| 1 | # Managed by Ansible. Optional DNS allowlist resolver for Actions runners. |
| 2 | # |
| 3 | # Pair this with a Docker bridge/network that uses this resolver as its only |
| 4 | # DNS server. This controls name resolution, not direct-IP egress; enforce |
| 5 | # direct-IP denial with host firewall rules on the runner bridge. |
| 6 | |
| | # Never forward single-label names (no dot) to the upstream resolver. |
| 7 | domain-needed |
| | # Reverse lookups for private address ranges that are not known locally get |
| | # "no such domain" instead of being forwarded upstream. |
| 8 | bogus-priv |
| | # Do not read /etc/resolv.conf; upstreams come only from the server= lines below. |
| 9 | no-resolv |
| | # Do not read /etc/hosts, so host-file entries cannot add resolvable names. |
| 10 | no-hosts |
| 11 | |
| | # One server=/<domain>/<upstream> line is rendered per allowlist entry; a |
| | # leading "*." is stripped first. dnsmasq matches <domain> and every name |
| | # beneath it, so "example.com" and "*.example.com" render the same rule and |
| | # an exact entry also permits all of its subdomains. |
| | # No catch-all server= line is rendered here, so names outside the allowlist |
| | # have no upstream in this file. NOTE(review): confirm on the deployed |
| | # dnsmasq version, and against any other loaded config files, that such |
| | # queries are refused. |
| | # NOTE(review): entries are interpolated without validation; an empty entry |
| | # or one containing "/" or whitespace renders a different directive than |
| | # intended. Presumably the variable is operator-controlled; verify, or |
| | # assert a hostname pattern in the role. |
| 12 | {% for pattern in shithub_runner_network_allowlist %} |
| 13 | {% set host = (pattern[2:] if pattern.startswith("*.") else pattern) %} |
| 14 | server=/{{ host }}/{{ shithub_runner_dnsmasq_upstream }} |
| 15 | {% endfor %} |
| 16 |