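---
# Point every host at the keepalived DNS VIP over strict DNS-over-TLS, with the
# individual ns nodes and public resolvers as fallbacks, and keep dhclient from
# overwriting /etc/resolv.conf behind systemd-resolved's back.
- name: make resolv.conf work fine
  hosts: all
  become: true
  tasks:
    # NOTE(review): on distributions where resolved ships inside the systemd
    # package itself this package name may not exist — confirm per target OS.
    - name: Install the packages versions
      ansible.builtin.package:
        name:
          - systemd-resolved
        state: present

    # DNSOverTLS=strict below validates the resolver certificate against the
    # system trust store, so a stale store makes lookups fail closed. If the
    # resolver certificate is issued by a private CA, that CA must also be
    # installed — this play does not do that.
    - name: Ensure system CA certificates are up to date
      ansible.builtin.package:
        name: ca-certificates
        state: latest

    # The registered result drives the conditional restart at the end of the play.
    - name: Make small file
      register: systemd_resolved_conf
      ansible.builtin.copy:
        dest: "/etc/systemd/resolved.conf"
        content: |
          [Resolve]
          # Направляем основной трафик на VIP keepalived и привязываем к домену серта
          DNS=192.168.0.88#buenos-dias.guaranteedstruggle.host
          # В фолбэки шлём прямые IP нод ns1 и ns2 на случай, если сам keepalived моргнёт
          FallbackDNS=192.168.0.86#buenos-dias.guaranteedstruggle.host 192.168.0.87#buenos-dias.guaranteedstruggle.host 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google
          # Ваши локальные домены (БЕЗ ЗАПЯТЫХ! Строго через пробел)
          Domains=guaranteedstruggle.host just-for-me.internal
          # Включаем DoT в строгом (strict) режиме для защиты от утечек
          DNSOverTLS=strict
          DNSStubListener=yes

    # dhclient sources the enter hooks and later calls make_resolv_conf(); an
    # empty definition stops it from rewriting /etc/resolv.conf. The hooks
    # directory belongs to the DHCP client package — presumably present on
    # these hosts; copy fails if it is missing. Nothing here links
    # /etc/resolv.conf to the resolved stub file — confirm that is done elsewhere.
    - name: Make fix for resolv-conf rewriting
      ansible.builtin.copy:
        dest: "/etc/dhcp/dhclient-enter-hooks.d/nodnsupdate"
        content: |
          #!/bin/sh
          make_resolv_conf(){
              :
          }
        # Absolute, quoted mode: the former relative "+x" left the result
        # dependent on whatever permissions the file already had.
        mode: "0755"

    # Restart only when the configuration actually changed, so repeated runs do
    # not bounce the resolver (and drop in-flight lookups) for nothing.
    - name: restart service
      ansible.builtin.service:
        name: systemd-resolved
        state: restarted
      when: systemd_resolved_conf.changed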