feat: migrate to systemd-networkd and systemd-resolved to make sure NFS shares...

feat: migrate to systemd-networkd and systemd-resolved to make sure NFS shares mount correctly during boot

tasks/configure_network.yml

 ---
-- name: configure DNS settings
-  net_system:
-    domain-search: "{{ vault_domain_name }}"
-    name_servers: "{{ vault_name_servers }}"
-    state: present
+# Sooo, WTF is this?
+# In Debian 11 Bullseye's default configuration, network is managed by
+#`ifupdown`. This is OK until you try to use NFS mounts, because they require
+# the network to be fully up and reachable. As `ifupdown` won't properly report
+# the actual network status, SystemD will try to mount NFS shares too early and
+# fail inevitably, because the network is not reachable yet.
+#
+# The only proper solution is to swith over to `systemd-networkd`, where this
+# kind of reporting works as expected and the task of mounting NFS shares is
+# put into the correct position during startup ordering.
+#
+# After these tasks have run, you can use `networkctl` to check if the network
+# is configured as expected.
+#
+# We seize the opportunity to switch over to `systemd-resolvd` as well, because
+# it offers DNSSec etc., and, frankly, because we can.
+#
+# After these tasks have run, you can use `resolvectl` to check if the name
+# resolution is configured as expected.
+#
+# As of the time of writing this (2023-01-12), this is a custom configuration,
+# but @Zumpe already told me that the GUBS dev team has plans to make
+# `systemd-networkd` and `systemd-resolved` the default for Debian 12 in GUBS
+# installations, so once this is done, we can probably dispose of these tasks
+# altogether.
+
+# Create a `systemd-networkd` config for ens192 and remove any configuration
+# for that interface from the traditional '/etc/network/interfaces' config file
+# to avoid any interference and hand over management for that interface to
+# `systemd-networkd`. Now, '/etc/network/interfaces' will only contain the
+# config for the loopback interface.
+- name: deploy network interface config
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/{{ item }}"
+    mode: "0644"
+  loop:
+    - "etc/systemd/network/ens192.network"
+    - "etc/network/interfaces"
+
+- name: Link /etc/resolv.conf
+  ansible.builtin.file:
+    src: "/run/systemd/resolve/stub-resolv.conf"
+    dest: "/etc/resolv.conf"
+    state: link
+    force: true
+
+- name: Enable systemd-networkd but don't start now
+  ansible.builtin.systemd:
+    name: "{{ item.n }}"
+    enabled: true
+    state: "{{ item.s | default(omit) }}"
+    daemon_reload: true
+  loop:
+    - n: "systemd-networkd.service"
+    - n: "systemd-resolved.service"
+      s: started
+    - n: "systemd-networkd-wait-online.service"
+
+# The network changes require a reboot, so do that.
+- name: reboot system
+  ansible.builtin.reboot:
+  changed_when: False

tasks/main.yml

@@ -145,6 +145,10 @@
   import_tasks: configure_ntp.yml
   tags: [ntp]
 
+- name: Configure Network
+  ansible.builtin.import_tasks: "configure_network.yml"
+  tags: [network, dns, resolv]
+
 # there's no way to get this task to become idempotent, so we have to skip the test
 - name: Flush handlers am Ende der Rolle
   ansible.builtin.meta: flush_handlers

templates/etc/network/interfaces.j2

+
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# ALL OTHER INTERFACES ARE CONFIGURED BELOW "/etc/systemd/network/".

templates/etc/systemd/network/ens192.network.j2

+[Match]
+Name={{ ansible_facts.default_ipv4.interface }}
+
+[Network]
+Address={{ ansible_facts.default_ipv4.address }}/{{ ansible_facts.default_ipv4.prefix }}
+Gateway={{ ansible_facts.default_ipv4.gateway }}
+DNS=194.95.142.200
+DNS=194.95.142.203
+DNS=194.95.142.157
+Domains=slub-dresden.de
+LLMNR=no