diff --git a/group_vars/all/common.yml b/group_vars/all/common.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3eb8cc43bea904e4564aa94b6ca06c9540dcc39e
--- /dev/null
+++ b/group_vars/all/common.yml
@@ -0,0 +1 @@
+dns_search_domain: "archlinux.org"
diff --git a/host_vars/luna.archlinux.org/misc b/host_vars/luna.archlinux.org/misc
index e61d65ca9a4a1cf91ce2128b15b3008ffa44af44..da2669d1b5d71829227d316a29f22271dcce4af1 100644
--- a/host_vars/luna.archlinux.org/misc
+++ b/host_vars/luna.archlinux.org/misc
@@ -2,6 +2,8 @@
 configure_network: false
 filesystem: "ext4"
 
+dns_servers: ["127.0.0.1"]
+
 # FIXME: this should probably be configured another way. maybe the
 # mysql/postgres roles should deploy the credentials themselves
 mysql_backup_dir: "/root/backup-mysql"
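Review bot: `dns_servers: ["127.0.0.1"]` is added next to `configure_network: false`, and both the `create resolv.conf` task and the resolved stop/disable in roles/common/tasks/main.yml are gated on `configure_network`, so on this host nothing in this commit points /etc/resolv.conf at the local resolver. If resolv.conf on luna is maintained by hand, that is worth stating above the new line, for example `# configure_network is false: the common role does not manage /etc/resolv.conf here, it must point at 127.0.0.1 by other means`. Whether the unbound role itself reads `dns_servers` is not visible in this diff.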
diff --git a/host_vars/nymeria.archlinux.org b/host_vars/nymeria.archlinux.org
index 8a9ab82edd3f03afd602ca4b291a41755c166a64..28d59736e70e648c6ccb1bcc8407f87cd5f7463f 100644
--- a/host_vars/nymeria.archlinux.org
+++ b/host_vars/nymeria.archlinux.org
@@ -10,6 +10,8 @@ ipv4_gateway: "89.238.67.1"
 ipv6_gateway: "2a00:1828:2000:547::1"
 filesystem: ext4
 
+dns_servers: ["127.0.0.1"]
+
 archweb_rsync_iso_origin: 'repos.archlinux.org::kitchensink_tier1/iso/'
 archweb_server_email: 'archweb-dev@archlinux.org'
 archweb_domain: 'archweb-dev.archlinux.org'
diff --git a/host_vars/soyuz.archlinux.org b/host_vars/soyuz.archlinux.org
index ea6c8f8674e7f3c1b2e0ec863a9ef17277194b0f..3dfdfcdd46246bc5e7ee733b6e0dc169b93faf98 100644
--- a/host_vars/soyuz.archlinux.org
+++ b/host_vars/soyuz.archlinux.org
@@ -11,6 +11,8 @@ tcp_congestion_control: "bbr"
 filesystem: btrfs
 postgres_backup_dir: "/var/lib/postgres/backup"
 
+dns_servers: ["127.0.0.1"]
+
 zabbix_agent_templates:
   - Template OS Linux
   - Template App Borg Backup
diff --git a/host_vars/vostok.archlinux.org b/host_vars/vostok.archlinux.org
index a68f2c0b58833ddcea7ae35742646e0a6a1b44fe..0fbbc75daa4287b7c627ba81dff2a1cf4a7ad61e 100644
--- a/host_vars/vostok.archlinux.org
+++ b/host_vars/vostok.archlinux.org
@@ -9,6 +9,8 @@ ipv4_gateway: "5.9.158.161"
 ipv6_gateway: "fe80::1"
 filesystem: ext4
 
+dns_servers: ["127.0.0.1"]
+
 zabbix_agent_templates:
   - Template OS Linux
 
diff --git a/playbooks/all-hosts-basic.yml b/playbooks/all-hosts-basic.yml
index db0861c6f3955d516bf3397f79e5c0dc05d1c64d..71f3e005d546e97aeb3b8f95b5a15f80dec46e87 100644
--- a/playbooks/all-hosts-basic.yml
+++ b/playbooks/all-hosts-basic.yml
@@ -7,6 +7,7 @@
     - { role: common, tags: ['common'] }
     - { role: tools, tags: ['tools'] }
     - { role: firewalld, tags: ['firewall'] }
+    - { role: unbound }
     # reconfiguring sshd may break the AUR on luna (unchecked)
     #- { role: sshd, tags: ['sshd'] }
     - { role: root_ssh, tags: ['root_ssh'] }
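Review bot: The new `- { role: unbound }` entry runs after `common`, and in this same commit the common role stops systemd-resolved and writes a resolv.conf listing only 127.0.0.1 when `configure_network` is true, so on a first run the host presumably has no working resolver until unbound is installed and started. If the unbound role installs its package over the network, that step needs DNS at exactly that moment; the role's tasks are not shown here, so this should be checked against a fresh host. The entry also carries no tag while its neighbours do; `- { role: unbound, tags: ['unbound'] }` would keep `--tags` runs usable. Both points apply equally to the entries added in playbooks/nymeria.yml, playbooks/soyuz.yml and playbooks/vostok.yml, and the ordering point to playbooks/sgp.yml. The roles list starts and ends outside this hunk.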
diff --git a/playbooks/nymeria.yml b/playbooks/nymeria.yml
index 13368cf70f16dd7a2da5ec99fae7e7fa02c058af..ae2b127d76b65072d13f81ac7e4783b36a575d29 100644
--- a/playbooks/nymeria.yml
+++ b/playbooks/nymeria.yml
@@ -7,6 +7,7 @@
     - { role: common, tags: ['common'] }
     - { role: tools, tags: ['tools'] }
     - { role: sshd, tags: ['sshd'] }
+    - { role: unbound }
     - { role: root_ssh, tags: ['root_ssh'] }
     - { role: nginx, tags: ["nginx"] }
     - { role: postgres, postgres_max_connections: 1000, postgres_shared_buffers: 4096MB,
diff --git a/playbooks/sgp.yml b/playbooks/sgp.yml
index 803edda9304e29493e1180477a96270733d50956..7063f3aa3a6c0930696c49495327c8fc83af2d2d 100644
--- a/playbooks/sgp.yml
+++ b/playbooks/sgp.yml
@@ -6,6 +6,7 @@
     - { role: common }
     - { role: tools }
     - { role: sshd }
+    - { role: unbound }
     - { role: root_ssh }
     - { role: archusers }
     - { role: nginx }
diff --git a/playbooks/soyuz.yml b/playbooks/soyuz.yml
index 6720d369d05c18a1b9dbc9e002c0d748862c6be1..d967bcd8c6bee4e26e70763b76bf95b0166982d7 100644
--- a/playbooks/soyuz.yml
+++ b/playbooks/soyuz.yml
@@ -7,6 +7,7 @@
     - { role: common, tags: ['common'] }
     - { role: tools, tags: ['tools'] }
     - { role: sshd, tags: ['sshd'] }
+    - { role: unbound }
     - { role: root_ssh, tags: ['root_ssh'] }
     - { role: borg-client, tags: ['borg'] }
     - { role: opendkim, dkim_selector: soyuz, tags: ['mail'] }
diff --git a/playbooks/vostok.yml b/playbooks/vostok.yml
index ac3d72918fb8b4ce9934e66c96b143b31bf00bc1..15a787e11cee5b4b43e2515d2302a2089d779ff5 100644
--- a/playbooks/vostok.yml
+++ b/playbooks/vostok.yml
@@ -7,5 +7,6 @@
     - { role: common, tags: ['common'] }
     - { role: tools, tags: ['tools'] }
     - { role: sshd, tags: ['sshd'] }
+    - { role: unbound }
     - { role: root_ssh, tags: ['root_ssh'] }
     - { role: borg-server, backup_dir: "/backup", backup_clients: "{{groups['borg-clients']}}", tags: ["borg"] }
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 2ca84f2e305245d95b71c5d76dd43c5d34dda057..c7ec925fee3332db54f1dc13fee8674cccf7bd08 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -40,14 +40,18 @@
 
 - name: create symlink to resolv.conf
   file: src=/run/systemd/resolve/stub-resolv.conf dest=/etc/resolv.conf state=link force=yes
-  when: configure_network
+  when: configure_network and not (dns_servers|length == 1 and "127.0.0.1" in dns_servers)
+
+- name: create resolv.conf
+  template: src=resolv.conf.j2 dest=/etc/resolv.conf owner=root group=root mode=0644
+  when: configure_network and (dns_servers|length == 1 and "127.0.0.1" in dns_servers)
 
 - name: start networkd
   service: name=systemd-networkd state=started enabled=yes
   when: configure_network
 
 - name: start resolved
-  service: name=systemd-resolved state=started enabled=yes
+  service: name=systemd-resolved state={{"stopped" if dns_servers|length == 1 and "127.0.0.1" in dns_servers else "started"}} enabled={{"no" if dns_servers|length == 1 and "127.0.0.1" in dns_servers else "yes"}}
   when: configure_network
 
 - name: configure default qdisc
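Review bot: The expression `dns_servers|length == 1 and "127.0.0.1" in dns_servers` appears four times in this hunk and dereferences `dns_servers` without a default, so a host with `configure_network` true and no `dns_servers` defined would fail with an undefined-variable error. group_vars/all/common.yml in this commit only defines `dns_search_domain`, and a default elsewhere is not visible. Computing the condition once, e.g. `use_local_resolver: "{{ dns_servers | default([]) == ['127.0.0.1'] }}"`, and using that name in the two `when:` lines and the `state=`/`enabled=` expressions would remove both the repetition and the failure mode. The task is still named `start resolved` although it now also stops and disables the service; `configure resolved` would describe it. The task list continues outside the hunk.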
diff --git a/roles/common/templates/resolv.conf.j2 b/roles/common/templates/resolv.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..5af87dbecc2453549db01f548dd97b38bce53608
--- /dev/null
+++ b/roles/common/templates/resolv.conf.j2
@@ -0,0 +1,5 @@
+{% for server in dns_servers %}
+nameserver {{server}}
+{% endfor %}
+
+search {{dns_search_domain}}
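Review bot: The template carries no marker that the file is generated, so an admin editing /etc/resolv.conf by hand gets no hint that the next run overwrites it; a first line `# {{ ansible_managed }}` is the usual way to say so. Because the common role renders this file only when `dns_servers` is exactly `["127.0.0.1"]`, the result always has a single nameserver and no fallback, which makes name resolution on the host depend entirely on the local unbound instance staying up. A short comment in the template stating that this is intended would help whoever debugs a resolver outage on these hosts.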