Initial import; migrate some roles from irl.wip

2025-10-31 22:36:32 +00:00 · 2025-10-31 22:36:32 +00:00 · 2ba6c6691b
commit 2ba6c6691b
44 changed files with 1573 additions and 0 deletions
--- a/roles/baseline/tasks/dns_resolver.yml
+++ b/roles/baseline/tasks/dns_resolver.yml
@ -0,0 +1,46 @@
+---
+- name: DNS Resolver | PATCH | Install systemd-resolved
+  ansible.builtin.dnf:
+    name: systemd-resolved
+    state: latest
+
+- name: DNS Resolver | PATCH | Ensure systemd-resolved is in use
+  ansible.builtin.systemd_service:
+    name: systemd-resolved
+    state: started
+    enabled: true
+    masked: false
+
+- name: DNS Resolver | PATCH | Remove loopback address entries containing the hostname from /etc/hosts
+  ansible.builtin.lineinfile:
+    path: /etc/hosts
+    regexp: '^(127\.0\.0\.1|::1)\s.*{{ inventory_hostname }}'
+    state: absent
+
+- name: DNS Resolver | PATCH | Enable DNSSEC and disable unwanted resolved features
+  ansible.builtin.copy:
+    src: resolved.conf
+    dest: /etc/systemd/resolved.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify: "Restart systemd-resolved"
+  become: true
+
+- name: DNS Resolver | PATCH | Ensure /etc/systemd/system/systemd-resolved.service.d exists
+  ansible.builtin.file:
+    path: /etc/systemd/system/systemd-resolved.service.d
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: DNS Resolver | PATCH | Disable resolved record synthesising
+  ansible.builtin.copy:
+    src: systemd-resolved-override.conf
+    dest: /etc/systemd/system/systemd-resolved.service.d/override.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify: "Restart systemd-resolved"
+  become: true