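# Managed by Ansible. DNS allowlist resolver for Actions runners.
# Bound only to the dedicated Actions Docker bridge; dnsmasq inserts
# successful allowlisted resolutions into the ipset enforced by
# shithub-runner-firewall.service.
#
# Enforcement model: no-resolv together with the absence of a catch-all
# server= line means only names under an allowlisted domain have an
# upstream at all; any other query has nowhere to be forwarded and fails,
# and the ipset only ever receives addresses this resolver obtained.

# Listen on the bridge address only (bind-interfaces keeps dnsmasq off the
# wildcard socket, so it is not reachable from other host interfaces).
interface={{ shithub_runner_network_bridge }}
listen-address={{ shithub_runner_network_gateway }}
bind-interfaces
# Never forward dot-less names, nor reverse lookups for private ranges.
domain-needed
bogus-priv
# Ignore /etc/resolv.conf and /etc/hosts: the allowlist below is the only
# source of upstreams, and host name data must not be visible to runners.
no-resolv
no-hosts

{# The allowlist may be supplied as a comma-separated string or as a list.
   A string is split and each entry trimmed; a list is used as given. #}
{% if shithub_runner_network_allowlist is string %}
{% set allowlist = shithub_runner_network_allowlist.split(",") | map("trim") | list %}
{% else %}
{% set allowlist = shithub_runner_network_allowlist %}
{% endif %}
{# A leading "*." is dropped because server=/example.com/ already matches
   example.com and every name beneath it. That also means every subdomain
   of an allowlisted domain becomes reachable, so entries should be kept
   as narrow as the runners actually need.
   Entries that end up empty (a trailing comma, or a bare "*.") are
   skipped: dnsmasq gives server=// a special meaning (unqualified names),
   which an accidental empty entry never intends.
   NOTE(review): an entry containing "/" would be read by dnsmasq as
   additional domain separators; the variable is operator-supplied, so
   this is only noted here, not filtered.
   NOTE(review): a single ipset holds one address family and dnsmasq does
   not expire the entries it adds; if the bridge has IPv6 egress or stale
   addresses matter, confirm shithub-runner-firewall.service handles
   both (dnsmasq accepts a comma-separated list of sets). #}
{% for pattern in allowlist %}
{% set host = (pattern[2:] if pattern.startswith("*.") else pattern) %}
{% if host %}
server=/{{ host }}/{{ shithub_runner_dnsmasq_upstream }}
ipset=/{{ host }}/{{ shithub_runner_ipset_name }}
{% endif %}
{% endfor %}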