From b6421aae65046c1660709ec6807c17e70170d25f Mon Sep 17 00:00:00 2001
From: Lukas Lihotzki
Date: Wed, 9 Oct 2024 18:29:44 +0200
Subject: [PATCH] feat(resolved): add role
---
roles/systemd_resolved/defaults/main.yml | 4 +++
roles/systemd_resolved/handlers/main.yml | 6 +++++
roles/systemd_resolved/tasks/main.yml | 34 ++++++++++++++++++++++++
3 files changed, 44 insertions(+)
create mode 100644 roles/systemd_resolved/defaults/main.yml
create mode 100644 roles/systemd_resolved/handlers/main.yml
create mode 100644 roles/systemd_resolved/tasks/main.yml
diff --git a/roles/systemd_resolved/defaults/main.yml b/roles/systemd_resolved/defaults/main.yml
new file mode 100644
index 0000000..ba0c82f
--- /dev/null
+++ b/roles/systemd_resolved/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+systemd_resolved_dns_servers:
+ - 1.1.1.1
+ - 9.9.9.9
diff --git a/roles/systemd_resolved/handlers/main.yml b/roles/systemd_resolved/handlers/main.yml
new file mode 100644
index 0000000..d3cf046
--- /dev/null
+++ b/roles/systemd_resolved/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart resolved
+ ansible.builtin.systemd:
+ name: systemd-resolved
+ state: restarted
+ listen: restart resolved
diff --git a/roles/systemd_resolved/tasks/main.yml b/roles/systemd_resolved/tasks/main.yml
new file mode 100644
index 0000000..66d87c1
--- /dev/null
+++ b/roles/systemd_resolved/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: Install resolved
+ ansible.builtin.package:
+ name: systemd-resolved
+
+- name: Configure DNS server
+ ansible.builtin.lineinfile:
+ path: /etc/systemd/resolved.conf
+ regexp: '^#?DNS='
+ insertafter: [Resolve]
+ line: 'DNS={{ systemd_resolved_dns_servers | join(" ") }}'
+ notify: restart resolved
+
+- name: Enable DNSSEC
+ ansible.builtin.lineinfile:
+ path: /etc/systemd/resolved.conf
+ regexp: '^#?DNSSEC='
+ insertafter: [Resolve]
+ line: DNSSEC=yes
+ notify: restart resolved
+
+- name: Enable resolved
+ ansible.builtin.systemd:
+ name: systemd-resolved
+ masked: false
+ enabled: true
+ state: started
+
+- name: Use resolved
+ ansible.builtin.file:
+ src: /run/systemd/resolve/stub-resolv.conf
+ dest: /etc/resolv.conf
+ state: link
+ force: true
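Review bot: `insertafter: [Resolve]` in the "Configure DNS server" and "Enable DNSSEC" tasks does not anchor on the section header. Unquoted, YAML reads `[Resolve]` as a one-item flow sequence rather than a string, and even as a string it would be a regex character class, not a literal match. The fallback only applies when `resolved.conf` has no existing `DNS=` or `DNSSEC=` line, commented or not. In that case the new line is presumably placed after whichever line the coerced pattern matches last, so the DNS and DNSSEC settings may not end up where the role intends. Quote and escape it in both tasks: `insertafter: '^\[Resolve\]'`.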