deactivate systemd-resolved

and replaced paths with global vars
2022-03-24 11:50:54 +01:00
parent 6b974c5633
commit 45652aebe3
12 changed files with 57 additions and 21 deletions
--- a/groups_vars/all
+++ b/groups_vars/all
@@ -0,0 +1 @@
+snmpd_conf: /etc/snmp/snmpd.conf
--- a/roles/database/tasks/configure_snmpd.yml
+++ b/roles/database/tasks/configure_snmpd.yml
@@ -44,7 +44,7 @@

 - name: database | snmpd | configure extend
  lineinfile:
-    path: "/etc/snmp/snmpd.conf"
+    path: "{{ snmpd_conf }}"
    state: present
    line: "extend postgres /usr/bin/sudo -u postgres /etc/snmp/postgres"
    insertafter: "# SECTION: Extends"
@@ -53,7 +53,7 @@

 - name: database | snmpd | configure extend
  lineinfile:
-    path: "/etc/snmp/snmpd.conf"
+    path: "{{ snmpd_conf }}"
    state: present
    line: "extend mysql /etc/snmp/mysql"
    insertafter: "# SECTION: Extends"
--- a/roles/nameserver/tasks/configure_bind_snmpd.yml
+++ b/roles/nameserver/tasks/configure_bind_snmpd.yml
@@ -28,16 +28,16 @@

 - name: nameserver | snmpd | configure named for statistics
  lineinfile:
-    path: "/etc/bind/named.conf.options" # required. The file to modify. Before Ansible 2.3 this option was only usable as I(dest), I(destfile) and I(name).
+    path: "{{ named_conf_options }}" # required. The file to modify. Before Ansible 2.3 this option was only usable as I(dest), I(destfile) and I(name).
    state: present
    line: 'statistics-file "/var/cache/bind/stats"; zone-statistics yes;'
-    insertafter: "options {"
+    insertbefore: "};"
    validate: /usr/sbin/named-checkconf %s
  notify: restart_named

 - name: nameserver | snmpd | configure extend
  lineinfile:
-    path: "/etc/snmp/snmpd.conf"
+    path: "{{ snmpd_conf }}"
    state: present
    line: "extend bind /etc/snmp/bind"
    insertafter: "# SECTION: Extends"
--- a/roles/nameserver/tasks/configure_unbound_snmpd.yml
+++ b/roles/nameserver/tasks/configure_unbound_snmpd.yml
@@ -8,7 +8,7 @@

 - name: nameserver | snmpd | configure extend
  lineinfile:
-    path: "/etc/snmp/snmpd.conf"
+    path: "{{ snmpd_conf }}"
    state: present
    line: "extend unbound /usr/bin/sudo /etc/snmp/unbound"
    insertafter: "# SECTION: Extends"
--- a/roles/nameserver/tasks/disable-systemd-resolved.yml
+++ b/roles/nameserver/tasks/disable-systemd-resolved.yml
@@ -0,0 +1,22 @@
+- name: nameserver | systemd-resolved | edit config
+  lineinfile:
+    path: "/etc/systemd/resolved.conf"
+    regexp: "^.*DNSStubListener=.*$"
+    state: present
+    line: "DNSStubListener=no"
+
+- name: nameserver | systemd-resolved | stop and disable service
+  service:
+    name: "systemd-resolved"
+    state: stopped
+    enabled: false
+
+- name: nameserver | systemd-resolved | remove /etc/resolv.conf (symlink)
+  file:
+    path: "/etc/resolv.conf"
+    state: absent
+
+- name: nameserver | systemd-resolved | create new /etc/resolv.conf
+  copy:
+    dest: "/etc/resolv.conf"
+    content: nameserver 127.0.0.1
--- a/roles/nameserver/tasks/install_unbound.yml
+++ b/roles/nameserver/tasks/install_unbound.yml
@@ -10,4 +10,5 @@
    mode: "0644"
    owner: "root"
    group: "root"
+    verify: "unbound-checkconf /etc/unbound/unbound.conf.d/network.conf"
  notify: restart_unbound
--- a/roles/nameserver/tasks/main.yml
+++ b/roles/nameserver/tasks/main.yml
@@ -3,14 +3,11 @@
  tags: always

 - block:
-  - debug:
-      msg: Debug
+  - name: nameserver | unbound | disable systemd-resolved
+    include_tasks: disable-systemd-resolved.yml
+    when: bind == true or unbound == true

-  # # import role
-  # - import_role:
-  #     name:  # required. The name of the role to be executed.
  - block:
-    # install software
    - include_tasks: install_bind.yml
    - include_tasks: configure_bind_snmpd.yml
    rescue:
--- a/roles/nameserver/vars/Archlinux.yml
+++ b/roles/nameserver/vars/Archlinux.yml
@@ -1,3 +1,8 @@
 bind_package: bind
 unbound_package: unbound
-perl_readbackwards: perl-file-readbackwards
+perl_readbackwards: perl-file-readbackwards
+
+# named / bind specific
+named_conf_zones: /etc/named.conf
+named_conf_options: /etc/named.conf
+named_conf_local: /etc/named.conf
--- a/roles/nameserver/vars/Debian.yml
+++ b/roles/nameserver/vars/Debian.yml
@@ -1,3 +1,8 @@
 bind_package: bind9
 unbound_package: unbound
-perl_readbackwards: libfile-readbackwards-perl
+perl_readbackwards: libfile-readbackwards-perl
+
+# named / bind specific
+named_conf_zones: /etc/bind/named.conf.default-zones
+named_conf_options: /etc/bind/named.conf.options
+named_conf_local: /etc/bind/named.conf.local
--- a/roles/nameserver/vars/Ubuntu.yml
+++ b/roles/nameserver/vars/Ubuntu.yml
@@ -1,3 +1,8 @@
 bind_package: bind9
 unbound_package: unbound
-perl_readbackwards: libfile-readbackwards-perl
+perl_readbackwards: libfile-readbackwards-perl
+
+# named / bind specific
+named_conf_zones: /etc/bind/named.conf.default-zones
+named_conf_options: /etc/bind/named.conf.options
+named_conf_local: /etc/bind/named.conf.local
--- a/roles/server/tasks/utilities/snmpd.yml
+++ b/roles/server/tasks/utilities/snmpd.yml
@@ -17,7 +17,7 @@

 - name: server | snmpd | insert anchors to snmpd.conf
  blockinfile:
-    path: "/etc/snmp/snmpd.conf"
+    path: "{{ snmpd_conf }}"
    marker: "# {mark} ANSIBLE MANAGED BLOCK" # not required. The marker line template. C({mark}) will be replaced with the values C(in marker_begin) (default="BEGIN") and C(marker_end) (default="END"). Using a custom marker without the C({mark}) variable may result in the block being repeatedly inserted on subsequent playbook runs.
    block: |
      ################################################################################
@@ -35,13 +35,13 @@

 - name: server | snmpd | setup ACLs
  lineinfile:
-    path: "/etc/snmp/snmpd.conf" # required. The file to modify. Before Ansible 2.3 this option was only usable as I(dest), I(destfile) and I(name).
+    path: "{{ snmpd_conf }}" # required. The file to modify. Before Ansible 2.3 this option was only usable as I(dest), I(destfile) and I(name).
    line: "rouser {{snmp_user }} authpriv"
    insertafter: "# SECTION: custom settings"

 - name: server | snmpd | enable service on wireguard interface
  lineinfile:
-    path: "/etc/snmp/snmpd.conf"
+    path: "{{ snmpd_conf }}"
    regexp: "^agentaddress.*$"
    state: present
    line: "agentaddress 127.0.0.1,{{ wg_local_ip | ipaddr('address') }},[::1]"
@@ -49,7 +49,7 @@

 - name: server | snmpd | enable service on all interfaces
  lineinfile:
-    path: "/etc/snmp/snmpd.conf"
+    path: "{{ snmpd_conf }}"
    regexp: "^agentaddress.*$"
    state: present
    line: "agentaddress udp:161,udp6:[::1]:161"
@@ -63,7 +63,7 @@

 - name: server | snmpd | configure extends
  lineinfile:
-    path: "/etc/snmp/snmpd.conf"
+    path: "{{ snmpd_conf }}"
    state: present
    line: "extend {{ item.service }} '{{ item.script }}'"
    insertafter: "# SECTION: custom settings"
--- a/roles/webserver/tasks/configure_nginx_snmpd.yml
+++ b/roles/webserver/tasks/configure_nginx_snmpd.yml
@@ -8,7 +8,7 @@

 - name: webserver | snmpd | configure extend
  lineinfile:
-    path: "/etc/snmp/snmpd.conf"
+    path: "{{ snmpd_conf }}"
    state: present
    line: "extend nginx /etc/snmp/nginx"
    insertafter: "# SECTION: custom settings"