From 8fe2c55d25ee2c6622f4a8a8b669f4eee514d87e Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 29 Nov 2023 12:22:34 +0100 Subject: [PATCH] setup blocky (#617) Reviewed-on: https://git.mgrote.net/mg/homeserver/pulls/617 Co-authored-by: Michael Grote Co-committed-by: Michael Grote --- {roles => friedhof}/mgrote_dotfiles/README.md | 0 .../mgrote_dotfiles/defaults/main.yml | 0 .../mgrote_dotfiles/handlers/main.yml | 0 .../mgrote_dotfiles/tasks/main.yml | 0 group_vars/all.yml | 12 -- group_vars/blocky.yml | 74 +++++++ group_vars/docker.yml | 3 + group_vars/fileserver.yml | 4 - host_vars/fileserver3.mgrote.net.yml | 4 +- inventory | 4 + playbooks/3_service/blocky.yml | 5 + playbooks/base/users.yml | 2 - roles/mgrote_blocky/defaults/main.yml | 68 ++++++ roles/mgrote_blocky/handlers/main.yml | 17 ++ roles/mgrote_blocky/tasks/main.yml | 61 ++++++ .../mgrote_blocky/templates/blocky.service.j2 | 15 ++ roles/mgrote_blocky/templates/config.yml.j2 | 193 ++++++++++++++++++ .../mgrote_systemd_resolved/defaults/main.yml | 2 +- roles/mgrote_systemd_resolved/tasks/main.yml | 3 + .../templates/resolv.conf.j2 | 2 +- 20 files changed, 447 insertions(+), 22 deletions(-) rename {roles => friedhof}/mgrote_dotfiles/README.md (100%) rename {roles => friedhof}/mgrote_dotfiles/defaults/main.yml (100%) rename {roles => friedhof}/mgrote_dotfiles/handlers/main.yml (100%) rename {roles => friedhof}/mgrote_dotfiles/tasks/main.yml (100%) create mode 100644 group_vars/blocky.yml create mode 100644 playbooks/3_service/blocky.yml create mode 100644 roles/mgrote_blocky/defaults/main.yml create mode 100644 roles/mgrote_blocky/handlers/main.yml create mode 100644 roles/mgrote_blocky/tasks/main.yml create mode 100644 roles/mgrote_blocky/templates/blocky.service.j2 create mode 100644 roles/mgrote_blocky/templates/config.yml.j2 diff --git a/roles/mgrote_dotfiles/README.md b/friedhof/mgrote_dotfiles/README.md similarity index 100% rename from roles/mgrote_dotfiles/README.md rename to friedhof/mgrote_dotfiles/README.md diff --git a/roles/mgrote_dotfiles/defaults/main.yml b/friedhof/mgrote_dotfiles/defaults/main.yml similarity index 100% rename from roles/mgrote_dotfiles/defaults/main.yml rename to friedhof/mgrote_dotfiles/defaults/main.yml diff --git a/roles/mgrote_dotfiles/handlers/main.yml b/friedhof/mgrote_dotfiles/handlers/main.yml similarity index 100% rename from roles/mgrote_dotfiles/handlers/main.yml rename to friedhof/mgrote_dotfiles/handlers/main.yml diff --git a/roles/mgrote_dotfiles/tasks/main.yml b/friedhof/mgrote_dotfiles/tasks/main.yml similarity index 100% rename from roles/mgrote_dotfiles/tasks/main.yml rename to friedhof/mgrote_dotfiles/tasks/main.yml diff --git a/group_vars/all.yml b/group_vars/all.yml index 63651533..e050e954 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -52,18 +52,6 @@ users: allow_sudo: true allow_passwordless_sudo: true -### mgrote.dotfiles -dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles -dotfiles_repo_path: /home/mg/dotfiles -dotfiles_files: - - repo_path: "{{ dotfiles_repo_path }}/.vimrc" - local_path: "/home/mg/.vimrc" - - repo_path: "{{ dotfiles_repo_path }}/.tmux.conf" - local_path: "/home/mg/.tmux.conf" - - repo_path: "{{ dotfiles_repo_path }}/.gitconfig" - local_path: "/home/mg/.gitconfig" -dotfiles_owner: mg - ### jnv.unattended_upgrades unattended_mail: "{{ my_mail }}" unattended_mail_only_on_error: true diff --git a/group_vars/blocky.yml b/group_vars/blocky.yml new file mode 100644 index 00000000..a11896de --- /dev/null +++ b/group_vars/blocky.yml @@ -0,0 +1,74 @@ +--- +### mgrote_systemd_resolved +systemd_resolved_nameserver: 9.9.9.9 + +### oefenweb.ufw +ufw_rules: + - rule: allow + to_port: 22 + protocol: tcp + comment: 'ssh' + from_ip: 0.0.0.0/0 + - rule: allow + to_port: 53 + comment: 'dns' + from_ip: 0.0.0.0/0 + +### mgrote_blocky +blocky_version: v0.22 +blocky_block_type: zeroIp +blocky_local_upstream: 192.168.2.1 +blocky_conditional_mapping: # optional + - domain: mgrote.net + resolver: 192.168.2.1 +blocky_dns_upstream: + - 9.9.9.9 + - 1.1.1.1 + - 8.8.8.8 + - 5.9.164.112 +blocky_dns_blocklists: + - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt + - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts + - http://sysctl.org/cameleon/hosts + - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt +blocky_custom_lookups: # optional + # Internet + - name: wiki.mgrote.net + ip: 192.168.2.43 + - name: audio.mgrote.net + ip: 192.168.2.43 + - name: auth.mgrote.net + ip: 192.168.2.43 + - name: ci.mgrote.net + ip: 192.168.2.43 + - name: git.mgrote.net + ip: 192.168.2.43 + - name: miniflux.mgrote.net + ip: 192.168.2.43 + - name: nextcloud.mgrote.net + ip: 192.168.2.43 + - name: registry.mgrote.net + ip: 192.168.2.43 + # Intern + - name: ads2700w.mgrote.net + ip: 192.168.2.147 + - name: crs305.mgrote.net + ip: 192.168.2.225 + - name: hex.mgrote.net + ip: 192.168.3.144 + - name: pbs-test.mgrote.net + ip: 192.168.2.18 + - name: pbs.mgrote.net + ip: 192.168.3.239 + - name: pve5-test.mgrote.net + ip: 192.168.2.17 + - name: pve5.mgrote.net # bleibt im Router auch angelegt, weil wenn pve aus auch kein blocky ;-) + ip: 192.168.2.16 + - name: rb5009.mgrote.net + ip: 192.168.2.1 + - name: fritz.box + ip: 192.168.5.1 + +### mgrote.apt_manage_packages +apt_packages_internet: + - http://192.168.2.43:3344/bash-helper-scripts-mgrote-latest.deb diff --git a/group_vars/docker.yml b/group_vars/docker.yml index 3aaba0dc..01fc8166 100644 --- a/group_vars/docker.yml +++ b/group_vars/docker.yml @@ -68,3 +68,6 @@ repos_override: # mit docker-repos - "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted" - "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security universe" - "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security multiverse" + +### mgrote_systemd_resolved +systemd_resolved_nameserver: 192.168.2.37 diff --git a/group_vars/fileserver.yml b/group_vars/fileserver.yml index c48d963f..24f7d4f9 100644 --- a/group_vars/fileserver.yml +++ b/group_vars/fileserver.yml @@ -18,10 +18,6 @@ ufw_rules: comment: 'smb' from_ip: 0.0.0.0/0 -### mgrote.apt_manage_packages -apt_packages_internet: - - http://docker10.mgrote.net:3344/bash-helper-scripts-mgrote-latest.deb - ### mgrote.fileserver_smb smb_workgroup: WORKGROUP smb_min_protocol: "SMB2" diff --git a/host_vars/fileserver3.mgrote.net.yml b/host_vars/fileserver3.mgrote.net.yml index c48d5e07..caaa2c22 100644 --- a/host_vars/fileserver3.mgrote.net.yml +++ b/host_vars/fileserver3.mgrote.net.yml @@ -38,7 +38,7 @@ ytdl_youtube_password: "{{ lookup('keepass', 'youtubedl_youtube_login', 'passwor ytdl_conf_dir: "/etc/youtubedl" #ohne / am ende ytdl_download_limit: "10000K" -### mgrote.fileserver_smb +### mgrote_fileserver_smb smb_users: - name: 'restic' password: "{{ lookup('keepass', 'fileserver_smb_user_restic', 'password') }}" @@ -47,7 +47,7 @@ smb_users: - name: 'kodi' password: "{{ lookup('keepass', 'fileserver_smb_user_kodi', 'password') }}" - name: 'michaelgrote' - password: "{{ lookup('keepass', 'fileserver_smb_user_mg', 'password') }}" + password: "{{ lookup('keepass', 'fileserver_smb_user_michaelgrote', 'password') }}" - name: 'navidrome' password: "{{ lookup('keepass', 'fileserver_smb_user_navidrome', 'password') }}" - name: 'docker' diff --git a/inventory b/inventory index 05fa4beb..e76d0c1a 100644 --- a/inventory +++ b/inventory @@ -3,6 +3,9 @@ all: fileserver: hosts: fileserver3.mgrote.net: + blocky: + hosts: + blocky.mgrote.net: lxc: hosts: fileserver3.mgrote.net: @@ -41,6 +44,7 @@ all: gitea.mgrote.net: docker10.mgrote.net: pbs.mgrote.net: + blocky.mgrote.net: test: hosts: vm-test-2204.mgrote.net: diff --git a/playbooks/3_service/blocky.yml b/playbooks/3_service/blocky.yml new file mode 100644 index 00000000..267abc3e --- /dev/null +++ b/playbooks/3_service/blocky.yml @@ -0,0 +1,5 @@ +--- +- hosts: blocky + roles: + - { role: mgrote_systemd_resolved, tags: "resolved" } + - { role: mgrote_blocky, tags: "blocky" } diff --git a/playbooks/base/users.yml b/playbooks/base/users.yml index bbbe125a..5214d338 100644 --- a/playbooks/base/users.yml +++ b/playbooks/base/users.yml @@ -4,7 +4,5 @@ roles: - role: mgrote_users tags: "user" - - role: mgrote_dotfiles - tags: "dotfiles" - role: mgrote_vim tags: "vim" diff --git a/roles/mgrote_blocky/defaults/main.yml b/roles/mgrote_blocky/defaults/main.yml new file mode 100644 index 00000000..b1dc2fc1 --- /dev/null +++ b/roles/mgrote_blocky/defaults/main.yml @@ -0,0 +1,68 @@ +--- +# Docs in config.yml and https://0xerr0r.github.io/blocky/configuration/ + +blocky_user: blocky +blocky_group: blocky +blocky_version: v0.22 +blocky_arch: x86_64 +blocky_download_url: "https://github.com/0xERR0R/blocky/releases/download/{{ blocky_version }}/blocky_{{ blocky_version }}_Linux_{{ blocky_arch }}.tar.gz" +blocky_conf_dir: /etc/blocky +blocky_block_type: zeroIp +blocky_block_ttl: 1m +blocky_blacklists_strategy: failOnError +blocky_local_upstream: 192.168.2.1 +blocky_prometheus: false +blocky_fqdn_only: false +blocky_port_dns: 53 +blocky_log_level: info +blocky_dns_upstream: + - 9.9.9.9 + - 1.1.1.1 + - 8.8.8.8 + - 5.9.164.112 +blocky_dns_blocklists: + - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt + - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts + - http://sysctl.org/cameleon/hosts + - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt +#blocky_custom_lookups: # optional +# # Internet +# - name: wiki.mgrote.net +# ip: 192.168.2.43 +# - name: audio.mgrote.net +# ip: 192.168.2.43 +# - name: auth.mgrote.net +# ip: 192.168.2.43 +# - name: ci.mgrote.net +# ip: 192.168.2.43 +# - name: git.mgrote.net +# ip: 192.168.2.43 +# - name: miniflux.mgrote.net +# ip: 192.168.2.43 +# - name: nextcloud.mgrote.net +# ip: 192.168.2.43 +# - name: registry.mgrote.net +# ip: 192.168.2.43 +# # Intern +# - name: ads2700w.mgrote.net +# ip: 192.168.2.147 +# - name: crs305.mgrote.net +# ip: 192.168.2.225 +# - name: hex.mgrote.net +# ip: 192.168.3.144 +# - name: pbs-test.mgrote.net +# ip: 192.168.2.18 +# - name: pbs.mgrote.net +# ip: 192.168.3.239 +# - name: pve5-test.mgrote.net +# ip: 192.168.2.17 +# - name: pve5.mgrote.net # bleibt im Router auch angelegt, weil wenn pve aus auch kein blocky ;-) +# ip: 192.168.2.16 +# - name: rb5009.mgrote.net +# ip: 192.168.2.1 +# - name: fritz.box +# ip: 192.168.5.1 +#blocky_conditional_mapping: # optional +# - domain: mgrote.net +# resolver: 192.168.2.1 +# diff --git a/roles/mgrote_blocky/handlers/main.yml b/roles/mgrote_blocky/handlers/main.yml new file mode 100644 index 00000000..861be7e3 --- /dev/null +++ b/roles/mgrote_blocky/handlers/main.yml @@ -0,0 +1,17 @@ +--- + +- name: set cap_net_bind_service # noqa no-changed-when + become: true + ansible.builtin.command: setcap 'cap_net_bind_service=+ep' /usr/local/bin/blocky + +- name: systemctl daemon-reload + become: true + ansible.builtin.systemd: + daemon_reload: true + +- name: restart service unit + become: true + ansible.builtin.systemd: + name: blocky.service + state: restarted + enabled: true diff --git a/roles/mgrote_blocky/tasks/main.yml b/roles/mgrote_blocky/tasks/main.yml new file mode 100644 index 00000000..c6289335 --- /dev/null +++ b/roles/mgrote_blocky/tasks/main.yml @@ -0,0 +1,61 @@ +--- +- name: ensure group exists + become: true + ansible.builtin.group: + name: "{{ blocky_group }}" + state: present + +- name: ensure user exists + become: true + ansible.builtin.user: + name: "{{ blocky_user }}" + state: present + create_home: false + +- name: ensure binaries are installed + become: true + ansible.builtin.unarchive: + src: "{{ blocky_download_url }}" + dest: /usr/local/bin + remote_src: true + owner: "{{ blocky_user }}" + group: "{{ blocky_group }}" + mode: "0755" + exclude: + - LICENSE + - README.md + notify: + - set cap_net_bind_service + - restart service unit + +- name: ensure conf dir exists + become: true + ansible.builtin.file: + path: "{{ blocky_conf_dir }}" + state: directory + owner: "{{ blocky_user }}" + group: "{{ blocky_group }}" + mode: "0755" + +- name: template configuration + become: true + ansible.builtin.template: + src: "config.yml.j2" + dest: "{{ blocky_conf_dir }}/config.yml" + owner: "{{ blocky_user }}" + group: "{{ blocky_group }}" + mode: "0600" + notify: + - restart service unit + +- name: template service + become: true + ansible.builtin.template: + src: "blocky.service.j2" + dest: /etc/systemd/system/blocky.service + owner: root + group: root + mode: "0644" + notify: + - systemctl daemon-reload + - restart service unit diff --git a/roles/mgrote_blocky/templates/blocky.service.j2 b/roles/mgrote_blocky/templates/blocky.service.j2 new file mode 100644 index 00000000..656fe94c --- /dev/null +++ b/roles/mgrote_blocky/templates/blocky.service.j2 @@ -0,0 +1,15 @@ +{{ file_header | default () }} + +[Unit] +Description=Blocky is a DNS proxy and ad-blocker for the local network written in Go. +Requires=network.target +Wants=nss-lookup.target +Before=nss-lookup.target +After=network.target + +[Service] +Type=simple +ExecStart=/usr/local/bin/blocky --config {{ blocky_conf_dir }}/config.yml + +[Install] +WantedBy=multi-user.target diff --git a/roles/mgrote_blocky/templates/config.yml.j2 b/roles/mgrote_blocky/templates/config.yml.j2 new file mode 100644 index 00000000..312aba61 --- /dev/null +++ b/roles/mgrote_blocky/templates/config.yml.j2 @@ -0,0 +1,193 @@ +{{ file_header | default () }} +upstreams: + groups: + default: +{% for item in blocky_dns_upstream %} + - {{ item }} +{% endfor %} + strategy: parallel_best + timeout: 2s + +# optional: If true, blocky will fail to start unless at least one upstream server per group is reachable. Default: false +startVerifyUpstream: true + +# optional: Determines how blocky will create outgoing connections. This impacts both upstreams, and lists. +# accepted: dual, v4, v6 +# default: dual +connectIPVersion: v4 + + +# optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.) +blocking: + # definition of blacklist groups. Can be external link (http/https) or local file + blackLists: + ads: +{% for item in blocky_dns_blocklists %} + - {{ item }} +{% endfor %} + # which response will be sent, if query is blocked: + # zeroIp: 0.0.0.0 will be returned (default) + # nxDomain: return NXDOMAIN as return code + # comma separated list of destination IP addresses (for example: 192.100.100.15, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344). Should contain ipv4 and ipv6 to cover all query types. Useful with running web server on this address to display the "blocked" page. + blockType: {{ blocky_block_type | default ("zeroIp") }} + # optional: TTL for answers to blocked domains + # default: 6h + blockTTL: {{ blocky_block_ttl | default ("6h") }} + clientGroupsBlock: + # default will be used, if no special definition for a client name exists + default: + - ads # siehe blocking.blacklists.ads + # optional: Configure how lists, AKA sources, are loaded + loading: + # optional: list refresh period in duration format. + # Set to a value <= 0 to disable. + # default: 4h + refreshPeriod: 4h + # optional: Applies only to lists that are downloaded (HTTP URLs). + downloads: + # optional: timeout for list download (each url). Use large values for big lists or slow internet connections + # default: 5s + timeout: 5s + # optional: Maximum download attempts + # default: 3 + attempts: 3 + # optional: Time between the download attempts + # default: 500ms + cooldown: 500ms + # optional: Maximum number of lists to process in parallel. + # default: 4 + concurrency: 4 + # optional: if failOnError, application startup will fail if at least one list can't be downloaded/opened + # default: blocking + strategy: {{ blocky_blacklists_strategy | default ("blocking") }} + # Number of errors allowed in a list before it is considered invalid. + # A value of -1 disables the limit. + # default: 5 + maxErrorsPerSource: 5 + +{% if blocky_conditional_mapping is defined %} + +# optional: definition, which DNS resolver(s) should be used for queries to the domain (with all sub-domains). Multiple resolvers must be separated by a comma +# Example: Query client.fritz.box will ask DNS server 192.168.178.1. This is necessary for local network, to resolve clients by host name +conditional: + # optional: if false (default), return empty result if after rewrite, the mapped resolver returned an empty answer. If true, the original query will be sent to the upstream resolver + # Example: The query "blog.example.com" will be rewritten to "blog.fritz.box" and also redirected to the resolver at 192.168.178.1. If not found and if `fallbackUpstream` was set to `true`, the original query "blog.example.com" will be sent upstream. + # Usage: One usecase when having split DNS for internal and external (internet facing) users, but not all subdomains are listed in the internal domain. + fallbackUpstream: false + mapping: +{% for item in blocky_conditional_mapping %} + {{ item.domain }}: {{ item.resolver }} +{% endfor %} +{% endif %} + + +{% if blocky_custom_lookups is defined %} +# optional: custom IP address(es) for domain name (with all sub-domains). Multiple addresses must be separated by a comma +# example: query "printer.lan" or "my.printer.lan" will return 192.168.178.3 +customDNS: + customTTL: 1h + # optional: if true (default), return empty result for unmapped query types (for example TXT, MX or AAAA if only IPv4 address is defined). + # if false, queries with unmapped types will be forwarded to the upstream resolver + filterUnmappedTypes: true + # optional: replace domain in the query with other domain before resolver lookup in the mapping + # rewrite: + # example.com: printer.lan + mapping: +{% for item in blocky_custom_lookups %} + {{ item.name }}: {{ item.ip }} +{% endfor %} +{% endif %} + +# optional: configuration for caching of DNS responses +caching: + # duration how long a response must be cached (min value). + # If <=0, use response's TTL, if >0 use this value, if TTL is smaller + # Default: 0 + minTime: 0 + # duration how long a response must be cached (max value). + # If <0, do not cache responses + # If 0, use TTL + # If > 0, use this value, if TTL is greater + # Default: 0 + maxTime: 0 + # Max number of cache entries (responses) to be kept in cache (soft limit). Useful on systems with limited amount of RAM. + # Default (0): unlimited + maxItemsCount: 0 + # if true, will preload DNS results for often used queries (default: names queried more than 5 times in a 2-hour time window) + # this improves the response time for often used queries, but significantly increases external traffic + # default: false + prefetching: true + # prefetch track time window (in duration format) + # default: 120 + prefetchExpires: 120 + # name queries threshold for prefetch + # default: 5 + prefetchThreshold: 5 + # Max number of domains to be kept in cache for prefetching (soft limit). Useful on systems with limited amount of RAM. + # Default (0): unlimited + prefetchMaxItemsCount: 0 + # Time how long negative results (NXDOMAIN response or empty result) are cached. A value of -1 will disable caching for negative results. + # Default: 30m + cacheTimeNegative: 30m + +# optional: configuration of client name resolution +clientLookup: + # optional: this DNS resolver will be used to perform reverse DNS lookup (typically local router) + upstream: {{ blocky_local_upstream | default ("192.168.2.1") }} + # optional: some routers return multiple names for client (host name and user defined name). Define which single name should be used. + # Example: take second name if present, if not take first name + # singleNameOrder: + # - 2 + # - 1 + + +# optional: configuration for prometheus metrics endpoint +prometheus: + # enabled if true + enable: {{ blocky_prometheus | default ("false") }} + # url path, optional (default '/metrics') + path: /metrics + + +# optional: Mininal TLS version that the DoH and DoT server will use +# minTlsServeVersion: 1.3 + +# if https port > 0: path to cert and key file for SSL encryption. if not set, self-signed certificate will be generated +#certFile: server.crt +#keyFile: server.key + +# optional: use these DNS servers to resolve blacklist urls and upstream DNS servers. It is useful if no system DNS resolver is configured, and/or to encrypt the bootstrap queries. +bootstrapDns: + - tcp+udp:9.9.9.9 + +# optional: drop all queries with following query types. Default: empty +filtering: + queryTypes: + - AAAA + +# optional: return NXDOMAIN for queries that are not FQDNs. +fqdnOnly: + # default: false + enable: {{ blocky_fqdn_only | default ("false") }} + +# optional: ports configuration +ports: + # optional: DNS listener port(s) and bind ip address(es), default 53 (UDP and TCP). Example: 53, :53, "127.0.0.1:5353,[::1]:5353" + dns: {{ blocky_port_dns | default ("53") }} + # optional: Port(s) and bind ip address(es) for DoT (DNS-over-TLS) listener. Example: 853, 127.0.0.1:853 + # tls: 853 + # optional: Port(s) and optional bind ip address(es) to serve HTTPS used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:443. Example: 443, :443, 127.0.0.1:443,[::1]:443 + # https: 443 + # optional: Port(s) and optional bind ip address(es) to serve HTTP used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:4000. Example: 4000, :4000, 127.0.0.1:4000,[::1]:4000 + http: 4000 + +# optional: logging configuration +log: + # optional: Log level (one from debug, info, warn, error). Default: info + level: {{ blocky_log_level | default ("info") }} + # optional: Log format (text or json). Default: text + format: text + # optional: log timestamps. Default: true + timestamp: true + # optional: obfuscate log output (replace all alphanumeric characters with *) for user sensitive data like request domains or responses to increase privacy. Default: false + privacy: false diff --git a/roles/mgrote_systemd_resolved/defaults/main.yml b/roles/mgrote_systemd_resolved/defaults/main.yml index 3b8e7d76..b860e823 100644 --- a/roles/mgrote_systemd_resolved/defaults/main.yml +++ b/roles/mgrote_systemd_resolved/defaults/main.yml @@ -1,2 +1,2 @@ --- -nameserver: 192.168.2.1 +systemd_resolved_nameserver: 192.168.2.1 diff --git a/roles/mgrote_systemd_resolved/tasks/main.yml b/roles/mgrote_systemd_resolved/tasks/main.yml index 9b7654b7..a308e3c4 100644 --- a/roles/mgrote_systemd_resolved/tasks/main.yml +++ b/roles/mgrote_systemd_resolved/tasks/main.yml @@ -1,11 +1,13 @@ --- - name: Make sure systemd-resolved is running + become: true ansible.builtin.systemd: state: started masked: false name: systemd-resolved - name: template /etc/systemd/resolved.conf + become: true ansible.builtin.template: src: resolved.conf.j2 dest: /etc/systemd/resolved.conf @@ -15,6 +17,7 @@ notify: restart systemd-resolved - name: template /etc/resolv.conf + become: true ansible.builtin.template: src: resolv.conf.j2 dest: /etc/resolv.conf diff --git a/roles/mgrote_systemd_resolved/templates/resolv.conf.j2 b/roles/mgrote_systemd_resolved/templates/resolv.conf.j2 index e9b784a9..936fdcc5 100644 --- a/roles/mgrote_systemd_resolved/templates/resolv.conf.j2 +++ b/roles/mgrote_systemd_resolved/templates/resolv.conf.j2 @@ -1,3 +1,3 @@ {{ file_header | default () }} -nameserver {{ nameserver }} +nameserver {{ systemd_resolved_nameserver }}