remove systemd-resolved, restart docker-compose services

group_vars/all.yml

@@ -4,15 +4,7 @@ nijika_ip: '100.64.0.2'
 
 nameserver_ip: '10.155.0.1'
 
-dns_servers:
-  - "{{ nameserver_ip }}"
-  - '1.1.1.1'
-  - '1.0.0.1'
-dns_dnssec: true
-dns_domains: ["simponic.xyz"]
-dns_stub_listener: false
-
 step_bootstrap_fingerprint: '2de0c420e3b6f9f8e47f325de908b2b2d395d3bc7e49ed9b672ce9be89bea1bf'
 step_bootstrap_ca_url: 'ca.internal.simponic.xyz'
-step_acme_cert_contact: 'elizabeth.hunt@simponic.xyz'
+step_acme_cert_contact: 'elizabeth@simponic.xyz'
 step_ca_port: 5239

group_vars/ca.yml

@@ -1,6 +1,6 @@
 ---
 step_ca_root_password: "{{ lookup('env', 'STEP_CA_ROOT_PASSWORD') }}"
 step_ca_intermediate_password: "{{ lookup('env', 'STEP_CA_INTERMEDIATE_PASSWORD') }}"
-step_ca_dns: "{{ step_bootstrap_ca_url }}, {{ johan_ip }}, {{ nameserver_ip }}"
+step_ca_dns: "{{ nameserver_ip }}, {{ step_bootstrap_ca_url }}"
 step_ca_name: Simponic Internal CA
 step_ca_address: ":{{ step_ca_port }}"

roles/common/files/docker-compose@.service

@@ -4,10 +4,13 @@ Requires=docker.service
 After=docker.service
 
 [Service]
-Type=oneshot
+Type=simple
+Restart=always
+RestartSec=3
 RemainAfterExit=true
 WorkingDirectory=/etc/docker/compose/%i
-ExecStart=/usr/bin/docker compose up -d --remove-orphans
+ExecStartPre=/usr/bin/docker compose pull
+ExecStart=/usr/bin/docker compose up --detach --remove-orphans
 ExecStop=/usr/bin/docker compose down
 
 [Install]

roles/common/tasks/main.yml

@@ -113,25 +113,3 @@
 
 - name: restart fail2ban
   service: name=fail2ban state=restarted enabled=yes
-
-# DNS
-- name: install systemd-resolved
-  apt: name=systemd-resolved state=latest
-
-- name: Check if systemd-resolved config exists
-  ansible.builtin.stat:
-    path: /etc/systemd/resolved.conf
-  register: systemd_resolved_config
-  check_mode: false
-
-- name: Update DNS servers for systemd-resolvd
-  ansible.builtin.include_tasks:
-    file: 'systemd-resolved.yml'
-  when: systemd_resolved_config.stat.exists | bool
-
-- name: Check if systemd-resolved runs
-  ansible.builtin.shell: pgrep systemd-resolve
-  failed_when: false
-  changed_when: false
-  register: systemd_resolved_running
-  check_mode: false

roles/common/tasks/systemd-resolved.yml

@@ -1,70 +0,0 @@
----
-- name: Add DNS servers
-  community.general.ini_file:
-    path: /etc/systemd/resolved.conf
-    section: Resolve
-    option: DNS
-    value: '{{ dns_servers[0] }}'
-    mode: '0644'
-    no_extra_spaces: true
-  register: conf_dns
-  when: dns_servers | length > 0
-
-- name: Add DNS fallback server
-  community.general.ini_file:
-    path: /etc/systemd/resolved.conf
-    section: Resolve
-    option: FallbackDNS
-    value: '{{ dns_servers[1] }}'
-    mode: '0644'
-    no_extra_spaces: true
-  register: conf_fallbackdns
-  when: dns_servers | length > 1
-
-- name: Enable DNSSEC
-  community.general.ini_file:
-    path: /etc/systemd/resolved.conf
-    section: Resolve
-    option: DNSSEC
-    value: '{{ "yes" if dns_dnssec else "no" }}'
-    mode: '0644'
-    no_extra_spaces: true
-  register: conf_dnssec
-
-- name: Add search domains
-  community.general.ini_file:
-    path: /etc/systemd/resolved.conf
-    section: Resolve
-    option: Domains
-    value: '{{ dns_domains | join(" ") }}'
-    mode: '0644'
-    no_extra_spaces: true
-  register: conf_domains
-
-- name: stub listener
-  community.general.ini_file:
-    path: /etc/systemd/resolved.conf
-    section: Resolve
-    option: DNSStubListener
-    value: '{{ "yes" if dns_stub_listener else "no" }}'
-    mode: '0644'
-    no_extra_spaces: true
-  register: conf_domains
-
-- name: Check if systemd-resolve runs
-  ansible.builtin.shell: pgrep systemd-resolve
-  failed_when: false
-  changed_when: false
-  register: systemd_resolved_running
-  check_mode: false
-
-- name: Reload systemd-resolved
-  ansible.builtin.systemd:
-    name: systemd-resolved
-    state: restarted
-  when:
-    - conf_dns is changed or
-      conf_fallbackdns is changed or
-      conf_dnssec is changed or
-      conf_domains is changed
-    - systemd_resolved_running.rc == 0