diff --git a/roles/dns/tasks/ubuntu.yml b/roles/dns/tasks/ubuntu.yml
index fc9bbca7..c13084ec 100644
--- a/roles/dns/tasks/ubuntu.yml
+++ b/roles/dns/tasks/ubuntu.yml
@@ -82,8 +82,15 @@
     - restart dnscrypt-proxy.socket
     - restart dnscrypt-proxy
 
-- name: Ubuntu | Flush handlers to restart socket if needed
-  meta: flush_handlers
+- name: Ubuntu | Reload systemd daemon after socket configuration
+  systemd:
+    daemon_reload: true
+  when: socket_override.changed
+
+- name: Ubuntu | Restart dnscrypt-proxy socket to apply configuration
+  systemd:
+    name: dnscrypt-proxy.socket
+    state: restarted
   when: socket_override.changed
 
 - name: Ubuntu | Add custom requirements to successfully start the unit
diff --git a/roles/privacy/tasks/advanced_privacy.yml b/roles/privacy/tasks/advanced_privacy.yml
index 9e1f0a72..c3614bfe 100644
--- a/roles/privacy/tasks/advanced_privacy.yml
+++ b/roles/privacy/tasks/advanced_privacy.yml
@@ -12,15 +12,6 @@
     - { name: 'kernel.dmesg_restrict', value: '1' }
   when: privacy_advanced.reduce_kernel_verbosity | bool
 
-- name: Disable BPF JIT if available (optional security hardening)
-  sysctl:
-    name: net.core.bpf_jit_enable
-    value: '0'
-    state: present
-    reload: yes
-  when: privacy_advanced.reduce_kernel_verbosity | bool
-  ignore_errors: yes
-
 - name: Configure kernel parameters for privacy
   lineinfile:
     path: /etc/sysctl.d/99-privacy.conf
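Review bot: The two added tasks share one trigger and can be a single task: the `systemd` module accepts `daemon_reload: true` alongside `name`/`state`, so add `daemon_reload: true` under the restart task's `systemd:` args and drop the standalone reload task. With `meta: flush_handlers` removed, the `restart dnscrypt-proxy.socket` handler still notified in the context lines at the top of the hunk will restart the socket a second time when handlers run at the end of the play, and the `restart dnscrypt-proxy` service handler now runs only then rather than before the tasks that follow, which changes ordering if any of them relied on the restarted service; if the explicit restart is the intended path, that socket notify looks redundant. The restart also runs before the next task, `Ubuntu | Add custom requirements to successfully start the unit` — if those requirements apply to the socket unit, this restart may fail or bring the socket up without them, so consider moving it after that task. Keeping the restart without `ignore_errors` is right: a socket that fails to come up should stop the play rather than presumably leave the host without its configured resolver.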
@@ -31,18 +22,8 @@
     - "# Privacy enhancements - reduce kernel logging"
     - "kernel.printk = 3 4 1 3"
     - "kernel.dmesg_restrict = 1"
-    - "# Note: net.core.bpf_jit_enable may not be available on all kernels"
   when: privacy_advanced.reduce_kernel_verbosity | bool
 
-- name: Add BPF JIT disable to sysctl config if kernel supports it
-  lineinfile:
-    path: /etc/sysctl.d/99-privacy.conf
-    line: "net.core.bpf_jit_enable = 0 # Disable BPF JIT to reduce attack surface"
-    create: yes
-    mode: '0644'
-  when: privacy_advanced.reduce_kernel_verbosity | bool
-  ignore_errors: yes
-
 - name: Configure journal settings for privacy
   lineinfile:
     path: /etc/systemd/journald.conf