From 58ced1a85e428292dc8aa2042471bf2785b2e2e0 Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 30 Apr 2026 23:12:08 +0200
Subject: [PATCH 1/3] add capability to disable systemd-resolved to base_config
role
---
roles/base_config/meta/main.yaml | 1 +
.../defaults/main.yaml | 9 +++++
.../handlers/main.yaml | 7 ++++
.../meta/argument_specs.yaml | 21 +++++++++++
.../tasks/disable.yaml | 25 +++++++++++++
.../tasks/enable.yaml | 36 +++++++++++++++++++
.../tasks/main.yaml | 10 ++++++
.../templates/resolv.conf.j2 | 11 ++++++
.../templates/resolved.conf.j2 | 11 ++++++
9 files changed, 131 insertions(+)
create mode 100644 roles/deploy_systemd_resolved_config/defaults/main.yaml
create mode 100644 roles/deploy_systemd_resolved_config/handlers/main.yaml
create mode 100644 roles/deploy_systemd_resolved_config/meta/argument_specs.yaml
create mode 100644 roles/deploy_systemd_resolved_config/tasks/disable.yaml
create mode 100644 roles/deploy_systemd_resolved_config/tasks/enable.yaml
create mode 100644 roles/deploy_systemd_resolved_config/tasks/main.yaml
create mode 100644 roles/deploy_systemd_resolved_config/templates/resolv.conf.j2
create mode 100644 roles/deploy_systemd_resolved_config/templates/resolved.conf.j2
diff --git a/roles/base_config/meta/main.yaml b/roles/base_config/meta/main.yaml
index d1704a2..d7cc109 100644
--- a/roles/base_config/meta/main.yaml
+++ b/roles/base_config/meta/main.yaml
@@ -2,3 +2,4 @@
dependencies:
- role: deploy_ssh_server_config
- role: deploy_systemd_journal_config
+ - role: deploy_systemd_resolved_config
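Review bot: Adding `deploy_systemd_resolved_config` as an unconditional dependency of `base_config` means every host that applies `base_config` will, on its next run, have `/etc/systemd/resolved.conf` overwritten and `/etc/resolv.conf` re-linked to the stub with the new role's defaults (`dns: []`, Quad9 fallbacks). Hosts whose resolution is currently managed some other way (a DHCP client or network manager writing `/etc/resolv.conf`, or a distro-shipped `resolved.conf` with `DNS=` set) will have that replaced silently; this is presumably intended, but it deserves a sentence in the commit message or the role README. A `--check --diff` run against the inventory before merging would show which hosts change behaviour.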
diff --git a/roles/deploy_systemd_resolved_config/defaults/main.yaml b/roles/deploy_systemd_resolved_config/defaults/main.yaml
new file mode 100644
index 0000000..c322507
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/defaults/main.yaml
@@ -0,0 +1,9 @@
+---
+deploy_systemd_resolved_config__enable: true
+deploy_systemd_resolved_config__mode: "stub"
+deploy_systemd_resolved_config__dns: [ ]
+deploy_systemd_resolved_config__fallback_dns:
+ - "9.9.9.9"
+ - "149.112.112.112"
+ - "2620:fe::fe"
+ - "2620:fe::9"
diff --git a/roles/deploy_systemd_resolved_config/handlers/main.yaml b/roles/deploy_systemd_resolved_config/handlers/main.yaml
new file mode 100644
index 0000000..b40760b
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/handlers/main.yaml
@@ -0,0 +1,7 @@
+---
+- name: "reload systemd-resolved"
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.systemd:
+ name: "systemd-resolved.service"
+ state: "restarted"
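Review bot: The handler is named `reload systemd-resolved` but performs `state: "restarted"`, so a reader of the `notify:` in tasks/enable.yaml expects a reload and gets a full restart, which briefly drops the stub listener on 127.0.0.53 while the service comes back. Either rename it to match what it does, `name: "restart systemd-resolved"` (and update the `notify:` in tasks/enable.yaml in the same change), or, if the systemd version on the managed hosts supports reloading this unit, use `state: "reloaded"` so the name becomes accurate. A one-line comment above the handler saying why a restart rather than a reload was chosen would also settle it.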
diff --git a/roles/deploy_systemd_resolved_config/meta/argument_specs.yaml b/roles/deploy_systemd_resolved_config/meta/argument_specs.yaml
new file mode 100644
index 0000000..d9ad05f
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/meta/argument_specs.yaml
@@ -0,0 +1,21 @@
+---
+argument_specs:
+ main:
+ options:
+ deploy_systemd_resolved_config__enable:
+ description: "Whether systemd-resolved should be enabled or disabled"
+ type: bool
+ required: false
+ deploy_systemd_resolved_config__mode:
+ description: "Which /etc/resolv.conf compatibility mode should be configured"
+ type: str
+ required: false
+ choices: [ "stub", "static-stub", "passthru", "extern" ]
+ deploy_systemd_resolved_config__dns:
+ description: "A list of DNS servers that will be configured as default dns servers"
+ type: list
+ required: false
+ deploy_systemd_resolved_config__fallback_dns:
+ description: "A list of fallback DNS servers that will be configured"
+ type: list
+ required: false
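Review bot: The two list options `deploy_systemd_resolved_config__dns` and `deploy_systemd_resolved_config__fallback_dns` declare `type: list` without `elements: str`, so a list containing an integer or a nested mapping passes validation and only fails, or renders oddly, once it reaches the templates; add `elements: str` under each `type: list`. The spec also omits `default:` for all four options, so validation messages and `ansible-doc` output do not show the values that defaults/main.yaml actually sets; mirroring them here (`default: true`, `default: "stub"`, and the Quad9 list) keeps the two files in sync and documents the role's behaviour in one place.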
diff --git a/roles/deploy_systemd_resolved_config/tasks/disable.yaml b/roles/deploy_systemd_resolved_config/tasks/disable.yaml
new file mode 100644
index 0000000..9092116
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/tasks/disable.yaml
@@ -0,0 +1,25 @@
+---
+- name: Ensure /etc/resolv.conf is a plain file
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.file:
+ path: "/etc/resolv.conf"
+ state: file
+
+- name: Write nameserver config directly into /etc/resolv.conf
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.template:
+ src: "resolv.conf.j2"
+ dest: "/etc/resolv.conf"
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: Disable systemd-resolved
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.systemd:
+ name: "systemd-resolved.service"
+ state: stopped
+ enabled: false
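Review bot: The first task, `ansible.builtin.file` with `state: file` on `/etc/resolv.conf`, does not turn the symlink that systemd-resolved hosts normally have there into a plain file: with the module's default `follow: true` it only reports on the link target and never creates or replaces anything, and if the link dangles (systemd-resolved installed but not running, so `/run/systemd/resolve/stub-resolv.conf` is absent) the task fails before the role reaches the template that would restore resolution. As far as I can tell the following `ansible.builtin.template` task (default `follow: false`) already replaces a symlink at `dest` with a regular file, so the first task is redundant at best; if an explicit step is wanted, stat the path and remove it only when it is a link, as below. Removing the link before the template runs leaves a brief window with no `/etc/resolv.conf`; since systemd-resolved is only stopped in the third task, that window is as short as the play can make it. The task name `Ensure /etc/resolv.conf is a plain file` can stay on the removal task if the sentence above is kept as its comment.
```yaml
- name: Check whether /etc/resolv.conf is a symlink
  tags: [ "deploy_systemd_resolved_config" ]
  become: true
  ansible.builtin.stat:
    path: "/etc/resolv.conf"
  register: deploy_systemd_resolved_config__resolv_conf

- name: Remove the /etc/resolv.conf symlink so a plain file can be written
  tags: [ "deploy_systemd_resolved_config" ]
  become: true
  when: deploy_systemd_resolved_config__resolv_conf.stat.islnk | default(false)
  ansible.builtin.file:
    path: "/etc/resolv.conf"
    state: absent

# … unchanged: template and systemd tasks …
```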
diff --git a/roles/deploy_systemd_resolved_config/tasks/enable.yaml b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
new file mode 100644
index 0000000..395ef0d
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
@@ -0,0 +1,36 @@
+---
+- name: Deploy systemd-resolved config
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ notify: "reload systemd-resolved"
+ ansible.builtin.template:
+ src: resolved.conf.j2
+ dest: /etc/systemd/resolved.conf
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: Make /etc/resolv.conf points to systemd-resolved
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ when: deploy_systemd_resolved_config__mode != "extern"
+ ansible.builtin.file: # noqa: jinja
+ path: /etc/resolv.conf
+ state: link
+ force: true
+ src: >-
+ {%- if deploy_systemd_resolved_config__mode == "stub" -%}
+ /run/systemd/resolve/stub-resolv.conf
+ {%- elif deploy_systemd_resolved_config__mode == "static-stub" -%}
+ /usr/lib/systemd/resolv.conf
+ {%- elif deploy_systemd_resolved_config__mode == "passthru" -%}
+ /run/systemd/resolve/resolv.conf
+ {%- endif -%}
+
+- name: Ensure systemd-resolved is running and enabled
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ ansible.builtin.systemd:
+ name: systemd-resolved.service
+ state: started
+ enabled: true
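Review bot: The symlink task runs before the task that starts systemd-resolved, so on a host where the service was not yet running `/etc/resolv.conf` points at `/run/systemd/resolve/stub-resolv.conf` (or `resolv.conf`) before that file exists, and name resolution is broken between the second and third task; the handler restart at end of play does not help because the link is created immediately. Move `Ensure systemd-resolved is running and enabled` above the link task so the target exists when the link is made; the config is already deployed by the first task, so the service starts with the intended settings. Two smaller points: the task name should read `point to` rather than `points to`, and paths here are unquoted while disable.yaml quotes them, so pick one style for the role.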
diff --git a/roles/deploy_systemd_resolved_config/tasks/main.yaml b/roles/deploy_systemd_resolved_config/tasks/main.yaml
new file mode 100644
index 0000000..00bc293
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/tasks/main.yaml
@@ -0,0 +1,10 @@
+---
+- name: Include enable.yaml
+ tags: [ "deploy_systemd_resolved_config" ]
+ ansible.builtin.include_tasks: enable.yaml
+ when: deploy_systemd_resolved_config__enable
+
+- name: Include disable.yaml
+ tags: [ "deploy_systemd_resolved_config" ]
+ ansible.builtin.include_tasks: disable.yaml
+ when: not deploy_systemd_resolved_config__enable
diff --git a/roles/deploy_systemd_resolved_config/templates/resolv.conf.j2 b/roles/deploy_systemd_resolved_config/templates/resolv.conf.j2
new file mode 100644
index 0000000..fd06a1a
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/templates/resolv.conf.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+{% for i in deploy_systemd_resolved_config__dns %}
+nameserver {{ i }}
+{% endfor %}
+
+{% for i in deploy_systemd_resolved_config__fallback_dns %}
+nameserver {{ i }}
+{% endfor %}
+
+options edns0
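Review bot: The template writes every primary and every fallback server as a `nameserver` line, but the glibc stub resolver only honours the first three (`MAXNS`), so with the shipped defaults the fourth Quad9 address `2620:fe::9` is silently ignored, and there is no fallback semantics in a plain resolv.conf at all: servers are simply tried in order with the `timeout`/`attempts` defaults. Either cap the list in the template, e.g. one loop over `(deploy_systemd_resolved_config__dns + deploy_systemd_resolved_config__fallback_dns)[:3]`, or state in the README that in disabled mode only the first three configured servers take effect. The blank lines between the loops land in the generated file even when a list is empty; harmless, but `{%- ... -%}` whitespace control would keep the output tidy.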
diff --git a/roles/deploy_systemd_resolved_config/templates/resolved.conf.j2 b/roles/deploy_systemd_resolved_config/templates/resolved.conf.j2
new file mode 100644
index 0000000..67968e4
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/templates/resolved.conf.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+# Since the config supports drop-in files,
+# use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.'
+#
+# See resolved.conf(5) for details
+
+[Resolve]
+DNS={{ deploy_systemd_resolved_config__dns | join(" ") }}
+FallbackDNS={{ deploy_systemd_resolved_config__fallback_dns | join(" ") }}
+
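Review bot: The template replaces the distribution's `/etc/systemd/resolved.conf` wholesale, although its own comment points out that drop-ins are supported; writing to `/etc/systemd/resolved.conf.d/<name>.conf` instead (the `dest:` in tasks/enable.yaml would change accordingly) avoids conflicts on package upgrades and keeps distro defaults for the keys this role does not set. The role also leaves `DNSOverTLS=` and `DNSSEC=` at the build defaults, which on most distributions means plaintext port 53 to the Quad9 fallbacks even though those servers support DNS-over-TLS; consider exposing both as role variables that default to the current behaviour so hosts can opt in with e.g. `DNSOverTLS=opportunistic`. The comment on the fourth line ends in a stray `'` after `config.`.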
From c304a1c82a188bc1725cdb08c59a4aa4d631bad0 Mon Sep 17 00:00:00 2001
From: lilly
Date: Sat, 2 May 2026 00:42:16 +0200
Subject: [PATCH 2/3] add README.md to deploy_systemd_resolved_config role
---
.../deploy_systemd_resolved_config/README.md | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 roles/deploy_systemd_resolved_config/README.md
diff --git a/roles/deploy_systemd_resolved_config/README.md b/roles/deploy_systemd_resolved_config/README.md
new file mode 100644
index 0000000..fbd6c78
--- /dev/null
+++ b/roles/deploy_systemd_resolved_config/README.md
@@ -0,0 +1,21 @@
+# Role `deploy_systemd_resolved_config`
+
+A role for deploying a minimal configuration for [systemd-resolved](https://man.archlinux.org/man/systemd-resolved.8) or alternatively completely disabling it.
+
+!! Note
+If systemd-resolved is disabled, the configuration is instead rendered directly into `/etc/resolv.conf` to ensure a node does not accidentally lose name resolving capabilities.
+
+## Optional Arguments
+
+- `deploy_systemd_resolved_config__enable` (defaults to `true`) decides whether systemd-resolved should be enabled or disabled.
+
+- `deploy_systemd_resolved_config__mode` (defaults to `stub`) controls which compatibility mode is used for `/etc/resolv.conf` when systemd-resolved is enabled. See [man systemd-resolved(8)](https://man.archlinux.org/man/systemd-resolved.8#/ETC/RESOLV.CONF).
+
+- `deploy_systemd_resolved_config__dns` is the list of primary DNS servers that will be configured. If e.g. a specific link configures other DNS servers, they will take precedence.
+
+- `deploy_systemd_resolved_config__fallback_dns` (defaults to Quad9) is the list of fallback DNS servers. If, at runtime, none of the configured primary DNS servers are reachable, these servers will be used as fallback.
+
+## Hosts
+
+This role is included as a dependency to [base_config](../base_config/) and therefore does not need to be explicitly pulled in.
+
From 98d1bb9d147d74886a54f70b13f74834b2efe030 Mon Sep 17 00:00:00 2001
From: Renovate
Date: Sat, 2 May 2026 00:16:41 +0000
Subject: [PATCH 3/3] Update all stable non-major dependencies
---
.forgejo/workflows/lint.yaml | 2 +-
inventories/chaosknoten/host_vars/netbox.yaml | 2 +-
.../chaosknoten/acmedns/docker_compose/compose.yaml.j2 | 2 +-
.../chaosknoten/grafana/docker_compose/compose.yaml.j2 | 8 ++++----
.../chaosknoten/keycloak/docker_compose/compose.yaml.j2 | 2 +-
resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 | 2 +-
.../chaosknoten/pretalx/docker_compose/compose.yaml.j2 | 2 +-
7 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml
index bdd53f5..600d044 100644
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
@@ -24,7 +24,7 @@ jobs:
# work in our environmnet.
# Rather manually setup python (pip) before instead.
- name: Run ansible-lint
- uses: https://github.com/ansible/ansible-lint@v26.3.0
+ uses: https://github.com/ansible/ansible-lint@v26.4.0
with:
setup_python: "false"
requirements_file: "requirements.yml"
diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml
index f28d193..67232cd 100644
--- a/inventories/chaosknoten/host_vars/netbox.yaml
+++ b/inventories/chaosknoten/host_vars/netbox.yaml
@@ -1,5 +1,5 @@
# renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
-netbox__version: "v4.5.5"
+netbox__version: "v4.5.9"
netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
netbox__custom_pipeline_oidc_group_and_role_mapping: true
diff --git a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
index 3fcd8c6..c68973f 100644
--- a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
@@ -2,7 +2,7 @@
services:
oauth2-proxy:
container_name: oauth2-proxy
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
command: --config /oauth2-proxy.cfg
hostname: oauth2-proxy
volumes:
diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
index 8c38500..4b5b2c0 100644
--- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
@@ -2,7 +2,7 @@
services:
prometheus:
- image: docker.io/prom/prometheus:v3.10.0
+ image: docker.io/prom/prometheus:v3.11.3
container_name: prometheus
command:
- '--config.file=/etc/prometheus/prometheus.yml'
@@ -19,7 +19,7 @@ services:
- prom_data:/prometheus
alertmanager:
- image: docker.io/prom/alertmanager:v0.31.1
+ image: docker.io/prom/alertmanager:v0.32.1
container_name: alertmanager
command:
- '--config.file=/etc/alertmanager/alertmanager.yaml'
@@ -32,7 +32,7 @@ services:
- alertmanager_data:/alertmanager
grafana:
- image: docker.io/grafana/grafana:12.4.2
+ image: docker.io/grafana/grafana:12.4.3
container_name: grafana
ports:
- 3000:3000
@@ -46,7 +46,7 @@ services:
- graf_data:/var/lib/grafana
pve-exporter:
- image: docker.io/prompve/prometheus-pve-exporter:3.8.2
+ image: docker.io/prompve/prometheus-pve-exporter:3.8.3
container_name: pve-exporter
ports:
- 9221:9221
diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
index d239bb4..8db3526 100644
--- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
@@ -22,7 +22,7 @@
services:
keycloak:
- image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.5.7
+ image: git.hamburg.ccc.de/ccchh/oci-images/keycloak:26.6.0
pull_policy: always
restart: unless-stopped
command: start --optimized
diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
index af1b531..09a71e4 100644
--- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
@@ -1,7 +1,7 @@
---
services:
ntfy:
- image: docker.io/binwiederhier/ntfy:v2.20.1
+ image: docker.io/binwiederhier/ntfy:v2.22.0
container_name: ntfy
command:
- serve
diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
index 0bbfcb8..a3f19fa 100644
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@@ -23,7 +23,7 @@ services:
- pretalx_net
static:
- image: docker.io/library/nginx:1.29.7
+ image: docker.io/library/nginx:1.30.0
restart: unless-stopped
volumes:
- public:/usr/share/nginx/html