From d364a7280097f17509e258d682bbfa69a775922d Mon Sep 17 00:00:00 2001
From: Florian Pritz <bluewind@xinu.at>
Date: Tue, 25 Dec 2018 16:29:00 +0100
Subject: [PATCH] Use unbound for DNS and disable resolved when unbound is used

We don't need resolved and it is sometimes buggy so let's just get rid
of it and use unbound like we do on our mail machines already.

Details: https://kanboard.archlinux.org/public/task/104/7dd7510424e4229247e8e0b90bf43e1553fce86cdf8475b60edc956ed5a8

Signed-off-by: Florian Pritz <bluewind@xinu.at>
---
 group_vars/all/common.yml             | 1 +
 host_vars/luna.archlinux.org/misc     | 2 ++
 host_vars/nymeria.archlinux.org       | 2 ++
 host_vars/soyuz.archlinux.org         | 2 ++
 host_vars/vostok.archlinux.org        | 2 ++
 playbooks/all-hosts-basic.yml         | 1 +
 playbooks/nymeria.yml                 | 1 +
 playbooks/sgp.yml                     | 1 +
 playbooks/soyuz.yml                   | 1 +
 playbooks/vostok.yml                  | 1 +
 roles/common/tasks/main.yml           | 8 ++++++--
 roles/common/templates/resolv.conf.j2 | 5 +++++
 12 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 group_vars/all/common.yml
 create mode 100644 roles/common/templates/resolv.conf.j2

diff --git a/group_vars/all/common.yml b/group_vars/all/common.yml
new file mode 100644
index 000000000..3eb8cc43b
--- /dev/null
+++ b/group_vars/all/common.yml
@@ -0,0 +1 @@
+dns_search_domain: "archlinux.org"
diff --git a/host_vars/luna.archlinux.org/misc b/host_vars/luna.archlinux.org/misc
index e61d65ca9..da2669d1b 100644
--- a/host_vars/luna.archlinux.org/misc
+++ b/host_vars/luna.archlinux.org/misc
@@ -2,6 +2,8 @@
 configure_network: false
 filesystem: "ext4"
 
+dns_servers: ["127.0.0.1"]
+
 # FIXME: this should probably be configured another way. maybe the
 # mysql/postgres roles should deploy the credentials themselves
 mysql_backup_dir: "/root/backup-mysql"
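Review bot: Setting `dns_servers: ["127.0.0.1"]` on luna has no effect through the common role as written, because this same file sets `configure_network: false` (two lines above) and every resolver task in roles/common/tasks/main.yml — the stub-resolv.conf symlink, the new `create resolv.conf` template, and the resolved stop — is gated on `configure_network`. On this host /etc/resolv.conf is therefore not rewritten and systemd-resolved keeps running, while the `unbound` role presumably still gets applied through all-hosts-basic.yml (I cannot see the inventory, so that part is inferred). Either drop the variable here or split the resolv.conf/resolved handling from the `configure_network` gate in the role. If luna's resolver really is hand-managed, say so next to the variable: `# resolv.conf is not managed by the common role here (configure_network is false)`.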
diff --git a/host_vars/nymeria.archlinux.org b/host_vars/nymeria.archlinux.org
index 8a9ab82ed..28d59736e 100644
--- a/host_vars/nymeria.archlinux.org
+++ b/host_vars/nymeria.archlinux.org
@@ -10,6 +10,8 @@ ipv4_gateway: "89.238.67.1"
 ipv6_gateway: "2a00:1828:2000:547::1"
 filesystem: ext4
 
+dns_servers: ["127.0.0.1"]
+
 archweb_rsync_iso_origin: 'repos.archlinux.org::kitchensink_tier1/iso/'
 archweb_server_email: 'archweb-dev@archlinux.org'
 archweb_domain: 'archweb-dev.archlinux.org'
diff --git a/host_vars/soyuz.archlinux.org b/host_vars/soyuz.archlinux.org
index ea6c8f867..3dfdfcdd4 100644
--- a/host_vars/soyuz.archlinux.org
+++ b/host_vars/soyuz.archlinux.org
@@ -11,6 +11,8 @@ tcp_congestion_control: "bbr"
 filesystem: btrfs
 postgres_backup_dir: "/var/lib/postgres/backup"
 
+dns_servers: ["127.0.0.1"]
+
 zabbix_agent_templates:
   - Template OS Linux
   - Template App Borg Backup
diff --git a/host_vars/vostok.archlinux.org b/host_vars/vostok.archlinux.org
index a68f2c0b5..0fbbc75da 100644
--- a/host_vars/vostok.archlinux.org
+++ b/host_vars/vostok.archlinux.org
@@ -9,6 +9,8 @@ ipv4_gateway: "5.9.158.161"
 ipv6_gateway: "fe80::1"
 filesystem: ext4
 
+dns_servers: ["127.0.0.1"]
+
 zabbix_agent_templates:
   - Template OS Linux
 
diff --git a/playbooks/all-hosts-basic.yml b/playbooks/all-hosts-basic.yml
index db0861c6f..71f3e005d 100644
--- a/playbooks/all-hosts-basic.yml
+++ b/playbooks/all-hosts-basic.yml
@@ -7,6 +7,7 @@
     - { role: common, tags: ['common'] }
     - { role: tools, tags: ['tools'] }
     - { role: firewalld, tags: ['firewall'] }
+    - { role: unbound }
     # reconfiguring sshd may break the AUR on luna (unchecked)
     #- { role: sshd, tags: ['sshd'] }
     - { role: root_ssh, tags: ['root_ssh'] }
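Review bot: The role order opens a name-resolution gap: `common` runs first and, on hosts with `dns_servers: ["127.0.0.1"]`, rewrites /etc/resolv.conf to point at 127.0.0.1 and stops systemd-resolved, but `unbound` is only applied after `tools` and `firewalld`, so anything in those roles that needs DNS (package installs, for instance) fails on a first run or after a resolver switch until unbound is up — I cannot see those roles, so the impact is inferred from the ordering alone. Placing the entry directly after `common` narrows the window, and `- { role: unbound, tags: ['unbound'] }` also restores the tagging convention every other role in this play follows, so `--tags unbound` works like `--tags firewall`. The same untagged, late placement is repeated in the nymeria, sgp, soyuz and vostok playbooks.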
diff --git a/playbooks/nymeria.yml b/playbooks/nymeria.yml
index 13368cf70..ae2b127d7 100644
--- a/playbooks/nymeria.yml
+++ b/playbooks/nymeria.yml
@@ -7,6 +7,7 @@
     - { role: common, tags: ['common'] }
     - { role: tools, tags: ['tools'] }
     - { role: sshd, tags: ['sshd'] }
+    - { role: unbound }
     - { role: root_ssh, tags: ['root_ssh'] }
     - { role: nginx, tags: ["nginx"] }
     - { role: postgres, postgres_max_connections: 1000, postgres_shared_buffers: 4096MB,
diff --git a/playbooks/sgp.yml b/playbooks/sgp.yml
index 803edda93..7063f3aa3 100644
--- a/playbooks/sgp.yml
+++ b/playbooks/sgp.yml
@@ -6,6 +6,7 @@
     - { role: common }
     - { role: tools }
     - { role: sshd }
+    - { role: unbound }
     - { role: root_ssh }
     - { role: archusers }
     - { role: nginx }
diff --git a/playbooks/soyuz.yml b/playbooks/soyuz.yml
index 6720d369d..d967bcd8c 100644
--- a/playbooks/soyuz.yml
+++ b/playbooks/soyuz.yml
@@ -7,6 +7,7 @@
     - { role: common, tags: ['common'] }
     - { role: tools, tags: ['tools'] }
     - { role: sshd, tags: ['sshd'] }
+    - { role: unbound }
     - { role: root_ssh, tags: ['root_ssh'] }
     - { role: borg-client, tags: ['borg'] }
     - { role: opendkim, dkim_selector: soyuz, tags: ['mail'] }
diff --git a/playbooks/vostok.yml b/playbooks/vostok.yml
index ac3d72918..15a787e11 100644
--- a/playbooks/vostok.yml
+++ b/playbooks/vostok.yml
@@ -7,5 +7,6 @@
     - { role: common, tags: ['common'] }
     - { role: tools, tags: ['tools'] }
     - { role: sshd, tags: ['sshd'] }
+    - { role: unbound }
     - { role: root_ssh, tags: ['root_ssh'] }
     - { role: borg-server, backup_dir: "/backup", backup_clients: "{{groups['borg-clients']}}", tags: ["borg"] }
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 2ca84f2e3..c7ec925fe 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -40,14 +40,18 @@
 
 - name: create symlink to resolv.conf
   file: src=/run/systemd/resolve/stub-resolv.conf dest=/etc/resolv.conf state=link force=yes
-  when: configure_network
+  when: configure_network and not (dns_servers|length == 1 and "127.0.0.1" in dns_servers)
+
+- name: create resolv.conf
+  template: src=resolv.conf.j2 dest=/etc/resolv.conf owner=root group=root mode=0644
+  when: configure_network and (dns_servers|length == 1 and "127.0.0.1" in dns_servers)
 
 - name: start networkd
   service: name=systemd-networkd state=started enabled=yes
   when: configure_network
 
 - name: start resolved
-  service: name=systemd-resolved state=started enabled=yes
+  service: name=systemd-resolved state={{"stopped" if dns_servers|length == 1 and "127.0.0.1" in dns_servers else "started"}} enabled={{"no" if dns_servers|length == 1 and "127.0.0.1" in dns_servers else "yes"}}
   when: configure_network
 
 - name: configure default qdisc
diff --git a/roles/common/templates/resolv.conf.j2 b/roles/common/templates/resolv.conf.j2
new file mode 100644
index 000000000..5af87dbec
--- /dev/null
+++ b/roles/common/templates/resolv.conf.j2
@@ -0,0 +1,5 @@
+{% for server in dns_servers %}
+nameserver {{server}}
+{% endfor %}
+
+search {{dns_search_domain}}
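Review bot: The rendered /etc/resolv.conf carries no hint that it is generated, and on these hosts it replaces what used to be a symlink into /run, so an administrator debugging resolution is likely to edit it by hand and lose the change on the next run; make `# {{ ansible_managed }}` the first line of the template. The `search` line is only safe because group_vars/all/common.yml defines `dns_search_domain`; a host that blanks it would render a bare `search` directive, which `{% if dns_search_domain %}` around that line avoids. The trailing blank line before `search` is harmless but can be dropped.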
-- 
GitLab