From 401520e2741d5f5edca379c46a626f46993e88a0 Mon Sep 17 00:00:00 2001
From: Ian Wienand <iwienand@redhat.com>
Date: Tue, 10 Oct 2017 15:41:58 +1100
Subject: [PATCH] Add unbound role

As mentioned in the README, this adds the dynamic configuration for
unbound on hosts. If there is a ipv6 route, it will set forwarding to
ipv6 servers, otherwise use ipv4. This is ported from the
configure_mirror.sh script.

We add a basic test to integration tests

Change-Id: I70b41e45f3d53b191742533c2f3b6c0b6e6c2339
---
 roles/configure-unbound/README.rst            | 27 ++++++++++++
 roles/configure-unbound/defaults/main.yaml    |  7 +++
 roles/configure-unbound/tasks/main.yaml       | 43 +++++++++++++++++++
 .../templates/forwarding.conf.j2              |  6 +++
 tests/base.yaml                               |  2 +-
 tests/configure-unbound.yaml                  | 13 ++++++
 6 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 roles/configure-unbound/README.rst
 create mode 100644 roles/configure-unbound/defaults/main.yaml
 create mode 100644 roles/configure-unbound/tasks/main.yaml
 create mode 100644 roles/configure-unbound/templates/forwarding.conf.j2
 create mode 100644 tests/configure-unbound.yaml

diff --git a/roles/configure-unbound/README.rst b/roles/configure-unbound/README.rst
new file mode 100644
index 00000000..039533e3
--- /dev/null
+++ b/roles/configure-unbound/README.rst
@@ -0,0 +1,27 @@
+An ansible role to dynamically configure DNS forwarders for the
+``unbound`` caching service.  IPv6 will be preferred when there is a
+usable IPv6 default route, otherwise IPv4.
+
+.. note:: This is not a standalone unbound configuration role.  Base
+          setup is done during image builds in
+          ``project-config:nodepool/elements/nodepool-base/finalise.d/89-unbound``;
+          here we just do dynamic configuration of forwarders based on
+          the interfaces available on the actual host.
+
+**Role Variables**
+
+.. zuul:rolevar:: primary_nameserver_v4
+
+   The primary IPv4 nameserver for fowarding requests
+
+.. zuul:rolevar:: primary_nameserver_v6
+
+   The primary IPv6 nameserver for fowarding requests
+
+.. zuul:rolevar:: secondary_nameserver_v4
+
+   The secondary IPv4 nameserver for fowarding requests
+
+.. zuul:rolevar:: secondary_nameserver_v6
+
+   The seconary IPv6 nameserver for fowarding requests
diff --git a/roles/configure-unbound/defaults/main.yaml b/roles/configure-unbound/defaults/main.yaml
new file mode 100644
index 00000000..d0228620
--- /dev/null
+++ b/roles/configure-unbound/defaults/main.yaml
@@ -0,0 +1,7 @@
+# OpenDNS
+primary_nameserver_v6: "2620:0:ccc::2"
+primary_nameserver_v4: "208.67.222.222"
+
+# Google
+secondary_nameserver_v6: "2001:4860:4860::8888"
+secondary_nameserver_v4: "8.8.8.8"
diff --git a/roles/configure-unbound/tasks/main.yaml b/roles/configure-unbound/tasks/main.yaml
new file mode 100644
index 00000000..5c2c0f5f
--- /dev/null
+++ b/roles/configure-unbound/tasks/main.yaml
@@ -0,0 +1,43 @@
+- name: Ensure /etc/unbound exists
+  become: yes
+  file:
+    path: /etc/unbound
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+# Use *only* ipv6 resolvers if ipv6 is present and routable
+# (ansible_default_ipv6 should only be defined for a global, routable
+# address). This avoids traversing potential NAT when using ipv4 which
+# can be unreliable.
+- name: Set IPv6 nameservers
+  when: ansible_default_ipv6.address is defined
+  set_fact:
+    primary_nameserver: '{{ primary_nameserver_v6 }}'
+    secondary_nameserver: '{{ secondary_nameserver_v6 }}'
+
+# Fallback to default ipv4 if there is no ipv6 available as this
+# causes timeouts and failovers that are unnecesary.
+- name: Set IPv4 nameservers
+  when:
+    - ansible_default_ipv6.address is not defined
+  set_fact:
+    primary_nameserver: '{{ primary_nameserver_v4 }}'
+    secondary_nameserver: '{{ secondary_nameserver_v4 }}'
+
+- name: Configure unbound fowarding
+  become: yes
+  template:
+    dest: '/etc/unbound/forwarding.conf'
+    owner: root
+    group: root
+    mode: 0644
+    src: forwarding.conf.j2
+
+- name: restart unbound
+  become: yes
+  service:
+    name: unbound
+    state: restarted
+    enabled: yes
diff --git a/roles/configure-unbound/templates/forwarding.conf.j2 b/roles/configure-unbound/templates/forwarding.conf.j2
new file mode 100644
index 00000000..9b0a1717
--- /dev/null
+++ b/roles/configure-unbound/templates/forwarding.conf.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+forward-zone:
+  name: "."
+  forward-addr: {{ primary_nameserver }}
+  forward-addr: {{ secondary_nameserver }}
diff --git a/tests/base.yaml b/tests/base.yaml
index e0213c31..ee9eef4f 100644
--- a/tests/base.yaml
+++ b/tests/base.yaml
@@ -1,4 +1,4 @@
 # Roles that are part of the 'base' job
-
+- include: configure-unbound.yaml
 - include: mirror-info.yaml
 - include: configure-mirrors.yaml
diff --git a/tests/configure-unbound.yaml b/tests/configure-unbound.yaml
new file mode 100644
index 00000000..86fb5303
--- /dev/null
+++ b/tests/configure-unbound.yaml
@@ -0,0 +1,13 @@
+- name: Test the configure-unbound role
+  hosts: all
+  roles:
+    - role: configure-unbound
+  post_tasks:
+    - name: Check for /etc/unbound/forwarding.conf
+      stat: path=/etc/unbound/forwarding.conf
+      register: f
+    - name: Check forwarding file
+      assert:
+        that:
+          - f.stat.exists
+          - f.stat.isreg