,21 @@
+# Role `deploy_systemd_resolved_config`
+
+A role for deploying a minimal configuration for [systemd-resolved](https://man.archlinux.org/man/systemd-resolved.8) or alternatively completely disabling it.
+
+!! Note
+If systemd-resolved is disabled, the configuration is instead rendered directly into `/etc/resolv.conf` to ensure a node does not accidentally lose name resolving capabilities.
+
+## Optional Arguments
+
+- `deploy_systemd_resolved_config__enable` (defaults to `true`) decides whether systemd-resolved should be enabled or disabled.
+
+- `deploy_systemd_resolved_config__mode` (defaults to `stub`) controls which compatibility mode is used for `/etc/resolv.conf` when systemd-resolved is enabled. See [man systemd-resolved(8)](https://man.archlinux.org/man/systemd-resolved.8#/ETC/RESOLV.CONF).
+
+- `deploy_systemd_resolved_config__dns` is the list of primary DNS servers that will be configured. If e.g. a specific link configures other DNS servers, they will take precedence.
+
+- `deploy_systemd_resolved_config__fallback_dns` (defaults to Quad9) is the list of fallback DNS servers. If, at runtime, none of the configured primary DNS servers are reachable, these servers will be used as fallback.
+
+## Hosts
+
+This role is included as a dependency to [base_config](../base_config/) and therefore does not need to be explicitly pulled in.
+
From 735de78180cbfe2e79893686d313b50a16e239fb Mon Sep 17 00:00:00 2001
From: Renovate
Date: Sat, 2 May 2026 00:16:56 +0000
Subject: [PATCH 3/3] Update docker.io/library/postgres Docker tag to v18
---
inventories/chaosknoten/host_vars/cloud.yaml | 2 +-
resources/chaosknoten/lists/docker_compose/compose.yaml | 2 +-
resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml
index 9c28d58..0a1d845 100644
--- a/inventories/chaosknoten/host_vars/cloud.yaml
+++ b/inventories/chaosknoten/host_vars/cloud.yaml
@@ -1,7 +1,7 @@
# renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
nextcloud__version: 32
# renovate: datasource=docker depName=docker.io/library/postgres
-nextcloud__postgres_version: 15.17
+nextcloud__postgres_version: 18.3
nextcloud__fqdn: cloud.hamburg.ccc.de
nextcloud__data_dir: /data/nextcloud
nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
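Review bot: `nextcloud__postgres_version: 18.3` is an unquoted scalar and parses as a float; it happens to round-trip here, but a future `18.10` would become `18.1`, so the value should be `"18.3"` (check that the renovate comment's matcher still picks up the quoted form). More importantly, 15.17 → 18.3 is a major-version jump of PostgreSQL: an existing data directory written by 15 will not start under 18 without a `pg_upgrade` or dump/restore step, and the same applies to the `12-alpine` → `18-alpine` bump in resources/chaosknoten/lists/docker_compose/compose.yaml (bind-mounted `/opt/mailman/database`) and `15-alpine` → `18-alpine` in resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2. This should not be merged as an automated bump without a migration step for each instance.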
diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml b/resources/chaosknoten/lists/docker_compose/compose.yaml
index fb65594..65248bb 100644
--- a/resources/chaosknoten/lists/docker_compose/compose.yaml
+++ b/resources/chaosknoten/lists/docker_compose/compose.yaml
@@ -58,7 +58,7 @@ services:
- POSTGRES_DB=mailmandb
- POSTGRES_USER=mailman
- POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz
- image: docker.io/library/postgres:12-alpine
+ image: docker.io/library/postgres:18-alpine
volumes:
- /opt/mailman/database:/var/lib/postgresql/data
networks:
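Review bot: The context lines show `POSTGRES_PASSWORD` with a literal value committed in this compose file, whereas the pretalx compose in the same series templates it from `{{ secret__pretalx_db_password }}`. Since the literal is in git history regardless of this bump, treat it as exposed: rotate it and move this file to the same templated-secret pattern (`compose.yaml.j2` with a `secret__...` variable) so the value no longer lives in the repository.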
diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
index 0bbfcb8..091bd44 100644
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@@ -3,7 +3,7 @@
services:
database:
- image: docker.io/library/postgres:15-alpine
+ image: docker.io/library/postgres:18-alpine
environment:
- "POSTGRES_USER=pretalx"
- "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}"