Use unbound for DNS and disable resolved when unbound is used

We don't need resolved and it is sometimes buggy so let's just get rid of it and use unbound like we do on our mail machines already. Details: https://kanboard.archlinux.org/public/task/104/7dd7510424e4229247e8e0b90bf43e1553fce86cdf8475b60edc956ed5a8 Signed-off-by: Florian Pritz <bluewind@xinu.at>

Use unbound for DNS and disable resolved when unbound is used
d364a728 · Florian Pritz · 744dae84 · d364a728 · d364a728 · d364a728
Commit d364a728 authored 6 years ago by Florian Pritz
--- a/group_vars/all/common.yml
+++ b/group_vars/all/common.yml
+dns_search_domain: "archlinux.org"
--- a/host_vars/luna.archlinux.org/misc
+++ b/host_vars/luna.archlinux.org/misc
@@ -2,6 +2,8 @@
 configure_network: false
 filesystem: "ext4"

+dns_servers: ["127.0.0.1"]
+
 # FIXME: this should probably be configured another way. maybe the
 # mysql/postgres roles should deploy the credentials themselves
 mysql_backup_dir: "/root/backup-mysql"

--- a/host_vars/nymeria.archlinux.org
+++ b/host_vars/nymeria.archlinux.org
@@ -10,6 +10,8 @@ ipv4_gateway: "89.238.67.1"
 ipv6_gateway: "2a00:1828:2000:547::1"
 filesystem: ext4

+dns_servers: ["127.0.0.1"]
+
 archweb_rsync_iso_origin: 'repos.archlinux.org::kitchensink_tier1/iso/'
 archweb_server_email: 'archweb-dev@archlinux.org'
 archweb_domain: 'archweb-dev.archlinux.org'

--- a/host_vars/soyuz.archlinux.org
+++ b/host_vars/soyuz.archlinux.org
@@ -11,6 +11,8 @@ tcp_congestion_control: "bbr"
 filesystem: btrfs
 postgres_backup_dir: "/var/lib/postgres/backup"

+dns_servers: ["127.0.0.1"]
+
 zabbix_agent_templates:
  - Template OS Linux
  - Template App Borg Backup

--- a/host_vars/vostok.archlinux.org
+++ b/host_vars/vostok.archlinux.org
@@ -9,6 +9,8 @@ ipv4_gateway: "5.9.158.161"
 ipv6_gateway: "fe80::1"
 filesystem: ext4

+dns_servers: ["127.0.0.1"]
+
 zabbix_agent_templates:
  - Template OS Linux


--- a/playbooks/all-hosts-basic.yml
+++ b/playbooks/all-hosts-basic.yml
@@ -7,6 +7,7 @@
    - { role: common, tags: ['common'] }
    - { role: tools, tags: ['tools'] }
    - { role: firewalld, tags: ['firewall'] }
+    - { role: unbound }
    # reconfiguring sshd may break the AUR on luna (unchecked)
    #- { role: sshd, tags: ['sshd'] }
    - { role: root_ssh, tags: ['root_ssh'] }

--- a/playbooks/nymeria.yml
+++ b/playbooks/nymeria.yml
@@ -7,6 +7,7 @@
    - { role: common, tags: ['common'] }
    - { role: tools, tags: ['tools'] }
    - { role: sshd, tags: ['sshd'] }
+    - { role: unbound }
    - { role: root_ssh, tags: ['root_ssh'] }
    - { role: nginx, tags: ["nginx"] }
    - { role: postgres, postgres_max_connections: 1000, postgres_shared_buffers: 4096MB,

--- a/playbooks/sgp.yml
+++ b/playbooks/sgp.yml
@@ -6,6 +6,7 @@
    - { role: common }
    - { role: tools }
    - { role: sshd }
+    - { role: unbound }
    - { role: root_ssh }
    - { role: archusers }
    - { role: nginx }

--- a/playbooks/soyuz.yml
+++ b/playbooks/soyuz.yml
@@ -7,6 +7,7 @@
    - { role: common, tags: ['common'] }
    - { role: tools, tags: ['tools'] }
    - { role: sshd, tags: ['sshd'] }
+    - { role: unbound }
    - { role: root_ssh, tags: ['root_ssh'] }
    - { role: borg-client, tags: ['borg'] }
    - { role: opendkim, dkim_selector: soyuz, tags: ['mail'] }

--- a/playbooks/vostok.yml
+++ b/playbooks/vostok.yml
@@ -7,5 +7,6 @@
    - { role: common, tags: ['common'] }
    - { role: tools, tags: ['tools'] }
    - { role: sshd, tags: ['sshd'] }
+    - { role: unbound }
    - { role: root_ssh, tags: ['root_ssh'] }
    - { role: borg-server, backup_dir: "/backup", backup_clients: "{{groups['borg-clients']}}", tags: ["borg"] }
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -40,14 +40,18 @@

 - name: create symlink to resolv.conf
  file: src=/run/systemd/resolve/stub-resolv.conf dest=/etc/resolv.conf state=link force=yes
-  when: configure_network
+  when: configure_network and not (dns_servers|length == 1 and "127.0.0.1" in dns_servers)
+
+- name: create resolv.conf
+  template: src=resolv.conf.j2 dest=/etc/resolv.conf owner=root group=root mode=0644
+  when: configure_network and (dns_servers|length == 1 and "127.0.0.1" in dns_servers)

 - name: start networkd
  service: name=systemd-networkd state=started enabled=yes
  when: configure_network

 - name: start resolved
-  service: name=systemd-resolved state=started enabled=yes
+  service: name=systemd-resolved state={{"stopped" if dns_servers|length == 1 and "127.0.0.1" in dns_servers else "started"}} enabled={{"no" if dns_servers|length == 1 and "127.0.0.1" in dns_servers else "yes"}}
  when: configure_network

 - name: configure default qdisc

--- a/roles/common/templates/resolv.conf.j2
+++ b/roles/common/templates/resolv.conf.j2
+{% for server in dns_servers %}
+nameserver {{server}}
+{% endfor %}
+
+search {{dns_search_domain}}