From 5b7af48dd298fa64074a280e8ec8f5b7863d80ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20Gonz=C3=A1lez?=
Date: Mon, 18 Nov 2024 01:17:15 +0100
Subject: [PATCH] chore(common): install `libnss-resolve` for better integration with resolved

This makes applications that use the glibc getaddrbyname and similar APIs that fall back to glibc NSS talk directly to systemd-resolved through Unix sockets instead of falling back to its stub DNS resolver over UDP on the loopback interface, which is more efficient and reliable, as no firewall rules can block such communication.
---
 roles/common/tasks/main.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 5f0bb29..cd13d57 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -23,6 +23,9 @@
 # Necessary for Ansible:
 # https://docs.ansible.com/ansible-core/2.14/playbook_guide/playbooks_privilege_escalation.html#risks-of-becoming-an-unprivileged-user
 - acl
+# Letting glibc NSS use systemd-resolved for DNS resolution is more robust and efficient,
+# as otherwise a fallback to UDP DNS packets over the loopback interface is done
+- libnss-resolve
 install_recommends: false
 update_cache: true
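Review bot: Installing `libnss-resolve` on its own does not make glibc consult systemd-resolved; that is decided by the `hosts:` line of `/etc/nsswitch.conf`, which this hunk neither sets nor checks, so the robustness the new comment promises is not enforced by the role. The Debian/Ubuntu package's maintainer scripts are expected to insert `resolve [!UNAVAIL=return]` before `dns`, but a follow-up task that asserts this (for example an `ansible.builtin.lineinfile` over `/etc/nsswitch.conf` matching `^hosts:`) would make the intent explicit and would also keep the `[!UNAVAIL=return]` action in place, without which lookups can still fall through to whatever `dns` servers `/etc/resolv.conf` names. The change also presumes `systemd-resolved` is enabled and running on every host this role targets; nothing in the hunk shows that, so the assumption belongs in the added comment, e.g. `# assumes systemd-resolved is active; otherwise NSS falls back to dns`. The `apt` task that owns this package list starts outside the hunk.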