From 7c7755a3461d3fb8e30bdfc0fc6c77d76caabb88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Fri, 13 Jan 2023 13:36:29 +0100
Subject: [PATCH] feat: migrate to systemd-networkd and systemd-resolved to make sure NFS shares mount correctly during boot
---
 tasks/configure_network.yml | 68 +++++++++++++++++--
 tasks/main.yml | 4 ++
 templates/etc/network/interfaces.j2 | 9 +++
 .../etc/systemd/network/ens192.network.j2 | 11 +++
 4 files changed, 87 insertions(+), 5 deletions(-)
 create mode 100644 templates/etc/network/interfaces.j2
 create mode 100644 templates/etc/systemd/network/ens192.network.j2

diff --git a/tasks/configure_network.yml b/tasks/configure_network.yml
index c695d84..bb1956c 100644
--- a/tasks/configure_network.yml
+++ b/tasks/configure_network.yml
@@ -1,6 +1,64 @@
 ---
-- name: configure DNS settings
- net_system:
- domain-search: "{{ vault_domain_name }}"
- name_servers: "{{ vault_name_servers }}"
- state: present
+# Sooo, WTF is this?
+# In Debian 11 Bullseye's default configuration, network is managed by
+#`ifupdown`. This is OK until you try to use NFS mounts, because they require
+# the network to be fully up and reachable. As `ifupdown` won't properly report
+# the actual network status, SystemD will try to mount NFS shares too early and
+# fail inevitably, because the network is not reachable yet.
+#
+# The only proper solution is to swith over to `systemd-networkd`, where this
+# kind of reporting works as expected and the task of mounting NFS shares is
+# put into the correct position during startup ordering.
+#
+# After these tasks have run, you can use `networkctl` to check if the network
+# is configured as expected.
+#
+# We seize the opportunity to switch over to `systemd-resolvd` as well, because
+# it offers DNSSec etc., and, frankly, because we can.
+#
+# After these tasks have run, you can use `resolvectl` to check if the name
+# resolution is configured as expected.
+#
+# As of the time of writing this (2023-01-12), this is a custom configuration,
+# but @Zumpe already told me that the GUBS dev team has plans to make
+# `systemd-networkd` and `systemd-resolved` the default for Debian 12 in GUBS
+# installations, so once this is done, we can probably dispose of these tasks
+# altogether.
+
+# Create a `systemd-networkd` config for ens192 and remove any configuration
+# for that interface from the traditional '/etc/network/interfaces' config file
+# to avoid any interference and hand over management for that interface to
+# `systemd-networkd`. Now, '/etc/network/interfaces' will only contain the
+# config for the loopback interface.
+- name: deploy network interface config
+ ansible.builtin.template:
+ src: "{{ item }}.j2"
+ dest: "/{{ item }}"
+ mode: "0644"
+ loop:
+ - "etc/systemd/network/ens192.network"
+ - "etc/network/interfaces"
+
+- name: Link /etc/resolv.conf
+ ansible.builtin.file:
+ src: "/run/systemd/resolve/stub-resolv.conf"
+ dest: "/etc/resolv.conf"
+ state: link
+ force: true
+
+- name: Enable systemd-networkd but don't start now
+ ansible.builtin.systemd:
+ name: "{{ item.n }}"
+ enabled: true
+ state: "{{ item.s | default(omit) }}"
+ daemon_reload: true
+ loop:
+ - n: "systemd-networkd.service"
+ - n: "systemd-resolved.service"
+ s: started
+ - n: "systemd-networkd-wait-online.service"
+
+# The network changes require a reboot, so do that.
+- name: reboot system
+ ansible.builtin.reboot:
+ changed_when: False
diff --git a/tasks/main.yml b/tasks/main.yml
index 97dbda6..785d766 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -145,6 +145,10 @@
 import_tasks: configure_ntp.yml
 tags: [ntp]
+- name: Configure Network
+ ansible.builtin.import_tasks: "configure_network.yml"
+ tags: [network, dns, resolv]
+
 # there's no way to get this task to become idempotent, so we have to skip the test
 - name: Flush handlers am Ende der Rolle
 ansible.builtin.meta: flush_handlers
diff --git a/templates/etc/network/interfaces.j2 b/templates/etc/network/interfaces.j2
new file mode 100644
index 0000000..abdf860
--- /dev/null
+++ b/templates/etc/network/interfaces.j2
@@ -0,0 +1,9 @@
+
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# ALL OTHER INTERFACES ARE CONFIGURED BELOW "/etc/systemd/network/".
diff --git a/templates/etc/systemd/network/ens192.network.j2 b/templates/etc/systemd/network/ens192.network.j2
new file mode 100644
index 0000000..2818653
--- /dev/null
+++ b/templates/etc/systemd/network/ens192.network.j2
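Review bot: The `reboot system` task at the end of the hunk runs on every play, and `changed_when: False` only hides that from the recap, so each run of the role will reboot the host even when nothing was deployed. Register the deploy and systemd tasks and gate the reboot on them, e.g. `register: network_config` on the template task and `when: network_config is changed` on the reboot, and write the boolean as `changed_when: false` to match `enabled: true` and `force: true` above. The task named `Enable systemd-networkd but don't start now` does start `systemd-resolved` via `s: started`, while the preceding task has already pointed `/etc/resolv.conf` at `/run/systemd/resolve/stub-resolv.conf` with `force: true`; until resolved is running that link is dangling, so any name lookup between those two tasks fails — starting resolved before creating the link, or a comment stating the ordering is intentional, would make this explicit. The hunk's opening comment also says the file configures `ens192`, but the template matches `ansible_facts.default_ipv4.interface`, so the comment and template name overstate what the tasks actually pin.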
@@ -0,0 +1,11 @@
+[Match]
+Name={{ ansible_facts.default_ipv4.interface }}
+
+[Network]
+Address={{ ansible_facts.default_ipv4.address }}/{{ ansible_facts.default_ipv4.prefix }}
+Gateway={{ ansible_facts.default_ipv4.gateway }}
+DNS=194.95.142.200
+DNS=194.95.142.203
+DNS=194.95.142.157
+Domains=slub-dresden.de
+LLMNR=no
--
GitLab
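Review bot: The resolver addresses and search domain are hard-coded here (`DNS=194.95.142.200` through `Domains=slub-dresden.de`), while the task this commit removes took them from `vault_name_servers` and `vault_domain_name`; the values now live in a committed template instead of the vault, and the role no longer works for hosts with other resolvers. Rendering them from the same variables keeps the previous contract (assuming `vault_name_servers` is a list, as the removed `name_servers:` argument suggests). The comment in `configure_network.yml` motivates systemd-resolved with DNSSEC, yet no `DNSSEC=` key is set in `[Network]`, so behaviour depends on the daemon's default; set it explicitly if validation is intended, and `MulticastDNS=no` pairs with the existing `LLMNR=no` to keep link-local name resolution off. The file is named `ens192.network` but matches `ansible_facts.default_ipv4.interface`, so the name is misleading on hosts whose default interface differs.
```jinja
[Network]
{# … unchanged: Address= and Gateway= lines … #}
{% for ns in vault_name_servers %}
DNS={{ ns }}
{% endfor %}
Domains={{ vault_domain_name }}
DNSSEC=allow-downgrade
LLMNR=no
MulticastDNS=no
```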