fix: deep analysis audit — no_log, resolv.conf, service conflicts, lint

2026-02-20 18:34:59 +01:00
parent 09b3ed44ba
commit b6d06dd96d
17 changed files with 66 additions and 20 deletions
--- a/roles/bootstrap/tasks/debian.yml
+++ b/roles/bootstrap/tasks/debian.yml
@@ -55,6 +55,18 @@
      register: bootstrap_debian_base_result
      changed_when: bootstrap_debian_base_result.rc == 0

+    - name: Generate resolv.conf for chroot
+      ansible.builtin.copy:
+        content: |
+          {% for ns in system_cfg.network.dns.servers | default(['1.1.1.1', '8.8.8.8']) %}
+          nameserver {{ ns }}
+          {% endfor %}
+          {% if system_cfg.network.dns.search | default([]) | length > 0 %}
+          search {{ system_cfg.network.dns.search | join(' ') }}
+          {% endif %}
+        dest: /mnt/etc/resolv.conf
+        mode: "0644"
+
    - name: Install extra packages
      when: bootstrap_debian_extra_packages | length > 0
      ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_debian_extra_args }}"
--- a/roles/bootstrap/tasks/ubuntu.yml
+++ b/roles/bootstrap/tasks/ubuntu.yml
@@ -47,11 +47,16 @@
      register: bootstrap_ubuntu_base_result
      changed_when: bootstrap_ubuntu_base_result.rc == 0

-    - name: Ensure chroot has resolv.conf
+    - name: Generate resolv.conf for chroot
      ansible.builtin.copy:
-        src: /etc/resolv.conf
+        content: |
+          {% for ns in system_cfg.network.dns.servers | default(['1.1.1.1', '8.8.8.8']) %}
+          nameserver {{ ns }}
+          {% endfor %}
+          {% if system_cfg.network.dns.search | default([]) | length > 0 %}
+          search {{ system_cfg.network.dns.search | join(' ') }}
+          {% endif %}
        dest: /mnt/etc/resolv.conf
-        remote_src: true
        mode: "0644"

    - name: Enable universe repository