fix(security,common)!: moved sysctl and resolvconf tasks from common to security role to fix DNS resolution fail due to firewall rules

collections/ansible_collections/nullified/infrastructure/extensions/molecule/default/platform_vars.yml

@@ -1,4 +1,4 @@
 custom_base_user_account: 'vagrant'
 security_firewall_mangle_drop_privatenets: false
-common_configure_resolve_conf: true
+security_configure_resolve_conf: true
 global_ip_dualstack: false

collections/ansible_collections/nullified/infrastructure/roles/common/defaults/main.yml

@@ -2,7 +2,6 @@
 common_apt_packages: []
 common_apt_source_components: ["contrib", "non-free", "non-free-firmware"]
 common_apt_use_deb822_format: false
-common_configure_resolve_conf: false
 common_git_email: ""
 common_git_enabled: false
 common_git_force_sign: false
@@ -10,5 +9,4 @@ common_git_signing_key: ""
 common_git_username: ""
 common_github_token: "{{ custom_github_token | default('') }}"
 common_install_fonts: false
-common_sysctl_configuration: {}
 common_user_account: "{{ custom_base_user_account }}"

collections/ansible_collections/nullified/infrastructure/roles/common/handlers/main.yml

@@ -1,5 +1 @@
 ---
-- name: '[system] reload sysctl configuration'
-  become: true
-  ansible.builtin.command:
-    cmd: sysctl --system

collections/ansible_collections/nullified/infrastructure/roles/common/tasks/main.yml

@@ -1,35 +1,4 @@
 ---
-- name: '[system] setup DNS server'
-  block:
-    - name: disable resolv.conf updates from dhclient
-      ansible.builtin.copy:
-        dest: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
-        content: |
-          #!/bin/sh
-          make_resolv_conf(){
-            :
-          }
-        owner: root
-        group: root
-        mode: '0755'
-    - name: update resolv.conf
-      ansible.builtin.template:
-        src: ../templates/system/resolv.conf.j2
-        dest: /etc/resolv.conf
-        mode: '0644'
-        owner: root
-        group: root
-  become: true
-  when: common_configure_resolve_conf is truthy
-
-- name: '[system] re-allow DHCP client to setup DNS resolvers'
-  become: true
-  ansible.builtin.file:
-    path: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
-    state: absent
-  failed_when: false
-  when : common_configure_resolve_conf is falsy
-
 - name: '[apt] verify components of default sources'
   become: true
   block:
@@ -135,18 +104,6 @@
         cmds:
           - dpkg -i {asset_dirname}/{asset_filename}
 
-- name: '[system] add sysctl tweaks'
-  become: true
-  ansible.builtin.template:
-    src: ../templates/system/sysctld.local.conf.j2
-    dest: /etc/sysctl.d/local.conf
-    mode: '0644'
-  when: common_sysctl_configuration is truthy
-  vars:
-    sysctl_values: "{{ common_sysctl_configuration }}"
-  notify:
-    - 'common : [system] reload sysctl configuration'
-
 - name: '[apt] install custom packages'
   become: true
   ansible.builtin.apt:

collections/ansible_collections/nullified/infrastructure/roles/common/templates/system/sysctld.local.conf.j2

@@ -1,3 +0,0 @@
-{% for item in common_sysctl_configuration.keys() -%}
-    {{ item }} = {{ common_sysctl_configuration[item] }}
-{% endfor %}

collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml

@@ -2,6 +2,7 @@
 security_apt_force_https: true
 security_apt_https_ignore_list: []
 security_clamav_version: 1.3.1
+security_configure_resolve_conf: false
 security_firewall_enabled: true
 security_firewall_filter_policy_forward: drop
 security_firewall_filter_policy_input: drop
@@ -16,3 +17,4 @@ security_firewall_nat_policy_output: accept
 security_firewall_nat_policy_postrouting: accept
 security_firewall_nat_policy_prerouting: accept
 security_ssh_port: 22
+security_sysctl_configuration: {}

collections/ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml

@@ -44,3 +44,8 @@
   ansible.builtin.apt:
     update_cache: true
     force_apt_get: true
+
+- name: '[system] reload sysctl configuration'
+  become: true
+  ansible.builtin.command:
+    cmd: sysctl --system

collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml

@@ -4,6 +4,49 @@
     gather_subset:
       - distribution
 
+- name: '[system] setup DNS server'
+  block:
+    - name: disable resolv.conf updates from dhclient
+      ansible.builtin.copy:
+        dest: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
+        content: |
+          #!/bin/sh
+          make_resolv_conf(){
+            :
+          }
+        owner: root
+        group: root
+        mode: '0755'
+    - name: update resolv.conf
+      ansible.builtin.template:
+        src: ../templates/system/debian/resolv.conf.j2
+        dest: /etc/resolv.conf
+        mode: '0644'
+        owner: root
+        group: root
+  become: true
+  when: security_configure_resolve_conf is truthy
+
+- name: '[system] re-allow DHCP client to setup DNS resolvers'
+  become: true
+  ansible.builtin.file:
+    path: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
+    state: absent
+  failed_when: false
+  when : security_configure_resolve_conf is falsy
+
+- name: '[system] add sysctl tweaks'
+  become: true
+  ansible.builtin.template:
+    src: ../templates/system/debian/sysctld.local.conf.j2
+    dest: /etc/sysctl.d/local.conf
+    mode: '0644'
+  when: security_sysctl_configuration is truthy
+  vars:
+    sysctl_values: "{{ security_sysctl_configuration }}"
+  notify:
+    - 'security : [system] reload sysctl configuration'
+
 - ansible.builtin.include_tasks:
     file: firewall.yml
     apply:

collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/sysctld.local.conf.j2

@@ -0,0 +1,3 @@
+{% for item in security_sysctl_configuration.keys() -%}
+    {{ item }} = {{ security_sysctl_configuration[item] }}
+{% endfor %}

inventory/group_vars/external/vars.yml

@@ -2,3 +2,4 @@
 security_firewall_mangle_drop_privatenets: false
 global_dns_domainname: "{{ vault_global_dns_domainname }}"
 external_provisioner_source_ips: '{{ vault_external_provisioner_source_ips }}'
+security_configure_resolve_conf: true

inventory/host_vars/unobtainium/vars.yml

@@ -12,7 +12,7 @@ common_git_email: "{{ vault_common_gitconfig_email }}"
 common_git_force_sign: true
 common_git_signing_key: "{{ vault_common_gitconfig_signingkey }}"
 common_install_fonts: true
-common_sysctl_configuration:
+security_sysctl_configuration:
   'fs.inotify.max_user_watches': 1048576
   'vm.swappiness': 1
 

inventory/host_vars/unsepttrium/vars.yml

@@ -11,7 +11,7 @@ common_git_email: "{{ vault_common_gitconfig_email }}"
 common_git_force_sign: true
 common_git_signing_key: "{{ vault_common_gitconfig_signingkey }}"
 common_install_fonts: true
-common_sysctl_configuration:
+security_sysctl_configuration:
   'fs.inotify.max_user_watches': 1048576
   'vm.swappiness': 1