prod/ansible/playbooks/set-dns.yml


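---
# Configure DNS resolvers on Debian hosts.  Exactly one of three mechanisms is
# used per host, selected by the `when` guards below:
#   1. systemd-resolved  (unit present)            -> resolved.conf + stub symlink
#   2. resolvconf        (binary present, no resolved) -> resolv.conf.d/head
#   3. neither                                      -> write /etc/resolv.conf directly
- name: Configurer les DNS sur Debian
  hosts: all
  become: true
  vars:
    # Resolvers pushed to every host, in priority order.
    dns_servers: ["1.1.1.1", "8.8.8.8"]

  tasks:
    - name: Valider la liste dns_servers
      # The values are interpolated verbatim into resolver config files, so
      # refuse an empty list (the host would be left without resolvers) and
      # anything that is not a bare IPv4/IPv6 literal (no hostnames, options
      # or shell/Jinja metacharacters).
      ansible.builtin.assert:
        that:
          - dns_servers | length > 0
          - dns_servers | reject('match', '^[0-9A-Fa-f.:]+$') | list | length == 0
        fail_msg: "dns_servers doit être une liste non vide d'adresses IP: {{ dns_servers }}"
        quiet: true

    - name: Récupérer l'état des services
      # Populates ansible_facts.services so we can tell whether the
      # systemd-resolved unit exists and whether it is running.
      ansible.builtin.service_facts:

    - name: Déterminer si systemd-resolved est actif
      ansible.builtin.set_fact:
        # Unit known to systemd at all (installed), whatever its state.
        has_resolved_unit: "{{ 'systemd-resolved.service' in ansible_facts.services }}"
        # Unit present AND currently running.  The `and` short-circuits, so the
        # dict lookup is only evaluated when the key exists.
        has_resolved: "{{ ('systemd-resolved.service' in ansible_facts.services) and (ansible_facts.services['systemd-resolved.service'].state in ['running', 'started']) }}"

    - name: Déterminer si le binaire resolvconf est présent
      # NOTE(review): the Debian resolvconf package installs the binary under
      # /sbin; /usr/sbin only resolves on merged-/usr hosts — confirm this path
      # matches every release in the fleet.
      ansible.builtin.stat:
        path: /usr/sbin/resolvconf
      register: resolvconf_bin

    # === Path 1: systemd-resolved ===
    - name: Activer systemd-resolved si présent mais inactif
      when: has_resolved_unit and not has_resolved
      ansible.builtin.systemd:
        name: systemd-resolved
        state: started
        enabled: true

    - name: (resolved) Définir les DNS dans /etc/systemd/resolved.conf
      when: has_resolved_unit
      ansible.builtin.ini_file:
        path: /etc/systemd/resolved.conf
        section: Resolve
        option: DNS
        # resolved.conf takes a space-separated list on a single DNS= line.
        value: "{{ dns_servers | join(' ') }}"
        no_extra_spaces: true
        owner: root
        group: root
        mode: "0644"
      notify: Restart systemd-resolved

    - name: (resolved) S'assurer que /etc/resolv.conf pointe vers le stub de systemd
      when: has_resolved_unit
      ansible.builtin.file:
        path: /etc/resolv.conf
        state: link
        # force is required because /etc/resolv.conf is normally a regular
        # file (or a different symlink) before this play runs.
        force: true
        src: /run/systemd/resolve/stub-resolv.conf
      notify: Restart systemd-resolved

    # === Path 2: resolvconf (if installed) ===
    - name: (resolvconf) Injecter les serveurs DNS dans /etc/resolvconf/resolv.conf.d/head
      when: resolvconf_bin.stat.exists and not has_resolved_unit
      ansible.builtin.blockinfile:
        path: /etc/resolvconf/resolv.conf.d/head
        create: true
        owner: root
        group: root
        mode: "0644"
        block: |
          {% for s in dns_servers %}
          nameserver {{ s }}
          {% endfor %}
      notify: Rebuild resolvconf

    # === Path 3: direct /etc/resolv.conf fallback ===
    - name: (fallback) Écrire directement /etc/resolv.conf si ni resolved ni resolvconf
      when: not has_resolved_unit and not resolvconf_bin.stat.exists
      ansible.builtin.copy:
        dest: /etc/resolv.conf
        owner: root
        group: root
        mode: "0644"
        content: |
          {% for s in dns_servers %}
          nameserver {{ s }}
          {% endfor %}

  handlers:
    # Both handlers below fire on `notify: Restart systemd-resolved`; they run
    # in definition order, so the restart always precedes the cache flush.
    - name: Restart systemd-resolved
      ansible.builtin.systemd:
        name: systemd-resolved
        state: restarted

    - name: Flush systemd-resolved caches
      listen: Restart systemd-resolved
      # Best effort, as the original `|| true` intended: resolvectl may be
      # missing on older releases and a failed flush must not fail the play.
      ansible.builtin.command: resolvectl flush-caches
      changed_when: false
      failed_when: false

    - name: Rebuild resolvconf
      ansible.builtin.command: resolvconf -u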